Issue link: https://insights.oneneck.com/i/1476862
39 The 7 dimensions of security culture Supported by ENISA Our approach is supported by the European Agency for Network and In- formation Security (ENISA). ENISA strongly recommends measuring securi- ty culture in its 2017 report entitled Cyber Security Culture in Organisations. In which, ENISA specifically lists the same seven human-related elements of organizational security that our security culture model is based on. ENISA explains that, because organizations are complex social structures, a security culture transformation requires changing values and beliefs, al- tering behavior, and ultimately shaping underlying assumptions regarding security. It warns that "ignoring human factors in the development and de- ployment of cybersecurity policies and processes predestines [culture build- ing] activities to failure." 94 ENISA emphasizes that, "before any further steps are taken, the current state of security culture in the organisation should be assessed." 95 Further advising that, in addition to establishing the level of knowledge and aware- ness of employees [i.e. Cognition], organizations should examine employ- ee Behaviors, monitor employee activities to measure Compliance, study employee perceptions and understanding regarding some key aspects of cyber security culture, including "individual involvement and responsibili- ties regarding cybersecurity [i.e. Responsibilities], the effectiveness and openness of communication on the matter within the organisation [i.e. Communication]... employee beliefs and assumptions [i.e. Attitudes]... as well as what they perceive are the Norms of organisational conduct and practices within their company." 96 [Emphasis added.]