Category Archives: cybersecurity

Developing a cybersecurity culture to influence employee behavior

Developing a cybersecurity culture to influence employee behavior

Jean-Loup Richet, IAE de Paris (Sorbonne Business School)


In our increasingly connected world, cybersecurity has become a critical concern for individuals, businesses, and governments alike. With the ever-growing threat of cyberattacks, it is more important than ever to raise awareness of cybersecurity risks and best practices. By promoting cybersecurity awareness, we can help protect ourselves and our data from malicious actors (Richet, 2021). Cybersecurity awareness helps to educate individuals about the dangers of cybercrime and the importance of taking steps to protect themselves online… But also to comply with organizational rules and deter them from deviant behaviors!

When it comes to deterring employee deviant behavior in information security, sanctions are one of the most commonly used methods. Organizations have long used sanctions as a way to deter employees from committing fraud. Sanctions can range from financial penalties to termination of employment.

However, research on this topic has been mixed, with some studies showing that sanctions are effective and others indicating that they are not. Trang & Brendel (2019) take a closer look at the role of sanctions in deterring employee deviant behavior and explore how contextual and methodological moderators can impact this deterrence approach. Their findings suggest that while sanctions have an overall effect on deviant behavior, their effectiveness depends on the context in which they are implemented and the methodology used to study them. In particular, they find that deterrence theory is more likely to predict deviant behavior in malicious contexts, cultures with a high degree of power distance, and cultures with high uncertainty avoidance. By understanding the moderating effect of these contextual and methodological factors, organizations can better design sanction mechanisms that are tailored to their specific needs and objectives.

There is a growing body of evidence that suggests organizations with strong cybersecurity cultures are better equipped to manage cyber risks, to protect their data and systems, but also to manage employee deviant behaviors. Practitioner research (IBM, 2021) found that organizations with a security-conscious culture are three times more likely to have comprehensive security programs in place and four times less likely to experience a data breach originating from an insider.

While the benefits of a strong cybersecurity culture are clear, developing such a culture is no easy task. Alshaikh (2020) identify and explain five key initiatives that three Australian organizations have implemented to improve their respective cyber security cultures. The five key initiatives are: identifying key cyber security behaviors, establishing a ‘cyber security champion’ network, developing a brand for the cyber team, building a cyber security hub, and aligning security awareness activities with internal and external campaigns. These key initiatives have helped organizations exceed minimal standards-compliance to create functional cyber security cultures. Organizations looking to improve their cybersecurity culture should consider implementing some or all of these five key initiatives. By doing so, they will be better positioned to manage cyber risks and protect their data and systems. It will also help them to create a culture of security within organizations, making it more likely that employees will report suspicious activity, take precautions to prevent attacks, and comply with information security policy. In addition, raising awareness of cybersecurity issues can help to better inform policymakers as they work to enact laws and regulations to promote cybersecurity and protect our interconnected world.


Alshaikh, M. (2020). Developing cybersecurity culture to influence employee behavior: A practice perspective. Computers & Security, 98, 102003.

IBM. (2021). Cyber Resilient Organization Study 2021. Retrieved from:

Richet, J.L. (2021). Trends in Cybercrime: Cases the Banking Sector. BPI France, Jun 2021, Paris, France. 2021.

Trang, S., & Brendel, B. (2019). A meta-analysis of deterrence theory in information security policy compliance research. Information Systems Frontiers, 21(6), 1265-1284.

Developing a cybersecurity culture to influence employee behavior

Cybercrime Trends: an Exploration of Ad-Fraudsters Communities

Cybercrime Trends: an Exploration of Ad-Fraudsters Communities

Jean-Loup Richet, IAE de Paris (Sorbonne Business School)

Abstract/ highlights of the paper

• This is one of the first studies documenting the way ad-fraud communities innovate and create value for their criminal customers.
• A multimethod approach was applied for data collection, integrating qualitative and quantitative assessment of six cybercriminal communities.
• Specialized ad-fraud communities provided a wealth of knowledge and incremental innovations in ad-frauds.
• General and customer-oriented ad-fraud communities showcased the most internal interactions, as well as exhibiting better performance and growth.
• General and customer-oriented ad-fraud communities have developed specific capabilities, focusing on innovation through artificial intelligence, which fuels customer engagement and fosters (criminal) attractiveness.


Richet, J.-L. 2022. “How Cybercriminal Communities Grow and Change: An Investigation of Ad-Fraud Communities,” Technological Forecasting and Social Change (174), p. 121282. (

Cybercrime Trends V2

Using Escape Room to Gamify Cybersecurity Learning

Serious games are particularly popular in Business Schools and universities: we are used to run business simulations, marketing games, project management role-playing games, etc.

I have always been fond of gamification and engaging alternatives for learning complex topics (cybersecurity is one of them) and was always pushing the boundaries (how to teach technical and engineering topics to managers?). Hence, I developed at the Sorbonne an escape room for cybersecurity – a live action team game, where players are hackers/industrial theft and have to exploit cybersecurity vulnerabilities in order to steal confidential and strategic business data.


The game was designed for MBA and master students and comprised multiple activities … and even a lockpicking test! This is the kind of lockpicking game one could encounter at the Black Hat Conference or Defcon for instance, so it wasn’t complex (all the teams succeed).

Of course, this game would not have been possible without the talented project team at the Sorbonne Business School that made the project come alive! Congrats again to this highly motivated team of students for their hard work (Simone, Charline, Alice, Emma, Florine and Guillaume).
And thanks to Melodia and Antoine @ NTT for their technical support for this event 🙂

The game has been conceived and played in French, but it is currently being translated in English. I intent to publish it here in the coming months.