Understanding Federal Cybersecurity Culture: An Expert Perspective on Current and Ideal State Open Access
As history has taught us, cybersecurity incidents can be devastating to individuals, organizations, and nations. Unfortunately, the U.S. federal government has not been immune from the reality of the devastation caused by cybersecurity incidents. However, it has been suggested that a stronger federal cybersecurity culture can help to avoid cybersecurity incidents. Unfortunately, the current literature is silent on what constitutes federal cybersecurity culture, which would include core elements, possible variations, development, and management. The purpose of this study was to better understand cybersecurity culture in U.S. federal organizations. To complete this study, a qualitative, exploratory inquiry regarding the core elements of U.S. federal cybersecurity culture was conducted. Specifically, interviews were conducted with 30 federal cybersecurity experts to better understand cybersecurity culture in U.S. federal organizations. The study resulted in seven significant conclusions: (1) employee lack of compliance with cybersecurity policies necessitates greater accountability; (2) U.S. federal organizations need more effective methods of cybersecurity training; (3) U.S. federal organizations should establish a cybersecurity strategic plan; (4) U.S. federal organizations should establish cybersecurity standard operating procedures; (5) U.S. federal organizations need innovative approaches to compete with the private sector in the recruitment of cybersecurity personnel; (6) U.S. federal organizations should collaborate in developing cybersecurity strategy; and (7) U.S. federal organizations need to shift their focus from cybersecurity compliance to cybersecurity maturity. The study concludes with implications for theory and practice as well as recommendations for further research. The results of this research should serve as a guide for U.S. federal leaders in their efforts to establish a stronger cybersecurity culture, which would enhance the protection of critical information technology assets and sensitive information.