While the creation of a strong security culture has been researched and discussed for decades, it continues to elude many businesses. Part of the challenge is distilling pertinent, recent academic findings and research into useful guidance. In this article, we aim to tackle this issue by conducting a state-of-the-art study of organisational cyber security culture research. This work investigates four questions: how cyber security culture is defined, what factors are essential to building and maintaining such a culture, which frameworks have been proposed to cultivate a security culture, and which metrics have been suggested to assess it. Through the application of the PRISMA systematic literature review technique, we identify and analyse 58 research articles from the last 10 years (2010-2020). Our findings demonstrate that while there have been notable changes in the use of terms (e.g., information security culture and cyber security culture), many of the most influential factors across papers are similar. Top management support, policy and procedures, and awareness, for instance, are critical in engendering cyber security culture. Many of the frameworks reviewed revealed common foundations, with organisational culture playing a substantial role in crafting appropriate cyber security culture models. Questionnaires and surveys are the most commonly used tools for measuring cyber security culture, but there are also concerns as to whether more dynamic measures are needed. For practitioners, this article highlights factors and models essential to the creation and management of a robust security culture. For research, we produce an up-to-date characterisation of the field and also define open issues deserving of further attention, such as the role of change management processes and national culture in an enterprise's cyber security culture.