Abstract

Cybersecurity culture is vital for strengthening organizational resilience by fostering proactive, security-aware mindsets. However, despite growing recognition of its importance, cyber incidents persist with alarming frequency, revealing a gap between awareness and effective cultural transformation. This paper argues that workarounds should not be dismissed as policy violations but examined as diagnostic signals of misalignments between organizational contexts and security practices. Although prior research has identified various factors influencing cybersecurity culture, it often overlooks the causal mechanisms explaining how and why these factors interact to produce specific behaviors, norms, and practices. To address this limitation, the study employs Swidler’s culture-in-action perspective within a critical realist ontology, enabling an investigation of the generative processes through which contextual conditions and cultural toolkits shape organizational action. This explanatory approach advances theoretical insight and practical guidance, supporting interventions that align cultural dynamics with security objectives and improve cyber resilience in a complex threat landscape.

Share

COinS