Day 30 Understanding Cybersecurity Culture - Does It Really Exist?
Day 30 Does Cybersecurity Culture Really Exist? (Japanese edition, translated)
"Does cybersecurity culture really exist?"
"And if it does, is it possible to 'transform' it?"
These two questions are the heart of today's theme.
Today we define cybersecurity culture itself and get hold of the overall picture.
Tomorrow we go one step further and explore how to cultivate and transform it.
Does Security Culture Exist? - The Debate Continues
Opinion in the cybersecurity world is still divided.
Skeptics say "security culture is an illusion."
Practitioners and researchers say it is "in fact the most important element."
But when you look at both the literature and the field, the answer grows steadily clearer:
"Culture certainly exists, and it underpins the very foundation of security."
Defining Cybersecurity Culture
SECURIT's definition
Cybersecurity culture is
"patterns of thought, behaviour and values that are shaped by internal and external influences, shared and passed on within a group, and that affect information security."
In short:
the cultural engine that determines how the people in an organization think and act.
Eloff (2010)
"The organization's assumptions about what constitutes 'desirable security behaviour'."
In other words, a state in which CIA (confidentiality, integrity, availability) is woven into everyday behaviour.
Awareness (knowing) → Behavior (acting) → Culture (practicing together)
Narayanan (2012) captured this shift very aptly:
Awareness ("I know")
→ Behavior ("I do")
→ Culture ("We know and do")
Culture is "the habituated will of the group." When individual understanding is elevated into collective action, culture is born.
Security behaviour has "seven modes"
I extended the model of Alfawaz, Nelson & Mohannak (2010) to seven modes by adding the presence or absence of motivation.
- Knowing-Doing (knows, and does) - the ideal
The rules are understood, acted on, and have become habit.
- Knowing-Not Doing (knows, but does not do) - the hardest to address
The rules are understood yet deliberately broken. The biggest challenge.
- Not Knowing-Doing (does not know, yet does it)
A rare state: good behaviour comes intuitively.
- Not Knowing-Not Doing (does not know, and does not do)
The typical "absence of culture." A breeding ground for risk.
- Not Willing to Know-Not Willing to Do (will not try to know, and has no motivation to do)
The stage of feeling "this has nothing to do with me."
- Not Willing to Know-Doing (will not try to know, but does it)
"Reluctant compliance." Culture has not yet taken root.
- Knowing-Not Willing to Do (knows, but lacks the motivation)
Non-action through negligence or indifference.
Analyzing this "behaviour map" brings the organization's cultural gaps into view all at once.
Where Does Culture Grow From? - The Three Pillars of Security Culture
Looking across Hall's iceberg model and the research of Eloff, Schlienger, Alnatheer and others, security culture has a visible part and an invisible part.
The three pillars that support its foundation are:
(1) Top management involvement (showing they mean it)
Budget, time, messaging: all of it builds culture.
(2) Consistent policy enforcement (no exceptions)
Culture breaks down starting from the "exceptions."
(3) Continuous education (turning understanding into action)
One-off training does not create culture.
Security Culture Operates at Three Levels: Organization, Team and Individual
Eloff & Martins (2006) view culture as a "dynamic process."
- Organizational level: systems, governance, risk management
- Group level: trust, team dynamics
- Individual level: awareness, ethics, everyday judgment
Each level is shaken by changes in the external environment, and "culture" is the output that results.
So, What Is Cybersecurity Culture?
Cybersecurity culture in an organization is
"the collectively shared pattern of attitudes, values and behaviours when dealing with information assets."
And the most desirable state is
Knowing-Doing (knows, and practices).
Technology is the weapon. Culture is the "foundation of judgment" that chooses and wields that weapon: the way of being in the digital world that the organization keeps choosing, without even noticing.
That state is supported by the three pillars:
- top management's genuine commitment
- thorough policy enforcement
- continuous education
Cybersecurity culture exists.
Then, can it be cultivated "intentionally"?
Is transformation possible?
Tomorrow we take a hard look at that question.
--
Day 30 Understanding Cybersecurity Culture - Does It Really Exist?
"Does a cybersecurity culture truly exist?
And if it does, can we actually transform it?"
These fundamental questions lie at the heart of today's exploration. Today, we'll examine the concept of cybersecurity culture itself. Tomorrow, I'll discuss practical approaches to managing and transforming it.

The Great Debate: Does Cybersecurity Culture Exist?
The cybersecurity community remains divided. Skeptics argue that "cybersecurity culture" is merely a buzzword, an artificial construct without substance. However, a growing body of practitioners and researchers insist not only that it exists, but that it is the most critical factor in any effective cybersecurity program.
Let's examine the evidence through academic research and practical frameworks.
Defining Cybersecurity (Information Security) Culture
SECURIT provides a foundational definition: Cybersecurity culture comprises "shared patterns of thought, behaviour, and values that arise and evolve within a social group, based on communicative processes influenced by internal and external requirements, are conveyed to new members and have implications on information security."
Eloff (2010) offers a more organizational perspective, defining information security culture as assumptions about which types of information security behaviors are accepted and encouraged--essentially incorporating the CIA triad (confidentiality, integrity, availability) into "the way we do things around here."
From Awareness to Culture: The Transformation Journey
Narayanan (2012) illustrates this progression elegantly:
Awareness ("I know") → Behavior ("I do") → Culture ("We know and do")
This simple model captures a profound truth: culture is the collective embodiment of individual knowledge transformed into shared practice.
The Seven Modes of Security Behavior
Building on Alfawaz, Nelson, and Mohannak's (2010) research framework, I've expanded their four original modes to seven, incorporating dimensions of motivation and willingness:
1. Knowing-Doing ✓
The ideal state. Users understand security rules, possess necessary skills, and consistently follow protocols. Security policies are well-communicated and effectively practiced.
2. Knowing-Not Doing ✗
Willful violation. Users understand requirements but intentionally disregard them. Policies exist and are communicated, yet users deliberately violate rules--the most challenging behavior to address.
3. Not Knowing-Doing ✓
Accidental compliance. Despite lacking formal training or awareness, users naturally exhibit secure behaviors. They voluntarily report violations and share security knowledge--a surprisingly positive state revealing intuitive security consciousness.
4. Not Knowing-Not Doing ✗
Ignorant non-compliance. Users lack awareness of security requirements and consequently engage in risky behaviors: sharing credentials, downloading unauthorized software, visiting malicious websites. This represents poor policy enforcement and communication.
5. Not Willing to Know-Not Willing to Do ✗
Complete disengagement. The most concerning state: zero motivation for information security. Characterized by attitudes like "security is someone else's problem" or "this will never happen to us."
6. Not Willing to Know-Doing ~
Forced compliance. Users follow security protocols only because they're mandated, without understanding or internal motivation. This achieves behavioral change without deeper cultural transformation.
7. Knowing-Not Willing to Do ✗
Negligence. Users possess knowledge but lack motivation to act. This represents a failure of engagement rather than awareness.
Mapping Security Behaviors: From Analysis to Transformation
The Alfawaz, Nelson, and Mohannak (2010) framework provides a methodology for surveying and mapping these behavioral modes across organizational units. This mapping reveals:
- Gap analysis between current and desired behaviors
- Behavioral variations across departments, teams, and levels
- Targeted intervention points for cultural change initiatives
Understanding where your organization sits on this map is essential for designing effective transformation strategies.
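As an added example, not code from the post or from Alfawaz, Nelson and Mohannak, here is a small survey-classification script covering the behaviour map described in this section and in the Japanese "seven modes" section above. It maps each respondent's knowledge state and action state to one of the seven modes (reporting the two combinations the model does not name as "Unmapped"), computes the share of each department sitting in the ideal Knowing-Doing mode, and, on my own assumption that each non-ideal mode is best addressed by one of the three foundation factors (training, policy enforcement, top management involvement), suggests which pillar to prioritise per department. Department names and responses are constructed sample data.

```python
from collections import Counter

# The seven behaviour modes from the post, keyed by (knowledge state, action state).
# Knowledge states: "knowing", "not_knowing", "not_willing_to_know".
# Action states:    "doing", "not_doing", "not_willing_to_do".
MODES = {
    ("knowing", "doing"): "Knowing-Doing",
    ("knowing", "not_doing"): "Knowing-Not Doing",
    ("not_knowing", "doing"): "Not Knowing-Doing",
    ("not_knowing", "not_doing"): "Not Knowing-Not Doing",
    ("not_willing_to_know", "not_willing_to_do"): "Not Willing to Know-Not Willing to Do",
    ("not_willing_to_know", "doing"): "Not Willing to Know-Doing",
    ("knowing", "not_willing_to_do"): "Knowing-Not Willing to Do",
}
IDEAL = "Knowing-Doing"

# Assumption (mine, not from the post): the foundation factor that most directly
# addresses each non-ideal mode. Knowledge gaps point at training, wilful
# violation at policy enforcement, lack of motivation at top-management involvement.
PILLAR_FOR_MODE = {
    "Knowing-Not Doing": "Security Policy Enforcement",
    "Not Knowing-Doing": "Information Security Training",
    "Not Knowing-Not Doing": "Information Security Training",
    "Not Willing to Know-Not Willing to Do": "Top Management Involvement",
    "Not Willing to Know-Doing": "Top Management Involvement",
    "Knowing-Not Willing to Do": "Top Management Involvement",
}


def classify(knowledge, action):
    """Map one survey response to its mode. Two of the nine combinations
    (not_knowing/not_willing_to_do and not_willing_to_know/not_doing) have no
    named mode in the seven-mode model and are reported as "Unmapped"."""
    return MODES.get((knowledge, action), "Unmapped")


def gap_analysis(responses):
    """responses: iterable of (department, knowledge, action) tuples.
    Returns, per department: the mode counts, the share of respondents in the
    ideal mode, and the pillar covering the largest number of non-ideal
    respondents (None if everyone is ideal or unmapped)."""
    by_dept = {}
    for dept, knowledge, action in responses:
        by_dept.setdefault(dept, Counter())[classify(knowledge, action)] += 1

    report = {}
    for dept, modes in by_dept.items():
        total = sum(modes.values())
        pillars = Counter()
        for mode, count in modes.items():
            if mode in PILLAR_FOR_MODE:
                pillars[PILLAR_FOR_MODE[mode]] += count
        priority = None
        if pillars:
            # Highest count wins; ties are broken alphabetically so output is deterministic.
            priority = sorted(pillars.items(), key=lambda kv: (-kv[1], kv[0]))[0][0]
        report[dept] = {
            "modes": modes,
            "ideal_share": modes.get(IDEAL, 0) / total,
            "priority_pillar": priority,
        }
    return report


def priority_order(report):
    """Departments ordered from lowest to highest ideal share, i.e. the order
    in which a cultural intervention is most urgent."""
    return [d for d, _ in sorted(report.items(), key=lambda kv: (kv[1]["ideal_share"], kv[0]))]


# Constructed sample survey (not real data): one row per respondent.
SAMPLE_SURVEY = [
    ("Finance", "knowing", "doing"),
    ("Finance", "knowing", "doing"),
    ("Finance", "knowing", "not_doing"),
    ("Finance", "knowing", "not_doing"),
    ("Finance", "knowing", "not_willing_to_do"),
    ("Engineering", "knowing", "doing"),
    ("Engineering", "not_knowing", "not_doing"),
    ("Engineering", "not_knowing", "doing"),
    ("Engineering", "not_knowing", "not_doing"),
    ("Sales", "knowing", "doing"),
    ("Sales", "not_willing_to_know", "not_willing_to_do"),
    ("Sales", "not_willing_to_know", "doing"),
    ("Sales", "not_knowing", "not_willing_to_do"),  # no named mode in the model
]

if __name__ == "__main__":
    result = gap_analysis(SAMPLE_SURVEY)
    for dept in priority_order(result):
        r = result[dept]
        print(f"{dept}: ideal share {r['ideal_share']:.0%}, "
              f"priority pillar: {r['priority_pillar']}, modes: {dict(r['modes'])}")
```

The "Unmapped" bucket is deliberate: when a survey instrument captures the willingness dimension for both knowledge and action, the seven modes do not cover every combination, and surfacing those rows is more useful than silently forcing them into a neighbouring mode.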
The Two Pillars of Behavioral Transformation
According to Alfawaz, Nelson, and Mohannak (2010), successful transformation requires:
- Identifying environmental factors that encourage or inhibit appropriate security behaviors among employees and managers
- Implementing effective management strategies that address both internal and external factors critical to information security
The Architecture of Security Culture
Drawing inspiration from Hall's Iceberg Model of Culture and research by Schlienger and Iimt (2007), security culture can be visualized as having visible and invisible dimensions.
Based on Alnatheer, Chan, and Nelson's (2012) research "Understanding and Measuring Security Culture," I propose a refined model emphasizing two key insights:
1. The Components of Security Culture
Security culture manifests as the interplay between:
- Security Awareness (knowledge and recognition)
- Security Ownership (responsibility and accountability)
These elements cultivate and continuously improve information security culture.
2. The Foundation: Three Critical Factors
- Top Management Involvement - visible commitment and resource allocation
- Security Policy Enforcement - consistent application of standards
- Information Security Training - ongoing education and skill development
These form the bedrock upon which all security culture initiatives must build.
An Alternative Framework: The Multi-Level Model
Eloff and Martins (2006) propose viewing security culture as a dynamic process operating across three organizational levels:
- Organizational Level: Policy, procedures, risk analysis, governance
- Group Level: Management trust, team dynamics
- Individual Level: Awareness, ethical conduct
Change inputs (technological, economic, customer demands, human factors, financial pressures, competition) trigger transformations that are processed at each level, ultimately producing security culture as the output.
Synthesis: What Is Cybersecurity Culture?
From this exploration, we can define information security culture as:
Collective and shared attitudes, beliefs, and values toward information assets that govern behaviors when interacting with those assets.
The most desirable state is the Knowing-Doing mode: users understand the rules and consistently act accordingly.
The essential foundation comprises:
- Top management support
- Robust policy enforcement
- Comprehensive awareness training
Tomorrow's Question: If cybersecurity culture exists and can be defined, how do we intentionally cultivate and transform it?
References
Elm, M. S. (2007). Understanding and studying Internet culture(s): Hybridity and interdisciplinarity. Nordicom Review, 29, 85-90.
SECURIT. (n.d.). Security Culture and Information Technology. Retrieved from https://www.foi.se/en/our-knowledge/information-security-and-communication/information-security/projects/security-culture-and-information-technology.html
Narayanan, A. (2012). A model for reducing information security risks due to human error. Retrieved from https://www.slideshare.net/NarayananAnup/a-model-for-reducing-information-security-risks-due-to-human-error
Da Veiga, A., Martins, N., & Eloff, J. H. P. (2007). Information security culture: Validation of an assessment instrument. Southern African Business Review, 11(1), 147-166.
Information Security Culture. (2002, January). In Proceedings of the IFIP TC11 17th International Conference on Information Security: Visions and Perspectives (IFIP Advances in Information and Communication Technology). https://doi.org/10.1007/978-0-387-35586-3_16
Alfawaz, S., Nelson, K., & Mohannak, K. (2010). Information security culture: A behaviour compliance conceptual framework. 105 (AISC).
Dojkovski, S., Lichtenstein, S., Warren, M., Schlienger, T., & Teufel, S. (2007). Fostering information security culture in small and medium size enterprises: An interpretive study in Australia. ECIS 2007, 1560-1571. Retrieved from http://dro.deakin.edu.au/view/DU:30008152
Schlienger, T. (2009). The AR Conference Calls. Electronic version found at Treesolution GmbH (2018). Steigern Sie die IT- und Informationssicherheit Ihres Unternehmens. [online] Treesolution.ch. Available at: http://www.treesolution.ch
Alnatheer, M. A. (2014). A conceptual model to understand information security culture. International Journal of Social Science and Humanity, 4(2), 104-107. https://doi.org/10.7763/IJSSH.2014.V4.327
Alnatheer, M., Chan, T., & Nelson, K. (2012). Understanding and measuring information security culture. Association for Information Systems, PACIS 2012, 7. Retrieved from http://aisel.aisnet.org/pacis2012
