Proceedings of the 52nd Hawaii International Conference on System Sciences | 2019

For What Technology Can’t Fix:

Building a Model of Organizational Cybersecurity Culture
Keman Huang Keri Pearlson
Cybersecurity at MIT Sloan, MIT Cybersecurity at MIT Sloan, MIT
[email protected] [email protected]

Abstract employee behavior and increases cyber resilience. A

culture of cybersecurity underlies the practices, policies
Organizational cybersecurity requires more than and “unwritten rules” that employees use when they
just the latest technology. To secure an organization, carry out their daily activities. The Chief Information
all members of the organization must act to reduce risk. Security Officer (CISO) at Liberty Mutual, explained
Leaders have a special responsibility to understand, why he felt the need to invest in a culture of
shape and align the beliefs, values, and attitudes of the cybersecurity: “it only takes one mistake from an
entire organization with overall security goals. employee clicking a wrong link or email to erase all the
Managers need practical solutions for dealing with the good work done by our professionals. Since a hacker
human side of cybersecurity. The model presented in can potentially go wherever they want once they are
this paper describes organizational cybersecurity inside our systems, they can potentially compromise
culture, the factors that contribute to its creation, and our entire investment.”[4] The global director,
how it can be measured. A case study of a “culture of enterprise security and risk management at Johnson &
data protection” created by leaders at financial Johnson said “When I took over this role, the first thing
services firm Liberty Mutual illustrates these factors to I asked is 'what's the [people and culture] strategy that
help managers understand and apply recommendations we've been following?”[5] Creating a cyber-resilient
to create a more mature cyber security culture in their culture within an organization to mitigate this
organization. “weakest link” is on the executive agenda [3] .
However, though cybersecurity culture has a
profound impact on risk, it can be difficult to identify,
1. Introduction build, and quantify [6], [7]. Examining other kinds of
organizational culture provides a foundation for a
Every company wants to guard its assets from model of cybersecurity culture. For example, many
hackers and cyber-terrorists. Even the most advanced organizations have developed a robust safety culture [8]
technological security cannot protect an organization where every employee knows, and receives constant
from a cyber breach if the people in the organization reminders, of ways to stay safe and decrease the chance
are not careful and protective. In 2017 alone, there of accidents.
were 541 major, publicly reported data breach incidents A similar goal can be said for cybersecurity; every
in which 1,922,663,085 records were compromised [1]. employee must act in ways that keep the organization
According to the 2018 Cost of a Data Breach Study by cybersecure. This project presents a practical
Ponemon, the average cost of each lost or stolen record framework for managing the intangible factors of a
containing sensitive and confidential information also cybersecurity culture, focusing on the research question
increased to $148 [2]. However, in today’s cyber world, ‘How can leaders understand, shape and align the
it only takes one employee clicking on a phishing email beliefs, values, and attitudes of their organization with
to provide an attacker with an entry point into the cybersecurity goals?’ In this paper, we outline a model
systems running a business. Once inside, an attacker of cybersecurity culture, developed through literature
can lock up critical information, as seen in the review and workshop practice. The model outlines
WannaCry virus, or bring down critical infrastructure managerial levers through which the culture can be
as in the Ukraine, when the Petra attack took nuclear built and observed. To illustrate how this model works
radiation monitoring offline, or more commonly, result in practice, we describe how financial services firm
in a data breach incident [3]. Liberty Mutual has created a “culture of data
Insider threat from human behavior is one of the protection” which increased cyber resilience in their
most difficult aspects of security to control. Building a organization.
culture of cybersecurity within an organization guides

URI: https://hdl.handle.net/10125/60074
ISBN: 978-0-9981331-2-6 Page 6398
(CC BY-NC-ND 4.0)
 This paper contributes to information security the way things are done in the organization to protect
practice in three major ways. First, based on theoretical its information assets. This information security culture
study and workshop results, it provides a way to changes over time”. Essentially this says attitudes,
observe and measure cybersecurity culture. Second, an assumptions, beliefs, values and knowledge drive
in-depth case study provides a rich example of how one employee behaviors related to the organization’s
company created this culture. Finally, it helps information and information systems.
managers understand decisions they can make to While focused on the security of an organization’s
change cybersecurity culture. data, networks and systems, the concept of
cybersecurity culture differs in a fundamental way
2. Organizational Cybersecurity Culture from an information security culture. According to the
National Institute of Standards and Technology (NIST)
To build a model of cybersecurity culture, we [13] definition, Information security was defined as
examined three concepts: organizational culture, “the protection of information and information systems
national culture and information security culture. from unauthorized access, use, disclosure, disruption,
A common definition of organizational culture modification, or destruction in order to provide
comes from Ed Schein’s model [9]. He suggests three confidentiality, integrity, and availability,” while
components of culture: 1) the belief systems forming cybersecurity is the “ability to protect or defend the
the basis for collective action; 2) the values organization from cyber-attacks”. Information security
representing what people think is important; and 3) culture emphasizes behaviors that comply with
Artifacts and creations which are the “art, technology, information security policy, but a cybersecurity culture
and visible and audible behavior patterns as well as includes not only compliance with policy, but also
myths, heroes, language, rituals and ceremony.” personal involvement in organizational cyber safety. In
Using a different lens, Quinn’s competing values- this paper, we define organizational cybersecurity
model distinguishes between four types of culture as “the beliefs, values, and attitudes that drive
organizational culture based on the orientation of the employee behaviors to protect and defend the
values and beliefs [6], [10]: 1) The support orientation organization from cyber attacks.”
emphasizes employee’s spirit of sharing, cooperation,
trust individual growth and the decisions made through 3. Cybersecurity Culture Model
informal contacts. 2) The innovation orientation
emphasizes that the organization is open to change and The ultimate goal for manager is to drive
willing to search for new information, and creative in cybersecure behaviors. That is achieved, in part, by
problem solving. 3) The rules orientation emphasizes creating an organizational cybersecurity culture (the
the respect for authority, formal procedures, and the beliefs, values and attitudes). The culture, in turn is
importance to follow the written rules, normally influenced by both external factors outside the control
resulting into a top-down hierarchical structure. 4) The of managers, and internal organizational mechanisms
goal orientation emphasizes the clear specification of that managers use. Figure 1 summarizes the top level
the targets, the criteria for performance measurement conceptual framework of the model.
and the reward based on the attainment of goals,
reflecting the understanding of organizational goals,
individual responsibility and accountability.
National culture focuses on a cross-cultural
perspective and impacts how employees comply with
authority and follow organizational rules and policies.
The most accepted taxonomy of national culture, by
Hofstede, includes concepts such as “individualism vs. Figure 1. The conceptual framework of a
collectivism,” “long-term vs. short-term orientation” cybersecurity culture
and “indulgence vs. restraint” [11].
Information security culture, a subculture of an The rest of this section will dive deeper into the
organization’s culture, has been defined by Da Veiga model, describing each of the constructs in more detail.
and Eloff [12] as: “attitudes, assumptions, beliefs, We include our definition for each construct based on
values and knowledge that employees / stakeholders literature 1 and the outcome of interviews with focus
use to interact with the organization’s systems and
procedures at any point in time. The interaction results 1 Due to space limitations, we have not included all the related
in acceptable or unacceptable behavior (i.e. incidents) references. Instead, this paper focuses on topics that are more
evident in artifacts and creations that become part of informative for practice: the model and the case study. Additional

Page 6399
groups. Participants in the focus groups, including 60 in this figure are not meant to align individually with
senior executives, managers and researchers from large, beliefs, values and attitudes. Collectively they represent
global and US-based companies from multiple these constructs.
industries and key cyber security solution providers2, The leadership in an organization plays a
were asked to share ways their organization encourages significant role in creating and propagating the
cybersecurity behaviors. Their insights were then used organization’s culture. Top management are both the
to fine tune the constructs in our model. mechanism to stop external forces from impacting the
organization, and the decision maker for investing
3.1. Behaviors limited resources. In addition, leaders set an example
for others which influences cognitive beliefs. When
Since cybersecurity is more than a technical issue, employees see leaders prioritizing and participating in
organizations need to rely on the employees’ behaviors cyber-security activities, it influences employees own
to prevent and protect the organization from potential involvement.
cyber-attacks. Ultimately, employee behavior is what
creates or reduces cyber-based vulnerability. Two types
of behaviors are the outcomes of a cybersecure culture:
in-role and extra-role behaviors.
1. In-Role Cybersecurity Behaviors refers to the
actions and activities an employee takes as part of their
official role in the organization. These in-role
cybersecurity behaviors such as complying with formal
organizational security policies, decreasing the
computer abuse, and avoiding policy violation, are Figure 2. Three organizational levels of
critical to securing the organization. cybersecurity culture
2. Extra-Role Cybersecurity Behaviors refers to
actions and activities an employee does that are not Further, a resource-based view suggests that the
part of their job description. Two major types of extra- leader brings perspectives, skills and information to the
role behaviors include helping, referring to the organization and positively influences the development
cooperative behavior to aid others who might ask a of a shared understanding, in turn leading to strategic
cybersecurity question, and voicing, referring to alignment with the business. When leaders have
speaking up to offer comments and knowledge to information about keeping their organization cyber
improve cybersecurity. Extra-role cybersecurity secure, they act in ways that increase cybersecurity,
behaviors, particularly the voicing behavior, can be and are more likely to share that information with
very valuable since cyber space is a complex others in the organization. Hence, to understand this
environment and threats show up at every level of the aspect of a cybersecurity culture, we include three
organization. For example, security leaders value new constructs to assess the quality of cybersecurity culture
ideas, as well as knowledge about emerging among leadership:
vulnerabilities and ways to continuously improve the 1. Top Management’s Priorities: When top
organizational cybersecurity. managers believe that cybersecurity is important, they
will make cybersecurity a priority for the organization.
3.2. Beliefs, Values and Attitudes This is seen in strategic discussions, and in decisions
leaders make about allocation of resources.
At the heart of the model is the cybersecurity 2. Top Management’s Participation refers to the
culture. Values, attitudes and beliefs are unwritten rules top management’s personal involvement in the
that everyone knows but few can articulate. However, cybersecurity-related activities. Participation could be
they can be observed in actions taken by leaders, in the form of communicating cybersecurity policies
groups, and individuals in the organization. Figure 2 and attitudes or in actions that specifically secure the
summarizes nine constructs that make up the culture organization like funding/attending training, creating
for these three organizational levels. Note that the rows games, participating in other cybersecurity activities.
3. Top Management’s Knowledge refers to the
references are available from the authors. cybersecurity-related knowledge, skills and
2 Due to space limitations and the disclosure policy requirement, competencies leaders have. Leaders who know and
these practices are not publicly available nor included in this version understand their cybersecurity vulnerabilities are more
but will be available upon request though emailing to the author. likely to have values, beliefs and attitudes around
These participants are from members of Cybersecurity at MIT Sloan. building a more cyber resilient organization.
Please check https://cams.mit.edu/ for the member list.

Page 6400
 At the group level, organizations are made up of activities of cybersecurity is an indicator of higher
people who work together to execute business value placed on cyber resilience in the organization.
processes that make up the activities of the business.
The third set of constructs within an
Groups of individuals collaborate, create, and
organization’s cybersecurity culture are the individual
communicate. By doing so, they build shared values
beliefs of employees. This includes understanding of
and beliefs that are artifacts of culture. Three constructs
cyber threats, awareness of organizational
summarize the group level attitudes, values and beliefs:
cybersecurity policies, and knowledge of personal
1. Community Norms and Beliefs refers to the
capabilities to impact security (self-efficacy). When
collective set of ideas the group has about
individuals understand and know how to act, it is more
cybersecurity. All groups have norms and those
likely that they will act in a manner consistent with
influence what the individuals in the group believe.
increasing cyber resilience. Three constructs for the
Many theories, including the social control theory,
individual level are included in this model:
theory of planned behavior and technology acceptance
1. Employee’s Self-Efficacy refers to a person’s
model all emphasized the influence from social
knowledge about how well he or she can personally
environment on an individual’s beliefs and attitudes.
execute actions to increase cybersecurity. Bandura’s
We can apply this to cybersecurity culture. For
social cognitive theory, shows that people with high
example, if the group values information protection,
assurance in their capabilities consider difficult tasks as
individuals in the group will more likely value
challenges to be mastered rather than as threats to be
information protection.
avoided. For example, when an individual feels his
2. Teamwork Perception refers to the way teams
actions keep data safer, he is more likely to make the
within the organization work together to be more cyber
effort to do so, resulting in stronger cybersecurity
secure. Shared team cognition theory, emphasizing the
attitudes.
importance of team members being “on the same
2. Cybersecurity Policy Awareness is the
page,” and interactive team cognition theory, arguing
individual’s knowledge of what behaviors the company
that teams are cognitive systems in which cognition
seeks. It is knowing what to do, what is right or wrong
emerges through interactions and team situation
and why it is important. It has been shown that unless
awareness is much more than the sum of individual
employees understand a policy and what the policy
situation awareness, highlight the way team
means to them, the policy is not likely to improve
perceptions come together. To be situationally aware
cyber-safety for the organization. In strong
about a cybersecurity threat, team collaboration
cybersecurity cultures, employees understand policies
provides a way to continuously process and update
and personal implications of the policies. For example,
information. For example, a team working together on
employees who know that their organization has a
a business project might also build in cybersecurity
policy of locking a computer every time it’s left alone
considerations in their activities, which demonstrates
is more likely to believe that locking the computer is
that they value cybersecurity.
important.
3. Inter-department Collaboration refers to the
3. General Cyber Threat Awareness refers to
work done between groups of individuals from
the individual’s knowledge and understanding of
different parts of the organization. For example, there
threats. Similar to the top management team’s
might be an individual in each department participating
knowledge about cybersecurity, the employee’s
on a task force to find ways to be more cybersecure
awareness about general cyber threat is an important
across the organization. To response to the increasing
factor to keep the organization secure because a cyber
data breach incidents over these years, the information
aware individual would be suspicious of unusual
security sectors and the business sectors need to work
emails, texts, attachments, and other communications.
closely with each other. Recent research suggests that
the cybersecurity leader’s scope of responsibility now
extends beyond the IT department to logistics, business 3.3. Organization Mechanisms
continuity and corporate change management further
increasing inter-department collaboration. Beliefs, values, and attitudes comprise the
Newcomers to a group are socialized by the unwritten rules and therefore the culture of the
members, making group norms a strong component in organization, but they are created by the actions of
shaping values, beliefs and attitudes. Involvement by managers and leaders which we have labeled
the information technology organization and the management levers or organizational mechanisms.
information security organization is expected in most Figure 3, identifies six managerial levers that managers
organizations. However, involvement beyond the can use to influence the cybersecurity culture.
cybersecurity professionals in discussions, issues and Managers make decisions on each of these levers,

Page 6401
which in turn drive (and can be driven by) culture. purposely failing phishing exercises. Management
warned him several times, then let him go as concerns
rose over his actions.
4. Organizational Learning refers to the ways
the organization builds and retains cybersecurity
knowledge. Organizational learning has been defined
as “the intentional use of learning processes at the
individual, group, and system level to continuously
Figure 3. Organizational mechanisms for transform the organization in a direction that is
cybersecurity culture increasingly satisfying to its stakeholders”.
Organizational learning helps manage continuous
1. Cybersecurity Culture Leadership refers to change which is also characteristic of cybersecurity.
the appointment of an individual or team with formal Examples of organizational learning for cybersecurity
responsibility for building a cybersecurity culture. This include mentors who work with individuals to help
leader has the responsibility to cultivate cybersecurity them build skills, processes that encourage information
culture, and has the direct power and authority to sharing, consultants that bring new knowledge to the
impact the cultivation process. Though many team, or subscriptions to information sharing services.
organizations look to the CISOs to drive changes, 5. Cybersecurity Training refers to courses and
someone other than the CISO, who has a very large exercises that develop cybersecurity skills and
agenda covering all aspects of cybersecurity culture, knowledge. Training fosters information security
needs to be in this role. Without a leader with specific awareness, educates users on the importance of
responsibility for building the culture, the activities will information security, and trains insiders to take on
be haphazardly executed and sometimes skipped information security roles. Many organizations make
entirely. new hires complete a cybersecurity training module as
2. Performance Evaluations refers to the part of the onboarding process. Some organizations
inclusion of measures of cybersecurity compliance and make employees take an annual update course or online
behaviors in the employee’s formal evaluation training program to ‘refresh’ their knowledge of
processes. Expectancy theory shows that managers use cybersecurity practices. Still other organizations have
the performance evaluation process to clarify what come up with additional training offerings such as just-
behaviors are required, nice to have, and not acceptable in-time learning pop-up windows which teach a point
for the employees. For example, it might be in the learning moment. Our conversations with
unacceptable for employees to hand out system cybersecurity teams has indicated that just a single on-
passwords to vendors without specific approval from boarding training class is not sufficient to sustain long
upper management. In another example, employee term behaviors; regular and varied training is needed.
evaluations might include the results of the phishing 6. Communications Channel refers to coherent,
exercises regularly carried out by management. well-designed messages about cybersecurity
Including these measures in performance evaluations communicated using multiple methods and networks.
alerts employees about the organization’s ability to All successful business communications require that
observe cybersecurity behaviors, which can in turn the right information is heard by the right person at the
influences the employees’ values. right time over the right channel. But what works for
3. Rewards and Punishments refers to the one person may not be the same for another. Managers
managerial-generated impacts of cybersecurity must create multiple formal and informal channels for
behaviors. According to the rational choice theory, reporting cyber incidents, sharing dynamic cyber
deterrence theory and the protection motivation theory, information, and even identifying potential
the design of the rewards and punishments can impact vulnerabilities. For example, some organizations
the individual decisions in many different contexts. create cybersecurity-based marketing-like campaigns to
Sample rewards include social events, proclamations, influence behaviors by keeping the issues front and
and certificates acknowledging exemplary behaviors, center for employees. Another example is to include
while punishments include remedial training, short communication moments at the beginning of
reprimands, or at an extreme, firing the offending every company meeting to share a cybersecurity
employee. To be most effective, rewards and message.
punishments must match the severity of the behavior.
For example, failing a phishing test is probably not 3.4. External Influence
grounds for firing an employee. But in one company
we studied an employee was fired for repeatedly and The attitudes, beliefs and values an individual or an

Page 6402
organization has about cybersecurity are also shaped by culture--the beliefs, values and attitudes, in action. The
external factors. For example, the more the public press full, expanded model is shown in Figure 4. The
reports on cyber breaches, the more aware individuals framework hypothesizes a number of relationships
become of cyber risks. Furthermore, in some industries, between mechanisms that managers can use to build a
the government or another regulating body dictates cybersecurity culture. Stated another way, the absence
how companies must prepare and defend against cyber of these mechanisms is a potential indicator of a
threats. For example, General Data Protection cybersecurity environment that exposes the
Regulation (GDPR) regulations in Europe require organization to unnecessary risk. We envision
organizations to assign a data protection officer so managers using this framework to guide cybersecurity
companies subject to this regulation will be more planning activities and investments. In the next section
influenced than others. Three external influencers have of this paper, we provide a rich case study to illustrate
significant impact on the culture of an organization: how one organization operationalized these constructs.
1. Societal Cybersecurity Culture refers to the
culture of the society in which an organization resides. 4. Case Study
The differences among nations and societies can
impact individual’s perception about online threat. For To initially validate the model, we conducted an in-
example, some countries have a strong societal value of depth case study of a financial services company,
protecting data. The beliefs of the organizations Liberty Mutual Insurance. The data for this case study
operating in that country would reflect that culture. was collected over 6 months of structured interviews
Some organizations operate in a country with a more with key leaders and a small number of employees and
lasses-faire attitude, and we expect organizations in from publically available documents about the
these countries to reflect this attitude in their company. Interviewees included the CISO and several
cybersecurity culture. members of his leadership team, and employees from
2. External Rules and Regulations refers to the marketing, training, support desk, and operations.
laws, guidelines, and regulations imposed by In this section we share the case study starting with
government and other industry organizations. Given the context, including the external influences in which
the significant externalities in cyber security domain, Liberty Mutual operates. Then we share decisions
the implementation of cybersecurity policies, from managers have made on organizational mechanisms to
government agencies or powerful organizations such as drive a cybersecurity culture. The story continues with
supervisory authorities within an industry, can impact examples of the beliefs, values and attitudes created in
the organizational cybersecurity culture. For example, their environment. We end the story with the behaviors
financial services companies are subject to very strict driven by this culture.
rules and regulations about managing their information
and we expect those organizations to have different
4.1. Background, Context, and External
beliefs and attitudes towards cybersecurity than
companies in other industries. Influences at Liberty Mutual
3. Peer Institutions refers to the pressure felt by
managers in an organization from actions their peer Boston-based Liberty Mutual Holding Company
organizations have taken. Institutional mimicry theory Inc. is the parent corporation of Liberty Mutual
provides some support for this construct. It suggests Insurance group, a diversified global insurer.
that since cybersecurity is a relatively new threat with According to their website, the company was the fourth
huge uncertainties for many organizations, managers largest property and casualty insurer in the U.S. LMHC
often look to their peers for guidance on how to act. employs more than 50,000 people in over 800 offices
Trade associations, conferences, and simple social throughout the world3. As with many financial services
situations offer opportunities for managers to learn organizations, managing cybersecurity to protect their
what options their peers have adopted. Additionally, as data and their systems was a critical success factor.
customers begin to seek out vendors with strong Financial service firms invested in many
cybersecurity practices that match their supply chain technologies to protect their environment from cyber
requirements, organization are pressured to ‘up their criminals. Not only were regulations in effect that
cybersecurity game’ in order to compete. These would financial services firms had to follow, but peer
drive different attitudes about cybersecurity than those organizations invested significantly in technology to
organizations with peers who are less concerned about protect their systems and data. In 2017, technologies
these issues.
3 https://www.libertymutualgroup.com/about-liberty-mutual-
These four groups of constructs create a theoretical site/investor-relations-site/Documents/Q4_2017_LMG_Fact_
model that highlights the organizational cybersecurity Sheet.pdf

Page 6403
such as firewalls, intrusion and anomaly detection, defenses. Even with the most sophisticated tools, the
password controls, and network auto shutdown vulnerability created by human error or intent
mechanisms were commonplace solutions that sometimes made the technology defenses simply
provided some security for organizations such as inadequate. For example, phishing emails were
Liberty Mutual. However, threat actors were advancing, increasingly sophisticated and, in some cases, targeted
using techniques, tactics and processes in new and to specific individuals who held the keys to corporate
more complex ways to breach the organization’s system access (a practice called spear phishing).

Figure 4. Organizational Cybersecurity Culture Model

Liberty Mutual and others in the financial services invested a significant amount of resources to create this
industry, were subject to strict external rules and culture, establishing a global “Responsible
regulations. US policies, like the New York DefenderTM” platform of messaging, communications,
Department of Financial Services (NYDFS) rewards, activities, and processes.
Cybersecurity Regulation, provide specific and The CISO created a leadership position for
prescriptive requirements this industry. Among cybersecurity culture, called the Product Owner,
NYDFS requirements, regulations called for Cybersecurity Awareness, and charged her with
cybersecurity awareness training for all personnel, creating and managing a culture of data protection
updated to reflect risks identified in the company’s risk (their term for cybersecurity culture). She took on the
assessment. large tasks of creating messaging and other activities
Industry Peer Influence also helped shape ideas that drove a set of beliefs, values and attitudes to
strategies to protect the systems and data of financial increase cyber resiliency. She explained:
services firms. From banks to insurance firms to other “We found early on that everyone could relate to
players in the industry, protecting against cyber the term ‘data protection.’ Just a small change like
breaches and other vulnerabilities was paramount. No using this term made a big difference in our efforts.”
one wanted to do business with a firm who was not Once this leader and her team were established,
trustworthy nor capable of protecting investments. One incentives to promote security culture and behavior
executive commented: were created. Early rewards and punishments were
"At the end of the day, the reputation of an mainly associated with phishing exercises. Rewards
insurance company is everything. People don’t want to and punishments were appropriate to the behavior and
do business with an insurance company they cannot serve to motivate learning. One employee described the
trust". attitude towards the reprimands for clicking on the
wrong email links:
4.2. Managerial Decisions: The Organizational “Sometimes people do click on the phishing links
Mechanisms and then they have to take a training class. They are
generally ok with that. We believe that our team
In the case of Liberty Mutual, the Chief members want to do the right thing and we are
Information Security Officer (CISO) and his team provided with all sorts of training and learning
drove many activities to create a cybersecurity culture. opportunities”.
Their actions established and reinforced values, The team took steps to measure this progress.
attitudes and beliefs about the importance of digital and Individual performance evaluations included
data security across the enterprise. The company discussions with managers about cybersecurity
behaviors. If an employee failed a phishing exercise

Page 6404
too often, it was reflected in their performance that drove desired behaviors. To create their culture of
evaluation. If an employee went beyond their normal data protection, employees at every level within the
job requirements and helped others better understand company demonstrated characteristics that matched the
how to help create a stronger culture of data protection constructs in our model.
that was noted, too. First, executives at Liberty Mutual made
The culture leader felt that cybersecurity training cybersecurity a top management priority. Leaders
was best done through process of continual learning. supported cybersecurity initiatives. They also
The team developed training classes and demonstrated their priorities when they allocated
communication campaigns. Almost every month, there significant resources for security tools and activities.
were programs, called micro-campaigns, to increase Top management participation reinforced the
awareness and security across the organization. During importance of cybersecurity throughout the company.
Cybersecurity Awareness Month, cybersecurity was A set of regular blog posts from the CISO and his team
made a larger corporate focus. In 2017, the U.S. core were mapped out for the year to cover topics high on
team rolled out a fun 20-minute training module across the security priority list. The CISO himself was the
the enterprise. An Instructional Designer at Liberty ‘face’ of the campaign. Employees saw a senior
Mutual, responsible for developing digital security executive willing to be highly visible and personally
training programs, elaborated: involved in communicating the message and this
"We made a decision to keep it light, engaging encouraged them to pay attention. The management
and not pedantic. We also use recent cultural regularly worked to increase their cybersecurity
references...our training also has to be fresh, current knowledge of activities to protect their data. For
and relevant”. example, executives understood that out of date
Messaging was a key part of the Responsible software left an entryway for cyber criminals. Top
DefenderTM Program. Liberty Mutual used multiple management supported decisions to use the latest
communications channels to transmit cybersecurity security software, use secure applications and install
information. Traditional and instant learning updates as often as possible to keep their technologies
opportunities, dynamic and engaging marketing up to date.
campaigns, executive leadership, and highlighting At the group level, attitudes also reflected the
rewards and consequences worked together to send a culture of data protection. Slogans such as the
message of the importance of data protection. “Responsible DefenderTM” and “Our Information. Our
Messages were delivered using videos, digital displays, Responsibility” reinforced the general belief that
blogs, alerts, emails, post cards, events, and training. cybersecurity is everyone’s responsibility, not just the
Although many different channels were used, responsibility of the technologies or cybersecurity
communications were orchestrated to express professionals. These activities helped create strong
consistent messaging. The culture leader and her team community norms and beliefs. At Liberty Mutual,
used the Responsible DefenderTM brand and traditional employees felt worked together to protect data. An
marketing techniques to spread cybersecurity messages employee elaborated on her perception of team work at
throughout the company. the company:
Additionally, major news stories often generated "One example is the phishing exercises conducted
questions about cybersecurity which leaders at Liberty throughout the year. We talk about them and compare
Mutual used with employees to raise awareness. This notes like ‘did you click on that one?’"
kind of organizational learning helped employees This kind of group support went beyond single
build and retain knowledge. For example, when the departments. Inter-department collaboration generated
Equifax breach occurred in the summer of 2017, the a strong sense of group culture. One cybersecurity
information security team provided insight into what leader described how:
the breach meant, how it might impact an employee’s "the success of creating a culture of data
personal financial accounts, and what an employee protection hinged on partnerships built with others
might do to protect themselves. This made an impact across the enterprise…Being able to build alliances is
on employees and helped them understand the value of a key to success in my role, and when it’s time to get
cybersecure activities. the work done, we have gotten strong support from
across the enterprise. … Everyone on the core team
4.3. Liberty Mutual’s Culture of Data ‘gets it’".
Protection At the individual level, cybersecurity was clearly
on the mind of a large number of employees. Many
The result of leadership and managerial decisions examples showed that employees personally did things
encouraged cybersecure values, attitudes and beliefs to keep their data secure. Employee self-efficacy was

Page 6405
demonstrated in interviews with employees who don’t feel bad about it. It provides more motivation to
indicated that they felt empowered to protect the get it right in the future.”
company’s data and information systems and they
understood actions they could take to do so. One 5. Discussion and Conclusion
employee shared stories about reporting suspicious
emails to corporate authorities regularly. Liberty Mutual leaders wanted to minimize human
Employees knew what to do in part because of a behaviors that create cybersecurity vulnerability and
model called the Pillars of Data Protection, a simple to increase behaviors that protect their company. In
follow set of guidelines for all employees to follow. addition to installing the latest security software, and
The Pillars were core concepts and behaviors keeping their technologies up to date, etc., leaders
information security leaders wanted all employees to made decisions that influenced attitudes, beliefs and
adopt and interviews with employees demonstrated values around cybersecurity. Communications focused
high levels of Cybersecurity Policy Awareness. The on awareness and action. The goal was for all
cybersecurity culture leader said: employees to understand their individual responsibility
"The Pillars of Data Protection give all of our for cybersecurity, and early indicators suggested that
employees a clear set of expected behaviors and things these investments were paying off. Table 1
that need to be done continuously to protect our summarizes examples for each of the model constructs
company,” from the Liberty Mutual case study.
Their information security policy was written to Becoming a cyber-resilient organization is a
make the policies more accessible and was further combination of both technology and organizational
clarified with a section about “what this means to me” investment. All the technology available to secure
to translate policies into personal impacts. General systems will not keep an organization secure if the
cyber threat awareness was high at Liberty Mutual. people in the organization make bad or uninformed
In earlier surveys, information security managers found decisions that open up the system to threat actors. Yet
that most employees did not know who to ask managers continue to invest in upgraded technologies
questions of or what phishing was, among other issues. and, in many cases, resist investments in organizational
Managers regularly held discussions about mechanisms that would increase resilience.
cybersecurity issues that made newspaper headlines This research suggests a number of ways managers
and communications campaigns sought to better inform can help build a culture of cybersecurity, and how an
employees of threats and of actions to take. Managers organization can evaluate if their culture drives cyber
reported improvement in subsequent survey results. secure behaviors. Behaviors are driven by unwritten
rules, which are difficult to see. But the artifacts of
4.4. Behaviors those unwritten rules are apparent in the values, beliefs
and attitudes displayed by management, teams and
Ultimately, Liberty Mutual leaders sought to instill individuals in the organization. This research
the kinds of behaviors that would reduce risk and articulates a model of constructs that managers can use
increase security. Initially the goal was to generate to observe their cybersecurity culture, and the Liberty
awareness of cyber resilience for every employee, not Mutual Case Study describes specific ways one leading
just in those in the IT department. Later the project organization operationalizes this model.
moved beyond simply increasing awareness to Managers can further strengthen the values, beliefs
encourage every employee to embed security actions and attitudes around cybersecurity through decisions
into their in-role behaviors. Their investments paid off. they make about performance, control, and governance
Employees increasingly demonstrated behaviors in systems. This work highlights six levers for managers
their day-to-day activities such as reporting suspicious to use such as building cybersecurity expectations in
activity, reduced clicks on phishing emails and performance evaluations and reward systems, enforcing
securing personal technologies. consequences for insecure performance, creating strong
Additionally, since the Responsible DefenderTM communications plans, and providing ongoing training
Program emphasized cooperative helping and voicing and updated opportunities for learning about increased
behavior employees exhibited extra-role behaviors in cybersecurity activities. All are actions any manager in
the larger community. The cybersecurity leader an organization can take to strengthen cyber resiliency.
described how this played out: Further, when management creates a position
“Everyone thinks of themselves as ‘first specifically dedicated to creating a cybersecurity
responders’ and they will alert us if they see a culture, they can expect to see results that increase
suspicious email or other activity...They see it as resilience in the organization.
learning more about what to do or not to do and they Increasing cyber-resilience is on every executive

Page 6406
agenda, and this project will help leadership teams and of Information Technology Culture Conflict,” MISQ Rev., vol.
all levels of management identify specific ways they 30, no. 2, pp. 357–399, 2006.
can aid their organization in achieving this objective. [7] A. Da Veiga, “A cybersecurity culture research
philosophy and approach to develop a valid and reliable
measuring instrument,” in Proceedings of 2016 SAI
References Computing Conference, pp. 1006–1015.
[8] R. A. Carrillo, “Positive Safety Culture,” Prof. Saf., vol.
[1] P. R. Clearinghouse, “Data Breaches,” 2018. [Online]. 55, no. 5, p. 47, 2010.
Available: https://www.privacyrights.org/data-breaches. [9] E. H. Schein, Organizational culture and leadership, vol.
[2] Ponemon Institute LLC, “2018 Cost of Data Breach Study, 2. John Wiley & Sons, 2010.
Global Overview,” IBM Secur., no. July, pp. 1–34, 2018. [10] J. J. van Muijen and E. Al, “Organizational Culture: The
[3] K. Huang, M. Siegel, and S. Madnick, “Systematically Focus Questionnaire,” Eur. J. Work Organ. Psychol., vol. 8,
Understanding the Cyber Attack Business: A Survey,” ACM no. 4, pp. 551–568, 1999.
Comput. Surv., vol. 51, no. 4, 2018. [11] G. Hofstede, “Cultural dimensions in management and
[4] K. Pearlson and K. Huang, “Liberty Mutual: Creating a planning,” Asia Pacific J. Manag., vol. 1, no. January, pp.
Culture of Data Protection,” 2018. 81–99, 1984.
[5] B. Gardiner, “Johnson & Johnson champion people-based [12] A. Da Veiga and J. H. P. Eloff, “A framework and
security strategy.,” CIO (13284045), 24-Mar-2015. [Online]. assessment instrument for information security culture,”
Available: https://www.cio.com.au/article/569021/johnson- Comput. Secur., vol. 29, no. 2, pp. 196–207, 2010.
johnson-champion-people-based-security-strategy/. [13] NIST, “Glossary of Key Information Security Terms,”
[6] D. E. Leidner and T. Kayworth, “Review: A Review of NISTIR 7298 Rev.2. [Online]. Available: https://csrc.nist.gov
Culture in Information Systems Research: Toward a Theory /publicat-ions/detail/nistir/7298/rev-2/final.

Table 1. Case Study Examples of Cybersecurity Culture Elements

Cybersecurity Culture Example from Case Study

Top Management Executives at Liberty Mutual made cybersecurity a strategic-level priority. For example, they authorized a
Leadership

Priority significant budget for security activities, tools and professionals

Top Management A set of regular blog posts on cybersecurity topics from the CISO or his team were mapped out for the year. The
Participation CISO himself was often considered the "face" of the campaign
Beliefs, Values and Attitudes

Top Management Top management regularly engaged in discussions about cybersecurity issues both as part of their leadership
Knowledge team meeting and individually with cyber experts in the company to keep their knowledge current.
Community Norms Slogans such as the “Responsible DefenderTM”and “Our Information. Our Responsibility” were part of the
and Belief everyday conversation.
Group

Team Work
Employees would regularly compare notes on phishing exercises and discuss other cyber topics.
Perception
Inter-department The core team working with cybersecurity leaders included members from across the enterprise, not just the tech
Collaboration departments
Employee's Self- Employees indicated that they knew what to do when they received a suspecious email, and knew who to contact
efficacy should they notice any other potential cyber incident brewing.
Individual

Cybersecurity Marketing-like campaigns regularly shared cybersecurity policies and employees indicated they knew what these
Policy Awareness policies were.
General Cyber Employees were regularly told about cyber threats and were encouraged to take steps to both protect the
Threat Awareness company asset and their own personal assets.
In-Role Cybersecurity
Behaviors

Phishing exercises and subsequent surveys indicated a trend towards stronger security behaviors of all
Behaviors employees.

Extra-Role Cybersecurity Some employees volunteered to be cybersecurity "first responders" tol alert others of suspicious emails or other
Behaviors activity.
Incentive Leadership

Cybersecurity
The the CISO added a role to his team for Cybersecurity Awareness and charged her with building a culture of
Culture
data protection.
Leadership
Organizational Mechanism

Performance Individuals who repeatedly failed phishing exercises were subject to notations in their performance evaluations
Evaluations and repeated offences could result in poor scores in performance reviews.
Rewards and Failed phishing exersizes would result in retraining. Employees who got involved in cyber-related activities were
Punishments praised and given 'status' in the organization.
Organizational The entire organization was continually updated on cybersecurity news and issues through campaigns designed
Learning to facilitate long-term retention of cybersecurity practices and behaviors.
In addition to employee onboarding, where cybersecurity training was included in new-hire procedures and
Process

Cybersecurity processes, micro-campaign programs were created to increase awareness. Cybersecurity awareness month made
Training the issue a corporate focus for that period. The team strove to create training that was "engaging and not
pedantic."
Messaging was a big part of management activities to encourage cybersecure behaviors. The team created a
Communications
brand and used traditional marketing techniques to spread the message through the company. They used
Channel multiple channels including videos, digital displays, blogs, alerts, emails, post cards, events, and training.
The corporation was part of the financial services industry which, by it's nature of managing client information,
External Influences

Societal Cybersecurity
created a need and set of values and beliefs about how important it was to protect data. Execs reflected this in
Culture their prioritization of building a culture of data protection.
External Rules and The organization of the highly regulated industry. For example, regulations and policies like the New York
Regulations Department of Financial Services Cybersecurity Regulation provide specific and prescriptive requirements.
Executives made it clear that their company reputation was dependent on the trust they received from customers,
Peer Influence clients, and in general. They articulated that the industry as a whole had to have a high standard for protecting
information assets.

Page 6407