
Change Management and Cybersecurity Culture in Organisations


Admission requirements

Only students of the MSc Crisis and Security Management can take this course.


How can we build a strong cybersecurity culture in our organisations? Which factors do we have to consider when implementing a cybersecurity strategy? How can we effectively communicate the importance of developing a cybersecurity culture in organisations?

These questions reveal a common premise: cybersecurity is no longer only about technology but also about people and organisational problems. Employees' inadequate use of technology or a lack of security culture lies behind insider threats, CEO fraud, and ransomware attacks. However, many organisations, especially small and medium enterprises, have not yet reached an appropriate cybersecurity maturity because of resistance to change. Building a cybersecurity culture often means that employees' behaviour and the organisational structure must change. And while solutions are out there, they are not being fully adopted.

In this course, students will learn how to develop, maintain and evaluate a cybersecurity-driven culture in organisations by leveraging the principles of organisational change. The goal of the course is to prepare the students to develop research skills to critically evaluate the cybersecurity maturity of organisations and propose and implement solutions. The theoretical foundations for this course will combine organisational change models and diffusion of innovations theory.

Specifically, the course explains the conceptual framework of organisational change, diffusion of innovation, cybersecurity culture and cybercrime prevention in organisations. We will also explain how to evaluate the organisation's overall culture and align cybersecurity culture with the organisation's culture. We will then focus on communication and leadership, as sometimes resistance to change happens because the new measures are never explained adequately. But communication is not enough to enable change. Finally, we will cover how to create policies that are simple and easy to follow and how to measure and track the impact of the change.

Course objectives

After finalising this course, students will be able to:
1. Explain, based on the knowledge of the state of the art, what cybersecurity culture is, why it is important, and how to evaluate the cybersecurity culture of an organisation.
2. Identify and apply relevant theoretical and analytical frameworks and methodologies to analyse a lack of cybersecurity maturity in an organisation.
3. Devise methods to assess the impact of change strategies in organisations.
4. Design a security strategy to enable and secure the workforce by integrating cybersecurity into all dimensions of an organisation.
5. Provide strategic analysis and advice to organisations’ managers by making change recommendations to achieve a higher degree of cybersecurity maturity.
6. Effectively communicate business cases to leadership and obtain their support for making their organisation more cyber-secure.


On the right side of the programme front page of the E-guide you will find links to the website and timetables, uSis and Brightspace.

Mode of instruction

This course consists of seven interactive sessions including lectures, seminars, presentations and group work. In the lectures, students will learn the relevant concepts, theoretical models, and methodologies. In the seminars and workgroups, students will complete in-class formative (non-graded) assignments, team presentations, and exercises.

Attendance is mandatory. Students are only allowed to miss one session if there are special, demonstrable personal circumstances. The Board of Examiners, in consultation with the study advisors, will decide on such an exceptional exemption of mandatory attendance.

Total study load 140 hours:

  • 21 Contact hours

  • 119 Self-study hours: reading, preparing lectures, assignments, etc.

Assessment method

Students are not obliged to hand in an assignment at the first opportunity in order to make use of the re-sit opportunity. The re-sit assignment will test the same course objectives, but will be different in terms of topics, cases or substance.

Mid-term assignment (individual paper)

  • 30% of final grade

  • Resit not possible

  • Course must be compensated in case of a fail (grade < 5.50)

Group exercise

  • 20% of final grade

  • Resit not possible

  • Course must be compensated in case of a fail (grade < 5.50)

Final assignment (individual paper)

  • 50% of final grade

  • Grade must be 5.50 or higher to pass the course

  • Resit possible

Students will also be permitted to resit the 50% individual paper if they have a calculated overall course grade lower than 5.50 or with permission of the Board of Examiners. The group assignment and the mid-term assignment must be compensated.

Reading list

A selection of books and articles, to be announced on Brightspace.


Register for every course and workgroup via uSis. Registration in uSis is possible from 7 March, 13.00h. Some courses and workgroups have a limited number of participants, so register on time (before the course starts). In uSis you can access your personal schedule and view your results.

Leiden University uses Brightspace as its online learning management system. Important information about the course is posted here.
After enrolment for the course in uSis you are also enrolled in the Brightspace environment of this course.
The corresponding Brightspace course will become available one week prior to the first seminar.