Exploring the information security culture within industrial control systems organisations: Expert reviews

The security of computer-automated systems governing the Critical Infrastructures sectors: Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems represent a significant challenge in the present time. These systems have seen numerous examples of malicious attacks including Stuxnet and Night Dragon attacks. Unknown cyber-security threat vectors towards the critical industrial processes and systems seem to be unavoidable due to the new technology trends such as Mobility, BYO devices, cloud storage and big data. Recognising and rapidly responding to these attacks could be possible by strengthening the information security implementations within organisations. This research paper proposes a holistic approach to cultivate awareness within the organisations by instilling an information security culture. This includes assessing the information security compliance, awareness, measures, policies and government as adapted from the Information Security Culture Model. The information is gathered through semi-structured interviews of eight IDS and SCADA systems experts and were then analysed deductively. This paper presents the results of this research study analysis to evaluate the current information security culture within SCADA organisations.