Insights from this research will generate recommendations that will be part of a cybersecurity culture transformation journey. The work in this thesis is based on the research conducted at the Computer Science Department of the University of Cape Town as part of the completion of my master's degree.
Introduction
Aim, Objectives and Research Questions
- Aim of the study
- Objectives
- Research Questions
- Ethics Clearance
- Dissertation Outline
The purpose of this study is to assess the level of cybersecurity culture by investigating how knowledge, attitudes, behaviours and perceptions in the OT environment affect the cyber exposure of the enterprise. During the literature review, OT and IT are contextualised in terms of the energy sector.
Cybersecurity culture literature review
Cybersecurity
- Cybersecurity mandate in Eskom
- Security differences
- OT Cybersecurity incidents
operations, information security, law enforcement, diplomacy, military and intelligence missions as they relate to the security and stability of global information and communications. Reegard et al. also state: "In information security, reference to the human factor usually relates to the human role in the security process."
Cybersecurity Culture
- What is cybersecurity culture?
- Cybersecurity culture in OT and its transformation
Although this may be the case in their research, the implementation of cybersecurity culture transformation in Eskom, especially in OT, is still ongoing. A top-management-driven approach is considered critical to a cybersecurity culture, as seen in.
IT Security
Information security culture is seen as a subset of organisational culture and should be aligned with the culture of the organisation. Da Veiga and Eloff developed a comprehensive information security framework (CISF) that looked at people, process and technology and how these affect the creation of an ISC [65].
Operational Technology
Furthermore, their failure can directly lead to the failure of the plant or network asset or its ability to meet its purpose and performance criteria. Such equipment generally meets the above criteria and qualifies as OT, as their design, operation or maintenance can directly lead to the failure or impact of the plant/network asset or its ability to meet its purpose and performance criteria” [70].
OT-IT Convergence
In some cases, apparent failures of operational systems may not directly result in the failure of the purpose or performance of the plant or network asset, but because of the way the operational system is designed, its normal operation or maintenance may create risk for the plant or network asset. A recent resilience exercise conducted by Eskom's Resilience function highlighted the erratic response to a potential cyber attack in the OT environment.
Cybersecurity Maturity Models and Frameworks
It is this reality that IT must embrace: not everything can be recovered or restored from a DRP backup [73]. This non-standardised approach to cybersecurity does not support NERC-CIP's assurance function, as it is not uniform in its very nature.
Legislative Environment
While GDPR was originally developed for the EU, it is rapidly being adopted worldwide [78]. Although there is no explicit mention of cybersecurity culture in the regulation, it is considered a critical resource in the field.
Summary
The law aims to minimise financial fraud and identity theft and to protect privacy, which is a fundamental human right; it is the South African equivalent of the GDPR [81]. The law also takes into account what infrastructure is considered critical and, according to its definition, Eskom is considered critical to the stability of the country. Maturity frameworks were also reviewed, as culture, training and awareness form part of these frameworks.
We also observed that the level of culture integration depends on the organization's risk profile. The purpose of this study is to obtain a test assessment of Eskom's cyber security culture in order to develop a business case for a cyber security culture programme. A comprehensive view of the cyber security culture was required in a short period of time, as project budgets had to be submitted by January 2020.
We chose a questionnaire that met these criteria quite well, but going forward we will use a combination of the previously mentioned ways to implement and evaluate the effectiveness of the implementation.
Tool Selection and design
Cognition and group dynamics, as described in Chapter 2, emphasise the impact of culture in small groups because of the effect of imitation, instruction and collaboration. Although this is the case, group dynamics was omitted as a separate category, but elements of it were captured in some questions [6], [89]. My experience in the nuclear industry and exposure to nuclear safety culture transformation, together with the broader exposure of teams to safety culture, translates into familiarity with the tools and methods used to measure and transform culture. We decided to adopt this approach, as it was more comprehensive than the methods used in most of the culture measures we examined, and we found that it aligns with Schlienger's 2006 organisational model as well as Schein's organisational (corporate) culture theory from 1985 (referenced in 12 articles) [63].
Typically, most of the academic literature focuses on information security and the measurement of individual culture. These are the four main touchpoints of cybersecurity culture, as it focuses on the areas in which we implement cybersecurity. With the introduction of a new cybersecurity operating model, this may become a reality, as the IT and OT cybersecurity centres of excellence are expected to merge under joint executive-level leadership.
The scope of the questions is presented below and is not exhaustive, but describes the types of questions that were created.
Questionnaire Execution
Depending on the responses at the management level, one could also gain insight from their observations. This offers an opportunity to also gain insight into the dependence on technology in OT. Once the design and tool were selected, they were deployed to an internal SharePoint platform, keeping respondents' identities anonymous.
At the end of the one-month period during which it was open, the questionnaire was closed, exported and then archived. The raw export is adequate for getting an initial "feel" for the data, but it is not detailed enough to provide the insights needed for deeper analysis. With this in mind, a process for handling the information was designed, bearing in mind that the questions should ultimately be linked back to the main categories and subcategories, with the relationships between them shown where possible through numerical scoring, to give the organisation a picture of how it performs against the cybersecurity culture categories.
Analysis was then performed by category and across categories to bring out the story hidden in the data.
Data Processing
Some of the questions were worded in a neutral or reader-friendly way and, when converted to a Likert scale, had to be reordered or reversed. At this point errors in data cleaning were also highlighted, as summary statistics could not be calculated for certain fields. Some of the responses had to be reversed so that one was consistently the low or "unpreferred" response and five the high or preferred response.
The Access database file (Culturedatabase.accdb) was used as the source of the analysed data, and a connection was made to it from Power BI. Once the connection was established, the data model had to be configured and the relationships between the various tables established. MastNum was bound to the data model; however, Power BI had problems resolving lookups, which resulted in a lot of extra work and circular references.
The lookup was supposed to be used to sort and filter the data, but it did not work properly, and the problem was eventually solved at the database level.
Data Analysis
- Demographics
- Individual Knowledge
- Individual Attitude and Perceptions
- Individual Behaviour
- Organisation
- Leadership
- Process and Technology
- Summary of analysis
In the end, four different Power BI files were created because of the memory-intensive nature of the application and the number. It was interesting to note that in the OT area the number of responses from men was significantly higher, while in the category "Other" the number of responses to the questionnaire was almost the same in the age group under 55 years. The challenge is spreading awareness of the standard across the OT organisation, as a comprehensive list of these resources is not available for every business area.
Again, when analysing the data, there is no correlation with any of the other measures in Figure 20. Insider threat is considered to be one of the biggest threats to the safety of Eskom and the need for. Many of the respondents also supported the need for better collaboration between OT and IT.
It is still one of the most critical components, but it must be adapted to the different needs of the organisation at its different levels.
Ethics Approval
Voluntary Consent
Questionnaire as implemented
Excerpts from the questionnaire design table (only fragments were recoverable from the extraction):
- Design note: a check at item 12 may be needed to see whether respondents have "done the outer" and are perhaps more mature on the Bradley curve.
- Item 21: "I get angry when prompted to enter a stronger password." Category: Attitude (refers to an emotional state). Response scale from "I do not agree at all" to "I strongly agree".
- Fragment: "It is about teamwork and interdependence."
- Fragment: "... from a company to evaluate my plant control systems."
- Design note: looking at the sense of ownership of cybersecurity, to see whether it is clear who is responsible; the spread needs to be analysed.
- Item: "If you approached your manager with a potential cyber risk, would he/she: ..." (more than one option may be selected). Options listed: Report a call with IT; Report to my supervisor; Report to the risk specialist; Report to Security Solutions (Cyber); Eskom Cyber Security.
Questionnaire Results
MS Access queries and data clean-up (sample)
Power BI
Reliability Statistics
Since the diagonal is already set to NA, we can obtain the average correlation of each item with the others. These values allow us to examine a range of characteristics of the relationships between the items. We can examine the mean item-total correlation in a similar way to the correlations between items.
In the case of a unidimensional scale (like extraversion here), we define a one-factor CFA and then use the factor loadings to calculate our internal consistency estimate. I won't go into details, but we can interpret a composite reliability score in the same way as any of the other metrics covered here (closer to one indicates better internal consistency). Below is the original method I had posted, which involves a "manual" extraction of the factor loadings.
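The reverse-keying described in the Data Processing section and the reliability statistics described above (average inter-item correlation with the diagonal excluded, corrected item-total correlation, and composite reliability from one-factor loadings) are shown together in the following added example. It is not part of the thesis or of its Access, Power BI or R tooling; the six respondents, the four items, the reverse-keyed item q2 and the factor loadings are all constructed for illustration, and the loadings are assumed rather than fitted from the data.

```python
"""Likert reverse-keying and scale-reliability statistics for a survey.

Added example, not the thesis's own code. Constructed sample data: six
respondents answering four items of one scale on a 1..5 Likert range, with
item q2 reverse-keyed. The factor loadings used for composite reliability
are assumed values, not estimated from the data.
"""
from math import sqrt
from statistics import mean, pvariance

# Constructed sample data. Rows are respondents, keys are item labels.
RAW_RESPONSES = [
    {"q1": 5, "q2": 2, "q3": 5, "q4": 4},
    {"q1": 4, "q2": 2, "q3": 3, "q4": 4},
    {"q1": 2, "q2": 5, "q3": 2, "q4": 2},
    {"q1": 3, "q2": 3, "q3": 2, "q4": 3},
    {"q1": 5, "q2": 1, "q3": 4, "q4": 5},
    {"q1": 1, "q2": 4, "q3": 1, "q4": 1},
]
REVERSED_ITEMS = {"q2"}  # items worded so that agreement is the unpreferred answer
SCALE_MIN, SCALE_MAX = 1, 5


def reverse_score(value, low=SCALE_MIN, high=SCALE_MAX):
    """Flip a Likert response so that `high` is consistently the preferred end."""
    if not low <= value <= high:
        raise ValueError(f"response {value} outside the {low}..{high} scale")
    return low + high - value


def recode(responses, reversed_items=REVERSED_ITEMS):
    """Return a copy of the responses with reverse-keyed items flipped."""
    return [
        {item: (reverse_score(v) if item in reversed_items else v) for item, v in row.items()}
        for row in responses
    ]


def pearson(xs, ys):
    """Pearson correlation of two equal-length sequences."""
    mx, my = mean(xs), mean(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sx = sqrt(sum((x - mx) ** 2 for x in xs))
    sy = sqrt(sum((y - my) ** 2 for y in ys))
    return cov / (sx * sy)


def columns(responses):
    """Pivot row-oriented responses into one list of scores per item."""
    items = list(responses[0])
    return {item: [row[item] for row in responses] for item in items}


def inter_item_correlations(responses):
    """Item-by-item correlation matrix; the diagonal is None (the 'NA' in the text)."""
    cols = columns(responses)
    items = list(cols)
    return {a: {b: (None if a == b else pearson(cols[a], cols[b])) for b in items} for a in items}


def mean_inter_item_correlation(responses):
    """Average of the off-diagonal correlations, i.e. the diagonal is excluded."""
    matrix = inter_item_correlations(responses)
    vals = [r for row in matrix.values() for r in row.values() if r is not None]
    return mean(vals)


def corrected_item_total_correlations(responses):
    """Correlation of each item with the sum of the *other* items."""
    cols = columns(responses)
    out = {}
    for item, xs in cols.items():
        rest = [sum(v for k, v in row.items() if k != item) for row in responses]
        out[item] = pearson(xs, rest)
    return out


def cronbach_alpha(responses):
    """alpha = k/(k-1) * (1 - sum(item variances) / variance of the total score)."""
    cols = columns(responses)
    k = len(cols)
    item_var = sum(pvariance(xs) for xs in cols.values())
    total_var = pvariance([sum(row.values()) for row in responses])
    return k / (k - 1) * (1 - item_var / total_var)


def composite_reliability(loadings):
    """CR from standardised one-factor loadings: (sum l)^2 / ((sum l)^2 + sum(1 - l^2))."""
    s = sum(loadings) ** 2
    error = sum(1 - l * l for l in loadings)
    return s / (s + error)


if __name__ == "__main__":
    data = recode(RAW_RESPONSES)
    print(f"alpha = {cronbach_alpha(data):.3f}")
    print(f"mean inter-item r = {mean_inter_item_correlation(data):.3f}")
    for item, r in corrected_item_total_correlations(data).items():
        print(f"  {item}: corrected item-total r = {r:.3f}")
    # Assumed standardised loadings, as a one-factor CFA might report them; not fitted here.
    print(f"composite reliability = {composite_reliability([0.9, 0.8, 0.85, 0.9]):.3f}")
```

Reverse-keying must be applied before any of the reliability statistics are computed; a reverse-keyed item left unflipped correlates negatively with the rest of the scale and drags alpha and the item-total correlations down, which is exactly the kind of data-cleaning error the Data Processing section describes. The scale bounds check in `reverse_score` also catches the blank or out-of-range cells that prevented summary statistics from being calculated.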
Examples of Maturity scales