The concept of Cybersecurity Culture (CSC) refers to the knowledge, beliefs, perceptions, attitudes, assumptions, norms and values of people regarding cybersecurity and how they manifest themselves in people’s behaviour with information technologies. CSC encompasses familiar topics including cybersecurity awareness and information security frameworks but is broader in both scope and application, being concerned with making information security considerations an integral part of an employee’s job, habits and conduct, embedding them in their day-to-day actions. To assist in promoting both the understanding and uptake of CSC programmes within organisations, this report draws from multiple disciplines, including organisational sciences, psychology, law and cybersecurity. It is complemented by knowledge and experiences gathered from existing CSC programmes implemented within organisations, and contains good practices, methodological tools and step-by-step guidance for those seeking to commence or enhance their organisation’s own Cybersecurity Culture programme.

There are multiple drivers behind the rise of CSC as a recognised need within organisations. It reflects the acceptance that how an organisation behaves depends on the shared beliefs, values and actions of its employees, and that this includes their attitudes towards cybersecurity. There is the recognition that cyber threat awareness-raising campaigns are not, in themselves, affording sufficient protection against ever-evolving cyber attacks. There is also the recognition that technical cyber security measures do not exist in a vacuum, and need to operate in harmony with other business processes so that employees are not placed in the untenable position of having to choose between ‘doing their job’ and ‘complying with security policies’.
Finally, it is about responding to the view that humans represent the weakest link in cyber security chains, and replacing this with an environment where employees become robust human firewalls against cyber attacks. It is against this backdrop that ENISA has undertaken research into Cybersecurity Culture to provide this guidance, applicable to organisations regardless of structure, size or industry. This is achieved by presenting tools and practices designed to be contextualised to the needs and circumstances of individual organisations. While it has been targeted at those employed in security functions and/or tasked with increasing the cyber security resilience threshold of all employees, the language has been crafted to ensure all employees, regardless of role or seniority, can gain sufficient understanding of what is required to produce and kick-start their own CSC programme. The following resources have been included:

- Good practices identified from those organisations that have already implemented mature CSC programmes, specifically categorised and tailored to different audiences within an organisation, from senior management to the information security team;
- An eight-step Implementation Framework to facilitate the development and delivery of a Cybersecurity Culture programme, presented alongside detailed guidance for each of the constituent steps. This Framework encompasses the entire lifecycle of an organisation’s Cybersecurity Culture programme;
- Methods to produce a CSC for an organisation, as well as guidance on suitable metrics for measuring the impact of CSC activities; and
- Strategies for building a robust business case for the allocation of internal resources towards future Cybersecurity Culture activities.
The study identifies good practices, methodological tools and step-by-step guidance for those seeking to commence or enhance their organisation’s own Cybersecurity Culture programme, including resources to produce a business case to secure funding for such a programme. The success of a CSC programme rests on a number of key elements, which are identified and described below.