Introducing cyber security intervention programmes does not guarantee success.
Organisations sometimes fail to obtain the desired results when implementing cyber security intervention programmes. This is because organisational culture, and the characteristics of that culture, are not understood well enough before the intervention programme is designed. The organisation then goes ahead and spends money on the intervention programme it sees fit, or on the one sold to it. The problem with this approach is that the intervention introduced may not be suitable for solving the cyber security problems that actually exist. Even when implemented over a long period, it fails to bring about a behaviour change among the subcultures of the different departments within the organisation.
Therefore, it is important to understand the organisation’s makeup in terms of its culture and characteristics.
This information about the organisation’s culture is crucial in informing the cyber security intervention programme to be implemented.
The intervention is expected to address the cyber security problems identified in the organisation. An informed decision about the choice of intervention and the implementation approach is more likely to be cost-effective.
However, this is not how things are usually done in organisations. The IT team and the relevant stakeholders may be aware of the cyber security challenges, such as poor phishing and password behaviours, as well as issues around compliance with cyber security policy. It is essential to address these problems effectively to avoid a situation in which attackers take advantage of the vulnerabilities that exist. This could lead to cyber security breaches that may prove costly and cause reputational damage. It could also result in job losses if the organisation is severely impacted.
Actions need to be taken fast. But oftentimes decision makers do not take the time to study or understand the type of organisation culture that exists before introducing solutions. I remember a comment made by a professor in an interview I conducted two years ago. As part of my PhD research, I explored behaviours and perceptions of Cyber Security Culture (CSC) in Higher Education Institutions (HEIs).
I was surprised to hear the professor say this: “To be quite honest, if the provost says to us one day, I want you all to be using this tool or that, we would just ignore him because we don’t have that same relationship, not to be disrespectful, but it just doesn’t work like that in a university.”
An observation from this comment is that the relationship and engagement between those who implement cyber security intervention programmes and the culture of the organisation are crucial.
Awareness of these critical points is necessary to implement a successful cyber security intervention.
The organisational culture can be classed into four types based on the degree of centralisation and formality in the organisation. This could determine the type of CSC that is seen in the organisation and can inform “how things are done” in such an organisation.
The four types of culture are the following:
In an autocratic power culture, the leaders make the major decisions and must be involved in implementing any change. Hence, leaders are needed to sponsor cyber security intervention programmes. Their involvement will ensure that employees approve and participate in any change introduced, including policy compliance.
A bureaucratic culture is characterised by a hierarchical structure, division of tasks, and formal rules and regulations. Employees follow the rules and regulations specified in job descriptions and policies and are less likely to question the specified requirements or expectations. Examples of organisations with a bureaucratic culture are banks and public sector organisations.
The matrix task-based culture is found in manufacturing organisations. It is characterised by planning and team effort. An approach such as project management is used in this sector, and as such, projects are easier to implement. Again, compliance with security policy expectations is less of an issue here.
In an anarchic individualistic culture, such as the culture present in an HEI or a law practice, individuals expect to be consulted before the organisation and its IT team make a decision and implement information security controls. Failure to involve them in decision-making may result in a lack of cooperation and non-compliance with cyber security expectations. This is why academics in HEIs resist the implementation of phishing exercises in their institution. Trust has also been damaged where phishing exercises have been implemented without carrying the academics along in the decision-making process.
In order to maintain a security-aware culture in organisations, the approach of implementing cyber security intervention is of prime importance. Organisations have to be aware of the type of culture that exists among the users so that an appropriate cyber security intervention programme can be tailored by experts to suit and address the challenges in the organisations.
This will ensure that the risk of cyber security incidents is kept to a minimum and that information assets are secure.