Developing a Culture of Cybersecurity
Abstract
As a prelude to the invasion of Ukraine in 2022, Russian hackers probed and attacked Ukrainian computer networks to find vulnerabilities and exfiltrate information that might be useful in future conflicts. In our previous article, we documented the most severe of these acts of cyber espionage and sabotage, known as NotPetya, in the case study “Cyberattack: The Maersk Global Supply Chain Meltdown.” Although technical factors were instrumental in the success of the sophisticated NotPetya attack, less attention and scrutiny have been given to the organizational failures and cultural shortcomings that opened the door for bad actors to threaten the viability of key businesses and infrastructure. As we broadened our investigation beyond NotPetya to include other cyberattacks and hacking incidents, we found a consistent pattern of cultural failures linked to misaligned incentives, a disconnect between top management and technical personnel, and a general lack of awareness of, and engagement with, the existential threat posed by cyberattacks.