Projects / Programmes source: ARIS

Assessing and improving information security culture of essential service providers: Analysis of organisational factors in resilience against cyber threats

Research activity

Code Science Field Subfield
5.03.00  Social sciences  Sociology   

Code Science Field
5.04  Social Sciences  Sociology 
Keywords
information security, information security culture, resilience, information security behavior, behavioral infosec, organisation, essential service providers, socio-technical system, survey methodology, multilevel analysis, mixed methods
Evaluation (methodology)
source: COBISS
Points  3,982.77
A''  719.67
A'  1,379.25
A1/2  2,035.08
CI10  1,155
CImax  87
h10  20
A1  13.38
A3  0.21
Data for the last 5 years (citations for the last 10 years) on October 15, 2025; Data for score A3 calculation refer to period 2020-2024
Data for ARIS tenders (04.04.2019 – Programme tender, archive)
Database Linked records Citations Pure citations Average pure citations
WoS  55  587  521  9.47 
Scopus  76  786  694  9.13 
Organisations (2), Researchers (8)
0582  University of Ljubljana, Faculty of Social Sciences
No.  Code  Name and surname  Research area  Role  Period  No. of publications
1.  57331  Neža Geč    Technical associate  2023 
2.  23412  PhD Jelena Juvan  Political science  Researcher  2023 - 2025  386 
3.  52310  Maruška Nardoni  Sociology  Researcher  2023 - 2025  34 
4.  50571  PhD Špela Orehek  Sociology  Researcher  2023 - 2025  41 
5.  19074  PhD Gregor Petrič  Sociology  Head  2023 - 2025  284 
2131  University of Maribor Faculty of Criminal Justice
No.  Code  Name and surname  Research area  Role  Period  No. of publications
1.  16312  PhD Igor Bernik  Administrative and organisational sciences  Researcher  2024 - 2025  692 
2.  38302  PhD Kaja Prislan Mihelič  Administrative and organisational sciences  Researcher  2024  302 
3.  33190  PhD Simon Vrhovec  Administrative and organisational sciences  Researcher  2024 - 2025  221 
Abstract
Contemporary, increasingly digitalised society is inextricably linked to the constant use of information and communication technologies (ICTs), which is exposing individuals, organisations and countries to cyber threats. We are witnessing an exponential increase in cyber attacks worldwide, resulting in immense, even devastating financial, business, reputational and other losses. Given the finding that the large majority of cyber attacks on organisations are a result of human factors – employees being inattentive or practising the insecure use of ICTs – it has become clear that resilience against cyber threats cannot be achieved through technical means alone. Instead, we need to address the social science aspects of information security, which are inextricably connected to the technical tools and processes of information security. The narrative regarding the human layer of information security currently revolves around the concept of security awareness. This concept assumes that knowledge about information security will result in more careful behaviours of employees and better resilience against cyber threats. Industry statistics and research show that this type of approach has limited value. The field obviously needs to go beyond simplified psychological models. In recent years, the concept of information security culture (ISC) has started to gain attention both in academia and industry. ISC refers to the formation of appropriate information security beliefs and values that guide employees in their use of ICT, as well as the establishment of an organisational environment that is resilient to cyber threats. However, this definition is somewhat limited for research purposes, as it lacks explanatory mechanisms for linking the socio-technical properties of organisations with organisational communication and management processes, with individual behaviour as the key dependent variable. 
The field understands ISC in very different ways and frequently fails to offer clear definitions, which poses issues for getting reliable results in research. This project builds on the assumption that a good ISC is the best human firewall that an organisation can build to resist cyber threats. The main purpose of the project is to build a revised model of ISC on the basis of which it will be possible to make an assessment of resilience against cyber threats and make recommendations to improve it. Under the renewed EU directive on information security (NIS2), organisations that are categorised as essential service providers (more than 400 in Slovenia) will need to regularly assess their resilience against cyber threats. Measuring and assessing ISC will thus become a necessity for these organisations. Providing tools to carry out a high-quality assessment of ISC and guidelines is one of the major aims of this project. Specifically, the project will pursue the following objectives: Build an organisational, situation-specific socio-technical model of ISC that combines organisational factors, technological artefacts and information security behaviour into an explanatory model; Build a methodological apparatus for valid and reliable measurement of ISC in essential service provider organisations; Provide assessment of ISC among essential service providers in Slovenia; Develop a set of recommendations for improving the ISC of essential service providers. The project will pursue theoretically grounded research that will result in a revised conceptualisation of ISC. This research will also be used for the project’s applicative objectives, which are to conduct an assessment of ISC among essential service providers and to develop a set of recommendations. 
The latter two objectives are important for the Government Information Security Office of the Republic of Slovenia, the project’s co-financier, which will use the project deliverables to facilitate the implementation of the new NIS2 at the national level.