The Influence of Usable Security on Security Culture
Date
2025
Publisher
University of Nottingham
Abstract
Cybersecurity threats are becoming more complex, and organizations must implement
security measures that are technically robust and practical. The lack of usability of these
measures can lead to non-compliant behavior, risky workarounds, and a weak security culture,
making the organization susceptible to security breaches. To improve cybersecurity posture
and resilience, organizations need to understand and strengthen their security culture.
This study adopts a mixed-method approach to explore the influence of usable security on
security culture. It centers on three core objectives. First, it seeks to understand the concepts
of usability, usable security, and security culture by examining their representation in studies
and authoritative sources. It also formulates a comprehensive set of definitions to identify the
factors that influence these key elements. Second, it aims to characterize the relationship
between usable security and security culture by framing the study variables and investigating
whether usable security can positively impact security culture, drawing on both quantitative
and qualitative analyses. To achieve this, a survey was conducted with over 200 participants,
followed by interviews with a smaller sub-population. The study then employed descriptive
statistical analysis and thematic analysis to understand the relationship between usable
security and security culture. Third, it seeks to design a means of leveraging the influence
of usable security, identifying specific areas where usability improvements can promote a
stronger and more positive security culture.
A thorough review of previous and related studies informs the study’s direction and
methodology, laying the groundwork for developing the instruments required to investigate
the impact of usable security on security culture. An important outcome of this research is the
development of a framework for fostering a strong security culture by employing usable
security alongside other necessary elements. This framework, which forms a key contribution
to the study, was validated by two groups: participants who completed the survey and
interviews and a group of experts. The validation process highlighted the framework's practical
value and contributed to enhancing the framework's clarity, presentation, and potential for
integration.
The research is intended to help organizations overcome pitfalls that hinder the development of
a positive security culture by establishing a structured approach that addresses common
usability barriers. Ultimately, the study has the potential to help organizations achieve greater
compliance, reduce cybersecurity risks, and enhance their resilience to evolving threats.
Keywords
Cyber Security, Usable Security, Security Culture, Cyber Security Behavior