When technology is not enough: Insights from a pilot cybersecurity culture assessment in a safety-critical industrial organisation

As cyber threats increasingly exploit human behaviour, technical controls alone cannot ensure organisational cybersecurity (CS). Strengthening cybersecurity culture (CSC) is vital in safety-critical industries, yet empirical research in real-world industrial setttings is scarce. This paper addresses this gap through a pilot mixed-methods CSC assessment in a global safety-critical organisation. We examined employees' CS knowledge, attitudes, behaviours, and organisational factors shaping them. A survey and semi-structured interviews were conducted at a global organisation in safety-critical industries, across two countries chosen for contrasting phishing simulation performance: Country 1 stronger, Country 2 weaker. In Country 1, 258 employees were invited (67%), in Country 2, 113 were invited (30%). Interviews included 20 and 10 participants respectively. Overall CSC profiles were similar but revealed distinct challenges. Both showed strong phishing awareness and prioritised CS, yet most viewed phishing as the main risk and lacked clarity on handling other incidents. Line managers were default contacts, but follow-up on reported concerns was unclear. Participants emphasized aligning CS expectations with job relevance and workflows. Key contributors to differences emerged: Country 1 had external employees with limited access to CS training and policies, highlighting monitoring gaps. In Country 2, low survey response stemmed from a "no-link in email" policy. While this policy may have boosted phishing performance, it also underscored inconsistencies in CS practices. Findings show that resilient CSC requires leadership involvement, targeted communication, tailored measures, policy-practice alignment, and regular assessments. Embedding these into strategy complements technical defences and strengthens sustainable CS in safety-critical settings.