
CHAPTER FIVE: DISCUSSION

Results from research provide valuable information in terms of the influential factors of human behavior and what best practices are currently being used by other organizations to create a culture of cybersecurity. As mentioned in Chapter 2, the government is a highly desired target for cybercriminals and negligent behavior by employees has been seen to increase the risk of successful cyber-attacks and security incidents. Identifying the influential factors of human behavior and best practices provides the government with a starting point to build a strategy that targets those factors to create a positive change in their employees’ behaviors. Employees that do not meet the expectations of secure behavior and compliance can be poisonous to the government. For example, based on the influence of social proximity, poor behaviors can proliferate throughout the organization just as quickly as good ones when employees engage in non-compliance.

The case studies showed that the environmental and cognitive factors previously identified are associated with a strong cybersecurity culture and secure behavior. There is evidence suggesting that creating a culture focused on cybersecurity has an impact on employees’ performance, resulting in higher levels of compliance and ultimately stronger security. The case studies share similar implementation methods but also have their own unique methods, and each has been shown to be successful. Since the case studies did not have identical implementation methods, there is no single solution to the problem of secure behavior. These best practices can be incorporated into other strategies, along with other unique methods, and produce the same result. The collection of best practices is highlighted in Figure 5.1. The following section provides recommendations for the government based on the research results.

Figure 5.1 Best practices for developing a cybersecurity culture

Recommendations

Leadership Support

Gaining leadership support is the first step the government must take in order to have the best chance of success. It is likely that additional resources will need to be acquired, which may require new budgets and approval from leadership. Unsurprisingly, leadership tends to prioritize efforts that support its overall mission; if leaders do not see the value of developing a cybersecurity culture from a mission perspective, the initiative is likely to lose leadership support and the resources necessary to succeed. Thus, the requirement for a cybersecurity culture should be communicated in a way that adds value to the mission. For example, the DoD has a mission to protect the United States and deter war by providing military forces. With that comes a significant amount of sensitive data that, if compromised, could also compromise the mission and the integrity of our military. A cybersecurity culture can provide an environment where employees are constantly thinking about data protection and exercising secure behaviors. Doing so will help ensure the integrity, availability, and confidentiality of DoD assets so that they can continue supporting the mission with reduced risk.

Once leadership support is obtained, a top-down approach is likely to be best given the hierarchical structure and culture of the government. Leadership will need to be consistently involved and will need to communicate and express the importance of creating a cybersecurity culture down the chain of command. Subordinates are likely to engage when they observe the importance it has with leadership. Each department will need to determine what their role is and how they will engage in the creation of a cybersecurity culture. Doing so will make sure the culture spreads throughout the entire organization and stays consistent with supporting the mission. Since technology is not the only defense, leadership should communicate to every employee that they play a critical role in cybersecurity and are part of the solution. Doing so may help reinforce the importance of the requirement and encourage employees to behave accordingly.

Set Expectations

Following the top-down approach, behavioral expectations should be set for each department and hierarchical level of the organization. Expectations should be derived from policies and include the specific behaviors expected from each department employee. Oftentimes, departments have unique policies pertaining to their function, so a single set of expectations may not be applicable to the entire organization. However, expectations such as those for handling phishing emails can be set for the entire organization, since everyone typically uses email. Deriving expectations using the top-down approach can simplify the process and make it easier to determine which expectations apply to each function of the organization. Behavioral expectations should be communicated regularly by leadership and be made easily available to employees. This approach can help establish descriptive and subjective norms by setting expectations of approved behavior, which helps create a pattern of secure behavior and compliance.

Communicate

Communication is arguably one of the most critical pieces of this solution. As mentioned earlier, communicating the requirement to leadership is critical. It is also critical that the same message of importance is communicated throughout the organization so employees understand its significance and what their role is. A good communication strategy should involve several steps. First, information should be communicated in a language that everyone understands. The government employs both military and civilian personnel, who may use different vocabularies, so it will be important to find common ground when communicating the information. The information should describe how it relates to the employee and how their actions impact the organization in a positive way. The second step is to establish an internal website that consolidates policies, expected behaviors, and additional information so employees have easy access to everything in one place rather than having to gather information from multiple sources. This can reduce the effort required of employees and create an efficient way to seek information regarding cybersecurity and expectations. The website should allow employees to ask questions when they need additional information. The content on the website should remain aligned with the mission and be updated consistently to reflect the most relevant information.

Moreover, employees need to be able to recognize cybersecurity-related messages as important information from the cybersecurity function. One way to accomplish this is to insert a unique reference that is symbolic of cybersecurity, such as a cybersecurity logo, which is discussed further in the following section. Furthermore, leadership should encourage employees to discuss cybersecurity-related topics with their colleagues and start building a social environment around cybersecurity. As employees engage in cybersecurity discussion more often, cybersecurity may become a common cognitive process while employees also share valuable information with one another. Lastly, leadership should provide feedback to employees to inform them of their positive contributions to the mission. This can increase employee engagement and self-efficacy and lead to positive attitudes towards cybersecurity.

Cybersecurity Team

A cybersecurity team is necessary for the government and should consist of trained personnel who understand cybersecurity and the organization’s information systems. The team should not only be responsible for ensuring the systems are secure, but also help develop awareness activities, maintain the information on the cybersecurity hub, and develop content for cybersecurity messages. Furthermore, the team should increase its visibility by creating a logo or mascot that can be inserted into important messages related to cybersecurity. The brand should be designed so that it is unique to the cybersecurity team and allows for easy identification. The brand will allow employees to relate the message to cybersecurity and understand that it has significant value and is important to the organization. Examples of messages that should include the team’s branding are newsletters, flyers, training documents, and posters. Lastly, a champion network should be established across the government. Champions’ responsibility should be to help spread messages, encourage employee engagement, and ensure the organization as a whole is consistent in its efforts.

Educate

Training and education plans should be developed to close the knowledge gap employees have regarding cybersecurity and expected behaviors. Training should be offered at least once a year, and more frequently if negligent behavior is not decreasing. We have seen data showing that employees may forget what behaviors are expected, or how to perform them, when not engaged for some time. As the top-down approach is being used, specific training may be required for each department or group depending on its functions. Policy awareness should be included in the training to inform employees of expected behaviors and to provide a reference to the source documents so employees know which behavior is derived from which policy. Policy awareness has been seen to help increase secure behavior, since employees are aware of expected behaviors. To gain a consistent presence in cybersecurity, the government should regularly align internal campaigns with external campaigns. For example, each month can feature a unique campaign that spreads awareness of current and relevant information and encourages employees to participate in cybersecurity activities. Since the government requires employees to maintain the secrecy of specific information, a campaign can be developed that targets how employees can communicate effectively without unintentionally leaking information. Other campaigns can inform employees of current threats, how to identify them, and how to respond to them appropriately.

Measure Success

Establishing methods to measure the effectiveness of the cybersecurity culture is necessary to determine whether there have been positive impacts on the organization. Possible measures include employee engagement in related activities, compliance, number of incidents, and employee feedback. Surveys can be used to gather employee feedback, which can help leadership determine whether there has been a shift in employee attitudes, changes in employees’ self-efficacy, and changes in social norms. Identifying these levels can help target the specific hindering factors that are causing insecure behaviors and non-compliance. A reduction in security incidents, increased employee engagement, and positive feedback results may suggest that the cybersecurity culture is making a significant positive impact on the organization. The data can be used to seek additional funding to support the ongoing effort of sustaining the cybersecurity culture within the government.

Limitations

There are limitations to the study and the proposed solutions. Research barriers such as the key terms and repositories used throughout the study may have reduced the number of available resources. Access to a limited amount of research data may have restricted the discovery of additional SCT factors that are known to influence human behavior. Additionally, the recommendations were based on recent best practices, and it is possible that best practices will change over time.

It is important to note that SCT is not the only theory that can be applied to developing a cybersecurity culture. Attribution theory is another psychology-based theory that has been used to study why specific behaviors are motivated (Graham, 2020). Attributions have been found to motivate behaviors based on an individual’s perceived cause of the outcome; a rationale for the observed behavior after it occurred (Schunk & DiBenedetto, 2020). Effort and ability have been argued to be attributions of higher performance; individuals who exert more effort or have greater abilities will perform better than those who lack effort and ability (Schunk & DiBenedetto, 2020). However, SCT was chosen as the research guide because it helps discover influential factors that exist, or can exist, within organizational cultures by looking at the environmental and cognitive factors that lead employees to behave more securely.

Conclusion

The purpose of this research project was to discover best practices for developing a culture of cybersecurity, identify potential challenges, and use this information to provide recommendations for the government. Creating a culture of cybersecurity to influence secure behaviors has undoubtedly been challenging for many organizations, but it has been recognized as adding significant value to the organization. The results of this research offer valuable insight into the factors and methods that the government can adopt to develop a cybersecurity-focused culture of its own. There is no single solution that works for every organization, so it is important that the government considers its own environment and treats the recommendations provided as guidance to support its efforts. The government’s success will depend on the strategy of its execution, identifying the most effective ways to measure effectiveness, and gaining support from senior leadership. A successful cybersecurity culture implementation can strongly influence employees to engage in secure behaviors and may help mitigate future incidents.
