
Security Culture in Industrial Control Systems Organisations: A Literature Review

Conference paper, in: Human Aspects of Information Security and Assurance (HAISA 2022)

Abstract

Industrial control systems (ICS) are a key element of a country’s critical infrastructure, which includes industries like energy, water, and transport. In recent years, an increased convergence of operational and information technology has been taking place in these systems, increasing their cyber risks, and making security a necessity. People are often described as one of the biggest security risks in ICS, and historic attacks have demonstrated their role in facilitating or deterring them. One approach to enhance the security of organisations using ICS is the development of a security culture aiming to positively influence employees’ security perceptions, knowledge, and ultimately, behaviours. Accordingly, this work aims to review the security culture literature in organisations which use ICS and the factors that affect it, to provide a summary of the field. We conclude that the factors which affect security culture in ICS organisations are in line with the factors discussed in the general literature, such as security policies and management support. Additional factors related to ICS, such as safety culture, are also highlighted. Gaps are identified, with the limited research coverage being the most prominent. As such, proposals for future research are offered, including the need to conduct research with employees whose roles are not security related.



Author information


Correspondence to Stefanos Evripidou.


Copyright information

© 2022 IFIP International Federation for Information Processing

About this paper


Cite this paper

Evripidou, S., Ani, U.D., D McK. Watson, J., Hailes, S. (2022). Security Culture in Industrial Control Systems Organisations: A Literature Review. In: Clarke, N., Furnell, S. (eds) Human Aspects of Information Security and Assurance. HAISA 2022. IFIP Advances in Information and Communication Technology, vol 658. Springer, Cham. https://doi.org/10.1007/978-3-031-12172-2_11


  • DOI: https://doi.org/10.1007/978-3-031-12172-2_11
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-031-12171-5
  • Online ISBN: 978-3-031-12172-2
  • eBook Packages: Computer Science (R0)
