The Role of Information Security Culture in Zero Trust Adoption: Insights From UAE Organizations

Abstract

Read online

This study examines the viability of Zero Trust (ZT) models, a burgeoning measure of cybersecurity, in different cultural contexts. The ZT security model is based on the principle of “never trust, always verify” and, unlike traditional models, rejects inherent trust assumptions. The focus is on Middle Eastern culture, specifically the United Arab Emirates (UAE), to examine impact of information security, national and organizational culture, and how these correlates with the adoption of the ZT model. A theoretical model explains the user and organizational behavior towards ZT in the Arab culture, assessed through a survey based on the most important factors of the information security culture. The empirical data was analyzed in the UAE with the participation of 98 cybersecurity professionals from 98 different organizations using SmartPLS4 and PLS-SEM. The overall results indicate that both national and organizational culture, as well as information security culture, are significantly and positively correlated with the adoption of the Zero Trust Architecture (ZTA). This indicates that cultural aspects at different levels of national, organizational, and information security-specific play a crucial role in the decision-making process regarding the implementation of ZT models. The inclusion of the UAE brings a particular cultural element that has unique variations, and practical recommendations to help organizations improve their ZT adoption in line with cultural considerations. These findings are relevant for organizations and policy makers. The inclusion of additional factors, countries, and participants in future research could increase the accuracy of the results.

Keywords

• Zero trust model
• information security culture
• cybersecurity
• national culture
• organization culture
• UAE