This article comes from the invitation I received from Televisão de Moçambique to comment on the results of the “National Cybersecurity Risk Assessment Workshop, with an emphasis on Critical Information Infrastructures”¹.
In Mozambique, according to one of the panellists present, “…at least 500 national institutions (public and private) suffer threats and attacks perpetrated by hackers”.
In this article, I invite my reader to answer the question: In the context of Mozambique, how does Culture affect Cyber (In)Security?
Let’s look at it in turn:
- Definition of culture², and of Cyber (In)Security (IS).
- The relationship between Culture and Cyber (In)Security.
- Conclusion.
A. Definition of Cyber (In)Security
In my opinion, IS can be analysed through the following lenses and consists of:
- The quality or situation,
- In which computers, devices, networks or information systems,
- And data,
- And natural and legal persons, without their consent,
- Are vulnerable, i.e. unprepared and without protective measures,
- Against threats, attacks and psychological manipulation³,
- perpetrated by hackers and criminals,
- Which can or does result in
- The decrease, degradation and/or loss of availability of information systems, confidential data, reputation, significant financial damage.
- [Such a state of vulnerability] can create the conditions and stimulate individuals, companies and states to act to protect the security of people and property, the confidentiality and availability of information and cyber systems.
B. The relationship between Culture and Cyber (In)Security: front and back
Social psychologist Geert Hofstede⁴ developed a logical framework for analysing cultural differences, based on six dimensions that I use here to analyse this topic.
1) The Power Distance Index (PDI)
a) Description: Refers to the acceptance of unequal power in a society.
b) Countries with high power distance: as is the case in Mozambique⁵, there is a general acceptance of hierarchy and authority, with a large difference between leaders and followers.
c) (Un)Safe behaviours resulting from high PDI: Ignoring security alerts: in these cultures, trust in the authorities can lead to a tendency to ignore security alerts, assuming that the authorities have everything under control.
d) Most frequent types of cybercrime: in these cultures, violation of security policies, phishing⁶.
- Individualism vs. Collectivism Dimension (IDV)
a) Description: refers to the acceptance of unequal power in a society.
b) Markedly collectivist countries: as is the case in Mozambique, collectivism is more prominent, and people value group harmony and are willing to make individual sacrifices for the well-being of the group.
c) (Un)Safe behaviours resulting from low IDV: not sharing passwords indiscriminately: in cultures with high collectivism, people may be more likely to focus on the interests of the group, avoiding carrying out risky practices such as sharing passwords without thinking about the consequences for the group.
d) Most frequent types of cybercrime: in these cultures, breaches of accounts, identity theft.
- Masculinity vs. Femininity Dimension (MAS)
a) Description: refers to the distribution of roles and values between the sexes in a society.
b) Markedly masculine countries: as is the case in Mozambique, masculinity is more prominent, and people value characteristics that are traditionally considered masculine, such as assertiveness, ambition and competitiveness.
“In highly collectivised cultures, people may be more likely to focus on the interests of the group, avoiding carrying out risky practices…”
c) (Un)Safe behaviours resulting from high MAS: not protecting online privacy: in these cultures, there may be less emphasis on protecting online privacy, as showing vulnerability or concern for privacy may be seen as “feminine”.
d) Most frequent types of cybercrime: in these cultures, phishing and ransomware⁷.
- Uncertainty Avoidance Dimension (UAI)
a) Description: refers to a society’s tolerance of uncertainty and ambiguity.
b) Countries without uncertainty avoidance: as is the case in Mozambique, people are more tolerant of uncertainty, accept ambiguity and are open to change.
c) (In)Secure behaviours resulting from low UAI: updating systems without fear of disruption: in these cultures, people are not afraid to update systems and do not fear interruptions or unknown changes.
d) Most frequent types of cybercrime: in these cultures, spear-phishing⁸ and malware⁹.
- Long-Term Orientation vs. Short-Term Orientation (LTO) Dimension
a) Description: This dimension measures how societies value long-term planning, compared to the pursuit of immediate success, stability and respect for social norms.
b) Short-term orientated countries: as is the case in Mozambique, Tanzania and Nigeria, people are short-term orientated and focus on the past and present, valuing tradition and social norms.
c) (Un)Secure behaviours resulting from low LTO: adopting emerging technologies without security assessment: in cultures with a short-term orientation, people are more willing to adopt emerging technologies quickly, without fully considering the long-term security implications.
d) Most frequent types of cybercrime: in these cultures, attacks on IoT devices, ransomware, social engineering⁴.
Organisations are living in an era in which cybersecurity concerns are ever-present
- Indulgence vs. Restraint Dimension (IVR)
a) Description: refers to how societies deal with their own human passions and desires. Cultures with a low score on the INR scale tend to control and limit emotional expressions.
b) Countries with a high indulgence scale: as is the case in Mozambique, tend to allow immediate gratification of personal and emotional desires.
c) (Un)Safe behaviours resulting from low IVR: sharing personal information on social networks: in cultures with high indulgence, people may be more likely to share personal information and details of their lives on social networks, seeking gratification and emotional connection.
d) Most frequent types of cybercrime: in these cultures, identity theft, privacy violations.
C. Conclusion
In this article I have analysed culture through Hofstede’s dimensions, and we have seen how it influences (un)safe behaviour online.
In societies like Mozambique, with a high power distance index there is greater acceptance of authority, which impacts on adherence to cyber security policies.
In addition, collectivism influences the protection of information, reflecting the valorisation of the group over the individual.
Masculinity can lead to excessive risk-taking online, while low uncertainty avoidance can result in less caution with suspicious links and emails.
Short-term orientation can promote the rapid adoption of technologies without considering security.
And indulgence can lead to excessive sharing of personal information.
Awareness of the interconnection between culture and (In)Security is the first step towards promoting effective cybersecurity and mitigating the negative impact of these threats on societies¹⁰ .
¹ Promoted by INTIC on 5 September 2023.
² KLUCKHOHN, Clyde: “The heart of culture is made up of traditional ideas and values that are connected”.
³ Social Engineering: A form of psychological manipulation to persuade someone to carry out specific actions.
⁴ HOFSTEDE, Geert (2001) “Culture’s Consequences: comparing values, behaviors, institutions, and organisations across nations”.
⁵ Mozambique in Geert Hofstede’s six cultural dimensions, see: https://clearlycultural.com/geert-hofstede-cultural-dimensions/power-distance-index/
⁶ Phishing: mass cyber-attacks. Criminals exploit the lack of discernment of users who, by clicking on false links, end up unwittingly revealing confidential information.
⁷ Ransomware: sensitive data hijacking scheme based on encrypting a user’s files and demanding a ransom in exchange for the decryption key.
⁸ Spear-phishing: falsified emails aimed at individuals.
⁹ Malware: an abbreviation for “malicious software”.
¹⁰ Other relevant authors and books on this subject: CLARKE, Richard et all, “The Fifth Domain: Defending Our Country, Our Companies, and Ourselves in the Age of Cyber Threats”.