Article Preview
TopDefining Cyber Security Culture
“Culture” is put to many different uses in research and discussion. Just looking at mentions of “Army culture,” one can easily find examples of “culture” being used as shorthand for training and doctrine (Marquez, 2008); to refer to doctrine, organization, and promotion criteria (Campbell, 2007); or to describe other, wholly different concepts.
For our working definition of cyber security culture, we draw on two sources. First, the literature on organizational culture, which fairly uniformly follows Edgar Schein (1992) in defining culture as “[a] pattern of shared basic assumptions that the group learned as it solved its problems of external adaptation and internal integration, that has worked well enough to be considered valid and, therefore, to be taught to new members as the correct way to perceive, think, and feel in relation to those problems” (p. 12).
Second, we draw on the literature on information security, which considers a security culture to be something that is either present or absent in an organization, instead of talking about culture broadly as something that exists and has different features or content depending on the context. For example, Schlienger and Teufel (2003) define an information security culture as something that “should support all activities in such a way that information security becomes a natural aspect in the daily activities of every employee. Security Culture helps to build the necessary trust between the different actors” (p. 405).
Synthesizing these two approaches to discussing culture, throughout this discussion we define an Army cyber security culture as follows: “A pattern of shared basic assumptions that supports information security becoming a natural aspect of the daily activities of all Army personnel who operate in cyberspace.”
Why Pursue an Army Cyber Security Culture?
There is broad consensus that organizational improvement hinges heavily on effective culture change (Cameron & Quinn, 2006; O’Donovan, 2006). This consensus clearly extends to the area of information security (Rotvold, 2008). As van Niekerk and von Solms (2009) note, “It has become widely accepted that the establishment of an organizational sub-culture of information security is key to managing the human factors involved in information security” (p. 1).
Interest in improving cyber security through changes in organizational culture or the creation of a cyber security culture extends to the U.S. Department of Defense. In 2009, Deputy Defense Secretary William Lynn II indicated in his remarks at a conference that in order to meet cyber threats, DoD must make changes in the “three C’s—culture, capability, and command” (Chabrow, 2009, p. 1).
The emphasis on culture as an aspect of cyber security stems primarily from one of the persistent sources of network vulnerability, the “human dimension.” Numerous studies point out human behavioral vulnerabilities in cyber security (Rotvold, 2008; Rowe, 2008; van Niekerk & von Solms, 2005). It follows, then, that if the human dimension (users) is a significant source of cyber vulnerability, creating a culture by which a pattern of shared basic assumptions supports information security becoming a natural aspect of the daily activities of all Army personnel who operate in cyberspace is a step toward a solution.