Thesis Daphine Vorstenbosch

Subject: Information System Science

Title: Organisational Culture, Human Factors and NIS2 Readiness: How Can IT Auditors Diagnose the Non-Technical Dimensions of Cybersecurity Compliance?

Abstract:

The NIS2 Directive represents a qualitative shift in European cybersecurity governance, elevating compliance from a framework concentrated on technical controls to one that explicitly requires board-level responsibility for cybersecurity culture, risk management, and incident reporting. Despite this shift, many organisations struggle to translate NIS2’s obligations into operational practice. Research consistently demonstrates that human and cultural factors, rather than technical deficiencies, account for most cybersecurity failures, yet existing IT audit methodologies remain predominantly artefact-oriented and provide limited systematic insight into the cultural and behavioural substrates that NIS2 compliance most urgently demands.

This thesis investigates how organisational culture and human factors affect NIS2 readiness in client organisations, and how IT auditors can better diagnose these dimensions. The main research question is: How do organisational culture and human factors influence NIS2 readiness in client organisations, and how can auditors effectively diagnose these factors? Three sub-questions address cultural determinants of cybersecurity behaviour (RQ1), barriers to NIS2 compliance (RQ2), and the translation of Protection Motivation Theory and Technology Threat Avoidance Theory into a practical diagnostic approach for IT auditors (RQ3).

A qualitative research design was adopted. Twelve semi-structured expert interviews were conducted with EY IT auditors and cybersecurity consultants. These professionals had direct or indirect experience with NIS2-relevant client engagements across diverse sectors. Interview data were analysed using an inductive-deductive thematic analysis approach, generating 37 codes across eleven thematic groupings anchored in PMT, TTAT, Schein’s three-level culture model, and safety science principles.

Three principal findings emerge. First, sector-driven compliance culture is the dominant organisational determinant of NIS2 readiness: historically regulated sectors have embedded security governance as a basic assumption, while newly in-scope organisations face a qualitatively different cultural challenge. Second, the most consistent non-technical barriers to NIS2 compliance (scope uncertainty, the policy-practice gap, resource constraints, diffuse accountability, and underreporting inhibitors) are culturally produced and cannot be addressed through technical controls alone. Third, current IT audit practice exhibits a structural diagnostic gap: artefact-based indicators measure inputs to the awareness-behaviour chain without capturing the culturally significant transitions within it. In response, a five-domain diagnostic framework is proposed to aid IT auditors in assessing the human side of NIS2 readiness.

Keywords: NIS2 Directive, organisational culture, human factors, information security governance, IT auditing, cybersecurity culture, Protection Motivation Theory, Technology Threat Avoidance Theory, diagnostic framework
