ENISA's 8 Step Plan for Building a Risk Aware Cybersecurity Culture

There is almost universal recognition that traditional security awareness campaigns, such as those built on legacy computer-based training (CBT) and phishing simulations, do not in themselves afford sufficient protection against cyber attacks.

A cybersecurity culture is broader than security awareness alone: it is designed to make cybersecurity an integral part of each employee's behaviour and conduct, embedded in their day-to-day activities.

With this in mind, ENISA (the European Union Agency for Network and Information Security), the EU agency tasked with raising the standard of network and information security across the Union, produced an in-depth report into cybersecurity culture in organisations across the Union.

One of the highlights of the report is its 8 step plan for creating a risk-based and effective cybersecurity culture. The steps are listed below:


Effective Cybersecurity Culture 8 Step Plan


1. Set Up Your Own Core Cybersecurity Culture Group - This group should be tasked with strategy, with ensuring an evidence-based approach to cybersecurity culture, and with the implementation of cybersecurity culture activities.

2. Business Understanding and Risk Assessment - Talk to your employees and staff members to understand and identify the existing cybersecurity culture, beliefs and practices; this will drive and shape subsequent activities.

3. Define Main Goals, Target Audience and Success Criteria for Your Cybersecurity Culture Programme - Your cybersecurity culture group should define its main goals and the steps needed to reach them. These could include an awareness campaign using visual aids such as posters, simulation tools such as phishing simulations, or interactive training sessions.

4. Gap Analysis Between Your Current State and Your Goal - Develop a plan for how you will measure your cybersecurity culture at milestones, so that the impact of cybersecurity culture activities can be quantified.

5. Select One or More Activities - To close the gap between the current cybersecurity culture and your goal, create or buy tools to run training scenarios, deliver content and run simulations. Using multiple activities with different methodologies or vectors is recommended.

6. Run Your Selected Activities - Run the activities, and talk to your employees between activities to determine how the cybersecurity culture has changed; this will drive and shape subsequent activities.

7. Re-Run Training Activities and Analyse the Results - Where there are heightened levels of risk or poor assessment results, consider re-running activities.

8. Review and Consider Your Results Before Deciding on Next Actions - Do not simply re-run activities endlessly; the devil is in the detail, or in this case the results. Continued poor results may call for a different strategy or activity.


How OutThink Can Help

Using an innovative cognitive learning methodology and robust socio-technical principles, OutThink empowers you to build a risk-aware culture and enables the implementation of ENISA's cybersecurity culture framework.

With OutThink you can:

  • Recruit cybersecurity champions - members of the cybersecurity culture working group, responsible for implementation of cybersecurity culture activities.
  • Use advanced metrics to support an evidence-based approach.
  • Identify the target audience, associated risk profiles and core training requirements, with success criteria and goals defined at the onboarding stage.
  • Assess the current state of the cybersecurity culture - knowledge, attitudes, people's perceptions, current level of protection and so on.
  • Leverage security awareness training, phishing simulations, policy attestation, live workshops, executive briefing sessions.
  • Deliver relevant, tailored cognitive security awareness training via the OutThink social platform, enabling two-way communication.
  • Assess human factor risk with relevant metrics and dashboards to track short and long term cybersecurity culture improvement.
  • Review actionable intelligence and metrics data.
  • Produce meaningful reports for the executive management team.

The ultimate goal of security awareness is to achieve lasting behavioural change and build a risk-aware cybersecurity culture in your organisation. The OutThink platform is used by organisations around the world to enable this transformation.
