# When technology is not enough: Insights from a pilot cybersecurity culture assessment in a safety-critical industrial organisation

**Authors:** Tita Alissa Bach, Linn Pedersen, Maria Kinck Bor\'en{\dag}, Lisa Christoffersen Temte{\dag}

arXiv: 2508.20811 · 2025-08-29

## TL;DR

This study highlights the importance of organizational culture in cybersecurity within safety-critical industries, revealing that technical controls alone are insufficient and emphasizing leadership, communication, and tailored policies for resilience.

## Contribution

First empirical pilot assessment of cybersecurity culture in a real-world safety-critical industrial organization, comparing two countries with contrasting phishing performance.

## Key findings

- Both countries showed strong phishing awareness but lacked clarity on handling other incidents.
- Leadership involvement and tailored communication are key to resilient cybersecurity culture.
- Inconsistent policies and practices can undermine cybersecurity efforts.

## Abstract

As cyber threats increasingly exploit human behaviour, technical controls alone cannot ensure organisational cybersecurity (CS). Strengthening cybersecurity culture (CSC) is vital in safety-critical industries, yet empirical research in real-world industrial setttings is scarce. This paper addresses this gap through a pilot mixed-methods CSC assessment in a global safety-critical organisation. We examined employees' CS knowledge, attitudes, behaviours, and organisational factors shaping them. A survey and semi-structured interviews were conducted at a global organisation in safety-critical industries, across two countries chosen for contrasting phishing simulation performance: Country 1 stronger, Country 2 weaker. In Country 1, 258 employees were invited (67%), in Country 2, 113 were invited (30%). Interviews included 20 and 10 participants respectively. Overall CSC profiles were similar but revealed distinct challenges. Both showed strong phishing awareness and prioritised CS, yet most viewed phishing as the main risk and lacked clarity on handling other incidents. Line managers were default contacts, but follow-up on reported concerns was unclear. Participants emphasized aligning CS expectations with job relevance and workflows. Key contributors to differences emerged: Country 1 had external employees with limited access to CS training and policies, highlighting monitoring gaps. In Country 2, low survey response stemmed from a "no-link in email" policy. While this policy may have boosted phishing performance, it also underscored inconsistencies in CS practices. Findings show that resilient CSC requires leadership involvement, targeted communication, tailored measures, policy-practice alignment, and regular assessments. Embedding these into strategy complements technical defences and strengthens sustainable CS in safety-critical settings.

---
Source: https://tomesphere.com/paper/2508.20811