Building Organizational Risk Culture in Cyber Security: The Role of Human Factors

Experts stress the importance of human beings in cyber security prevention strategies, given that people are often considered the weakest link in the chain of security. In fact, international reports analyzing cyber-attacks confirm the main problem is represented by people's actions, e.g. opening phishing mail and unchecked attached files, giving sensitive information away through social engineering attacks. We are instead convinced that employees, if well-trained, are the first defense line in the organization. Hence, in any cyber security educational plan, the first required step is an analysis of people's risks perception, in order to develop a tailor-made training program. In this paper we describe the result of a two-stage survey regarding risk perception in a sample of 815 employers working in a multinational company operating in the financial sector. The results highlight the need of a strong organization's risk culture to manage cyber security in an efficient way.