Data analysis was conducted using values of the average, median, standard deviation, CVR, as well as the calculated change in these values between Round 1 and Round 2.

The First round was completed in 20 days (from December 11th to December 31st 2023). Consensus of agreement was reached on 12 statements (see Table 3). Specifically, 75 % of our experts agreed on 12 out of 19 statements. No consensus of disagreement was obtained. As noted earlier, comparisons between degrees of convergence, consensus, and critical CVR were made to assess the level of agreement. These analyses indicated that seven statements did not reach consensus, necessitating a second round. Furthermore, the experts reported that two statements overlapped. The expert panel suggested merging Statements 2 and 3 into one because they address both reducing cognitive fatigue and improving workload balance. They also suggested combining Statements 6 and 18 into one category because the latter is considered an instrument of the former. Finally, the experts proposed a new statement called “Responsible use of personal social network,” scheduled for evaluation in the Second round.

The Second round was completed in 15 days, from February 12 to 26, 2024. Consensus was reached on five out of seven remaining statements (see Table 4). Therefore, overall, the study achieved consensus on 16 statements. Additionally, the experts agreed that the statement “Sharing success stories” was not essential. The action received a low score of importance and did not reach a consensus. As for “Dedicating staff to cybersecurity training,” the experts did not reach a consensus, but their answers were sparse, reporting a greater interquartile range.

Finally, Table 5 displays the statements that have achieved consensus, listed in order of importance. For each action, the best practices and tools suggested by the experts in the open-ended responses that are useful for the dissemination of these interventions are shown in the right column.

Encouraging personal responsibility is an important driver to improve cybersecurity by promoting a culture of vigilance together with proactive engagement in safeguarding it. Several practices and tools identified in the Delphi study can be leveraged to introduce these principles. A primary focus should be on implementing fear mitigation practices, which entails avoiding disciplinary methods following incidents that may breed resentment or foster disengagement. Instead, incentivizing incident reporting with rewards can encourage proactive engagement in sharing essential information. Practical training initiatives such as phishing simulations, and the introduction of gamified approaches, including competitions and gaming elements, are recommended. These methods inject dynamism and motivation into cybersecurity awareness efforts. Specifically, phishing attack simulations emerged as prominent strategies for enhancing preparedness and responsiveness without prior warning. Moreover, cybersecurity must not be viewed as a mere obligation but rather as a golden opportunity for personal and organizational growth, integrating mandatory training with spontaneous practice tests. A multifaceted approach encompassing education, simulation, gamification, and incentivization is recommended to encourage personal responsibility for cybersecurity.

Because the effectiveness of security practices depends on their integration with user workflows, several practices are suggested. One prominent approach involves aligning cybersecurity protocols with user convenience, exemplified by the adoption of biometric authentication as a user-friendly alternative to complex password requirements. Initiatives such as pre-alerting password change requests and the incorporation of physical device authentication help achieve a balance between security and usability. Additionally, centralizing strong authentication mechanisms and implementing Privileged Account Management simplifies security practices while ensuring robust protection of sensitive assets. Role-specific security standards, including differentiated approaches for top management and general staff, further contribute to workload balance by tailoring security measures to individual roles and responsibilities. Furthermore, the automation of vulnerability management processes and the implementation of specialized human resources reduce the burden on individual users while strengthening organizational defenses. Effective scheduling and workload distribution, facilitated by collaboration between IT departments and other managerial stakeholders, ensure that cybersecurity activities are integrated into existing workflows, as “effective planning reduces mental stress and heavy workloads (as a consequence of workload balancing) on one hand, and on the other, it tends to mitigate cyber risks (stemming from high mental stress situations)” (cybersecurity manager). In essence, the use of automation and a wise allocation of security measures emphasize the importance of harmonizing security measures with user workflows to achieve optimal cybersecurity outcomes.

Cybersecurity models and standards represent desirable actions for effective cybersecurity management. These tools include community-developed websites such as OWASP and CWE for software development and vulnerability identification, respectively, and internationally recognized standards such as ISO 27001 for cybersecurity management systems. Additionally, the experts highlighted the role of AI technologies such as Darktrace in enhancing security. Moreover, frameworks such as COBIT were emphasized for their effectiveness in managing cybersecurity risks. Next-generation antivirus solutions, along with endpoint detection and response systems, were identified as essential for proactive threat detection and mitigation. Overall, the consensus among respondents emphasizes the importance of adhering to established standards, leveraging advanced technologies, and implementing robust management systems to bolster cybersecurity posture. However, as a cybersecurity researcher stated, "I believe model and standards adoption is important, but only in cases where the right standard is applied to the right context.”

Awareness campaigns represent another effective means to improve organizational cybersecurity. Owing to the ineffectiveness of universal approaches, the experts recommended tailoring awareness campaigns to specific target audiences. Moreover, the experts advocated for mandatory training with final tests to ensure comprehension, alongside interactive sessions such as tabletop exercises and simulations, which should leverage tools such as visors for enhanced engagement. Internal communications, including videos and group challenges, are recommended to reinforce cybersecurity messages. Additionally, specialized professional training is deemed essential to boost employee confidence and enthusiasm. Real-world anecdotes about phishing tools and procedures are recommended, with dedicated sessions led by experienced speakers to captivate the audience. Hence, the need for ongoing or permanent campaigns has been emphasized, and the experts agreed that the more these campaigns engage participants, the greater their impact.

The experts provided valuable insights into effective tools and best practices for cybersecurity training, emphasizing the importance of authentic engagement and interaction as opposed to mere obligation. Interactive experiences such as escape rooms, simulations, phishing campaigns, and gaming activities were suggested as particularly effective methods for cybersecurity education. The participants noted that ongoing training efforts within organizations were producing substantial improvements in user attitude toward cybersecurity. They emphasized the need for training to be engaging, contextualized, and applicable outside the workplace. As a cyber threat analyst stated, "the important thing is interactivity—something that truly engages personnel in a defense mindset and creates ‘suspicion’ in everyday activities that could conceal malicious actions.” Role-playing games have been suggested to educate employees on proper responses to cyberattacks, underscoring the interactive nature of effective training. Crisis management exercises, capture-the-flag competitions, and interactive simulations were recommended to enhance cybersecurity awareness and preparedness. Innovative approaches such as cartoons and interactive platforms were noted to improve training effectiveness, even though practical constraints such as budget and time must be considered. Participants agreed that these innovative approaches are more effective than traditional methods.

Additionally, the participants stressed the importance of frequent, in-person training sessions to ensure employee attention and information retention, cautioning against over-reliance on virtual tools such as VR, games, and chatbots. Red Teaming, penetration tests, tabletop exercises, and phishing simulations were highlighted as valuable contributions to cybersecurity training, emphasizing the importance of hands-on practice and real-world scenarios. Overall, the consensus among respondents underscores the need for dynamic, engaging, and interactive training methods to train employees about cybersecurity threats and best practices effectively.

According to the experts, defining roles and responsibilities is another important action to be taken to enhance cybersecurity within organizations. The proposed practices encompass the application of the ISO 27,001 standard at an organizational level, ensuring a structured framework for delineating roles and responsibilities. Dedicated sessions aimed at explaining policies and clarifying defined roles were suggested to facilitate better understanding and adherence. These seminars are designed to establish a clear and shared operational model, fostering a culture of accountability and awareness across the organization. Additionally, periodic simulations of cybersecurity scenarios were recommended to assess individuals' adherence to the roles and responsibilities as outlined in security plans and policies. Importantly, the process of defining roles extends beyond the cybersecurity team to include members of other functions within the organization, emphasizing the importance of cross-functional collaboration in cybersecurity efforts. By presenting case studies of cyberattacks resulting from individual negligence and their repercussions, employees can gain awareness of the cascading effects of lapses in cybersecurity responsibilities. Overall, a standard reference system of roles and responsibilities, combined with ongoing seminars on its understanding and simulations of its implementation, are effective practices for defining roles and responsibilities in cybersecurity management.

The experts agreed that developing a cybersecurity-oriented culture is essential for enhancing overall cybersecurity within organizations. Implementing an Information Security Management System (ISMS) based on the ISO 27,001 standard serves as a foundational step in fostering such a culture, as it provides a structured framework for cybersecurity practices and principles. Additionally, promoting transparency and clarity regarding cybersecurity matters and encouraging a shift towards sharing cyber incident stories with all personnel can significantly contribute to shaping a cybersecurity-focused culture. This entails periodic cyber risk assessments to assess organizational vulnerabilities as well as the endorsement of cybersecurity initiatives by top management through emails and newsletters, which would demonstrate leadership commitment to cybersecurity priorities. Moreover, targeted seminars and specialized professional training, facilitated by external cybersecurity experts, offer employees valuable opportunities to enhance their knowledge and skills, fostering a proactive and informed approach to cybersecurity. Engaging leadership, particularly at the board of directors level, in discussions on cybersecurity strategies and risk management further reinforces the organizational commitment to cybersecurity and cultivates a culture of accountability and vigilance. Through awareness campaigns, training, and ongoing communication efforts, organizations can instill a sense of responsibility for cybersecurity in employees and foster a culture where cybersecurity is integrated into every aspect of operations and decision-making processes.

Encouraging feedback and peer learning is recognized as a desirable action to enhance cybersecurity within organizations. The respondents suggest implementing evaluation tests with the opportunity for employees to provide suggestions on the improvement of cybersecurity practices. Additionally, facilitating team discussion on cybersecurity best practices allows for peer-to-peer knowledge sharing and learning from common security incidents. Sharing incident stories and providing personalized post-evaluation or post-incident feedback help employees understand the impact of errors and learn from their mistakes, encouraging a culture of responsibility. Importantly, feedback should always be constructive and positive, focusing on actions and incidents rather than blaming individuals. The participants advised against penalizing employees for falling victim to cyberattacks, but recommend encouraging and rewarding the reporting of incidents, which promotes transparency and a proactive cybersecurity mindset across the organization. More specifically, negative feedback should be given constructively and individually, while positive feedback can be shared with the team (or, in special cases, with the organization). As a cybersecurity analyst and penetration tester stated, “it is very important not to condemn the employee who unintentionally facilitated a breach or data leak (provided their innocence has been verified……), but it is equally important to hold them accountable for the future by informing them of how they should have acted. In fact, the way feedback is given in such cases is a very delicate matter.” Overall, practicing open communication, continuous learning, and supportive feedback mechanisms empowers employees to actively contribute to cybersecurity efforts.

The experts recognized the strategic importance of scheduling cybersecurity activities in the enhancement of cybersecurity within organizations. They advocated for the establishment of a comprehensive process of risk management that encompasses measures such as software design, implementation of security countermeasures, effectiveness monitoring, and vulnerability remediation. Furthermore, they emphasized the necessity of integrating cybersecurity activities into broader organizational strategies, elevating their significance to the level of strategic industrial planning. This entails incorporating cybersecurity education and implementing key frameworks, such as SecOps, for secure development practices. Establishing a Control Tower or Project Management Office (PMO) dedicated to overseeing cybersecurity initiatives ensures centralized supervision and coordination. Penetration testing planning and dedicated calendar blocks for cybersecurity-focused events are also recommended strategies. While acknowledging the challenges posed by the scale of operations in larger organizations, the participants underscored the importance of both targeted education and the exploitation of technologies such as Artificial Intelligence (AI) in the optimization of resource allocation towards cybersecurity awareness and training efforts. Moreover, it is recognized that “there is a need to include the security-by-design approach in all company processes” (cybersecurity senior consultant and visual analytics for cyber security researcher). By embedding security-by-design principles and limiting employee exposure to unsafe actions, organizations can proactively mitigate risks and foster a culture of cybersecurity awareness and readiness across all levels, making security one of the main drivers in the formulation of a company's architectural, infrastructural, and organizational policies.

The experts emphasized the importance of simplifying procedures as a strategic action to enhance cybersecurity within organizations. Recognizing that technical jargon and complex language can pose challenges to non-technical personnel, participants advocated for the elimination of anglicisms and the use of clear, concise instructions in the local language, preferably with accompanying illustrative visuals. They stressed the need for specialized training to familiarize employees with the appropriate cybersecurity terminology, alongside dedicated sessions aimed at explaining procedures in an accessible manner. Furthermore, participants recommended incorporating role-playing exercises and simulations of real-life scenarios to provide practical experience in navigating cybersecurity processes. Regular audits and reviews of security procedures are also recommended to identify areas for improvement and streamline governance models. While some caution against oversimplification, emphasizing the importance of precise communication, others underscore the need for user-friendly procedures tailored to the needs of diverse stakeholders. Ultimately, by simplifying procedures and fostering a culture of accessibility and clarity, organizations can empower employees to effectively adhere to cybersecurity protocols, thereby strengthening overall resilience against cyber threats.

Team-level cybersecurity management is considered a pivotal action for cybersecurity reinforcement. Central to this approach is the adoption and implementation of the ISO 27,001 standard, as it provides a structured framework for information security risks management. Participants advocated for the tailoring of Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs) to assess the performance and effectiveness of cybersecurity functions at team level. Regular monitoring of these metrics enables teams to track their cybersecurity posture over time, identify areas for improvement, and respond promptly to cyber events. Moreover, the participants emphasized the necessity of ongoing engagement and training initiatives including workshops, seminars, and team-based exercises, to ensure that cybersecurity remains a continual focus for all team members. Dedicated cybersecurity teams or task forces are also recommended to provide specialized support and expertise and to foster a culture of collaboration and reliability. By establishing clear KPIs, implementing escalation procedures for incident response, and fostering a collaborative team environment, organizations can strengthen their cybersecurity resilience and mitigate risks effectively.

The experts agreed that ensuring the adequacy of technical resources is a key action in the enhancement of cybersecurity. Central to this approach is the implementation of robust security management systems, such as the ISO 27,001 standard, which provides a structured framework for safeguarding information assets. The participants highlighted the importance of leveraging advanced technologies, including AI, to bolster security measures. AI-powered solutions offer the capability to analyze network behavior and detect anomalous activities, enabling timely alerts to security personnel for further investigation and response. Additionally, participants advocated for the establishment of dedicated roles, such as security architects, who should be responsible for the design and maintenance of security infrastructure in collaboration with external analysts from Security Operations Centers (SOC) and Computer Emergency Response Teams (CERT). Meanwhile, the adoption of Secure System Development Life Cycle (SSDLC) principles ensures that security considerations are integrated into all stages of technology deployment and development processes. Technical resources such as AI, antivirus software, and other tools are essential because, without these, personnel would struggle to manage cybersecurity effectively. Merely relying on individual abilities does not suffice: employees also need adequate technical resources and proper training on how to use them.

The experts underscored the pivotal role of incident reporting in fortifying cybersecurity. They advocated for a multifaceted approach to incident reporting, emphasizing the importance of timely communication and structured documentation throughout the process. A key aspect is the conditionality of incident reporting based on the severity of vulnerabilities or the actual impact of the attack on the system. This nuanced approach ensures that resources are allocated appropriately and critical security threats are addressed effectively. Furthermore, the incorporation of post-incident analysis, such as post-mortem and lessons-learned documents, facilitates continuous improvement and knowledge sharing within the organization. The participants also stressed the importance of confidentiality in incident reporting, ensuring that employees feel empowered to report incidents without fear of repercussions. This entails implementing secure reporting channels and limiting access to sensitive information to authorized personnel only. Additionally, the integration of incident reporting mechanisms with Security Operations Centers (SOC) and Computer Emergency Response Teams (CERT) streamlines response efforts and facilitates collaboration among relevant stakeholders. Regular reporting of incidents, coupled with periodic reviews and revision of Key Performance Indicators (KPIs), enables organizations to monitor their cybersecurity posture effectively and refine incident response strategies over time. Ultimately, incident reporting serves as a cornerstone in fostering a proactive cybersecurity culture, promoting transparency, accountability, and collective resilience against evolving cyber threats.

According to our experts, addressing remote work cybersecurity is an action to be undertaken to support the overall cybersecurity posture. The unanticipated widespread adoption of remote work due to the COVID-19 pandemic compelled millions of employees to operate in environments and with tools that might not have always met optimal security standards. While organizations invest in technologies and processes to safeguard their information assets, individuals can apply these measures effectively, which will ultimately make a difference. Key solutions and best practices identified by the participants include implementing stringent system hardening measures, such as VPN with multifactor authentication and USB restrictions, to secure remote connections. Moreover, centralized management of Virtual Desktop Infrastructure (VDI) and enhanced monitoring by Security Operations Centers (SOC) using technologies such as Machine Learning to detect anomalous user behavior contribute to a more secure remote work environment. Mandatory training on cyber vulnerabilities related to remote working along with the requirement for remote access certification highlights the high level of attention organizations dedicate to remote work security. The implementation of Multi-Factor Authentication (MFA) and the utilization of technologies such as Endpoint Detection and Response (EDR), web filtering, and email security further fortify remote work environments. The emphasis on sharing best practices and providing straightforward instructions to users, coupled with the deployment of appropriate remote work technologies, forms a holistic approach to enhancing remote work cybersecurity. By integrating these strategies, organizations can mitigate risks and ensure the security and productivity of remote work arrangements.

The experts recognized that understanding the limitations of cybersecurity devices is crucial in the enhancement of overall cybersecurity. The widespread adoption of remote work has highlighted the necessity for organizations to deploy robust security measures tailored to the unique challenges of remote environments. While organizations invest in technologies and processes to protect their information assets, stakeholders must comprehend the inherent limitations of these cybersecurity devices. This understanding enables organizations to effectively evaluate the efficacy of existing security measures and identify areas for improvement. Key solutions and best practices identified by the participants include implementing stringent system hardening measures, such as VPN with multifactor authentication and USB restrictions, to secure remote connections. By acknowledging and addressing the limitations of cybersecurity devices, organizations can develop more resilient cybersecurity strategies and prevent employees from over-trusting these devices.

The theme of social networks and cybersecurity is becoming increasingly relevant due to the widespread use of platforms and the growing user base, who begin at a younger age. It is therefore important to incorporate security topics into training and prevention programs to address potential cyberattacks. Implementing rules and templates for whatever can be shared on social networks is crucial. Sensitization (and awareness) campaigns with realistic practical examples are essential to truly convey the devastating impact of cyberattacks. There is often a lack of awareness of the implications of sharing personal information on social networks, especially concerning the security of the organization one works for. Attention should also be given to regulatory aspects, particularly regarding the use of social media in the workplace. Although this may be more relevant for companies with mobile devices operating on corporate VPNs, it is still important to consider the consequences for all companies. Social networks serve as abundant sources of information for conducting attacks such as business email compromise (BEC). Thus, web filtering systems are essential, as evidenced by their inclusion in the 2022 version of ISO27001. As reported by a Chief Information Security Officer, “One of the attacks observed in the past originated directly from LinkedIn, through a fabricated job position and the exchange of a Word document containing an infostealer. However, our XDR solution successfully prevented the execution of the malware, enabling us to reconstruct all events of the attack. Social networks are integral parts of our lives and pose an increasing cyber risk, amplified by the introduction of AI. Corporate training should encompass the risks and behaviors to adopt on these platforms. Several colleagues have highlighted how this training has significantly benefited their personal sphere as well.”