Cybersecurity has become a top priority as the world becomes increasingly interconnected and digitized. Yet, despite the growing reliance on advanced technologies, one of the most significant risks to organizational security remains: human error. According to a recent study from Universitas Indonesia (UI)’s Faculty of Computer Science, the human factor must be more effectively integrated into efforts to build a strong cybersecurity culture. Their findings shed light on how organizations can better address this pressing issue to protect their data and systems from persistent threats.

The researchers emphasize that cybersecurity is not solely about having the latest technology in place. Instead, it requires embedding security practices and awareness deeply into the organizational culture. While many organizations understand the importance of cybersecurity, there’s a common misconception that technology alone can solve all security problems. However, incidents of insider threats, whether intentional or accidental, highlight the need for a more human-centered approach to cybersecurity. Shockingly, insider-related breaches account for nearly a quarter of all cyber incidents globally, underscoring that people can often be both the weakest link and the first line of defense.

The study identifies 31 critical success factors that contribute to building a robust cybersecurity culture. These factors are organized into three layers of organizational culture, also known as the Edgar Schein Model:

1. Artifacts – Tangible aspects like governance and security technologies.

2. Espoused values – Consciously adopted beliefs such as leadership and compliance.

3. Underlying assumptions – Deeply ingrained attitudes and behaviors.

By focusing on these areas, organizations can transform cybersecurity from a technical task into an ingrained cultural practice.

One of the most compelling insights from the study is the realization that awareness and training programs, while crucial, are insufficient on their own. Many organizations invest heavily in security training, yet employees still fall prey to phishing scams and social engineering attacks. The problem lies deeper, within the core beliefs and attitudes of individuals. For example, an employee may know the right protocol but lack the confidence or self-efficacy to take action when faced with a suspicious situation. This suggests that improving cybersecurity must go beyond training and involve changing mindsets and fostering an environment of trust and proactive vigilance.

Ideas for Strengthening Cybersecurity in Indonesia

Given the findings of this study, there are several strategic actions that Indonesia can consider to strengthen its cybersecurity defences:

1. National Cybersecurity Awareness Campaigns: The Indonesian government and private sector can collaborate on large-scale awareness initiatives to educate the public and workforce on cybersecurity best practices. These campaigns should be continuous and updated regularly to keep up with evolving threats.
   
   

2. Cybersecurity in Education: Integrate cybersecurity principles into the national curriculum at all educational levels. Early exposure can cultivate a generation that is more aware and prepared to handle digital threats. Universities and technical institutes should also focus on developing cybersecurity talent with specialized programs.
   
   

3. Public-Private Partnerships: Encouraging partnerships between government agencies, tech companies, and cybersecurity experts can foster knowledge-sharing and innovation. These partnerships can also be useful for simulating real-world cyberattack scenarios and enhancing collective defenses.
   
   

4. Incentives for Compliance and Training: To motivate organizations to adopt best practices, the government could offer tax incentives or subsidies for companies investing in cybersecurity training, compliance measures, or research and development.

   
   

5. Cultural Integration of Cybersecurity: Building a culture of security requires ongoing engagement. Organizations should celebrate cybersecurity achievements, recognize employees who follow best practices, and make security a part of the company's mission and vision. Leadership should play an active role in reinforcing these values.

By taking these steps, Indonesia can build a more resilient cybersecurity framework that not only protects critical infrastructure but also fosters a digital ecosystem conducive to economic growth and innovation. The study’s emphasis on integrating human factors into cybersecurity strategies is especially relevant as more Indonesians engage in online activities, making robust protection essential.

This paper, “Examining Cybersecurity Culture: Trends and Success Factors,” was published in the Journal of Internet Services and Information Security (JISIS), Volume 14, Issue 3, in August 2024. The full paper can be accessed and downloaded from the journal’s website.