This study investigates demographic differences in cybersecurity culture (CSC) in a large global organisation supporting safety-critical and critical infrastructure sectors, in order to target CSC improvement. A global survey was administered to all internal and external employees, 21148 in total, and received 6502 responses. The questionnaire evaluates nine CSC dimensions, including Password Management, Governance, and Email Use. Anonymous survey responses were analysed using Kruskal-Wallis tests and Dunn's post hoc comparisons to identify differences across demographic variables including employment, recruitment paths, managerial role, gender, age, tenure, and work base. CSC was broadly consistent across the organisation, with statistically significant but small to moderate demographic effects. CSC variations were observed across employment, age, recruitment paths, and line managerial role. In general, full-time, internal, permanent, and older employees, Merger and Acquisition recruits, and line managers consistently scored higher across multiple CSC dimensions. Part-time, younger, and external employees, and those with 6 to 20 years of tenure, generally scored lower. These patterns highlight higher-scoring groups that may act as CSC carriers and lower-scoring groups that may benefit from tailored improvement measures, enabling organisational learning. Our study offers a practical, scalable way to assess CSC, generating meaningful insights despite industrial constraints. It enables organisations to benchmark maturity, identify gaps, and prioritise targeted improvements using workforce diversity as a guide.