Title: Telling stories about vendors: narrative practices to negotiate risk and establish an organizational cybersecurity culture

While many cybersecurity culture studies have focused on identifying and measuring an organization's cybersecurity culture—assumptions, values, behaviors, and artifacts—less research has focused on how cybersecurity culture is enacted in the daily workplace in ways that lead to cultural change. In this paper, I approach cybersecurity culture as a meaning-making activity, or practice within an organization. Organizational theory on narrative practices—including storytelling, sensemaking, and sensegiving—provide a conceptual framework to better understand cultural meaning-making practices, as well as how those practices shape decision-making and organizational actions. Using ethnographic observation and interview data, I conducted a narrative analysis of interdisciplinary communication between IT and Facilities professionals working with Internet of Things vendors and their associated risks. The findings demonstrate that storytelling, sensegiving, and sensemaking practices were key to developing an emerging narrative that shaped professional and organizational decision-making to improve cybersecurity. The results of this study suggest that a narrative approach to cybersecurity culture can illuminate practices of cultural meaning-making and organizational decision-making, and suggests that organizations should provide resources for IT and Facilities professionals to engage in interdisciplinary work to create a more robust cybersecurity culture in Facilities departments.

Oxford University Press
Journal of Cybersecurity
National Science Foundation
