Catalogue Search | MBRL
2,512 result(s) for "Cybersecurity Culture"
Organizational cybersecurity readiness in the ICT sector: a quanti-qualitative assessment
by Neri, Martina; Niccolini, Federico; Martino, Luigi
in Attitudes, Communication, Communications technology
2024
Purpose
Cyberattacks are becoming increasingly widespread, and cybersecurity is therefore increasingly important. Although the technological aspects of cybersecurity are its best-known characteristics, the cybersecurity phenomenon goes beyond the detection of technological impacts, and encompasses all the dimensions of an organization. This study thus focusses on an additional set of organizational elements. The key elements of cybersecurity organizational readiness depicted here are cybersecurity awareness, cybersecurity culture and cybersecurity organizational resilience (OR). This study aims to qualitatively assess small and medium enterprises’ (SMEs) overall level of organizational cybersecurity readiness.
Design/methodology/approach
This study focused on conducting a cybersecurity organizational readiness assessment using a sample of 53 Italian SMEs from the information and communication technology sector. Informed mixed method research, this study was conducted consistent with the principles of the explanatory sequential mixed method design, and adopting a quanti-qualitative methodology. The quantitative data were collected through a questionnaire. Qualitative data were subsequently collected through semi-structured interviews.
Findings
Although many elements of the technical aspects of cybersecurity OR have yielded very encouraging results, there are still some areas that require improvement. These include those facets that constitute the foundation of cybersecurity awareness, and, thus, a cybersecurity culture. This result highlights that the areas in need of improvement are exactly those that are most important in fighting against cyber threats via organizational cybersecurity readiness.
Originality/value
Although the importance of SMEs is obvious, evidence of such organizations’ attitudes to cybersecurity are still limited. This research is an attempt to depict the organizational issue related to cybersecurity, i.e. overall cybersecurity organizational readiness.
Journal Article
Assessing MITRE ATT&CK Risk Using a Cyber-Security Culture Framework
by Mouzakitis, Spiros; Georgiadou, Anna; Askounis, Dimitris
in Behavior, Communication, Coronaviruses
2021
The MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) Framework provides a rich and actionable repository of adversarial tactics, techniques, and procedures. Its innovative approach has been broadly welcomed by both vendors and enterprise customers in the industry. Its usage extends from adversary emulation, red teaming, behavioral analytics development to a defensive gap and SOC (Security Operations Center) maturity assessment. While extensive research has been done on analyzing specific attacks or specific organizational culture and human behavior factors leading to such attacks, a holistic view on the association of both is currently missing. In this paper, we present our research results on associating a comprehensive set of organizational and individual culture factors (as described on our developed cyber-security culture framework) with security vulnerabilities mapped to specific adversary behavior and patterns utilizing the MITRE ATT&CK framework. Thus, exploiting MITRE ATT&CK’s possibilities towards a scientific direction that has not yet been explored: security assessment and defensive design, a step prior to its current application domain. The suggested cyber-security culture framework was originally designed to aim at critical infrastructures and, more specifically, the energy sector. Organizations of these domains exhibit a co-existence and strong interaction of the IT (Information Technology) and OT (Operational Technology) networks. As a result, we emphasize our scientific effort on the hybrid MITRE ATT&CK for Enterprise and ICS (Industrial Control Systems) model as a broader and more holistic approach. The results of our research can be utilized in an extensive set of applications, including the efficient organization of security procedures as well as enhancing security readiness evaluation results by providing more insights into imminent threats and security risks.
Journal Article
Determining cybersecurity culture maturity and deriving verifiable improvement measures
2024
Purpose
The human factor is the most important defense asset against cyberattacks. To ensure that the human factor stays strong, a cybersecurity culture must be established and cultivated in a company to guide the attitudes and behaviors of employees. Many cybersecurity culture frameworks exist; however, their practical application is difficult. This paper aims to demonstrate how an established framework can be applied to determine and improve the cybersecurity culture of a company.
Design/methodology/approach
Two surveys were conducted within eight months in the internal IT department of a global software company to analyze the cybersecurity culture and the applied improvement measures. Both surveys comprised the same 23 questions to measure cybersecurity culture according to six dimensions: cybersecurity accountability, cybersecurity commitment, cybersecurity necessity and importance, cybersecurity policy effectiveness, information usage perception and management buy-in.
Findings
Results demonstrate that cybersecurity culture maturity can be determined and improved if accurate measures are derived from the results of the survey. The first survey showed potential for improving the dimensions of cybersecurity accountability, cybersecurity commitment and cybersecurity policy effectiveness, while the second survey proved that these dimensions have been improved.
Originality/value
This paper proves that practical application of cybersecurity culture frameworks is possible if they are appropriately tailored to a given organization. In this regard, scientific research and practical application combine to offer real value to researchers and cybersecurity executives.
Journal Article
Formulating the Cyber Security Culture in Organizations: Proposing and Arguing Insights
by Abdeldayem, Marwan Mohamed; Aldulaimi, Saeed Hameed; Abo Keir, Mohammed Yousif
in Cybersecurity Culture, Information Security Culture, Management
2023
Purpose: This research aims to enhance practical organizational practices and academic research literature by critically investigating the latest findings in cybersecurity culture research through a systematic review of relevant literature and research.
Theoretical Framework: This work seeks to summarize key research developments in a research area that remains challenging for companies as they seek to build strong security cultures to protect their information (Tripwire, 2020). And reviewing the legal regulations that must be trained to protect institutions from cyber threats in the Kingdom of Bahrain and Saudi Arabia.
Design/Methodology/Approach: The methodology of this study implements a systematic literature review to assess the main components of cybersecurity culture and what good practice can help to build it professionally.
Findings: The main results find that current literature must move from a technical approach to information security to a socio-cultural one. Also, this study predicts that cybercrime will increase dramatically and cost the world trillions annually.
Research Practical and Social Implications: This study attempts to define human resource management's role in cybersecurity awareness training, and therefore managers can develop the necessary rules to secure the organizational information.
Originality/Value: The study is among the first studies to be conducted in GCC countries. Moreover, building a cyber security culture is a unique topic that adds to academic knowledge. It can also motivate future studies to focus on efficiently organizing security procedures and enhancing security readiness appraisal consequences by providing more perceptions of imminent threats and security hazards.
Journal Article
Telling stories about vendors: narrative practices to negotiate risk and establish an organizational cybersecurity culture
2025
Abstract
While many cybersecurity culture studies have focused on identifying and measuring an organization's cybersecurity culture—assumptions, values, behaviors, and artifacts—less research has focused on how cybersecurity culture is enacted in the daily workplace in ways that lead to cultural change. In this paper, I approach cybersecurity culture as a meaning-making activity, or practice within an organization. Organizational theory on narrative practices—including storytelling, sensemaking, and sensegiving—provide a conceptual framework to better understand cultural meaning-making practices, as well as how those practices shape decision-making and organizational actions. Using ethnographic observation and interview data, I conducted a narrative analysis of interdisciplinary communication between IT and Facilities professionals working with Internet of Things vendors and their associated risks. The findings demonstrate that storytelling, sensegiving, and sensemaking practices were key to developing an emerging narrative that shaped professional and organizational decision-making to improve cybersecurity. The results of this study suggest that a narrative approach to cybersecurity culture can illuminate practices of cultural meaning-making and organizational decision-making, and suggests that organizations should provide resources for IT and Facilities professionals to engage in interdisciplinary work to create a more robust cybersecurity culture in Facilities departments.
Journal Article
Hospitals’ Cybersecurity Culture during the COVID-19 Crisis
by Gounaris, Konstantinos; Georgiadou, Anna; Gioulekas, Fotios
in Coronaviruses, COVID-19, Cybercrime
2021
The coronavirus pandemic led to an unprecedented crisis affecting all aspects of the concurrent reality. Its consequences vary from political and societal to technical and economic. These side effects provided fertile ground for a noticeable cyber-crime increase targeting critical infrastructures and, more specifically, the health sector; the domain suffering the most during the pandemic. This paper aims to assess the cybersecurity culture readiness of hospitals’ workforce during the COVID-19 crisis. Towards that end, a cybersecurity awareness webinar was held in December 2020 targeting Greek Healthcare Institutions. Concepts of cybersecurity policies, standards, best practices, and solutions were addressed. Its effectiveness was evaluated via a two-step procedure. Firstly, an anonymous questionnaire was distributed at the end of the webinar and voluntarily answered by attendees to assess the comprehension level of the presented cybersecurity aspects. Secondly, a post-evaluation phishing campaign was conducted approximately four months after the webinar, addressing non-medical employees. The main goal was to identify security awareness weaknesses and assist in drafting targeted assessment campaigns specifically tailored to the health domain needs. This paper analyses in detail the results of the aforementioned approaches while also outlining the lessons learned along with the future scientific routes deriving from this research.
Journal Article
A Cybersecurity Culture Survey Targeting Healthcare Critical Infrastructures
by Gounaris, Konstantinos; Georgiadou, Anna; Marin, Sergiu
in Coronaviruses, COVID-19, Cybercrime
2022
Recent studies report that cybersecurity breaches noticed in hospitals are associated with low levels of personnel’s cybersecurity awareness. This work aims to assess the cybersecurity culture in healthcare institutions from middle- to low-income EU countries. The evaluation process was designed and performed via anonymous online surveys targeting individually ICT (internet and communication technology) departments and healthcare professionals. The study was conducted in 2019 for a health region in Greece, with a significant number of hospitals and health centers, a large hospital in Portugal, and a medical clinic in Romania, with 53.6% and 6.71% response rates for the ICT and healthcare professionals, respectively. Its findings indicate the necessity of establishing individual cybersecurity departments to monitor assets and attitudes while underlining the importance of continuous security awareness training programs. The analysis of our results assists in comprehending the countermeasures, which have been implemented in the healthcare institutions, and consequently enhancing cybersecurity defense, while reducing the risk surface.
Journal Article
Developing a Culture of Cybersecurity
2024
In a prelude to the invasion of Ukraine in 2022, Russian hackers probed and attacked Ukrainian computer networks to find vulnerabilities and exfiltrate information that might be useful in future conflicts. In our previous article, we documented the most severe of these cyber espionage and sabotages, known as NotPetya in the case study “Cyberattack: The Maersk Global Supply Chain Meltdown.” Although technical factors were instrumental in the sophisticated success of NotPetya, less attention and scrutiny have been given to organizational failures and cultural shortcomings that opened the door for bad actors to threaten the viability of key businesses and infrastructure. As we broadened our investigation beyond NotPetya to include other cyberattacks and hacking incidents, we were able to find a consistent pattern of cultural failures linked to misaligned incentives, a disconnect between top management and technical personnel, and a general lack of awareness and engagement of the existential threat posed by cyberattacks.
Journal Article
Modelo de madurez de cultura organizacional de ciberseguridad para el sector financiero basado en buenas prácticas
by Sánchez, Daniel Alejandro González; Jaimes, Aixa Eileen Villamizar; González, Iván Andrés Delgado
in Continuous improvement, Corporate culture, Cybersecurity
2023
In search of competitiveness and the delivery of value for stakeholders, organizations not only develop a social purpose, generate benefits and optimize resources, but also manage their risks, including cyber, where organizations have been threatened due to the challenge of maintaining technical and management controls for their treatment. Under this scenario, they must not only cover technologies but also people as an integral part of the computer environment to be protected; for this reason, they must promote a culture of cybersecurity that contributes to risk mitigation and continuous improvement. The proposed model adopts a methodology that takes into account the selection of a set of factors that affect the cybersecurity culture of an organization, measures these factors from an assessment method that considers a series of attributes (indicators), and whose qualifications lead to the determination of a level of maturity. Such situations reveal the importance of cybersecurity for the financial sector. However, Tarafdar et al. (2014) indicate that multiple studies show that the most far-reaching and serious security failures are due not to the exploitation of technical vulnerabilities in the technology infrastructure but to inappropriate behavior caused by a lack of awareness among the employees who handle the information. Therefore, financial companies need to implement effective strategies for raising awareness and building an organizational culture in information security and cybersecurity.
Journal Article
Cybersecurity: A Concern of the Business, Not Just IT
by Sharp, Matthew K.; Lambros, Kyriakos P.
in Board of Directors cybersecurity risk oversight, Cybersecurity culture, Cybersecurity governance
2022
Cybersecurity: A Concern of the Business, Not Just IT. In Part 2, we will build upon Part 1 and introduce additional tools that transform cyber risk issues into enterprise risk dialogue. This chapter starts to break down the COSO framework. It lays the foundation for elevating cyber risk conversations to enterprise risk by focusing on the first two guiding principles of COSO:
Governance and Culture
Strategy and Objective Setting
At the end of this chapter, the case study relives one of the author's greatest regrets and warns of the consequences of failing to establish a robust governance structure.
Book Chapter