Cybersecurity Culture (CSC) Overview
- Cybersecurity Culture is the set of shared values, beliefs, practices, and behaviors that shape how organizations secure digital assets.
- Research highlights its multi-dimensional nature, aligning human cognition, organizational policies, and technical controls to support effective security.
- Assessment methods combine surveys, questionnaires, and mixed-method approaches to measure both self-reported attitudes and observable security behaviors.
Searching arXiv for the cited CSC papers and closely related work. Cybersecurity Culture (CSC) denotes the shared values, conventions, practices, knowledge, beliefs, attitudes, perceptions, and behaviours through which cybersecurity is interpreted and enacted in organizations. Across the literature, it is treated as broader than awareness alone and broader than compliance alone: it shapes how policies, procedures, training, technical controls, reporting channels, and everyday routines actually work in practice. Recent work also treats CSC as an organizational condition that influences “the deployment and effectiveness of the cybersecurity management resources, policies, practices and procedures,” while remaining deeply dependent on human cognition, organizational realities, and the surrounding work environment (Georgiadou et al., 2020, Uchendu et al., 2021, Bach et al., 12 Jun 2026, Kürtz, 9 Mar 2026).
1. Definition and conceptual scope
There is no universally agreed definition of cyber security culture, information security culture, or security culture. A PRISMA-based review of 58 papers from 2010 to August 2020 found recurring definitional elements—values, attitudes, beliefs, assumptions, perceptions, behavior, and the protection of organizational assets—while also showing that terminology remains fragmented. In that review, “information security culture” remained the dominant term, with 42 papers, compared with 10 on “cyber security culture” and 7 on “security culture,” even though later work increasingly widened the scope from protecting information to addressing privacy, human behavior in cyberspace, organizational posture, and broader socio-technical risk (Uchendu et al., 2021).
Several strands of research place CSC explicitly inside organizational culture theory. Dhillon’s formulation emphasized human attributes such as behaviors, attitudes, and values; Martins and Eloff emphasized assumptions, perceptions, and attitudes embedded in “the way things are done”; and later work treated security culture as a subculture of organizational culture. One enterprise-scale study, drawing on Berger and Luckmann together with Schein’s three-layer model, characterized CSC through artefacts, espoused values, and deeper assumptions, so that visible practices such as locking a workstation, explicit beliefs such as rejecting password sharing, and deeper assumptions about acceptable conduct are all part of the same cultural formation (Bach et al., 12 Jun 2026).
A complementary line of work treats CSC as an overarching organizational theme rather than a narrow variable. A review of everyday cyber security in organisations identified four behavioural sets—compliance with security policy, intergroup coordination and communication, phishing/email behaviour, and password behaviour—and argued that security culture overlaps with and frames all four (Ertan et al., 2020). Another integrative model placed “culture in the organization or social group with regard to cybersecurity” alongside awareness, norms and regulations, role, motivation, skills, usability, agency, situation, and behavior. In that account, culture includes leadership, security and error culture, visibility of role models, knowledge sharing, and perceived coercion or voluntariness, which makes CSC an environmental and causal driver rather than a mere backdrop (Kürtz, 9 Mar 2026).
2. Constituent dimensions and mechanisms
Operationalizations of CSC vary, but they converge on the claim that cyber performance emerges from interacting organizational and individual dimensions. A crisis-oriented framework for critical infrastructures organized CSC into two levels, organizational and individual, further analyzed into 10 dimensions, 52 domains, and more than 500 controls. The organizational level comprised Assets, Continuity, Access and Trust, Operations, Defense, and Security Governance; the individual level comprised Attitude, Awareness, Behaviour, and Competency. In this formulation, CSC spans network infrastructure, business continuity, access management, communication, malware defense, training, employee climate, policy awareness, security behaviour, and skills evaluation (Georgiadou et al., 2021).
Other models compress the construct differently but preserve the same breadth. One global organisational assessment used nine CSC dimensions—Password Management, Email Use, Internet Use, Social Media Use, Mobile Devices, Incident Reporting, Integrity, Governance, and Leadership—while a mixed-methods pilot in a safety-critical industrial organisation used eight dimensions plus a standalone priority item on whether the business area had prioritized raising cybersecurity awareness in the past year (Bach et al., 12 Jun 2026, Bach et al., 28 Aug 2025). These variants differ in granularity, but all treat CSC as multi-dimensional and explicitly organizational.
The incident-response literature makes the same point through a maturity lens. One study defined seven socio-organisational capability areas—risk management, incident handling best practices, training and awareness, adequate staffing, information security governance, internal and external communication, and information security culture—and showed that lower maturity is associated with ad hoc, reactive, inconsistent, and improvised response, whereas higher maturity is associated with documented, communicated, measured, proactive, and continuously improved practices. Common weaknesses included inadequate training, poor communication, lack of coordination, weak governance, inadequate staffing, and insufficient preparedness; best practices included regular training programs, clear communication protocols, and well-documented response procedures (Gulay et al., 2024).
At the mechanism level, CSC is repeatedly tied to leadership, policy and procedures, awareness and training, communication, accountability, trust, and change management. The literature review of organizational CSC found top management support in 34 studies, policy and procedures in 27, awareness in 24, and training in 21. The same review also highlighted trust, motivation, security champions, rewards and sanctions, and national culture as recurring factors, while stressing that CSC cannot be “plug and play” because it must align with wider organizational culture and actual work practices (Uchendu et al., 2021).
3. Assessment and measurement
Assessment research is dominated by questionnaires and surveys. The 58-paper review found that questionnaires and surveys are the most used tools for measuring CSC, but also argued that they capture knowledge, awareness, perceptions, and self-reported attitudes more readily than actual behavior over time, which is why the field continues to call for more dynamic and mixed-method approaches (Uchendu et al., 2021).
A prominent example is the critical-infrastructure survey designed during COVID-19. It reduced a framework of 10 dimensions, 52 domains, and 500+ controls to a short questionnaire of no more than 23 questions, depending on branching. Questions Q1–Q10 targeted the organizational level to “heartbeat the overall technological and security readiness and adaptability,” Q11–Q12 targeted the individual level to probe security behaviour, attitude and competency, Q13–Q16 gathered demographic and profile information, and Q17 was a comments field. The instrument was explicitly intended as a pulse-check rather than an in-depth information security assessment, and its contribution lay in linking each question back to specific dimensions and domains of the underlying CSC framework (Georgiadou et al., 2020).
Large-scale enterprise assessment has moved further toward scalable benchmarking. In one global organisation supporting safety-critical and critical-infrastructure sectors, a survey was sent to all internal and external employees in a sampling frame of , with responses, yielding a 30.75% response rate. The questionnaire used a 5-point Likert scale and assessed nine CSC dimensions; analysis relied on Shapiro–Wilk normality checks, Kruskal–Wallis tests, Dunn’s post hoc comparisons, Holm correction, and rank-based effect sizes. The reported Cronbach’s alpha values were low to moderate, which the authors framed as a pragmatic tradeoff required by industrial constraints and the need to keep the survey short (Bach et al., 12 Jun 2026).
Mixed-methods assessment can expose what survey benchmarks miss. In a pilot study of a global safety-critical organisation, the survey contained 62 substantive items across eight dimensions, followed by 30 semi-structured interviews across two countries chosen for contrasting phishing simulation performance. The overall CSC profiles were similar, but the interviews revealed that both countries’ employees strongly associated cybersecurity with phishing, often lacked clarity on how to handle non-phishing incidents, and relied on line managers as default contacts while remaining uncertain about follow-up. The study therefore showed that high phishing awareness does not, by itself, demonstrate broad CSC maturity (Bach et al., 28 Aug 2025).
The strongest methodological challenge concerns behavior. An empirical analysis of 37,075 records combined self-reported security behaviours across the EU with observed phishing-related behaviours from security awareness training programmes, arguing that actual secure behaviour should be studied directly rather than inferred from intention or awareness alone. In that work, contextual antecedents at national, industry, and organisational levels were modeled alongside individual variables, making CSC measurable not only as opinion but as observable action (Bruin et al., 2024).
4. Contextual variation across sectors, demographics, and regions
CSC is not uniform across national cultures, industries, organization types, or workforce groups. The 37,075-record empirical analysis identified national culture, industry type, and organisational security culture as influential variables at contextual level, while demographics and security-specific variables operated at individual level. The study’s practical implication was explicit: organisations can tailor security training, awareness efforts, and policy communication according to group susceptibility and national culture characteristics (Bruin et al., 2024).
Demographic variation also appears within single enterprises. In the 6,502-response global organisational study, CSC was broadly consistent across the organisation, yet significant demographic differences appeared across all dimensions, with mostly small and occasionally moderate effects. Full-time, internal, permanent, older employees, Merge and Acquisition recruits, and line managers consistently scored higher across multiple dimensions; part-time, younger, external employees, and those with 6 to 20 years of tenure often scored lower. The authors interpreted higher-scoring groups as possible “CSC carriers” and lower-scoring groups as candidates for tailored improvement measures (Bach et al., 12 Jun 2026).
SME research shows a different cultural profile. A survey of 130 organisations in Iceland, including public and private organisations and critical infrastructure providers, found that management strongly emphasized human factors as cybersecurity challenges. Reported barriers included lack of adequate training or awareness, hiring issues, poor cybersecurity culture, and time and/or financial resource constraints. Only 27% of organisations reported mandatory cybersecurity awareness training in the past year, 68% said no such training had been offered, and 83% said they had not hired or attempted to hire professionals with cybersecurity skills in the past year. The paper recommended targeted rather than generic training, external government support for financially constrained organisations, and constructive communication around shared responsibilities (Cicėnaitė et al., 1 Jun 2026).
Critical-infrastructure and regional studies add further variation. The COVID-era survey work emphasized that living routine was seriously disturbed and working reality fundamentally affected, which made remote-work readiness, endpoint management, employer-issued guidelines, and employee support central indicators of CSC in essential services (Georgiadou et al., 2020). A later study of organisations in Inner Scandinavia similarly treated readiness as shaped by awareness, leadership attention, training continuity, and the distinction between organisational security and product security, stressing that organizations need role-specific and continuous competence development rather than one-off awareness (Fischer-Hübner et al., 8 Oct 2025).
Inclusion research broadens the picture beyond established enterprise environments. A design study with eight participants aged 16–30 from the Gambia, Eritrea, and Syria found that the influence of culture and social constructs, literacy and language competence, the way of introducing cybersecurity terms and concepts, and the need for reflection are essential when designing cybersecurity awareness solutions for young people in developing-country contexts. That work implies that CSC cannot be transplanted intact across settings; it must be made culturally legible, linguistically accessible, and reflective if it is to become behaviour (Quayyum et al., 2023).
5. Operational roles in incident response, governance, and organisational design
One of the most consequential developments in CSC research is its move from background explanation to operational decision support. The incident-prioritisation study on incident response maturity proposed a five-step process in which organisations first assess socio-organisational maturity across seven areas, then use the output to inform incident prioritisation. The core logic is that lower capability increases incident urgency: if training, communication, staffing, governance, and culture are weak, then the same technical incident should be treated as higher priority because the organisation is less able to cope. In this formulation, culture influences operational risk in real time rather than merely shaping long-run resilience (Gulay et al., 2024).
CSC also appears in the design of security architectures. A socio-technical analysis of Zero Trust Architecture argued that “never trust, always verify” can alter the meaning environment of work by signaling institutional distrust. The study claimed that ZTA may disrupt knowledge-sharing, disproportionately hinder low-altruism employees, and allow surveillance to erode collective psychological ownership, thereby creating fragmentation risks in networked organizations. Proposed mitigations included adaptive authorization frameworks using behavioral analytics, transparent communication that reframes security as shared responsibility, participatory security design, and social network mapping to preserve trust pathways (Oladimeji, 20 Apr 2025).
The leadership literature exposes a symbolic layer of CSC. In an interview study with 15 CISOs and six senior organisational leaders, cyber security was described as an expert system that appears mystical, unknown, and fearful to the uninitiated, positioning the CISO as a modern-day soothsayer for senior management. The paper argued that threat narratives, standards, executive war games, and public reference to the CISO role contribute to organizational identity work, while also creating conditions for “cyber sophistry,” namely self-serving rhetorical exploitation of interpretive authority. CSC, in this account, includes who gets to define cyber reality, how fear is mobilized, and whether security becomes collaborative or alienated (Silva et al., 2022).
Strategic and sectoral work further embeds CSC into governance. A multidimensional strategic-foresight framework treated the Cultural domain as one of six cybersecurity domains—Physical, Cultural, Economic, Social, Political, and Cyber—and characterized it as dealing with people, cognition, mental models, communities, groups, national and organisational shared values, behaviors, and practices. A value-driven innovation framework for transportation and infrastructure likewise sought to foster a culture of self-innovation and continuous improvement in which cybersecurity acts as a business enabler, supported by a repeatable governance process and a Cybersecurity Innovation Value Proposition Score across six dimensions: Revenue Enhancement Potential, Cost Efficiency Potential, Operational Efficiency Potential, Risk Mitigation Potential, Trust Building Potential, and Strategic Alignment (Onwubiko et al., 2022, Alevizos et al., 2024).
6. Debates, limitations, and research directions
The field remains marked by definitional and methodological debate. Reviews of both CSC and everyday organizational cyber behaviour emphasize that security culture is a contested concept with no consensus definition, and that most measurement still relies on questionnaires rather than strong behavioural or longitudinal evidence. This leaves unresolved how best to connect culture, awareness, compliance, usability, and actual behavior, as well as how to benchmark change over time (Uchendu et al., 2021, Ertan et al., 2020).
A recurring controversy concerns the awareness–behavior gap. A study of CS, IT/Cybersecurity, and non-CS students reported that users were alert to cyber threats but often took only the most elementary and easy-to-implement precautions, while technical specialization did not guarantee stronger security habits. In enterprise research, training volume also did not consistently predict stronger observed secure behaviour, even where awareness and knowledge variables were positively associated with it. These findings suggest that CSC cannot be reduced to knowledge acquisition; it also depends on routines, incentives, usability, and contextual reinforcement (Kshetri et al., 2023, Bruin et al., 2024).
Intervention design is another unresolved area. The Icelandic SME study warned that generic or poorly designed phishing simulations may fail to produce lasting behavioural change and can even backfire by creating annoyance, fatigue, stress, mistrust, and lower self-efficacy. The safety-critical industrial pilot showed the complementary problem that phishing can become too dominant within CSC discourse, leaving employees unclear about non-phishing incidents, escalation routes, and follow-up processes. Both findings point toward more targeted, role-relevant, and context-sensitive interventions (Cicėnaitė et al., 1 Jun 2026, Bach et al., 28 Aug 2025).
Trust is perhaps the sharpest conceptual fault line. Zero Trust work argues that verification-heavy security can damage collaboration, knowledge sharing, and psychological ownership if it is interpreted as suspicion rather than shared protection. Organizational behavior models likewise distinguish security culture from both awareness and usability, arguing that strong culture may in principle compensate for lower individual awareness but only when norms, roles, agency, and practical workflow conditions align. A plausible implication is that future CSC research will increasingly focus on calibration problems: how to combine verification, accountability, autonomy, and trust without collapsing into either laxity or surveillance (Oladimeji, 20 Apr 2025, Kürtz, 9 Mar 2026).
Open issues repeatedly identified across the literature include change management, national culture, real-world validation of frameworks, more dynamic and behavioral measures, and more explicit links between maturity assessment and operational decisions. In the incident-prioritisation literature, detailed methodologies that convert maturity assessment outputs into quantitative incident-prioritisation metrics are still described as sparse. In the broader CSC literature, the most consistent conclusion is that robust cybersecurity culture depends on leadership, embedded norms, informed and supported employees, workable policies, and sustained organizational change rather than on technology or awareness campaigns alone (Gulay et al., 2024, Uchendu et al., 2021).