A cyber security culture framework for assessing organisation readiness

This paper presents a cyber-security culture framework for assessing and evaluating the current security readiness of an organization’s workforce. Having conducted a thorough review of the most commonly used security frameworks, it identifies core security human-related elements and classifies them by constructing a domain agnostic security model. It then proceeds by presenting in detail each component of the model and attempt to quantify them in order to achieve a feasible assessment methodology. The paper thereafter presents the application of this methodology for the design and development of a security culture evaluation tool, that offers recommendations and alternative approaches to workforce training programs and techniques. The model has been designed to easily adapt on various application domains while focusing on their unique characteristics. The paper concludes on applications of our instrument on security-critical domains, and its contribution to current research by providing deeper insights regarding the human factor in cybersecurity.