How to measure security culture at Organization X

Abstract

Most information and cyber incidents involve a human component – often an employee making a simple mistake that grants attackers access to systems or data. To mitigate this risk, organizations should consider implementing an effective security awareness program focused on creating a strong security culture to better protect their assets.

The objective of this study is to investigate how security culture can be measured at Organization X. Although the organization places a strong emphasis on security culture, it has been struggling to identify the appropriate methods for assessing the impact of its annual security awareness program and the culture cultivated through its activities.

The literature review in this thesis introduces concepts and frameworks related to security culture, including information security and cybersecurity, security awareness, and organizational culture. It also explores available models for measuring security culture.

This thesis examines how security culture can be measured and how selected measurement techniques can be applied to Organization X. It aims to serve as a valuable resource for other security professionals seeking to evaluate their security culture.

The measurement methods developed to analyze the security culture of Organization X were created in 2024. The research methods included multiple interviews, workshops, and brainstorming sessions. The developed measurement techniques were implemented at Organization X in 2024, and it is recommended that they be applied on a monthly and annual basis.