ACADEMIA Letters
Security Culture as Organisational Weakness
Phil Wood
In the constantly evolving organisational environment, driven by competitive forces, governed and regulated, and populated by diverse and constantly refreshing workforces, the maintenance of effective, efficient security is a significant challenge. Alongside the need to protect assets, it is generally agreed and understood that security culture is an essential component for success. To contribute to that: ‘The underlying premise of establishing a security culture is that organisations have a much greater chance of protecting their assets if everyone plays an active part’ (Furnell and Clarke, 2005:67)¹. Also, it is essential that those who are required to manage organisations understand that they have a part to play, whilst inaccurate managerial perceptions of the effectiveness of security measures can have a deleterious effect (Taylor and Brice, 2012)². In organisations where a wide range of behaviours, attitudes and mores may not be straightforwardly summarised or encompassed by the single term ‘culture’, managers should recognise this and understand that ‘unitarist’, ‘pluralist’ and even ‘anarchist’ cultures may build and develop (Willcoxson and Millett, 2000)³.
If it is assumed that those responsible for organisational performance need to ensure that its assets are secured and protected, it does not necessarily follow that there is an understanding of how that may be achieved. Moreover, it is not necessarily a sound or supporting assumption that a culture to develop and maintain effective security truly exists. Although it is probable that organisations should aspire to the cultural paradigm that ‘open and generative culture will mean better uptake of innovations and better response to danger signals’ (Westrum, 2004)⁴, the perception and assumption that such cultures are in place may not reflect the organisational truth. If organisational management, with the understandable need to meet responsibilities, assumes that culture is a ‘given’, there is scope for gaps, failures, and omissions. This, alongside an organisational culture (or more likely cultures) that may not engage with the concept of security as a business enabler, has the potential to lead to security failures.
¹ Furnell, S., & Clarke, N. (2005). Organizational security culture: Embedding security awareness, education, and training. Proceedings of the IFIP TC11 WG, 11, 67-74.
² Taylor, R. G., & Brice Jr, J. (2012). Fact or fiction? A study of managerial perceptions applied to an analysis of organizational security risk. Journal of Organizational Culture, Communications and Conflict, 16(1), 1.
³ Willcoxson, L., & Millett, B. (2000). The management of organisational culture. Australian Journal of Management and Organisational Behaviour, 3(2), 91-99.
Academia Letters, June 2021 ©2021 by the author — Open Access — Distributed under CC BY 4.0
Citation: Wood, P. (2021). Security Culture as Organisational Weakness. Academia Letters, Article 1275. https://doi.org/10.20935/AL1275.
Organisations themselves are inherently vulnerable. As society continues to evolve, and with information flow, access and transparency, together with diversity, inclusion and knowledge sharing, now absolute fundamentals, change has been rapid. Organisations are now open, and focal points for development of personal, professional, and corporate excellence. In the wider context where social media drives unitarist, pluralist and any number of culture typologies at societal levels, organisations will rationally need to reflect the society in which they are embedded and that provides their workforce. In cultural terms, regardless of the overall management style that the organisation may wish to develop, freedom of thought and dissent and the ability to share thoughts, ideas and beliefs are clear attributes of the networked organisational workforce. This connectivity can even enhance organisational capability if recognised as a positive by employers (Hanna, Kee and Robertson, 2017)⁵ and (Shujaat, Rashid and Muzaffar, 2019)⁶.
However, it is also a reasonable assumption to make that organisations, in their reflection of wider society, suffer from the same issues related to criminality, through both external and inside malicious acts, as any other organisation. Even relatively unsophisticated and less complex organisations tend to be rich in equipment and infrastructure, and the less tangible assets will also be valuable; for example, research and development information linked to organisations in either the private or public sectors. While organisations continue to go about their business, they face a wider and growing range of potential threats, which will vary from the more obvious issues widely mentioned in the news to those which may be less tangible. The concept of mitigation needs to incorporate a confirmatory concept of anticipation, and the ability to understand and evaluate emergent and future risks will also be of prime importance for organisations that are looking towards their own future developments and to being ready to anticipate where the potential issues may arise. It is also instructive to consider the inherent risks that come from running an organisation and the potential implications and risk caused by self-inflicted problems and issues.
⁴ Westrum, R. (2004). A typology of organisational cultures. BMJ Quality & Safety, 13(suppl 2), ii22-ii27.
⁵ Hanna, B., Kee, K. F., & Robertson, B. W. (2017). Positive Impacts of Social Media at Work: Job Satisfaction, Job Calling, and Facebook Use among Co-Workers. Paper presented at the SHS Web of Conferences. 10.1051/shsconf/20173300012
⁶ Shujaat, A., Rashid, A., & Muzaffar, A. (2019). Exploring the Effects of Social Media Use on Employee Performance: Role of Commitment and Satisfaction. International Journal of Human Capital and Information Technology Professionals (IJHCITP), 10(3), 1-19. http://doi.org/10.4018/IJHCITP.2019070101
The evidence in any given day’s news and business reports of physical and digital security breaches and their impacts indicates perhaps that organisations struggle to focus on the need to be fully aware of, and to mitigate the effects of, the multiple issues that can impact upon them. The broad range of risks that can face the organisation, and their long-term and short-term impacts, are something that the organisation must particularly consider and manage in order to remain competitive and effective in dealing with the issues concerned. An effective and viable organisation will consider that it has the understanding, capability, and moral and integral management authority to consider and deal with current and emerging threats. This may involve various and multiple methods, at multiple levels, of dealing with the issues that may be concerned. Such an organisation will potentially look beyond its local externalities and scope issues much more widely and further to ensure that it is able to anticipate and, more importantly, understand where the issues may arise and impact upon it.
Cyber is a prevalent security threat (UK Government 2021)⁷, and clearly will remain so while organisations and society rely upon digital technology to support and enable their activities. The impacts of the Coronavirus pandemic continue to be felt and have indicated secondary impacts including attitudinal and behavioural changes and expectations at individual and societal levels. The ‘pivot’ from workplace presenteeism to remote working as a viable, empowering, balanced and more productive business enabler seems to be gathering pace. Organisations that have recognised and embraced this shift change in culture, driven not top-down by management but by individual preference, are becoming more numerous. The rewards may outweigh the risks, although McKinsey (2020)⁸ assess that the pivot has yet to be fully evaluated as the true future of businesses; and even if it were to be, there are some organisations that will necessarily remain ‘in person’ due to the nature of what they do.
Organisational security management faces a fundamental challenge that, if not addressed, has the potential to weaken rather than strengthen capability, and could provide opportunity for adversaries to exploit managerial and, by consequence, organisational failings. The contention that organisational (security) culture can be imposed, impelled, embedded and ‘put in place’ by management is one that bears challenge, particularly in the context of the digitally empowered, connected and Coronavirus-liberated workforce behaviour. Rich Lyons (Forbes, 2017)⁹ highlighted that one of the three key reasons why cultural efforts fail is that culture change lacks ‘distinction and flexibility’.
The organisational cultural management approach has probably not yet caught up with the societal changes where security risks are sourced. Organisational security will be compromised by management’s lack of understanding of how its people think and behave. There may be a few people in management with loud voices who believe that they understand their organisational culture, the positives, the negatives, and the risks. However, emergent change accelerated by technology, connectivity, attitudinal and behavioural shifts and the yet to be fully appreciated effects of Coronavirus will confound those loud voices. The much quieter, unheard, and unnoticed movement away from what can be managed in conventional ways has yet to be fully recognised. Organisations are at risk, as always, from their own experience-based approaches and hubris in the face of change.
Change trumps organisational ‘culture’ every time it happens, which is constantly.
⁷ https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2021/cyber-security-breaches-survey-2021
⁸ McKinsey, What’s Next for Remote Work
⁹ https://www.forbes.com/sites/richlyons/2017/09/27/three-reasons-why-culture-efforts-fail/?sh=756af873e077