ST4063CEM The Security Professional

Submitted by: Submitted to:

Rajeev Kumar Shrestha Ganesh Bhusal
Student Id: 240186
How can organizations ensure that employees are aware of the risks and
maintain a strong cybersecurity culture that fosters security awareness and risk
perception? Additionally, how can organizations effectively communicate and
educate employees about security issues and activities, while still maximizing
productivity? Provide a real-world case scenario and discuss the role of
attitudes, behaviors, communication, compliance, norms, and responsibilities in
building and maintaining a strong cybersecurity culture.
Ans:

Building a Strong Cybersecurity Culture in Nepal

To ensure employees are aware of cybersecurity risks and maintain a strong cybersecurity
culture, organizations must prioritize awareness, communication, and behavioral change
while balancing productivity.

Key Steps to Build Cybersecurity Culture

1. Awareness and Education:

o Conduct regular training on phishing, ransomware, and social engineering.
o Use simulated phishing tests to train employees to identify threats.
o Provide role-specific training for high-risk departments like IT and Finance.
2. Communication:
o Ensure top-down leadership emphasizes cybersecurity.
o Use newsletters, alerts, and workshops to communicate threats and best
practices.
o Create clear reporting protocols for employees to report suspicious activity.
3. Behavioral Change:
o Foster a sense of shared responsibility for cybersecurity across the
organization.
o Reward employees for secure behaviors and incident reporting.
o Normalize habits like using multi-factor authentication (MFA) and strong
passwords.
4. Balancing Security and Productivity:
o Deploy automated tools like email filters and firewalls to reduce manual
effort.
 o Use user-friendly solutions like password managers and short, interactive
training sessions.

Case Example: NIC ASIA Bank Phishing Incident (2020)

In 2020, NIC ASIA Bank faced a phishing attack where fake emails tricked employees into
sharing credentials.

Steps Taken:

1. Awareness: Regular training and phishing simulations were introduced.

2. Communication: A cybersecurity communication protocol ensured timely threat
updates.
3. Behavioral Change: Employees began verifying emails, reporting suspicious
activities, and adopting secure practices.
4. Tools: Email filters, MFA, and password managers were deployed to automate
security without disrupting productivity.

Results:

• Employee awareness improved, phishing incidents declined, and cybersecurity

became a shared responsibility within the bank.

Key Takeaways for Nepalese Organizations

• Train employees on threats through workshops and simulations.

• Promote clear communication and shared responsibility for cybersecurity.
• Automate tools to maintain security without affecting productivity.
• Foster a culture where secure behaviors are normalized and rewarded.

By learning from cases like NIC ASIA, organizations in Nepal can build a resilient
cybersecurity culture and mitigate risks effectively.