{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,11,11]],"date-time":"2025-11-11T13:58:06Z","timestamp":1762869486918,"version":"3.41.2"},"reference-count":42,"publisher":"Oxford University Press (OUP)","issue":"1","license":[{"start":{"date-parts":[[2025,1,17]],"date-time":"2025-01-17T00:00:00Z","timestamp":1737072000000},"content-version":"vor","delay-in-days":16,"URL":"https:\/\/creativecommons.org\/licenses\/by-nc-nd\/4.0\/"}],"funder":[{"DOI":"10.13039\/100000001","name":"National Science Foundation","doi-asserted-by":"publisher","award":["1932769"],"award-info":[{"award-number":["1932769"]}],"id":[{"id":"10.13039\/100000001","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2025,1,17]]},"abstract":"<jats:title>Abstract<\/jats:title>\n               <jats:p>While many cybersecurity culture studies have focused on identifying and measuring an organization's cybersecurity culture\u2014assumptions, values, behaviors, and artifacts\u2014less research has focused on how cybersecurity culture is enacted in the daily workplace in ways that lead to cultural change. In this paper, I approach cybersecurity culture as a meaning-making activity, or practice within an organization. Organizational theory on narrative practices\u2014including storytelling, sensemaking, and sensegiving\u2014provide a conceptual framework to better understand cultural meaning-making practices, as well as how those practices shape decision-making and organizational actions. Using ethnographic observation and interview data, I conducted a narrative analysis of interdisciplinary communication between IT and Facilities professionals working with Internet of Things vendors and their associated risks. The findings demonstrate that storytelling, sensegiving, and sensemaking practices were key to developing an emerging narrative that shaped professional and organizational decision-making to improve cybersecurity. The results of this study suggest that a narrative approach to cybersecurity culture can illuminate practices of cultural meaning-making and organizational decision-making, and suggests that organizations should provide resources for IT and Facilities professionals to engage in interdisciplinary work to create a more robust cybersecurity culture in Facilities departments.<\/jats:p>","DOI":"10.1093\/cybsec\/tyae030","type":"journal-article","created":{"date-parts":[[2025,1,17]],"date-time":"2025-01-17T13:02:18Z","timestamp":1737118938000},"source":"Crossref","is-referenced-by-count":3,"title":["Telling stories about vendors: narrative practices to negotiate risk and establish an organizational cybersecurity culture"],"prefix":"10.1093","volume":"11","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-9347-4656","authenticated-orcid":false,"given":"Laura D","family":"Osburn","sequence":"first","affiliation":[{"name":"Department of Construction Management, University of Washington , Seattle, WA 98103 ,","place":["United States"]}]}],"member":"286","published-online":{"date-parts":[[2025,1,17]]},"reference":[{"key":"2025021914443737300_bib1","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1016\/j.cose.2021.102387","article-title":"Developing a cyber security culture: current practices and future needs","volume":"109","author":"Uchendu","year":"2021","journal-title":"Comput Secur"},{"volume-title":"Sensemaking in Organizations","year":"1995","author":"Weick","key":"2025021914443737300_bib2"},{"key":"2025021914443737300_bib3","first-page":"243","article-title":"Argument and narration in organizational communication","volume":"12","author":"Weick","year":"1986","journal-title":"J Manag"},{"key":"2025021914443737300_bib4","doi-asserted-by":"crossref","first-page":"98","DOI":"10.1007\/978-3-319-58553-6_9","article-title":"Cybersecurity culture: an ill-defined problem","volume-title":"Information Security Education for a Global Digital Society","author":"Gcaza","year":"2017"},{"key":"2025021914443737300_bib5","doi-asserted-by":"crossref","first-page":"4036","DOI":"10.3850\/978-981-11-2724-3_0761-cd","article-title":"The concept of cybersecurity culture","volume-title":"Proceedings of the 29th European Safety and Reliability Conference (ESREL 2019)","author":"Reeg\u00e5rd","year":"2019"},{"volume-title":"Organizational Culture and Leadership","year":"2010","author":"Schein","key":"2025021914443737300_bib6"},{"key":"2025021914443737300_bib7","doi-asserted-by":"crossref","DOI":"10.4135\/9781483328478","volume-title":"Organizational Culture: Mapping the Terrain","author":"Martin","year":"2002"},{"key":"2025021914443737300_bib8","doi-asserted-by":"crossref","DOI":"10.1093\/oso\/9780195071634.001.0001","volume-title":"Cultures in Organizations: Three Perspectives","author":"Martin","year":"1992"},{"key":"2025021914443737300_bib9","doi-asserted-by":"crossref","first-page":"1006","DOI":"10.1109\/SAI.2016.7556102","article-title":"A cybersecurity culture research philosophy and approach to develop a valid and reliable measuring instrument","volume-title":"Proceedings of 2016 SAI Computing Conference (SAI)","author":"Da\u00a0Veiga","year":"2016"},{"key":"2025021914443737300_bib10","doi-asserted-by":"crossref","first-page":"72","DOI":"10.1016\/j.cose.2017.05.002","article-title":"Defining and identifying dominant information security cultures and subcultures","volume":"70","author":"Da\u00a0Veiga","year":"2017","journal-title":"Comput Secur"},{"key":"2025021914443737300_bib11","doi-asserted-by":"crossref","first-page":"101713","DOI":"10.1016\/j.cose.2020.101713","article-title":"Defining organisational information security culture\u2014perspectives from academia and industry","volume":"92","author":"Da\u00a0Veiga","year":"2020","journal-title":"Comput Secur"},{"key":"2025021914443737300_bib12","doi-asserted-by":"crossref","first-page":"6398","DOI":"10.24251\/HICSS.2019.769","article-title":"For what technology can't fix: building a model of organizational cybersecurity culture","volume-title":"Proceedings of the 52nd Hawaii International Conference on System Sciences. Manoa, HI: HICSS","author":"Huang","year":"2019"},{"key":"2025021914443737300_bib13","first-page":"193","article-title":"Building organizational risk culture in cyber security: the role of Human factors","volume-title":"Advances in Human Factors in Cybersecurity","author":"Corradini","year":"2019"},{"key":"2025021914443737300_bib14","doi-asserted-by":"crossref","first-page":"108","DOI":"10.1016\/j.giq.2015.02.001","article-title":"Cyber Gurus\u2019: a rhetorical analysis of the language of cybersecurity specialists and the implications for security policy and critical infrastructure protection","volume":"32","author":"Quigley","year":"2015","journal-title":"Gov Inf Q"},{"key":"2025021914443737300_bib15","article-title":"Sensemaking in cybersecurity incident response: the interplay of organizations, technology and individuals","volume-title":"A Virtual AIS Conference","author":"Lakshmi","year":"2021"},{"key":"2025021914443737300_bib16","article-title":"Creative and set in their ways: challenges of security sensemaking in newsrooms","volume-title":"Proceedings of the 7th USENIX Workshop on Free and Open Communications on the Internet. USENIX Association","author":"Watkins","year":"2017"},{"key":"2025021914443737300_bib17","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1093\/cybsec\/tyaa011","article-title":"Exploring the security narrative in the work context","volume":"6","author":"Busse","year":"2020","journal-title":"J Cybersecur"},{"key":"2025021914443737300_bib18","doi-asserted-by":"crossref","first-page":"611","DOI":"10.1353\/anq.2021.0037","article-title":"The cultural construction of cybersecurity: digital threats and dangerous rhetoric","volume":"94","author":"Bernal","year":"2021","journal-title":"Anthropol Q"},{"key":"2025021914443737300_bib19","doi-asserted-by":"crossref","first-page":"204","DOI":"10.1108\/09534811211213892","article-title":"The omnipresent personal narrative: story formulation and the interplay among narratives","volume":"25","author":"Hawkins","year":"2012","journal-title":"J Organ Change Manag"},{"key":"2025021914443737300_bib20","doi-asserted-by":"crossref","DOI":"10.4135\/9781849209502","volume-title":"Narratives in Social Science Research","author":"Czarniawska-Joerges","year":"2004"},{"key":"2025021914443737300_bib21","doi-asserted-by":"crossref","DOI":"10.4135\/9781849209496","volume-title":"Narrative Methods for Organizational and Communication Research","author":"Boje","year":"2001"},{"key":"2025021914443737300_bib22","doi-asserted-by":"crossref","first-page":"106","DOI":"10.2307\/2393432","article-title":"The Storytelling Organization: a study of story performance in an office-supply firm","volume":"36","author":"Boje","year":"1991","journal-title":"Adm Sci Q"},{"key":"2025021914443737300_bib23","doi-asserted-by":"crossref","DOI":"10.1075\/sin.8","volume-title":"Small Stories, Interaction and Identities","author":"Georgakopoulou","year":"2007"},{"key":"2025021914443737300_bib24","doi-asserted-by":"crossref","first-page":"582","DOI":"10.1177\/1350507614553547","article-title":"Fragmented work stories: developing an antenarrative approach by discontinuity, tensions and editing","volume":"46","author":"Humle","year":"2015","journal-title":"Manag Learn"},{"key":"2025021914443737300_bib25","doi-asserted-by":"crossref","first-page":"96","DOI":"10.1017\/CBO9780511676512.006","article-title":"The Situated Production of Stories","volume-title":"Organization, Interaction and Practice: Studies in Ethnomethodology and Conversation Analysis","author":"Greatbatch","year":"2010"},{"key":"2025021914443737300_bib26","doi-asserted-by":"crossref","first-page":"265","DOI":"10.1177\/0170840614559259","article-title":"Making sense of sensemaking in organization studies","volume":"36","author":"Brown","year":"2015","journal-title":"Org Stud"},{"key":"2025021914443737300_bib27","first-page":"377","article-title":"Small stories as a new perspective in narrative and identity analysis","volume":"28","author":"Bamberg","year":"2008","journal-title":"Text Talk Interdiscip J Lang Discourse Commun Stud"},{"key":"2025021914443737300_bib28","first-page":"275","article-title":"Introduction: narrative analysis in the shift from texts to practices","volume":"28","author":"de\u00a0Fina","year":"2008","journal-title":"Text Talk Interdiscip J Lang Discourse Commun Stud"},{"key":"2025021914443737300_bib29","doi-asserted-by":"crossref","first-page":"476","DOI":"10.1016\/j.emj.2020.10.007","article-title":"Reflexive sensegiving: an open-ended process of influencing the sensemaking of others during organizational change","volume":"39","author":"Robert","year":"2021","journal-title":"Eur Manag J"},{"key":"2025021914443737300_bib30","doi-asserted-by":"crossref","first-page":"79","DOI":"10.1016\/j.jbusres.2018.03.009","article-title":"sensegiving and absorptive capacity in complex procurements","volume":"88","author":"Prior","year":"2018","journal-title":"J Bus Res"},{"key":"2025021914443737300_bib31","doi-asserted-by":"crossref","first-page":"349","DOI":"10.1177\/0170840609357380","article-title":"Narrative construction as sensemaking: how a Central bank thinks","volume":"31","author":"Abolafia","year":"2010","journal-title":"Org Stud"},{"key":"2025021914443737300_bib32","first-page":"248","article-title":"Organization, narrative and strategy","volume-title":"Towards a New Theory of Organizations","author":"Law","year":"1994"},{"key":"2025021914443737300_bib33","doi-asserted-by":"crossref","first-page":"751","DOI":"10.1177\/13505084030104002","article-title":"Narratives of change: discourse, technology and organization","volume":"10","author":"Doolin","year":"2003","journal-title":"Organization"},{"key":"2025021914443737300_bib34","doi-asserted-by":"crossref","first-page":"69","DOI":"10.1177\/135050840071005","article-title":"Narrative infrastructure in product creation processes","volume":"7","author":"Deuten","year":"2000","journal-title":"Organization"},{"key":"2025021914443737300_bib35","first-page":"220","article-title":"Ethnographies of work and the work of ethnographers","volume-title":"Handbook of Ethnography","author":"Smith","year":"2014"},{"volume-title":"The Interpretation of Cultures: Selected Essays","year":"1973","author":"Geertz","key":"2025021914443737300_bib36"},{"key":"2025021914443737300_bib37","doi-asserted-by":"crossref","DOI":"10.4135\/9781412983235","volume-title":"A Narrative Approach to Organization Studies","author":"Czarniawska","year":"1998"},{"key":"2025021914443737300_bib38","first-page":"384","article-title":"Narrative analysis in ethnography","volume-title":"Handbook of Ethnography","author":"Cortazzi","year":"2014"},{"volume-title":"Basics of Qualitative Research: Grounded Theory Procedures and Techniques","year":"1990","author":"Strauss","key":"2025021914443737300_bib39"},{"key":"2025021914443737300_bib40","doi-asserted-by":"crossref","DOI":"10.1201\/9781003379584-19","article-title":"Doing Online Ethnography: Reflections on Methods and Challenges in Hybrid Environments","volume-title":"Embracing Ethnography: Doing Contextualised Construction Research","author":"Osburn","year":"2024"},{"key":"2025021914443737300_bib41","doi-asserted-by":"crossref","DOI":"10.4324\/9780203946268","volume-title":"Using Narrative Inquiry as a Research Method","author":"Webster","year":"2007"},{"key":"2025021914443737300_bib42","first-page":"113","article-title":"Exploring the security culture of operational technology (OT) organisations: the role of external consultancy in overcoming organisational barriers","volume-title":"Proceedings of the Nineteenth Symposium on Usable Privacy and Security","author":"Evripidou","year":"2022"}],"container-title":["Journal of Cybersecurity"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/academic.oup.com\/cybersecurity\/article-pdf\/11\/1\/tyae030\/61484213\/tyae030.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/academic.oup.com\/cybersecurity\/article-pdf\/11\/1\/tyae030\/61484213\/tyae030.pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,2,19]],"date-time":"2025-02-19T14:45:01Z","timestamp":1739976301000},"score":1,"resource":{"primary":{"URL":"https:\/\/academic.oup.com\/cybersecurity\/article\/doi\/10.1093\/cybsec\/tyae030\/7959398"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025]]},"references-count":42,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2025,1,17]]}},"URL":"https:\/\/doi.org\/10.1093\/cybsec\/tyae030","relation":{},"ISSN":["2057-2085","2057-2093"],"issn-type":[{"type":"print","value":"2057-2085"},{"type":"electronic","value":"2057-2093"}],"subject":[],"published-other":{"date-parts":[[2025]]},"published":{"date-parts":[[2025]]},"article-number":"tyae030"}}