Proceedings of the
35th European Safety and Reliability Conference (ESREL2025) and
the 33rd Society for Risk Analysis Europe Conference (SRA-E 2025)
15 – 19 June 2025, Stavanger, Norway

Learning from Safety Culture to Optimise Cybersecurity Culture

Claire Blackett

Risk Pilot AB, Sweden.

ABSTRACT

As the cybersecurity threat landscape continues to evolve, there is a growing awareness within the industry that protection against threats depends on more than complex technology infrastructure and tools. Human error is still considered to be the cause of most cybersecurity breaches, but humans may also be the key to building a successful cybersecurity defence. Over time, it has become evident that the most common approaches to addressing cybersecurity, e.g., awareness training and simulated phishing attacks, will not be sufficient by themselves. Successful implementation of cybersecurity measures requires both a human-centred approach and the adoption of a cybersecurity culture mindset within the organisation. Safety-critical industries have faced a similar challenge over the past almost 40 years, since the Chernobyl nuclear accident revealed that systemic organisational issues created the conditions for human error to occur. In the wake of this and other large-scale industrial accidents, safety-critical organisations identified the need for cultural change to fully embed safe behaviours and practices so that future accidents may be avoided. Safety culture has continued to evolve in the years since, and it offers several lessons for organisations attempting to implement a cybersecurity culture today. This paper explores the many parallels between safety culture and cybersecurity culture and considers how organisations could learn from the implementation of safety culture to support adoption of a sustainable, human-centred cybersecurity culture.

Keywords: Cybersecurity, Cybersecurity culture, Safety culture, Human factors, Nuclear.


