Cybersecurity Culture

Author Name: Maheen Shafeeq | 03 Nov 2021 | Cyber

Cyberattacks have become an increasing concern due to their growing sophistication and high-profile targets. In terms of sophistication, the most impactful cyberattacks according to Cisco are ransomware and spyware attacks, the sending of fraudulent links that appear to be reputable, man-in-the-middle attacks (also known as eavesdropping attacks), denial-of-service attacks, and zero-day attacks that operate silently in the background. IBM’s intelligence report assessed the cyber threat landscape and concluded that, among these attacks, the number one threat is ransomware, which enabled one ransomware gang to make profits of over USD 123 million in 2020. While cyberattacks may leave a common person startled, high-profile attacks have stunned states as well. According to the Significant Cyber Incidents list published by the Center for Strategic & International Studies, even government agencies, defense and high-tech companies are not immune from cyberattacks. This indicates that the cyberattack industry is gaining strength day by day, which is alarming.

While states have attempted to develop countermeasures against cyberattacks, it seems as though the attackers and the states are playing a game of chess in which the former always make the first move and the latter always move second. In fact, states always seem to be playing catch-up. Nevertheless, attackers can be defeated by developing a robust and comprehensive cybersecurity culture. Such a culture entails policies, procedures, behaviours, attitudes, and norms that, when practiced consciously, can act as a wall of defense for private citizens, businesses and governments alike.

A cybersecurity culture could be implemented at four levels: international, national, institutional and personnel. At the international level, an effort needs to be initiated that brings together states for a dialogue on the best practices of a global cybersecurity culture. The aim of this international dialogue would be to develop standards, practices and guidelines that can be helpful in developing a cybersecurity culture.

At the state level, measures have to be adopted by governments according to the threat level. These initiatives would involve national policies, national cyber incident centers, cyber incident response teams, national cyber resources and databases, and aftermath evaluation teams that recommend ways to strengthen cybersecurity as per new updates, so that state practices can stay one step ahead. At the state level, the implementation of cybersecurity could also adopt a hybrid approach that combines centralized and decentralized cybersecurity. Such an approach would be beneficial as it would meet the security requirements of the various government facilities as per their needs. For instance, a military institution could follow a decentralized approach to enact extra precautions, while schools could follow a centralized cybersecurity culture approach as their computer systems store less critical data.

At the institutional level, a cybersecurity culture could be developed by the top management. Within this culture, institutions could draft institutional policies, procedures, roles and responsibilities, sanctions and rewards that make cybersecurity culture a standard practice for all employees. The standard practices would be adopted by the personnel if reinforced by the top management through training. However, this training should be practical rather than an annual PowerPoint presentation held for mere drilling or show. During these training sessions, personnel need to be reminded of the importance of cybersecurity threats and of what steps they need to take to develop a cybersecurity culture: for example, how to use personal computers or USBs at the workplace, how to log in to and log off from email securely, whom to report an incident to, and so on.

Cybersecurity culture can be made a habit by developing such behaviours at the organizational level. According to research, humans have two types of behaviour in an organization: in-role behaviours and extra-role behaviours. In-role behaviours comprise their official duties, while extra-role behaviours are dependent on their personality traits. In order to assess cybersecurity culture, extra-role behaviours could play an important role. This would entail the agreeableness, openness, and consciousness of the person to abide by the rules and regulations that need to be followed in order to have safe cybersecurity spaces within the organization. Furthermore, community norms and beliefs also determine the perception of personnel towards a healthy cybersecurity culture and how seriously they take it.

At the end of the day, a culture is defined by people. Similarly, a cybersecurity culture would also be defined by people taking precautions and showing responsibility towards the use of computer/IT systems. If these practices are developed, cyberattacks can be minimized or their impact can be reduced. 95% of cyber breaches take place due to human error. This demonstrates that, although proactive policies and measures are required at the international, national and institutional levels, it is individuals who can protect information systems by adopting a proactive cybersecurity culture.


Maheen Shafeeq is a researcher at the Centre for Aerospace and Security Studies (CASS), Islamabad, Pakistan. She holds a Master’s degree in International Relations from the University of Sheffield, UK. The article was first published in The Asian Telegraph. She can be reached at

Image Source: Shafeeq, M. 2021, "Cybersecurity Culture" The Asian Telegraph, 2 Nov.