Cybersecurity remains a top challenge for any organization that leverages technology — a reality that encompasses nearly all modern businesses, from startups to enterprises. As a result, exploiting cyber-vulnerable organizations has become big business. Not surprisingly, cybersecurity remains the top-ranked risk among internal audit leaders globally, according to the Risk in Focus 2025 report. Cyber incidents often spark greater awareness of vulnerabilities and can be catalysts for strengthening overall cyber resilience. Cyber incidents can also motivate greater cooperation and collaboration between internal audit and information security. But it doesn’t have to be that way. Effective internal audit-information security relationships can support efforts to build cyber-resilient organizations without having to go through the pain of a cyberattack. As natural allies on the cyber battlefield, internal audit and information security can team up to communicate the need and value of a healthy cyber culture. #riskculturelab #riskculture https://lnkd.in/deisx2ug
Risk Culture Lab
Research
We help teams and organizations to excel by aligning logic (governance) and magic (culture)
About us
A poor culture can undermine even the best designed risk framework. People can choose whether and how to comply with the framework’s requirements. We help teams and organizations align individual and team behavior with the risk governance framework through dialogue and experiential learning.
- Industry: Research
- Company size: 1 employee
- Headquarters: Sofia
- Type: Privately Held
Locations
- Primary: Sofia, BG
Updates
-
The current geopolitical climate, following Russia’s invasion of Ukraine and with wars raging in the Middle East and in Sudan, makes it nearly impossible not to think about such events when assessing the one global risk expected to present a material crisis in 2025: close to one-quarter of survey respondents (23%) selected State-based armed conflict (proxy wars, civil wars, coups, terrorism, etc.) as the top risk for 2025. Compared with last year, this risk has climbed from #8 to #1 in the rankings. Geopolitical tensions are also associated with the rising risk of Geoeconomic confrontation (sanctions, tariffs, investment screening), ranking #3, which is also driven by Inequality, Societal polarization and other factors. #riskculturelab #riskculture https://lnkd.in/etw9fvCg
-
Risk culture can result in a competitive advantage for firms with better cultures and conduct. This is particularly true with regard to client reputation and the ability to attract employees and investors. Organizations can succeed if they accept that culture is core to their business models and if they decide that fixing culture is key to their economic sustainability. A good risk culture should not just be about complying with regulations but rather creating something that will help to prevent or resolve problems. Since risk is an inherent aspect of business function, risk culture has an impact on the risk-taking propensity and policies, types of risk assessment/performance ratio, and final decisions. #riskculturelab #riskculture https://lnkd.in/dsySatfu
-
Culture influences behavioural norms, which send signals throughout an organization about what is, and is not, valued, important, and acceptable. Culture supports or undermines sound decision-making, prudent risk-taking, and effective risk management. This, in turn, can materially support or weaken a financial institution’s safety, soundness, integrity and security. ‘Culture risk’ refers to the misalignment between a financial institution’s stated desired culture and its actual culture that may prevent it from achieving its objectives. Culture is deliberately shaped, evaluated, and maintained through: effective leadership; talent and performance management; compensation, rewards and recognition, and incentives; and accountability practices. #riskculturelab #riskculture https://lnkd.in/dcBmG-En
-
People have become the primary attack vector for cyber threat actors around the world. As a result, humans rather than technology represent the greatest risk to organizations. Security awareness programs and the professionals who manage them are key to mitigating this human risk. The term security awareness program is used to describe a structured effort to engage, train, and secure your workforce and build a strong security culture. However, many organizations refer to such efforts using different terms, including security behavior and culture, security engagement and influence, security training and education, security communications, or human risk management. There is no single right or wrong term. And that’s fine, because we are more concerned about enabling you to secure your workforce and your organization than the name of your program.

If security awareness programs are ultimately about managing human risks, which human risks are organizations most concerned about?

1. Social Engineering – this category refers to the three most common social engineering attacks: email-based phishing, text-based smishing, and voice-based vishing.
2. Passwords/Authentication – how people authenticate and manage their passwords was a top risk, but we were expecting this risk to be ranked closer to social engineering.
3. Detection/Reporting – detection and reporting as a top concern is a positive development, as it implies organizations are going beyond just the human firewall (prevention) to developing the human sensor (detection/response), which helps organizations reduce attacker dwell time.
4. Artificial Intelligence – this is the first year AI popped up as a risk, and unsurprisingly so. The issue we see with AI is not that it is inherently vulnerable or unsafe; it’s that AI is so new that organizations are struggling to figure out how to use it and the risks, policies, and controls that must be in place to manage those risks.
#riskculturelab #riskculture https://lnkd.in/d2YAqVXt
-
Cybersecurity encompasses three dimensions: technical, managerial and culture. The technical dimension addresses technologies, tools, and skills to detect and mitigate cyber-attacks. The managerial aspect focuses on defining data governance and establishing enterprise processes. The culture component brings values, attitudes and beliefs of an organization (Huang and Pearlson 2019). Even if an organization possesses the most sophisticated technological and managerial security measures, it remains susceptible to a cyber breach if the individuals within the organization do not exercise caution and prioritize protection. In recent years, the concept of security culture has gained significant attention in both practical and research settings. This is primarily due to organizations' efforts to counter the rising number of attacks that exploit human vulnerabilities.

The Cybersecurity Culture Maturity Model was created to address three clear objectives: (1) to be able to articulate different levels of cybersecurity culture maturity; (2) to have a roadmap with actionable insights for managers; (3) to provide a model for assessing the current level of cybersecurity culture maturity.

The five stages of the cybersecurity culture maturity model are:

- Stage 1: Adhoc Cybersecurity Culture
- Stage 2: Defined Cybersecurity Culture
- Stage 3: Managed Cybersecurity Culture
- Stage 4: Developed Cybersecurity Culture
- Stage 5: Dynamic Cybersecurity Culture

Cybersecurity culture is people dependent, and organizations are embracing its importance and taking actions to improve their cybersecurity culture. However, there are not many tools to measure cybersecurity culture and even fewer tools to provide the maturity level of the organization’s cybersecurity culture. Creating a cybersecurity culture framework will help provide a roadmap with actionable insights for managers. Organizations will be able to assess the current level of cybersecurity culture maturity.
Having a framework will help identify the current gaps and provide a roadmap for assessing the cybersecurity culture maturity of an organization. #riskculturelab #riskculture https://lnkd.in/d-4v-eMD
-
Some forward-thinking organizations are experimenting with AI in their cybersecurity function, to improve risk detection and response. However, an aspect that holds great potential, but is somewhat unexplored, is how AI can help organizations to boost their cybersecurity culture, especially when it comes to cyber Human Risk Management (HRM). Cyber HRM is essential to cybersecurity culture, as the way people manage technology is the window through which threat actors can infiltrate organizations. The top two cybersecurity culture challenges are aligned to human behaviors. The number one concern is “resistance to change”, and the second, “managing human risk factors and creating a strong cybersecurity culture.” There are clear indications of how AI could be a powerful enabler for managerial mechanisms to positively influence cybersecurity values, attitudes and beliefs. AI supports an organization building a strong cybersecurity culture through five key themes — visibility, efficiency and scalability, and providing personalization and quantification capabilities that CISOs have previously struggled to achieve. #riskculturelab #riskculture https://lnkd.in/d2ybRyGB
-
A Zero Trust Culture is the term used to define the collective core enterprise level functions and activities required to underpin the application of Zero Trust. The success of implementing zero trust practices cannot be achieved solely through a technology-based approach. It requires organisational transformation to embed a ‘zero trust culture’ across an entity. Embedding zero trust culture does not mean we are promoting a lack of trust in our employees. An effective zero trust experience will empower employees through a clear understanding of roles and responsibilities, as well as providing a consistent experience across different IT platforms. Embedding a zero trust culture allows opportunities to better combat the current and emergent risks stemming from a rapidly evolving cyber threat landscape and expansion of the digital attack surface, by shifting from a traditional strong perimeter protection focus to a zero trust architecture, rooted in the core principle of “never trust, always verify”. #riskculturelab #riskculture https://lnkd.in/dXZr_eY7
-
Europe’s lack of AI adoption is not due to a want of financial resources but rather organizational cultures not being ready to embrace AI. This is worth repeating. Europe is not behind because of a lack of capital, rather a lack of culture. Therefore, the study of cultural readiness in Europe is crucial for closing the AI adoption gap. Without cultural readiness, European companies will struggle to compete. Unfortunately, even though technology is changing rapidly, culture change is not keeping pace. In fact, Gallup’s State of the Global Workplace Report revealed that engagement barely increased over the last four years from 20% engaged employees globally in 2020 to 23% in 2023. Of course, this does not mean culture cannot change rapidly when organisations focus on and invest in change intentionally. Gallup defines culture as the ways of working and how we get things done around here.

To measure and understand the drivers of cultural readiness for advanced technologies, Gallup analysed four elements of readiness:

1. SYSTEMIC READINESS: The systems, processes, and rituals that influence the entire organisation to embrace advanced technologies.
2. LEADERSHIP READINESS: The leaders and managers who bring the organisation along and inspire adoption.
3. TEAM READINESS: The local-level culture that integrates advanced technologies into daily work.
4. HR READINESS: The segment of the organisation that empowers and equips the culture needed to navigate advanced technologies.

#riskculturelab #riskculture https://lnkd.in/dkAdeA3E
-
Culture is crucial at audit firms, since it lays the foundation for the work auditors perform in capital markets. Culture is broadly defined as a set of shared attitudes, values, goals, and practices that characterize an organization. An organization’s culture influences how it establishes its reputation, manages its teams, and sustains productivity. Healthy cultures enable organizations to thrive, while unhealthy cultures can lead to underperformance or worse. An organization’s culture can determine everything from whom they hire to how long those people stay. In essence, culture is the backbone of an organization. It influences every aspect from daily operations to long-term strategy. Auditors must operate with integrity, to promote investor confidence and foster trust in the capital markets. Like any private business, audit firms aim to make a profit. Audit firm leaders – with the tone they set and the culture they foster – are responsible for ensuring that their professionals maintain independence, integrity, and professional skepticism as they also pursue growth and profitability of their audit firms. Indeed, an audit firm’s culture contributes to the audit firm’s ability to deliver a quality audit. Culture may also detract from audit quality, particularly if leadership says one thing but rewards another. #riskculturelab #riskculture https://lnkd.in/eKZ8PJmM