Assessing and improving information security culture of essential service providers: Analysis of organisational factors in resilience against cyber threats

Contemporary, increasingly digitalised society is inextricably linked to the constant use of information and communication technologies (ICT), which is consequently exposing individuals, organisations, and countries to numerous cyber threats. Industry and security reports are demonstrating exponential increase in cyber attacks world-wide, resulting in immense, even devastating financial, business, cultural, reputational and other losses. Considering the finding that a large majority of cyberattacks on organisations are a result of human factor – employees being inattentive, practicing insecure use of ICTs – it has become clear that resilience against cyberthreats cannot be achieved through technical means alone. Namely, we need to address the social science aspects of information security in an inextricable connection with the technical tools and processes of information security.

In recent years the concept of information security culture (ISC) has started to gain attention both in academia and industry. ISC refers to the formation of appropriate information security beliefs and values that guide employees in their use of ICT, as well as the establishment of an organisational environment that is resilient to cyber threats. This definition is however somewhat limited for research purposes, as it lacks the explanatory mechanisms that would link socio-technical properties of organization with organizational communication and management processes and with individual information security behaviour (ISB) as the key dependent variable. The field understands ISC in very different ways, frequently not offering clear definitions, which poses issues for content validity, measuring and getting reliable results in scientific research. The project builds on the assumption that a good ISC is the best human "firewall" an organisation can build to resist cyber threats. The main purpose of the project is to build a revised model of ISC on the basis of which it will be possible to make assessment of resilience against cyber threats and make recommendations to strengthen the resilience. Under the renewed EU directive on information security, organizations that are categorized as essential service providers in Slovenia (more than 400) will need to regularly assess the resilience against cyber threats. Measuring and assessing ISC will thus become a necessity for these organizations. Providing these companies with tools to get a high quality assessment of ISC and guidelines to act upon them is one of the major aims of this project.

Specifically, the project will pursue the following objectives:
       1. Build an organisational, situation specific socio-technical model of ISC that combines organisational factors, technological artefacts, and information security behaviour into a unified explanatory model;

       2. Build a methodological apparatus for valid and reliable measurement of ISC in organisations of essential service providers;
       3. Provide a valid and reliable assessment of ISC among essential service providers in Slovenia.
       4. Develop a set of recommendations to improve the ISC of essential service providers;
       5. Dissemination of results and recommendations in scientific and professional literature.

The project involves an interdisciplinary group of established and internationally recognized researchers in the fields of social informatics, information security, defence studies, communication, as well as methodology and statistics.

The project is divided into six interconnected work packages (WP), which include clear objectives for theoretically grounded research and methodology.

WP1 – Development of the theoretical framework: The purpose of this work package is to develop a comprehensive organisational socio-technical theoretical model of ISC that will serve as the basis for analyses and advancement throughout the entire project. The theoretical model will be based iteratively in a close feedback loop with empirical research and will proceed from initial theoretical model to the final, empirically tested model.
Tasks:
T1. Literature review of ISC conceptualizations and measurements (M2–M5): In order to progress beyond the state of the art, a detailed review of key organisational factors of ISC and ISB will be performed.
T2. Establish the initial theoretical model (M3–M7): Based on the literature review and qualitative research, the initial theoretical model of ISC will be established.
b On the basis of qualitative research and initial model, a revised and extended organisational, socio-technical model of ISC will be established, which will be a baseline for the main quantitative empirical study.
T3. Development of a situation-specific explanatory model of ISC (M13–M18): Based on the findings of the qualitative research and the initial model, a revised and expanded organizational socio-technical model of information security will be established, serving as the foundation for the main quantitative empirical study.
T4. Final, empirically tested model of ISC (M28): On the basis of quantitative test on a sample of essential service providers and employees within them, a final model of ISC will be produced, which will serve as an input for the final guidelines for improvement of ISC.
Specific objectives:
- To conduct a critical comparative literature review of the concepts of ISC and ISB and the relationship between them;
- To identify organisational, socio-technical explanatory factors of ISB on individual and organisational level;
- To develop the renewed theoretical model of ICS.

WP2 – Qualitative research: The main goal of this work package is to gain situation-specific insights into the social science aspects of information security in the organisations of essential service providers, identify relevant processes that are not addressed by current literature and assess views and needs of stakeholders with regard to NIS 2. Furthermore, the interviews will serve to advance the relationship with providers of essential services for more efficient realisation of guidelines as developed in WP4. To achieve this goal, we will conduct in-depth, semi-structured interviews with chief information security officers (CISOs) from organisations representing essential service providers in Slovenia.
Tasks:
T1. Identification of essential service providers and contact collection (M4–M7): Identification and collection of contacts for all essential service providers in accordance with the new NIS 2 Directive (approximately 1000). We aim to recruit at least one responsible person for information (corporate) security in essential service provider organizations in each sector (11) as defined by the NIS 2 Directive.
T2. Protocol and recruitment (M4–M7): Development of a protocol for semi-structured in-depth interviews, including thematic questions, invitations, an informational leaflet, informed consent forms, and sending invitations in physical and/or electronic form.
T3. In-depth interviews (M10–M12): All in-depth interviews will be conducted face-to-face and audio will be audio recorded with the respondents' permission. To increase the validity of the qualitative responses, the researcher conducting the interviews will ensure that participants have a clear understanding of the nature of the study; they will also be asked to provide written informed consent. In total, we will conduct approximately 10–15 in-depth, semi-structured interviews with CISOs of essential service providers. Participants will also be asked for further cooperation in the subsequent quantitative research.
T4. Thematic analysis (M12–M13): All interviews will be transcribed verbatim and accompanied by corresponding field notes that will be imported into the qualitative data analysis software. Pseudonyms will be used to ensure anonymity and confidentiality of the organisations. Data will be analysed using inductive thematic analysis.
T5. Implementation of qualitative eesearch findings (M14–M15): The results of the qualitative data analysis will be used to further develop and refine the initial theoretical model (WP1) and serve as a basis for the development and optimization of the process for operationalizing tools for measuring information security culture (WP3).
Specific objectives:
- To gain situation-specific insights into social aspects of information security in essential service providers;
- To analyse collected qualitative data;
- To advance the initial theoretical model;
- To provide insights for the development of measurement instruments in WP3.

WP3 – Quantitative research: The quantitative research will be composed of two data collection points. The first one will seek to gain initial insight into the ISC of providers of essential services, to test the initial theoretical model and identify potential methodological issues for the second, main data collection point. In the second data point, a web survey will be conducted on the same population of essential service providers with the intention to test the revised theoretical model with high statistical power, which will allow us to finalise the theoretical model and develop reliable guidelines for the improvement of ISC.
Tasks:
T1. Initial operational definitions of constructs and measurement instruments (M3–M7): For the initial, exploratory web survey of providers of essential services some of the existing scales for measuring ISC and ISB in organisational context will be identified and adopted to the national and situation-specific context.
T2. Initial web survey (M11–M12): Using the provided contacts of essential service providers in Slovenia (see WP2, T1), we will conduct an initial web survey among CISOs (minimum n = 30) and employees (minimum n = 300) of essential service providers to assess the current state regarding social aspects of information security according to the current NIS2 directive.
T3. Analysis of initial survey (M12–M13) and initial assessment report (M13): This phase will present preliminary findings on the current state of ISC among essential service providers. The initial assessment report will provide some practical guidelines for organisations to comply with the new NIS2 directive.
T4. Measurement instruments and questionnaire for the main survey (M15–M22): The purpose of the main web survey will be to test the revised theoretical model of ISC. Scales for existing concepts will be adopted to the national and organisational context, while in the case of novel concepts, a standard, rigorous procedure for item development will be undertaken, consisting of expert testing, content validity assessment and pilot testing.
T5. Web survey to test the comprehensive model (M24): Data collection will be conducted on the organisations that represent essential service providers in Slovenia (according to the new NIS2). Nonprobability sampling will be used. The sampling frame includes all relevant organisations and employees within them. Different techniques for raising response rate will be undertaken with the intention to get at least 30% response rate among organisations and 15% response rate within organisations. Some parts of the data collection tasks will be outsourced to adequate survey agencies.
T6. Analysis of web survey (M25–M27): The purpose of this task is to prepare the collected survey data for analysis and conduct a two-level analysis. Adequate methodological approaches will be undertaken for missing value analysis and possible imputations. Expectedly a structural equation modeling approach with two-level data will be undertaken in order to test the revised ISC model and provide the assessment of ISC in the essential service providers.
Specific objectives:
- To empirically test the initial and revised theoretical model and get assessment of ISC in the essential service providers.

WP4 – Guidelines for improving information security culture: The purpose of this work package is to establish practical guidelines for improving ISC primarily among essential service providers in Slovenia, indirectly also for other organisations in business or the public sector. The guidelines will be based on the test of the revised theoretical model and will address the question of how can organisations and their management, CISOs manipulate the organisational factors to improve their resilience against cyber threats.
Tasks:
T1. Overview of existing approaches to improve ISC in organisations (M3–M7): This task will provide an overview of existing proposals, guidelines, instructions and good practices for improving ISC in Slovenian and foreign professional and scientific literature.
T2. Initial set of guidelines (M6–M12): Based on an overview of existing approaches to improve ISC and the results of the initial web survey, the initial set of practical guidelines for organisations will be developed. This will mainly serve as a preparation for essential service providers in Slovenia to adopt the new NIS2 directive.
T3. Elaboration of a situation-specific set of guidelines (M29–M35): On the basis of the empirical test of the revised theoretical model and the initial set of guidelines, the situation-specific guidelines for improvement of ISC will be developed. The biggest emphasis will be put on improvement of the salient gaps identified during the main ISC assessment report of essential service providers in Slovenia.
Specific objectives:
- To establish practical guidelines to improve ISC that will be intended for essential service providers in Slovenia.

WP5 – Dissemination: The purpose of this work package is to disseminate the scientific findings and results obtained during the different phases of this research project. Intensive dissemination of our findings will contribute to the acquisition and sharing of new knowledge, insights, and understanding of the concept of ISC, thereby linking scientific and practical approaches in the field of behavioural information security.
Tasks:
T1. Creation and maintenance of the project’s official website (M1–M36): At the beginning of the project, we will create a website dedicated to the presentation of project activities and results to the national and international scientific community as well as industry and general public. This website will include a short project description, basic information about funding, project activities, and research results, including when these will be available at individual phases of the research project. The website will be published in both the Slovenian and English languages. Further, the website will be shared from time to time on various channels of different online social networks.
T2. Dissemination and application of the results of the project (M1–M36): The theoretical and empirical results of the project will be disseminated through a series of published scientific articles as well as by contributions to international and national scientific conferences, meetings, congresses or symposia.
T3. Dissemination of the results of the project to industry, legislators and the public (M1–M36): Outside the scientific community, the practical results of the project will be disseminated through the organisation of a public event aimed primarily at industry, but also at the general public. The event will include several activities, focusing on the presentation of the designed guidelines to strengthen ISC in organisations.
Specific objectives:
- To achieve the maximum dissemination and application of the scientific and practical results of the project;
- To publish theoretical and empirical results in international academic journals;
- To present the results at international and national scientific conferences, meetings, congresses or symposia;
- To create and maintain the official website of the project.

WP6 – Project management: Overall project management, including administrative and scientific management, will ensure the successful realisation of all project activities in the work programme.
Tasks:
T1. Monitoring of all project activities in the work programme (M1–M36): Overall project management will include monitoring the implementation of all administration duties, the execution of all project activities in accordance with the established objectives, communication with co-financier and other partners, ensuring the quality of project activities, outputs and deliverables, meeting all project deadlines, timetables and milestones, and preparing (annual) regular reports. Project management will also guarantee that challenges will be efficiently resolved and all research output appropriately handled.
T2. Coordination of research activities (M1–M36): The project management team will be in charge of coordinating research activities and ensuring the effective conveyance of research findings between individual parts of the research. They will also provide regular communication on activities and progress, as well as coordination with the co-financier. The management team will include one senior researcher and one postdoctoral (both FSS).
Specific objectives:
- Coordination of research group and research activities;
- Regular communication with co-financier;
- Monitoring the execution of project activities in accordance with established objectives;
- Monitoring the quality of project activities, output and deliverables;
- Monitoring and execution of administrative duties;
- Budget monitoring and reporting;
- Monitoring the effective transmission of findings between individual parts of the research;
- Organising meetings for the research group and potential problem solving.