Papers
Topics
Authors
Recent
Search
2000 character limit reached

When technology is not enough: Insights from a pilot cybersecurity culture assessment in a safety-critical industrial organisation

Published 28 Aug 2025 in cs.CY | (2508.20811v1)

Abstract: As cyber threats increasingly exploit human behaviour, technical controls alone cannot ensure organisational cybersecurity (CS). Strengthening cybersecurity culture (CSC) is vital in safety-critical industries, yet empirical research in real-world industrial setttings is scarce. This paper addresses this gap through a pilot mixed-methods CSC assessment in a global safety-critical organisation. We examined employees' CS knowledge, attitudes, behaviours, and organisational factors shaping them. A survey and semi-structured interviews were conducted at a global organisation in safety-critical industries, across two countries chosen for contrasting phishing simulation performance: Country 1 stronger, Country 2 weaker. In Country 1, 258 employees were invited (67%), in Country 2, 113 were invited (30%). Interviews included 20 and 10 participants respectively. Overall CSC profiles were similar but revealed distinct challenges. Both showed strong phishing awareness and prioritised CS, yet most viewed phishing as the main risk and lacked clarity on handling other incidents. Line managers were default contacts, but follow-up on reported concerns was unclear. Participants emphasized aligning CS expectations with job relevance and workflows. Key contributors to differences emerged: Country 1 had external employees with limited access to CS training and policies, highlighting monitoring gaps. In Country 2, low survey response stemmed from a "no-link in email" policy. While this policy may have boosted phishing performance, it also underscored inconsistencies in CS practices. Findings show that resilient CSC requires leadership involvement, targeted communication, tailored measures, policy-practice alignment, and regular assessments. Embedding these into strategy complements technical defences and strengthens sustainable CS in safety-critical settings.

Summary

No one has generated a summary of this paper yet.

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Continue Learning

We haven't generated follow-up questions for this paper yet.

Collections

Sign up for free to add this paper to one or more collections.