The Role of Organizational Culture in Cybersecurity: Building a Security-First Culture

During the digital era, organizations encounter a growing risk of cyber-attacks, prompting them to adopt heightened vigilance to safeguard their assets. Alawida et al. (2022) conducted an in-depth investigation into cybersecurity challenges during the Covid-19 pandemic. The study revealed that hacking attacks were the most common cyber-attack technique, followed by spam emails (Alawida et al., 2022). It is widely recognized that COVID-19 has accelerated the adoption of technology, making it an integral part of daily life and organizational operations as more companies embrace remote working (Amankwah-Amoah et al., 2021, Battisti, Alfiero and Leonidou, 2022). As technology advances, so do the methods employed by malicious actors, making it crucial for organizations to prioritize cybersecurity (McKinsey & Company, 2020; Pranggono and Arabo, 2021). While technology and processes play a significant role in protecting against cyber threats, the role of organizational culture in cybersecurity is equally important (Everard, 2008; Michael, 2008; Ismail, 2017; Maalem et al., 2020).

The role of organizational culture in cybersecurity is well documented however has gained even more popularity in recent years due to the escalating threat landscape (Ismail, 2017; Maalem et al., 2020). Organizations now acknowledge and embrace the fact that relying solely on technology is insufficient to safeguard against cyber-attacks. They are increasingly adopting proactive and up-to-date processes to effectively prevent and mitigate cyber threats (Everard, 2008; Michael, 2008; Ismail, 2017; Maalem et al., 2020). The necessity of cultivating a security-first culture arises to prevent and efficiently mitigate cybersecurity risks, which can significantly impact organizations (McKinsey & Company 2020; Pranggono and Arabo, 2021; Samurai, 2023). To achieve cyber security in current populations and to assure continuity in future populations, Reid, van Niekerk (2014) argue that a " self-renewing " belief that influences behaviour is required. In addition, the authors argued that this need is satisfied by nurturing an information security culture (ISC).

The digital age has brought about unprecedented connectivity and technological advancements, enabling organizations to operate more efficiently and effectively (De', Pandey, 2020; Economic Commission for Latin America and the Caribbean (ECLAC), 2021; Haleem, Javaid, Qadri et al., 2022). It has also exposed them to a variety of cyber threats, such as data intrusions, ransomware attacks, and social engineering exploits (Samurai, 2023; Chigada and Madzinga, 2021; Li and Liu, 2021; Alawida et al., 2022). These threats not only compromise sensitive information but also disrupt business operations, erode customer trust, and incur substantial financial and reputational damage (Alawida et al, 2022). While organizations have traditionally focused on implementing technical measures such as firewalls, antivirus software, and intrusion detection systems, they are increasingly realizing that a comprehensive approach to cybersecurity requires addressing human factors as well (Pollini et al., 2022; Nifakos et al., 2021; Tariq et al., 2023; Jang-Jaccard and Nepal, 2014; Perwej et al. 2021).

Critical is the impact of organizational culture on employee attitudes, behaviours, and cybersecurity awareness. Building a security-first culture involves creating an environment where cybersecurity is prioritized, understood, and integrated into the fabric of daily operations (Corriss, 2010; Hassandoust and Johnston, 2023). It requires a collective commitment from leadership, employees, and all stakeholders to embrace and champion cybersecurity principles (Corriss, 2010; Hassandoust, and Johnston, 2023; Rathod, 2023).

The increasing threat of cyber-attacks in today's digital age has highlighted the need for organizations to prioritize cybersecurity (Alawida et al., 2022). While technological advancements and security measures play crucial roles in safeguarding against cyber threats, the role of organizational culture in cybersecurity practices has gained recognition (Li and Liu, 2021; Corriss, 2010; Hassandoust and Johnston, 2023; Rathod, 2023).

However, there is a lack of comprehensive understanding regarding the influence of organizational culture on building a security-first culture within organizations (Chia, Maynard and Ruighaver, 2002). The problem at hand is the limited understanding of how organizational culture shapes cybersecurity practices and the strategies needed to foster a security-first culture (Chia, Maynard and Ruighaver, 2002; Reegård, Blackett and Katta, 2019). Existing research fails to provide a comprehensive framework that addresses the multifaceted aspects of organizational culture and its impact on cybersecurity (da Veiga et al., 2020; Cano, 2021; Hassandoust and Johnston, 2023). This knowledge gap hinders organizations from effectively developing and implementing a security-first culture, leaving them vulnerable to cyber-attacks and information breaches (Cano, 2021; Hassandoust and Johnston, 2023).

Additionally, while there is a consensus on the importance of leadership commitment in cybersecurity, there is a lack of research exploring the specific role of middle management in shaping cybersecurity culture (Cano, 2021; Hassandoust and Johnston, 2023). Middle managers play a crucial role in translating organizational objectives into actionable strategies and shaping employee conduct (Cano, 2021). Without a clear understanding of their role and effective strategies to engage them, organizations may struggle to cultivate a security-first culture throughout all levels of the organization (Cano, 2021; Hassandoust and Johnston, 2023). Furthermore, the limited research on the long-term sustainability and resilience of a security-first culture poses a significant challenge (de Bruijn and Janssen, 2017; Cano, 2021; Hassandoust and Johnston, 2023).

This study sought to examine the impact of organizational culture on cybersecurity and delve into the establishment of a security-first culture within organizations. The primary objective of this research is to investigate the correlation between organizational culture and cybersecurity practices within these entities.

To address the problem statement regarding the role of organizational culture in cybersecurity and building a security-first culture, a comprehensive literature review was conducted. The literature review served as a valuable research method to explore existing theories, models, and empirical studies related to organizational culture and its impact on cybersecurity practices (de Bruijn and Janssen, 2017; Cano, 2021; Hassandoust and Johnston, 2023). A systematic approach was employed to identify relevant literature sources. Comprehensive searches were conducted in academic databases, such as IEEE Xplore, ACM Digital Library, Scopus, and Google Scholar, using keywords and combinations related to organizational culture, cybersecurity, security-first culture, and related concepts (Cremer et al., 2022; Rohan et al., 2023). The search strategy included a combination of controlled vocabulary terms (e.g., subject headings) and free-text keywords.

This research is underpinned by two key theories, namely the Theory of Planned behaviour (TPB) and Cultural Dimensions Theory (CDT), which provide a theoretical framework for understanding the dynamics of cybersecurity within organizations. The TPB posits that individual behavioural intentions are one of three theories widely promoted or considered by many scholars in relation to information security matters (Ong and Chong, 2014; Jalali et al., 2020; Maalem et al., 2020). The TPB suggests that employees' intentions to adhere to secure practices are shaped by their attitudes toward cybersecurity, the social norms prevailing within the organization regarding cybersecurity, and their perception of the ease or difficulty of implementing secure behaviours (Onumo, Awan and Cullen, 2021).

Understanding compliance behaviour becomes essential for organizations seeking to improve their information security through their human capital (Bulgurcu, Cavusoglu and Benbasat, 2010; Safa et al., 2015). Recognizing that employees who adhere to the organization's information security rules and regulations play a crucial role in bolstering security (Safa et al., 2015). According to Safa et al. (2015), the significance of information security extends to both private and business aspects. Experts assert that relying solely on technology cannot ensure a completely secure environment for information. They emphasize the crucial role of users' behaviour as a significant factor in this context (Kando et al., 2021).

While the TPB primarily focuses on the behavioural patterns of employees and staff, the CDT, on the other hand, delves into how cultural values and norms influence individuals' behaviour within organizations. Cultural Dimensions Theory highlights dimensions such as power distance, individualism versus collectivism, and uncertainty avoidance, which vary across different cultures and can significantly influence cybersecurity practices (Alowais et al., 2022). According to Hofstede's five cultural dimensions, power distance demonstrated a significant negative association and individualism vs. collectivism displayed a significant positive relationship (Hofstede, 2011; Alshahrani, 2017). Collectivistic cultures emphasize the interdependence of individuals within groups such as families, tribes, and countries, fostering mutual obligations. Conversely, individualistic cultures emphasize the independence of individuals from one another (Alshahrani, 2017).

Understanding the cultural dimensions at play within an organization enables the tailoring of cybersecurity strategies to align with the prevailing cultural context, facilitating better acceptance and adoption of secure practices (European Union Agency for Network and Information Security (ENISA), 2017); Uchendu et al., 2021; Schoenmakers et al., 2023). In organizations with a high-power distance, employees may be more hesitant to report security incidents or vulnerabilities to higher-ups, potentially hindering timely response and resolution (Morrison, 2014). Organizations that foster positive attitudes and culture change toward cybersecurity through security awareness training and emphasizing the significance of secure practices ultimately lead to a proactive and resilient approach to safeguarding digital assets (ENISA, 2017; Akter et al., 2022). The Figure 1 below depicts two theories that this study is centred on, and the clarification of concepts used.

The interplay between Organizational Culture and Cybersecurity, particularly the importance of cultivating a security-first culture, is directly influenced by employee behaviour and leadership practices (ENISA, 2017). A security-first culture refers to an organizational environment where cybersecurity is deeply ingrained in the mindset and actions of all employees, from top leadership to frontline staff (ENISA, 2017; Uchendu et al., 2021; Schoenmakers et al., 2023). This cultural shift involves fostering a strong sense of responsibility and awareness regarding cybersecurity practices, emphasizing the protection of sensitive data and the proactive identification and mitigation of potential threats (Akter et al., 2022).

Employee behaviour plays a critical role in the effectiveness of cybersecurity measures within an organization (Kando et al., 2021; Moustafa, Bello and Maurushat, 2021). A Security-First Culture encourages employees to adopt best practices and adhere to cybersecurity protocols, reducing the likelihood of human errors and minimizing the risks associated with cyber threats (Li and Liu, 2021; Kando et al., 2021).

Organizational culture refers to the shared values, beliefs, and behaviours that shape an organization's collective mindset (Schein, 2004). It encompasses the attitudes, awareness, and actions of employees regarding security practices (de Bruijn and Janssen, 2017; Akter et al., 2022; Rathod, 2023; Rohan et al., 2023). Research shows that a positive cybersecurity culture significantly reduces the likelihood of successful cyber-attacks (Herath and Rao, 2009). Organizational culture refers to the shared values, beliefs, norms, and behaviours that define an organization's identity and regulate its members' actions (Cano, 2021; Hassandoust and Johnston, 2023). Several researchers have emphasized the influence of organizational culture on cybersecurity practices (Cano, 2021; Hassandoust and Johnston, 2023).

Organizational culture shapes employees' attitudes and behaviours toward security, influencing their adherence to security policies and procedures (Karlsson et al., 2022). This highlights the significance of a security-oriented culture in promoting cybersecurity practices within an organization (Cano, 2021; Hassandoust and Johnston, 2023). Moreover, organizational culture influences employees' perceptions of cybersecurity. Research of D’Arcy and Greene (2014) demonstrates that a strong organizational culture emphasizing the importance of security fosters positive attitudes and perceptions toward cybersecurity. When employees perceive cybersecurity as a critical aspect of the organizational culture, they are more likely to comply with security protocols and assume a heightened sense of responsibility for safeguarding organizational assets (Cano, 2021; Hassandoust and Johnston, 2023).

Leadership is instrumental in establishing and promoting a security-first culture within an organization (de Bruijn and Janssen, 2017). The behavior, actions, and priorities demonstrated by leaders significantly influence cybersecurity practices (Ubowska and Królikowski, 2022). When leaders actively participate in security initiatives, communicate the importance of cybersecurity, and allocate resources to support security measures, they set an example for employees to follow (Khando et al., 2021). Strong leadership commitment fosters a culture where security is integrated into strategic decision-making processes and becomes a shared organizational goal (Cano, 2021; Hassandoust and Johnston, 2023).

Leadership and management are key drivers in shaping organizational culture and, consequently, cybersecurity practices. Leadership commitment is vital in fostering a security-first culture by prioritizing cybersecurity, allocating resources, and leading by example. This sends a clear message to employees about the significance of cybersecurity. Additionally, middle managers also play a critical role in shaping cybersecurity culture (de Bruijn and Janssen, 2017; Cano, 2021; Hassandoust and Johnston, 2023). They act as intermediaries between senior leadership and frontline employees, translating organizational goals into actionable cybersecurity strategies and engaging employees at all levels (Govender and Bussin, 2020). Their active involvement significantly impacts the integration of cybersecurity practices within the organization (Govender and Bussin, 2020; Haney and Lutters, 2020; Li and Liu, 2021).

The role of organizational culture in cybersecurity is paramount, as building a security-first culture empowers employees, enhances their awareness, and promotes a proactive approach to cybersecurity (de Bruijn and Janssen, 2017; Cano, 2021; Nifakos et al., 2021; Akter et al., 2022; Hassandoust and Johnston, 2023). Organizational culture significantly influences employee behaviour and practices regarding cybersecurity (Cano, 2021; Hassandoust and Johnston, 2023). A culture that encourages open communication, knowledge sharing, and collaboration regarding cybersecurity fosters collective responsibility for protecting the organization's assets (de Bruijn and Janssen, 2017; Cano, 2021; Hassandoust and Johnston, 2023). Employees feel empowered to contribute to cybersecurity efforts by promptly reporting security incidents, participating in training programs, and adhering to security practices both inside and outside the workplace (Li and Liu, 2021). In contrast, a culture that lacks trust, accountability, or awareness regarding cybersecurity may result in risky behaviour, such as sharing passwords for accessing sensitive information on unsecured devices, and even sharing confidential information.

Organizational culture impacts the ability of an organization to learn from cybersecurity incidents, adapt to emerging threats, and continuously improve security practices. A culture that values learning, and adaptability encourages post-incident analysis, knowledge sharing, and the implementation of corrective measures to prevent future incidents (Cano, 2021; Hassandoust and Johnston, 2023). It encourages employees to report near-misses, share lessons learned, and contribute to the organization's collective knowledge. In contrast, a culture that avoids accountability or views cybersecurity incidents as isolated events inhibits organizational learning and hinders the development of effective security practices. Building a security-first culture requires organizational change and adaptation to evolving cyber threats de (Bruijn and Janssen, 2017; Cano, 2021; Hassandoust and Johnston, 2023). Li et al. (2016) suggest the promotion of a culture that encourages knowledge sharing among employees to enhance cybersecurity knowledge and awareness. A culture that encourages experimentation, innovation, and a proactive approach to security enhances an organization's resilience against cyber threats (Cano, 2021; Hassandoust and Johnston, 2023).

A security-first culture instils a sense of responsibility among employees, encouraging them to take proactive measures in identifying and reporting security incidents (de Bruijn and Janssen, 2017; Cano, 2021; Hassandoust and Johnston, 2023). It empowers employees to protect the organization's assets, including sensitive data and digital infrastructure. Organizations can cultivate a cybersecurity-centric environment throughout their operations by allocating resources to training, promoting accountability, fostering collaboration, and setting a leading example (IEA, 2021). This comprehensive approach helps mitigate the risks associated with cyber threats and bolsters overall resilience. Notably, accountability plays a critical role in reducing the likelihood of insider threats (IEA, 2021). Fostering a security-first culture facilitates open communication and collaboration among different departments and stakeholders (de Bruijn and Janssen, 2017; Cano, 2021; Hassandoust and Johnston, 2023). This facilitates the exchange of information about potential vulnerabilities and emerging threats, leading to a proactive response. Collaborative efforts may involve cross-functional teams such as information technology, legal, and human resources, who work together to develop effective cybersecurity policies and procedures (Van der Kleij, Kleinhuis and Young, 2017), see one for core and non-core members of a CSC working group (Alvarez-Dionisi, 2019). Involvement in organization culture is also covered extensively in the Denison Organizational Culture Model and considered dimensions such as involvement in fostering a security-first culture (Denison, 1984).

Organizational culture significantly influences cybersecurity practices within an organization. The values, beliefs, norms, and behaviours that shape the culture have a profound impact on how cybersecurity is perceived, prioritized, and integrated into daily operations (Cano, 2021; Hassandoust and Johnston, 2023). Edgar Schein's model of organizational culture provides a valuable framework for understanding the layers of culture within an organization (Schein, 2004). This model further depicts the Artifacts and behaviours within the organization and is very clear on the visible aspects of culture, while espoused values are the stated beliefs and norms (Schein, 2004). Recognizing the influence of organizational culture on cybersecurity practices is vital for organizations aiming to cultivate a security-first culture (de Bruijn and Janssen, 2017; Cano, 2021; Hassandoust and Johnston, 2023). Establishing inclusive structures within the organization that emphasize collaboration and hold everyone accountable is essential (Shore et al. 2018). Employees should recognize the value they contribute within these structures. Furthermore, it is important to consider the inclusion of non-core members in the working group, including individuals from external organizations or institutions who have a vested interest in the group's efforts, as well as expert consultants who offer valuable guidance and support (Kozlowski and Ilgen, 2006). Their involvement can bring fresh and independent perspectives and provide assessments from outside the organization (see Figure 2).

Moreover, one aspect that requires further exploration is the implementation of a security-first culture within a multi-party business model where certain functions are outsourced to third parties (de Bruijn and Janssen, 2017; Cano, 2021; Hassandoust and Johnston, 2023). This scenario presents unique challenges and considerations that should be thoroughly examined to ensure the effectiveness of cybersecurity practices and the alignment of a security culture across all involved parties (Cano, 2021; Hassandoust and Johnston, 2023).

Figure 3 below depicts cyber security trust gaps that can exist at many levels across the corporate ecosystem by McKinsey & Company cited in (Choi, Kaplan and Lung, 2017) who also highlight the importance of factoring external vendors and suppliers. Trust gaps in the organization could result in power dimensions that may exist between leadership and employees, in some instances third parties. Da Veiga, Astakhova, Botha, et al (2020) emphasize the importance of establishing a trusting relationship between management and employees to achieve high compliance with security policies and foster a strong commitment to information security.

One of the most prominent models that aim to bridge the trust gap in the organization is the Cultural Dimensions Theory (CDT), which is utilized to comprehend organizational cultures (Hofstede, 2011). It encompasses dimensions such as power distance and individualism vs. collectivism, making it a proposed model for promoting workplace harmony in a multicultural business environment (Cortina, Arel, and Smith-Darden, 2017). Some critics however still maintain that Geert Hofstede's CDT model can't be effectively implemented in the era of rapidly changing environment, convergence, and globalization and the model does not account for third-party models and unprecedented events such as COVID-19 (Shaiq et al., 2011).

Organizational culture plays a crucial role in cybersecurity practices, even in outsourced models where certain functions are delegated to third parties (Cano, 2021; Hassandoust and Johnston, 2023). The Denison Organizational Culture Model and similar models become highly relevant as they assess an organization's performance across multiple dimensions, providing valuable insights into its culture, including the level of involvement in fostering a security-first culture (Denison, 1984; Metz, Ilieș and Nistor, 2020). In such models, it is essential to establish a strong culture of cybersecurity that extends beyond the boundaries of the organization to encompass all parties involved (Chia, Maynard and Ruighaver, 2002; Jang-Jaccard and Nepal, 2014; Battisti, Alfiero and Leonidou, 2022).

This is further supported by Wiley and McCormac (2020), who argue that organizations should focus on security culture rather than organizational culture to improve information security awareness (ISA), saving time and resources.

Table 1 below shows some of the parameters that are of key consideration in an outsourced model setting on enhancing security culture.

Organizational culture greatly influences employee attitudes and awareness regarding cybersecurity (Hassandoust and Johnston, 2023; Rohan et al., 2023). A culture that values and prioritizes security creates an environment where employees recognize the importance of cybersecurity and their role in protecting the organization's digital assets (Akter et al., 2022). Such a culture fosters a sense of responsibility and vigilance among employees, making them more proactive in identifying and reporting potential security threats (Cano, 2021; Hassandoust and Johnston, 2023). On the other hand, a culture that downplays the significance of cybersecurity or lacks awareness regarding potential threats may result in a lackadaisical approach toward security measures (Akter et al., 2022; Hassandoust and Johnston, 2023; Rohan et al., 2023). A security-first culture also plays a crucial role in promoting security awareness and training programs (de Bruijn, Janssen, 2017; Akter et al., 2022; Hassandoust and Johnston, 2023; Rohan et al., 2023). Chang and Lin (2007), find that an organization's culture significantly influences the effectiveness of security training programs.

A culture that values continuous learning and knowledge sharing creates an environment conducive to effective cybersecurity training initiatives (Cano, 2021; Hassandoust and Johnston, 2023). This underscores the importance of embedding security awareness and training within the organizational culture to enhance cybersecurity practices (de Bruijn and Janssen, 2017; Akter et al., 2022; Hassandoust and Johnston, 2023; Rohan et al., 2023). Security leaders play a crucial role in implementing and enhancing training and awareness programs to improve security-related behaviour among users. While these programs cannot guarantee absolute security-related behaviours, they do contribute positively to the overall security posture (Blum, 2020).

The influence of organizational culture on employee compliance with cybersecurity policies and procedures is crucial. A strong security-oriented culture reinforces the importance of following established security protocols and ensures consistent adherence to cybersecurity guidelines. When cybersecurity is deeply ingrained in the organizational culture, employees understand that adherence to security measures is not optional but necessary for protecting the organization's sensitive information. Conversely, a weak or inconsistent culture may lead to lax compliance, leaving vulnerabilities that can be exploited by cybercriminals (Cano, 2021; Hassandoust and Johnston, 2023). Handy's Four types of culture model become more applicable in ensuring compliance as it takes into consideration role culture, task culture, and person culture, especially in the context of cybersecurity (Handy, 1995; Cacciattolo, 2014) This model transfers the responsibility for cybersecurity to varying hierarchies within the organization, from the process level down to the individual level.

The concept of cybersecurity culture ecosystem refers to the collective environment, practices, and mindsets concerning cybersecurity within a particular group or society (Cano, 2021; Hassandoust and Johnston, 2023). It encompasses various aspects that contribute to the development of a strong cybersecurity culture and the protection of digital systems, data, and infrastructure. Research on defining, evaluating, and enhancing cybersecurity culture, which comprises seven key elements: knowledge, beliefs, perceptions, attitudes, assumptions, norms, and values depicted in Figure 4 (Alvarez-Dionisi, 2019), is limited (Cano, 2021; Hassandoust and Johnston, 2023). This presents an opportunity for scholars and professionals to conduct a focused study on cybersecurity culture (Cano, 2021; Hassandoust and Johnston, 2023).

The COVID-19 pandemic has had a profound effect on the cybersecurity culture ecosystem, resulting in increased awareness, improved employee education, increased collaboration, and an increased emphasis on resilience and proactive cybersecurity measures (Everard, 2008, Cano, 2021; Hassandoust and Johnston, 2023). Organizations have come to acknowledge the vital significance of cybersecurity in facilitating digital operations and safeguarding sensitive data within a highly interconnected world (Akter et al., 2022). The risk remains elevated, particularly as most organizations have embraced remote work as a permanent and preferred practice (Adekoya, Adisa, Aiyenitaju, 2022; Vyas, 2022). Webinars and virtual meetings continue to be hosted by organizations, allowing employees to connect and collaborate remotely. Table 2 below depicts some of the areas that emerged during Covid-19.

The lessons, processes, and tools developed to deal with cyber security during the pandemic are expected to be carried forward into the post-COVID world (Tasheva, 2021). The author emphasizes that, for many years, cybersecurity was considered a niche ICT issue. Nonetheless, this perception has changed considerably over time.

Organizations will certainly need to consider reinforcing their existing cybersecurity frameworks or adopting innovative strategies to further enhance their defences against cyber threats. These frameworks serve as essential guidelines and structures that enable organizations to systematically identify, assess, and mitigate cyber risks. They encompass a variety of recommended practices, controls, and procedures that aim to protect information systems and sensitive data from potential threats. In the post-COVID era, Table 3 provides an overview of the main security measures that are fundamental to cybersecurity.

A company's cybersecurity practices are heavily influenced by its organizational culture. The shared values, beliefs, norms, and behaviours that define an organization's culture influence how cybersecurity is perceived, prioritized, and integrated into daily operations (Chang and Lin, 2007; de Bruijn and Janssen, 2017; Sharma and Aparicio, 2022). Connolly et al. (2016) suggest that organizations can create a cybersecurity-conscious environment by investing in training, promoting accountability, fostering collaboration, and setting a positive example for employees. This approach ensures that cybersecurity becomes an integral part of every aspect of the organization's operations.

This comprehensive approach enhances overall resilience and effectively mitigates the risks posed by cyber threats. The literature conducted revealed that a strong organizational culture that emphasizes the importance of security fosters positive attitudes and perceptions toward cybersecurity leading to increased compliance with security protocols and a heightened sense of responsibility for safeguarding organizational assets. The study also explored the Denison Organizational Culture Model, with a focus on involvement in fostering a security-first culture, which is especially relevant in building multi-disciplinary teams that are collaborative, inclusive, and promote effective communication. Furthermore, the literature emphasizes the essential role of leadership in creating a security-first culture. This begins at the highest level, with executive leadership taking the lead (Connolly et al., 2016). However, it is regrettable that even in well-established companies, some senior executives still perceive cybersecurity matters as solely the responsibility of the IT team, failing to recognize their significance as a leadership concern (Gilliland, 2023). The author strongly emphasizes the importance of leadership in fostering a security-first culture.

Dedicating resources, and leading by example in adhering to security practices, leaders effectively convey the importance of cybersecurity to their employees (de Bruijn and Janssen, 2017; Gilliland, 2023). Additionally, middle managers play a vital role in shaping the cybersecurity culture within an organization. According to the 2017 European Union Agency for Cybersecurity report (ENISA, 2017) middle managers have the power to translate organizational objectives into practical cybersecurity strategies and engage employees across all levels. Their role as intermediaries between senior leadership and frontline employees significantly impacts the integration of cybersecurity practices (Baham, 2021).

A culture of continuous improvement and adaptability is essential in addressing emerging cybersecurity challenges. There is a need for organizations to foster a culture that encourages experimentation, innovation, and a proactive approach to security. Such a culture enhances an organization's resilience against cyber threats. To build a security-first culture, organizations must address several challenges and gaps (Cano, 2021). Future research should focus on developing comprehensive frameworks that consider the multidimensional aspects of organizational culture and their specific impact on cybersecurity practices. Additionally, research should explore the long-term sustainability of a security-first culture and the challenges organizations face in maintaining it over time (Cano, 2021).

Organizational culture plays a crucial role in cybersecurity and establishing a security-first culture within organizations. Leadership Practices are instrumental in shaping the organizational culture and setting the tone for cybersecurity. Effective leaders prioritize cybersecurity as a strategic priority, invest in cybersecurity training and awareness programs, and lead by example to demonstrate the significance of safeguarding sensitive information. When leaders prioritize cybersecurity, allocate resources, and lead by example, it sends a clear message to employees about the significance of security.

Organizations should foster a culture that encourages experimentation, innovation, and a proactive approach to security. This enables them to effectively address emerging cybersecurity challenges and enhance their resilience against threats. While progress has been made in understanding the role of organizational culture in cybersecurity, there are still challenges and gaps that need to be addressed. The theoretical contribution of this study lies in its exploration of the role of Organizational Culture in Cybersecurity, centred around the TPB and CDT. While the TPB and CDT were the main focus, the literature review revealed the potential applicability of other theoretical models for assessing the establishment of a Security-First Culture within organizations.

Among the additional theoretical models identified are the Denison Organizational Culture Model, Handy's four types of culture model, and Geert Hofstede's model, which have been extensively covered in existing literature. However, their specific application and effectiveness in unique situations, such as during unprecedented events like the COVID-19 pandemic, remain relatively unexplored. This study emphasizes the importance of further research to assess the applicability and effectiveness of alternative theoretical models in various organizational contexts, especially during times of major disruptions.

This study further makes management and practical implications, first organizational culture plays a crucial role in cybersecurity and cultivating a security-first mindset. Leadership involvement is essential in achieving this goal. Senior leaders should demonstrate commitment by allocating resources, adhering to security practices, and making cybersecurity a strategic priority. Managers should also support cybersecurity efforts and communicate effectively with employees at all levels. Comprehensive security training and awareness programs that align with the organizational culture are recommended. Collaboration and knowledge sharing among employees, suppliers, and stakeholders is essential for fostering a collective security mindset. Long-term strategies and plans focused on preventive measures are vital to sustaining a security-first culture. Integration of cybersecurity practices into policies, procedures, and performance metrics, along with ongoing training and reinforcement, are necessary for the long-term success of the security culture.

Despite considerable advancements in comprehending the significance of organizational culture in cybersecurity, there are still numerous challenges and gaps that need to be addressed. Future research endeavours should concentrate on formulating comprehensive frameworks that encompass the multidimensional aspects of organizational culture and their specific influences on cybersecurity practices, especially when involving third parties, particularly those contracted for long-term engagements.