Abstract
Industrial control systems (ICS) are a key element of a country’s critical infrastructure, which includes industries like energy, water, and transport. In recent years, an increased convergence of operational and information technology has been taking place in these systems, increasing their cyber risks, and making security a necessity. People are often described as one of the biggest security risks in ICS, and historic attacks have demonstrated their role in facilitating or deterring them. One approach to enhance the security of organisations using ICS is the development of a security culture aiming to positively influence employees’ security perceptions, knowledge, and ultimately, behaviours. Accordingly, this work aims to review the security culture literature in organisations which use ICS and the factors that affect it, to provide a summary of the field. We conclude that the factors which affect security culture in ICS organisations are in line with the factors discussed in the general literature, such as security policies and management support. Additional factors related to ICS, such as safety culture, are also highlighted. Gaps are identified, with the limited research coverage being the most prominent. As such, proposals for future research are offered, including the need to conduct research with employees whose roles are not security related.
Copyright information
© 2022 IFIP International Federation for Information Processing
Cite this paper
Evripidou, S., Ani, U.D., D McK. Watson, J., Hailes, S. (2022). Security Culture in Industrial Control Systems Organisations: A Literature Review. In: Clarke, N., Furnell, S. (eds) Human Aspects of Information Security and Assurance. HAISA 2022. IFIP Advances in Information and Communication Technology, vol 658. Springer, Cham. https://doi.org/10.1007/978-3-031-12172-2_11
DOI: https://doi.org/10.1007/978-3-031-12172-2_11
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-12171-5
Online ISBN: 978-3-031-12172-2
eBook Packages: Computer Science, Computer Science (R0)