SİBER SALDIRILARA KARŞI DAYANIKLI ÖRGÜTLER İÇİN SİBER GÜVENLİK KÜLTÜRÜNÜN OLUŞUMU

Yıl 2024, Cilt: 7 Sayı: 1, 96 - 110, 19.01.2024

Cenk Aksoy

https://doi.org/10.33416/baybem.1374001

Öz

Siber güvenlik, artan siber tehdit sıklığına yanıt olarak 7/24 gözetim gerektiren kritik bir alan olarak ortaya çıkmıştır. Eş zamanlı olarak hem ayrılan bütçede hem de bu alana olan akademik ilgide dikkate değer bir artış bulunmaktadır. Bu siber risk ortamında, örgütlerin başarısı en zayıf halka olan insan faktörüne bağlıdır. Örgütleri korumak amacıyla çalışan davranışlarını yönlendiren inanç, değer ve tutumlara odaklanarak insan hataları azaltılabilir. Bu kapsamda örgütlerde siber dayanıklılığı güçlendirmenin anahtarı olarak siber güvenlik kültürü kavramı karşımıza çıkmaktadır. Bu çalışmada, siber güvenlik kültürünün tanımı, önemi ve bu kültürü oluşturmak ve sürdürmek için önemli görülen faktörleri belirlemek amacıyla literatür taramasından elde edilen bulgular sunulmuştur. Çalışmada siber güvenlik kültürü, bir örgütün siber güvenliğe yaklaşımını şekillendiren inanç, değer ve tutumların oluşturduğu davranışlar kümesi olarak tanımlanmıştır. Dayanıklı ve sürdürülebilir bir siber güvenlik kültürü oluşturmak, siber güvenliğin teknik yönleri kadar insani yönlerine odaklanmakla mümkündür. Siber güvenlik kültürüne etki eden temel unsurlar arasında liderin bilgi, beceri ve yetenekleri, örgüt genelinde siber güvenlik farkındalığının geliştirilmesi, etkili bir iletişim ve bu dönüşümün sürekli bir öğrenme deneyimi olduğunun kabul edilmesi sıralanmıştır.

Anahtar Kelimeler

Siber Güvenlik, Örgüt Kültürü, Siber Güvenlik Kültürü

BUILDING A CYBER SECURITY CULTURE FOR RESILIENT ORGANIZATIONS AGAINST CYBER ATTACKS

Öz

Cybersecurity has emerged as a critical area requiring 24/7 surveillance, in response to the rapidly increasing frequency of cyber threats. Concurrently, there is a notable amplification in both the allocated budget and the academic interest within this domain. In this cyber risk environment, the success of organizations depends on the weakest link, the human factor. Human errors can be reduced by focusing on the beliefs, values and attitudes guiding employee behavior to protect organizations. In this context, the concept of cybersecurity culture emerges as the key to strengthening cyber resilience in organizations. In this study, the findings obtained from the literature review are presented to determine the definition of cybersecurity culture, its importance and the factors considered important for creating and maintaining this culture. In the study, cybersecurity culture is defined as the set of behaviors formed by beliefs, values and attitudes that shape an organization's approach to cybersecurity. Creating a resilient and sustainable cybersecurity culture is possible by focusing on the human aspects of cybersecurity as much as the technical aspects. Leadership knowledge, skills and abilities, developing cybersecurity awareness throughout the organization, effective communication and acceptance of this transformation as a continuous learning experience are listed among the main factors affecting the cybersecurity culture.

Anahtar Kelimeler

Cybersecurity, Organizational Culture, Cybersecurity Culture

Kaynakça

• Alnatheer, M., Chan, T., & Nelson, K. (2012). Understanding and measuring information security culture. Proceedings of the Pacific Asia Conference on Information Systems PACIS içinde, 144.
• Alshaikh, M. (2020). Developing cybersecurity culture to influence employee behavior: A practice perspective. Computers & Security, 98, 102003. https://doi.org/10.1016/j.cose.2020.102003
• Astakhova, L. V. (2014). The concept of the information-security culture. Scientific and Technical Information Processing, 41, 1, 22-28.
• Berman, S. J., & Bell, R. (2011). Digital transformation: Creating new business models where digital meets physical. IBM Institute for Business Value, 17(3), 1-17.
• Bharadwaj, A., El Sawy, O. A., Pavlou, P. A., & Venkatraman, N. (2013). Digital business strategy: Toward a next generation of insights. MIS Quarterly, 37(2), 471-482.
• Burrell, N. N. (2021). Cybersecurity leadership from a talent management organizational development lens. (Unpublished Exegesis). Capitol Technology University, Maryland, USA.
• Cameron, K. S., & Quinn, R. E. (2006). Diagnosing and changing organizational culture: Based on the competing values framework. John Wiley & Sons.
• Carpenter, P. & Roer, K. (2022). The Security Culture Playbook: An Executive Guide To Reducing Risk and Developing Your Human Defense Layer. Wiley, New Jersey, US.
• Comptia (2018). Building a culture of cybersecurity: A guide for corporate executives and board members, Comptia White Paper, Erişim Tarihi: 13.01.2023, Erişim Adresi: https://comptiacdn.azureedge.net/webcontent/docs/default-source/research-reports/04917-ccab-whitepaper-online7a673748134243a5a75fe5369914dea0.pdf?sfvrsn=8c25744d_0
• Corradini, I. (2020). Building a cybersecurity culture in organizations: How to bridge the gap between people and digital technology. Springer Nature, Berlin/Heidelberg, Germany.
• Da Veiga, A., Astakhova, L. V., Botha, A., & Herselman, M. (2020). Defining organisational information security culture—Perspectives from academia and industry. Computers & Security, 92, 101713.
• Dawson, J. & Thompson, R. (2018). The future cybersecurity workforce: Going beyond technical skills for successful cyber performance. Front. Psychol., 9, 744.
• Deloitte (2023). Global future of cyber survey, Deloitte Global, Erişim adresi: https://www2.deloitte.com/content/dam/Deloitte/at/Documents/presse/at-deloitte-global-future-of-cyber-survey-2023.pdf
• Denison, D. R., Nieminen, L. R., & Kotrba, L. (2020). Diagnosing organizational cultures: A conceptual and empirical review of culture effectiveness surveys. European Journal of Work and Organizational Psychology, 29(1), 1-22.
• Fitzgerald, M., Kruschwitz, N., Bonnet, D., & Welch, M. (2013). Embracing digital technology: A new strategic imperative. MIT Sloan Management Review, 55(2), 1-12.
• Gibson, C. B., & Gibbs, J. L. (2006). Unpacking the concept of virtuality: The effects of geographic dispersion, electronic dependence, dynamic structure, and national diversity on team innovation. Administrative Science Quarterly, 51(3), 451-495.
• Glaspie, H. W. & Karwowski, W. (2018). Human Factors in Information Security Culture: A Literature Review. In: Nicholson, D. (eds) Advances in Human Factors in Cybersecurity. AHFE 2017. Advances in Intelligent Systems and Computing, vol 593. Springer.
• Glynn, M. A., Giorgi, S. & Lockwood, C. (2013). Organization culture. Obo in Management. doi: 10.1093/obo/9780199846740-0059
• Hofstede, G. (1991). Cultures and organizations: Software of the mind. McGraw-Hill.
• Hofstede, G. (2011). Dimensionalizing Cultures: The Hofstede Model in Context. Online Readings in Psychology and Culture, 2(1). https://doi.org/10.9707/2307-0919.1014
• Huang, K. & Pearlson, K.E. (2019). For what technology can't fix: Building a model of organizational cybersecurity culture. 52nd Hawaii International Conference on System Sciences.
• IBM, (2014). IBM security services 2014 cybersecurity intelligence index, IBM Global Technology Services, Erişim Tarihi: 15.01.2023, Erişim Adresi: https://i.crn.com/sites/default/files/ckfinderimages/userfiles/images/crn/custom/IBMSecurityServices2014.PDF
• Kane, G. C., Palmer, D., Phillips, A. N., Kiron, D., & Buckley, N. (2015). Strategy, not technology, drives digital transformation. MIT Sloan Management Review and Deloitte University Press.
• Kuusisto, R. & Kuusisto, T. (2013). Strategic communication for cyber-security leadership. Journal of Information Warfare, 12(3), 41–48. https://www.jstor.org/stable/26486840
• Lehto, M. & Limnell, J. (2020). Strategic leadership in cyber security, Case Finland. Information Security Journal: A Global Perspective, 30, 1-10. 10.1080/19393555.2020.1813851.
• Linnenluecke, M. K., & Griffiths, A. (2010). Corporate sustainability and organizational culture. Journal of World Business, 45(4), 357-366.
• Martins, E. C. & Terblanche F. (2003). Building organizational culture that stimulates creativity and innovation. European Journal of Innovation Management, 6,1, 64-74.
• Matveev, A.V. & Nelson, P. E. (2004). Cross cultural communication competence and multicultural team performance. International Journal of Cross Cultural Management, 4, 2, 253-270.
• Merriam-Webster (2023). Cybersecurity. Merriam-Webster.com Dictionary. Erişim Adresi: https://www.merriam-webster.com/dictionary/cybersecurity
• Metalidou, E., Marinagi, C., Trivellas, P., Eberhagen, N., Skourlas, C., & Giannakopoulos, G. (2014). The human factor of information security: Unintentional damage perspective. Procedia Soc. Behav. Sci., 147, 424–428.
• National Institute of Standards and Technology (NIST) (2018). Framework for improving critical infrastructure cybersecurity, National Institute of Standards and Technology (NIST), Version 1.1, Erişim Adresi: https://nvlpubs.nist.gov/nistpubs/cswp/nist.cswp.04162018.pdf
• Nel, F. ve Drevin, L. (2019). Key elements of an information security culture in organisations. Information & Computer Security, 27(2), 146-164.
• NIST (2013). Glossary of Key Information Security Terms, NISTIR 7298 Rev.2., Erişim Adresi: https://nvlpubs.nist.gov/nistpubs/ir/2013/NIST.IR.7298r2.pdf
• Nobles, C. (2018). Botching human factors in cybersecurity in business organizations. Holistica–Journal of Business and Public Administration, 9(3), 71-88.
• Parenty, T. J. & Domet, J. J. (2019). A leader’s guide to cybersecurity: Why boards need to lead—and how to do, Harvard Business Review, Press: Boston, MA, USA.
• Pettigrew, A. M. (1979). On studying organizational cultures. Administrative Science Quarterly, 24(4), 570–581, https://doi.org/10.2307/2392363.
• Pollini, A., Callari, T. C., Tedeschi, A., Ruscio, D., Save, L., Chiarugi, F., & Guerri, D. (2021). Leveraging human factors in cybersecurity: An integrated methodological approach. Cogn. Technol. Work, 24, 371–390.
• Reegård, K., Blackett, C., & Katta, V. (2019). The concept of cybersecurity culture. 29th European Safety and Reliability Conference, October. doi: 10.3850/978-981-11-2724-3
• Reid, R. & Van Niekerk, J., (2014). From information security to cyber security cultures organizations to societies. Inf. Secur. South Africa (ISSA), IEEE, 1-7.
• Roer, K., Petrič, G., Eriksen, A. C., Paglia, J., Ulimoen, T., Huisman, J., Smothers, R. L., & Carpenter, P. (2022). The security culture report, KnowBe4 Research, Erişim Tarihi: 20.01.2023, Erişim Adresi: https://www.knowbe4.com/organizational-cyber-security-culture-research-report#focus-form
• Rotherberger, K. E. (2016). A quantitative study of perceptions about leadership competencies of IT project managers. Ph.D. Thesis, Cappella University, Minneapolis, MN, USA.
• Sandhu, J. S. (2021). Cybersecurity for executives: Advancing leaders to practical cyber risk management, Notion Press, Tamil Nadu, India.
• Schein, E. H. (1985). Organizational culture and leadership. Jossey-Bass.
• Schultz, E. (2005). The human factor in security. Comput. Sec., 24, 425–426.
• Schwartz, R. B., & Murnane, R. J. (2018). The digital transformation of education: Connecting schools with the changing world. Penguin.
• Siponen, M. T. (2000). A conceptual foundation for organizational information security awareness. Information Management & Computer Security, 8(1), 31-41. https://doi.org/10.1108/09685220010371394
• Triplett, W. (2021). Establishing a cybersecurity culture organization. Acta Scientific Computer Sciences, 3, 8, 44-49.
• Triplett, W.J. (2022). Addressing human factors in cybersecurity leadership. Journal of Cybersecurity and Privacy, 2, 573–586. https://doi.org/10.3390/jcp2030029
• Uchendu, B., Nurse, J.R., Bada, M., & Furnell, S. (2021). Developing a cyber security culture: Current practices and future needs. Computer Security, 9, 109.
• Verma, S., & Bhattacharyya, S. S. (2017). Perceiving organizational culture for digital transformation: A cybernetic study. Vikalpa, 42(4), 220-233.
• Von Solms (2010). The 5 waves of information security – from kristian beckman to the present, in Rannenberg, K, Varadhajaran, V and Weber, C. (Eds.) SEC2010, IFIP Advances in Information and Communication Technology, Vol 330, pp 1‐8.
• Von Solms, R. & Van Niekerk, J. (2013). From information security to cyber security. Computers & Security, 38, 97-102. https://doi.org/10.1016/j.cose.2013.04.004
• Ware, W. H. (1970). Security controls for computer systems. Technical report, Rand Corp Santa Monica, CA, USA.
• Westerman, G., Calméjane, C., Bonnet, D., Ferraris, P., & McAfee, A. (2014). Digital transformation: A roadmap for billion-dollar organizations. MIT Center for Digital Business.
• Wiegmann, D.A., Zhang, H., von Thaden, T., Sharma, G., & Mitchell, A. (2002). Safety culture: A review. Technical Report ARL-02-3/FAA-02-2. Illinois: Aviation Research Lab, Institute of Aviation.
• Wiley, A., McCormac, A., & Calic, D. (2020). More than the individual: Examining the relationship between culture and information security awareness. Computers & Security, 88, 101640. https://doi.org/10.1016/j.cose.2019.101640
• World Economic Forum (2023). Global Cybersecurity Outlook 2023, Insight Report, Erişim Adresi: https://www3.weforum.org/docs/WEF_Global_Security_Outlook_Report_2023.pdf