| dc.description.abstract | Despite significant technological advancements and the increasing sophistication of cyber- attacks in today’s modern society, organizations underestimate the human link in cybersecu- rity. Many still overlook that human behavior and decision-making are crucial in protecting sensitive information and mitigating risks. Organizations seemingly prioritize investigating time and resources into improving their technological cybersecurity measures rather than increasing the employees’ cybersecurity knowledge. These actions significantly impact the cybersecurity culture of the company.
Cybersecurity culture refers to the shared values, beliefs, and actions of the employees in an organization that emphasize the importance of safeguarding digital assets, data, and systems against cyber threats. It encompasses the organization’s dedication, awareness, protocols, and ability to manage cybersecurity risks and promote a security-focused environment. Re- cent studies have primarily focused on discussing cybersecurity culture as a singular concept within an organization.
This qualitative research aims to investigate the impact of cybersecurity subcultures within organizations. A systematic literature review was conducted to gain an overview of the existing theoretical background on cybersecurity subcultures. This process proved that there is a research gap in the topic of subcultures, as most of the current literature encompasses cybersecurity culture as a collective concept. Data was collected through semi-structured interviews with ten employees from two IT companies. Cybersecurity leaders from each company agreed that the sales and IT subcultures had the most significant differences; hence, employees from each subculture in both companies were interviewed.
The results prove that the security leaders’ suspicions were correct. The sales subcultures need to gain more knowledge about cybersecurity. Cybersecurity measures are seen more as obstacles instead of improving their cybersecurity. There is also a significant need for more responsibility. They believe that someone better qualified will take care of their mistakes if they cause a cybersecurity incident. On the other hand, the IT subculture seems to understand cybersecurity better. They have comprehensive knowledge of the topic. However, they also share this uncertainty regarding responsibilities, stating they feel pressured to share their expertise with colleagues. This leaves them with limited time to complete their actual work tasks. They point to a lack of management responsibility as one of the critical reasons for this.
This research sheds light on cybersecurity subcultures and challenges the notion that orga- nizations have only one cybersecurity culture. Organizations need to allocate their time and resources differently and acknowledge the significance of subcultures in maintaining overall cybersecurity. The findings and insights are meant to assist organizations in enhancing their cybersecurity operations and protocols. | |
