{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,6]],"date-time":"2026-04-06T10:07:07Z","timestamp":1775470027754,"version":"3.50.1"},"reference-count":25,"publisher":"Emerald","issue":"2","license":[{"start":{"date-parts":[[2023,10,5]],"date-time":"2023-10-05T00:00:00Z","timestamp":1696464000000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["ICS"],"published-print":{"date-parts":[[2024,4,17]]},"abstract":"<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Purpose<\/jats:title>\n<jats:p>The human factor is the most important defense asset against cyberattacks. To ensure that the human factor stays strong, a cybersecurity culture must be established and cultivated in a company to guide the attitudes and behaviors of employees. Many cybersecurity culture frameworks exist; however, their practical application is difficult. This paper aims to demonstrate how an established framework can be applied to determine and improve the cybersecurity culture of a company.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Design\/methodology\/approach<\/jats:title>\n<jats:p>Two surveys were conducted within eight months in the internal IT department of a global software company to analyze the cybersecurity culture and the applied improvement measures. 
Both surveys comprised the same 23 questions to measure cybersecurity culture according to six dimensions: cybersecurity accountability, cybersecurity commitment, cybersecurity necessity and importance, cybersecurity policy effectiveness, information usage perception and management buy-in.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Findings<\/jats:title>\n<jats:p>Results demonstrate that cybersecurity culture maturity can be determined and improved if accurate measures are derived from the results of the survey. The first survey showed potential for improving the dimensions of cybersecurity accountability, cybersecurity commitment and cybersecurity policy effectiveness, while the second survey proved that these dimensions have been improved.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Originality\/value<\/jats:title>\n<jats:p>This paper proves that practical application of cybersecurity culture frameworks is possible if they are appropriately tailored to a given organization. 
In this regard, scientific research and practical application combine to offer real value to researchers and cybersecurity executives.<\/jats:p>\n<\/jats:sec>","DOI":"10.1108\/ics-07-2023-0116","type":"journal-article","created":{"date-parts":[[2023,10,3]],"date-time":"2023-10-03T07:24:34Z","timestamp":1696317874000},"page":"179-196","source":"Crossref","is-referenced-by-count":11,"title":["Determining cybersecurity culture maturity and deriving verifiable improvement measures"],"prefix":"10.1108","volume":"32","author":[{"given":"Peter","family":"Dornheim","sequence":"first","affiliation":[]},{"given":"Ruediger","family":"Zarnekow","sequence":"additional","affiliation":[]}],"member":"140","published-online":{"date-parts":[[2023,10,5]]},"reference":[{"key":"key2024041515464135600_ref001","article-title":"Developing cybersecurity culture to influence employee behavior: a practice perspective","volume":"98","year":"2020","journal-title":"Computers and Security"},{"issue":"2","key":"key2024041515464135600_ref002","doi-asserted-by":"crossref","first-page":"525","DOI":"10.25300\/MISQ\/2019\/15117","article-title":"Seeing the forest and the trees: a meta-analysis of the antecedents to information security policy compliance","volume":"43","year":"2019","journal-title":"MIS Quarterly"},{"issue":"5","key":"key2024041515464135600_ref003","doi-asserted-by":"crossref","first-page":"584","DOI":"10.1108\/ICS-08-2017-0056","article-title":"An approach to information security culture change combining adkar and the isca questionnaire to aid transition to the desired culture","volume":"26","year":"2018","journal-title":"Information and Computer Security"},{"issue":"2","key":"key2024041515464135600_ref004","doi-asserted-by":"crossref","first-page":"196","DOI":"10.1016\/j.cose.2009.09.002","article-title":"A framework and assessment instrument for information security culture","volume":"29","year":"2010","journal-title":"Computers and 
Security"},{"key":"key2024041515464135600_ref005","doi-asserted-by":"crossref","first-page":"162","DOI":"10.1016\/j.cose.2014.12.006","article-title":"Improving the information security culture through monitoring and implementation actions illustrated through a case study","volume":"49","year":"2015","journal-title":"Computers and Security"},{"issue":"2","key":"key2024041515464135600_ref006","doi-asserted-by":"crossref","first-page":"243","DOI":"10.1016\/j.clsr.2015.01.005","article-title":"Information security culture and information protection culture: a validated assessment instrument","volume":"31","year":"2015","journal-title":"Computer Law and Security Review"},{"key":"key2024041515464135600_ref007","article-title":"Defining organisational information security culture perspectives from academia and industry","volume":"92","year":"2020","journal-title":"Computers and Security"},{"key":"key2024041515464135600_ref008","article-title":"2022 Technology spending intentions survey","author":"ESG Research","year":"2022"},{"key":"key2024041515464135600_ref009","volume-title":"\u2018Human Factors in Information Security Culture: A Literature Revie\u2019","year":"2018"},{"key":"key2024041515464135600_ref010","doi-asserted-by":"crossref","unstructured":"IBM Security and Ponemon Institute (2022), \u201cCost of a data breach report 2022\u201d.","DOI":"10.12968\/S1353-4858(22)70049-9"},{"issue":"3","key":"key2024041515464135600_ref011","doi-asserted-by":"crossref","first-page":"607","DOI":"10.1177\/001316447003000308","article-title":"Determining sample size for research activities","volume":"30","year":"1970","journal-title":"Educational and Psychological Measurement"},{"issue":"3","key":"key2024041515464135600_ref012","doi-asserted-by":"crossref","first-page":"445","DOI":"10.1108\/ICS-02-2019-0025","article-title":"Response biases in policy compliance research","volume":"28","year":"2019","journal-title":"Information and Computer 
Security"},{"key":"key2024041515464135600_ref013","first-page":"203","article-title":"Information security culture","volume":"86","year":"2002","journal-title":"Security in the Information Society"},{"issue":"1","key":"key2024041515464135600_ref014","doi-asserted-by":"crossref","first-page":"285","DOI":"10.25300\/MISQ\/2018\/13853","article-title":"Toward a unified model of information security policy compliance","volume":"42","year":"2018","journal-title":"MIS Quarterly"},{"key":"key2024041515464135600_ref015","doi-asserted-by":"crossref","first-page":"12","DOI":"10.1016\/j.jisa.2018.11.003","article-title":"An analysis on the dimensions of information security culture concept: a review","volume":"44","year":"2019","journal-title":"Journal of Information Security and Applications"},{"key":"key2024041515464135600_ref016","first-page":"4036","article-title":"The concept of cybersecurity culture","volume-title":"29th European Safety and Reliability Conference","year":"2019"},{"key":"key2024041515464135600_ref017","first-page":"101","article-title":"State of the art in information security policy development","volume":"88","year":"2020","journal-title":"Computers and Security"},{"key":"key2024041515464135600_ref018","doi-asserted-by":"crossref","first-page":"40","DOI":"10.1016\/j.cose.2017.01.004","article-title":"The human aspects of information security questionnaire (hais-q): two further validation studies","volume":"66","year":"2017","journal-title":"Computers and Security"},{"key":"key2024041515464135600_ref019","unstructured":"SAP Qualtrics (2023), \u201cQualtrics homepage\u201d, available at: www.qualtrics.com\/"},{"issue":"3","key":"key2024041515464135600_ref020","article-title":"Analysis of cybersecurity competencies: recommendations for telecommunications policy","volume":"46","year":"2022","journal-title":"Telecommunications Policy"},{"key":"key2024041515464135600_ref021","article-title":"Developing a cyber security culture: current practices and future 
needs","volume":"109","year":"2021","journal-title":"Computers and Security"},{"issue":"4","key":"key2024041515464135600_ref022","doi-asserted-by":"crossref","first-page":"361","DOI":"10.1080\/10580530701586136","article-title":"An information security governance framework","volume":"24","year":"2007","journal-title":"Information Systems Management"},{"key":"key2024041515464135600_ref023","doi-asserted-by":"crossref","unstructured":"Verizon (2022), \u201cData breach investigations report 2022\u201d.","DOI":"10.12968\/S1361-3723(22)70578-7"},{"key":"key2024041515464135600_ref024","article-title":"More than the individual: examining the relationship between culture and information security awareness","volume":"88","year":"2020","journal-title":"Computers and Security"},{"key":"key2024041515464135600_ref025","article-title":"Measuring cyber secure behavior of elementary and high school students in The Netherlands","volume":"186","year":"2022","journal-title":"Computers and Education"}],"container-title":["Information & Computer 
Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-07-2023-0116\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-07-2023-0116\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,25]],"date-time":"2025-07-25T01:23:06Z","timestamp":1753406586000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/ics\/article\/32\/2\/179-196\/1229163"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,10,5]]},"references-count":25,"journal-issue":{"issue":"2","published-online":{"date-parts":[[2023,10,5]]},"published-print":{"date-parts":[[2024,4,17]]}},"alternative-id":["10.1108\/ICS-07-2023-0116"],"URL":"https:\/\/doi.org\/10.1108\/ics-07-2023-0116","relation":{},"ISSN":["2056-4961","2056-4961"],"issn-type":[{"value":"2056-4961","type":"print"},{"value":"2056-4961","type":"electronic"}],"subject":[],"published":{"date-parts":[[2023,10,5]]}}}