Drawing on the Success of Developing a Safety Culture to Improve the Security Culture in Companies That Use Operational Technology

Companies using operational technology (OT), including critical infrastructure ones, are increasingly becoming more digitalized. This digitalization, however, has led to an extended attack surface, making cybersecurity a necessity. One approach to enhance a company's security is the development of a security culture, similar to what has already been done with safety culture in these companies. While the two cultures share many commonalities, there has been limited research into their relationship. As such, we have conducted a critical analysis of the safety and security culture literatures, as well as 35 interviews with OT security professionals on the topic of security culture development. Our findings demonstrate that both cultures share almost entirely overlapping enabling factors, such as top management leadership and involvement. Accordingly, the successful development of safety culture informs security practitioners' views on practices such as establishing security management systems and security communications. However, a few obstacles prevent security culture from reaching the level of safety culture, including differences in how safety and security risks are perceived. As security culture is still in its early maturity stages, future research could investigate ways to integrate both cultures in operational environments, as well as examine how safety and security risks are perceived by OT employees.

Keywords: Security, Safety, Cybersecurity, Security culture, Safety culture, Organizational culture, Operational technology, OT, Critical infrastructure, Industrial control systems.

Download PDF