One of the reasons offered for gaps in organizations' cyber security is the lack of a "cyber security culture." This article defines and explores the concept of cyber security culture within the context of the U.S. Army. It concludes that the Army would benefit from the creation and adoption of a cyber security culture, though it would not be a security panacea. The article concludes by identifying and describing important elements of such a culture and practical advice for approaching culture change. These include: the development of policies that can be understood, adhered to, and enforced; change management efforts that unfreeze current culture, seek change, then refreeze/institutionalize changes; a structure that offers incentives for desired behaviors but also identifies and enforces compliance; and change efforts that emphasize change in knowledge/awareness and in attitude.
This report is part of the RAND Corporation External publication series. Many RAND studies are published in peer-reviewed scholarly journals, as chapters in commercial books, or as documents published by other organizations.