Understanding and Implementing a Culture of Cybersecurity

By Luis Emilio Alvarez-Dionisi, Ph.D. and Nelly Urrego-Baquero

The Nexus  |  Monday, 13 May 2019

Cultures have been studied by sociologists and anthropologists for a very long time. The fact that culture is an area of scientific study speaks to its importance and the need to understand culture and its impact on people and their behaviors. Now, culture is a hot topic among senior management and many IT and auditing enterprises worldwide due to market globalization, the massive use of the Internet for everything from buying to banking to socializing, and the constant evolution of technology. And it is well-documented that cybersecurity culture is well worth understanding, improving and implementing.

Cybersecurity Culture

The main objective of cybersecurity is to protect “information assets by addressing threats to information processed, stored, and transported by internetworked information systems.”1

Cybersecurity culture is “the knowledge, beliefs, perceptions, attitudes, assumptions, norms and values of people regarding cybersecurity and how they manifest themselves in people’s behavior with information technologies.”2 In reality, the main objective of cybersecurity culture is to develop and implement a cybersecurity culture ecosystem to support cybersecurity. Sharing the experience of establishing an advanced social and psychological groundwork may help support cybersecurity.

The need to address cybersecurity technology and processes requires having previously developed a cybersecurity culture. Having a cybersecurity culture is a dynamic process that demands continuous attention. Initially, organizations can use project management to implement a cybersecurity culture. Once the groundwork for a cybersecurity culture has been established, the organization can convert cybersecurity culture into an ongoing operation for the enterprise.

A Strategic Decision About Cybersecurity Culture

Deploying cybersecurity culture requires the board of directors and senior management to decide to support and enable a cybersecurity shield to mitigate the risk associated with cyberattacks. As a result, enterprises should answer the following question: "Should we develop and implement a cybersecurity culture to reinforce cyberprotection of our organization?"

Perhaps such a question needs to be evaluated by senior executives who manage cybersecurity projects. These executives must also assess whether the development and implementation of a cybersecurity culture should be done before establishing cybersecurity technology and processes.

Propelling Cybersecurity With a Cybersecurity Culture Ecosystem

Because people are considered the weakest link in the cybersecurity chain, they must be encouraged to increase their cybersecurity awareness and attend appropriate cybersecurity education3 and training programs.

Importance of Cybersecurity Culture

Implementing a cybersecurity culture enables:

  • Empowering people—Cybersecurity culture empowers people with the sociological and psychological skills that are required to work with cybersecurity technology and processes.
  • Projecting cybersecurity meaning—Within the enterprise, the importance of the people, technology and processes of cybersecurity is understood. The consequences of ignoring cybersecurity's technological and financial risk are addressed.
  • Establishing stakeholder partnership and collaboration of key players—A network of cybersecurity stakeholders is defined and managed. Stakeholders include employees, managers, government agencies, senior executives, boards of directors, technology providers, consulting providers, and education and training providers.
  • Providing an education and training road map—An appropriate education and training program that encompasses the people, technology and processes of cybersecurity is integrated and delivered.

As a result, the cybersecurity culture ecosystem should be developed and implemented before cybersecurity technology and processes.

Editor’s Note

This article is excerpted from an article that appeared in the ISACA Journal. Read Luis Emilio Alvarez-Dionisi’s and Nelly Urrego-Baquero’s full article, “Implementing a Cybersecurity Culture,” in volume 2, 2019, of the ISACA Journal.

Luis Emilio Alvarez-Dionisi, Ph.D.

Is a professor of artificial intelligence (AI), machine learning and deep learning. He is an international management consultant with extensive experience working with chief executive officers, boards of directors and senior management in Fortune 500 companies. He has advised numerous organizations worldwide, including Intel, IBM, Merck, Chevron, Isuzu, Smiths Detection, the Beijing 2008 Olympic Games and the Government of Singapore Investment Corporation (GIC) on project, program and portfolio management. Alvarez-Dionisi’s research work focuses on global project management trends, agile project management, AI, cybersecurity culture, chatbots for business, engineering robotics, big data applications, IT governance and medical information systems. He can be reached at dr.luis.alvarez@outlook.com.

Nelly Urrego-Baquero

Is an electronic engineer and IT researcher with broad management experience in operation and project management. She is a former director of a satellite communication system. Similarly, Urrego-Baquero was in charge of a mobile systems’ division for tracking vehicles for the South American region. She was also in charge of setting up the infrastructure framework for a military mobile data center in South America. Her research focus is on the Internet of Things (IoT), project management, cybersecurity, IT risk management and digital business. She can be reached at n.urregobaquero@audencia.com and nurrego@gmail.com.


1 ISACA, Cybersecurity Fundamentals Glossary, USA, 2016
2 European Union Agency for Network and Information Security (ENISA), Cyber Security Culture in Organizations, Greece, 2017
3 Gcaza, N.; R. von Solms; “Cybersecurity Culture: An Ill-Defined Problem,” Nelson Mandela Metropolitan University, Port Elizabeth, South Africa, 2017, p. 1-12