A Cyber-Security Culture Framework for Assessing Organization Readiness

This paper presents a cyber-security culture framework for assessing and evaluating the current security readiness of an organization's workforce. Having conducted a thorough review of the most commonly used security frameworks, we identify core security human-related elements and classify them by constructing a domain agnostic security model. We then proceed by presenting in detail each component of our model and attempt to quantify them in order to achieve a feasible assessment methodology. The paper thereafter presents the application of this methodology for the design and development of a security culture evaluation tool, that offers recommendations and alternative approaches to workforce training programs and techniques. The model has been designed to easily adapt on various application domains while focusing on their unique characteristics. The paper concludes on applications of our instrument on security-critical domains, and its contribution to current research by providing deeper insights regarding the human factor in cybersecurity.