An Analysis Of Cybersecurity Culture On Organizations Managing Critical Infrastructure

Year
2020
Author(s)
Michelle Govender - University of South Africa
Abraham Parbhunath - Eskom Holdings SOC Ltd
Abstract

An analysis of cybersecurity culture on organizations managing Critical Infrastructure. Authored by Michelle Govender and Abraham Parbhunath, Eskom Holdings SOC Ltd.

IT/OT convergence is a fast-growing reality for many organisations managing critical infrastructure. Environments that were traditionally entirely independent are now connecting in ways that are exposing critical infrastructure to a new level of cyber risks that need to be managed. Considering that up to 67% of breaches reported in the Willis Towers report were due to employee negligence, the importance of cybersecurity culture is no longer in question in today's threat landscape; it impacts those elements that have a human influence on cyber attacks [1]. Organizations therefore need to instill a strong culture of cybersecurity across all organizational levels. Developing an understanding of the risky behaviors and attitudes of employees working with critical infrastructure is key to developing a relevant cybersecurity culture transformation program.

Cybersecurity culture transformation in an industrial plant environment requires first understanding personnel behaviors, values and attitudes. It was noted through observation that people working in the plant environment have a very diverse understanding of cyber risk. The study endeavors to investigate employee perceptions, at various levels in the organization, of their attitude towards cybersecurity and how these potentially impact their behavior. What are the common cyber-risky behaviors and attitudes on site, and how could personnel attitudes and behaviors increase the site's exposure to cyber threat?

A cybersecurity culture survey was developed to gain insight into people's beliefs, attitudes and behaviors towards various cyber risks across people, process and technology. Both technical (Engineering and IT) and non-technical (business support staff) staff on site were surveyed. The survey was grouped into four (4) sections dealing with the individual, processes and technology, leadership and organization, also aligning with other culture transformation initiatives. We have gained insight into the perception of what cybersecurity is and the vulnerabilities this introduces to the industrial site. A key outcome of this research is to address the behaviors and attitudes that create vulnerabilities of employees working in organisations managing critical infrastructure.

[1] N. H.-C. L. Centers, "90% of cyberattacks traced back to human error: Making cybersecurity a workplace culture," Online, 2017.