Information security culture: An investigation into the impact of a large-scale cyberattack

Vegard Marvik, Rami Bakir

description

Cybersecurity and cyberattacks have been mentioned significantly more in the news in recent years, which has caused organisations to give higher priority to information security than ever before. Today, many organisations are vulnerable to malicious attacks like ransomware. These attacks can significantly impact an organisation's operations, especially given its reliance on technical systems. This has led to organisations emphasising technical security measures significantly, often overlooking one critical aspect of information security, namely information security culture (ISC). This empirical study examines how an organisation's ISC changes during a ransomware attack and how it has continued to change in the aftermath. We employ a case study in conjunction with a literature review to evaluate the changes in security culture. Interviews with employees from different professions in this organisation gave us their perspectives on the changes before and after the attack and their thoughts on the implemented measures. To analyse the research, the authors looked into different ISC levels and how they have specifically changed; these levels include artefacts, espoused values, shared tacit assumptions and knowledge. The study analyses how the employees and leadership perceived the changes through these levels. The research contributes to existing knowledge on information security culture by applying theory to a real-life situation and advancing the understanding of how an attack changes ISC within an organisation. By applying the theoretical framework from Van Niekerk & Von Solms, we address the empirical findings and propose measures for organisations still developing their ISC.

https://hdl.handle.net/11250/3080482