Authors - Ismail Suleiman, Dinesh Reddy Vemula, Abhaya Kumar Pradhan Abstract - This paper presents the evaluation and demonstration phases of a Design Science Research Methodology (DSRM) study that produced the Organisational Security Culture Framework (OSCF) for Namibian Public Enterprises. An empirical needs assessment established a three-tier security culture maturity deficit: a 40% policy awareness gap; a widespread misconception among non-IT staff that cybersecurity is solely an IT responsibility; and a training gap in which 25% of staff had received no formal security training in the preceding year. The OSCF comprises five interrelated components: Risk Assessment, Security Policy and Enforcement, Security Compliance, Training and Awareness, and Ethical Conduct. Demonstration was executed across four staged phases: baseline assessment, component testing, pilot integration, and full-scale deployment. Evaluation employed a dual approach: expert panel review against eight criteria and Key Performance Indicator (KPI) measurement across five strategic objectives. Results confirm that the OSCF closed the 40% policy awareness gap, achieving 95% staff awareness post-implementation, and significantly reduced phishing susceptibility. Seven evidence based refinements evolved the OSCF from a static policy model into a continuous security culture maturity loop. The framework’s modular, tiered architecture supports long-term sustainability of behavioural change and scalable deployment across organisations of varying cybersecurity maturity, including federated multi-institutional environments.
Open Zoom