External Culture, Corporate Values, and Cyber Security of the "New Normal"

For almost a year, our planet has been living in conditions of the global pandemic. This pandemic, caused by the 2019 coronavirus disease (i.e., COVID-19), affected all facets of human life, including the day-to-day functioning of businesses around the globe. While it is hard to fully appreciate the economic impact of COVID-19, it is evident that most nation-state economies have already shrank, showing high spikes in unemployment rates. With millions of people infected and more than a million dead; it is clear that the global community is fighting one of the largest threats to health, wellbeing, and economic development in the human history. Naturally, an important question concerns the longer-term far-reaching effects of the pandemic on business and society. It is, therefore, important to formulate and test a new approach to understanding and mapping the future, so-called “new normal”, strategic priorities for businesses around the globe with particular emphasis on cybersecurity and information systems using corporate values as well as factors of internal and external business culture.

The Covid-19 Corporate Cyber Challenge

COVID-19 is a disease caused by a new form of coronavirus, distinct from existing coronaviruses such as the Middle East Respiratory Syndrome (MERS) and the Severe Acute Respiratory Syndrome (SARS). First reported at the end of 2019 in Wuhan City, China, the virus quickly spread across the planet. The virus is particularly dangerous for elderly people as well as people with certain health predispositions (such as high blood pressure, obesity, diabetes, etc.). Despite the fact that many efforts have been devoted to the development of the vaccine against the disease, the virus continues spreading and many countries around the globe are talking about the second wave of the pandemic. Furthermore, much remains unknown about the characteristics of COVID-19. It is also uncertain whether and to what extent various behavioural design guidelines (such as facial masks, physical distancing, handwashing, etc.) have an effect on the COVID spread and prevention, especially considering the fact that some people tend to sabotage these guidelines or not follow them closely.

Under these circumstances, many businesses require or recommend that their employees (dependent on the local area pandemic situation) work from home. Naturally, many companies are concerned about cyber security of remote work. The main problem with remote work cyber security is that remote business systems still rely on personal cyber hygiene of employees. In addition, many businesses do not have a clear plan of what happens in case of a cyber security breach. As a result, employees do not know whom to contact to report cyber incidents, especially during a cyber emergency, and this is exasperated in a remote work environment. Who-does-what and who-reacts-to-what is not clearly identified.

As companies get comfortable with work-from-home arrangements, their boundaries have now extended to their employee’s home and the personal technologies in their homes. This is a vulnerability companies now must manage. Employees rarely have a good understanding of how secure their home systems are and whether they have the basic equipment to protect themselves. For example, many people do not realise that their home Wi-Fi systems need to be correctly secured, which makes them vulnerable to so-called "snooping" attacks when adversaries interfere with the online traffic inside the house.

Work from home also implies that employees are often not very careful with anti-viruses and security tools, which tend to come from untrusted sources or may be outdated. Another problem (especially in hi-tech businesses) is that people do not separate devices for work and leisure purposes, making it possible for malware accessed during leisure to cross over to work processes, and creating additional uncertainties and risks for their organizations. Even in large corporations which, prior to the pandemic, implemented strict cybersecurity rules and required that personal computers or smartphones were not used for work purposes, currently tend to issue new protocols and processes allowing the so-called “bring-your-own device” (BYOD) options – mobile devices from the employees, which require separate and special secure environments and networks.

Nevertheless, businesses are already starting to prepare for the end of the pandemic and the “new normal” by creating a set of processes and routines that will persist beyond the pandemic, and help them be better prepared for the future. Much of the success of the “new normal” business design and implementation heavily depends on the acceleration of the Industrial Revolution 4.0 technological advances such as AI, data-driven analytics and processes, as well as intelligent automation supported by the next-generation information systems. At the same time, in their formulation of what the “new normal” after the pandemic could look like, businesses can learn a lot from the social experiences in dealing with natural disasters, where information systems may be used to foster resilience against the crisis. Businesses can also achieve greater resilience through nurturing the new virtual sense of togetherness through the use of the web conferencing systems.

Yet, a question arises - how one would go about understanding and measuring cybersecurity culture within organizations to learn what this "new normal" should look like? One possible approach has been developed by the Massachusetts Institute of Technology (MIT) Cybersecurity at MIT Sloan (CAMS) group. The model specifically targets aspects which "cannot be fixed by technology". Its goal is to link cybersecurity behaviours with managerial influences.

The model suggests that organizational culture influences the way people approach cyber security risks. Organizational culture can be described as the values, attitudes and beliefs held by leaders, groups, and individuals who make up the organization. These values, attitudes and beliefs are shaped by external influences such as country norms, industry norms, regulations and other constructs that are outside of direct managerial influence, and by managerial mechanisms (such as training, awareness programs, performance reviews, rewards, consequences, and corporate communications) that are directly under the control of organizational leaders. The MIT CAMS model was successfully applied to many contexts and case studies as well as achieved real-world impact in public and private sectors, becoming a hit amongst practitioners. The main advantage of the MIT CAMS model is that it allows to capture the factors of corporate culture and establish the causal links between these factors and observed behaviours in highly uncertain conditions with many unknowns.

MIT CAMS Culture of Cybersecurity Model

adapted from Huang and Pearlson, 2019


Reaching a successful new normal requires businesses to concentrate on management of risks, risk and uncertainty aversion, as well as on tackling (digital) fraud. To accomplish this task, they need to focus on cybersecurity culture. This requires understanding how organisational beliefs, values and attitudes towards cyber security could interact with managerial practises. Such cultural understanding allows managers to better formulate priorities in their COVID and post-COVID strategies in order to reach the new cyber security normal more efficiently and quickly.

#creativity #cybercrime #cyberrisks #cyberthreats #datasecurity #cyberattack #hacking #risk #infosec #security #ransomware #phishing #dataprotection #informationsecurity #COVID #resilience #robustness


© 2020 by Ganna Pogrebna and Boris Taratine