February 14, 2025

Steven Bentley

Sofema Online (SOL) examines key aspects of Cultural Resistance in the implementation of cybersecurity within EASA Part 145 organizations.

Introduction – Understanding Cultural Resistance in Cybersecurity

One of the biggest challenges in implementing Information & Cyber Security within an EASA Part 145 organization is cultural resistance.

Many aviation maintenance personnel, including engineers, technicians, and administrative staff, may view cybersecurity as an IT issue rather than a shared organizational responsibility.

Overcoming this resistance requires a strategic mix of leadership engagement, role-specific training, a no-blame culture, and the integration of security into daily operations.

By fostering a strong cybersecurity culture, organizations can proactively manage cyber risks, ensure compliance with (EU) 2023/203, and enhance overall aviation safety.

Key cultural resistance factors include:

  • Lack of awareness – Employees may not fully understand how cybersecurity threats impact aircraft maintenance safety.
  • Resistance to change – Maintenance personnel may be reluctant to adopt new cybersecurity procedures if they perceive them as additional workload.
  • Fear of consequences – Staff may avoid reporting cybersecurity incidents due to fear of being blamed for a breach.
  • Reliance on outdated practices – Long-standing habits, such as sharing passwords or using unauthorized personal devices, create cybersecurity risks.
  • Compartmentalized responsibilities – Many employees believe that cybersecurity is solely IT’s responsibility, rather than a shared responsibility across the organization.

Mitigation Strategies to Overcome Cultural Resistance

Leadership Engagement & Cybersecurity Culture

The Accountable Manager (AM) and Leadership Team must actively endorse cybersecurity policies and integrate them into safety and quality culture.

  • Cybersecurity Champions Program – Appoint cybersecurity ambassadors across different departments (e.g., Maintenance, Quality, Logistics).
  • Top-Down Communication – Leadership should communicate the importance of cybersecurity to operational safety.
  • Accountability Framework – Cybersecurity must be embedded in job roles and performance evaluations.

Targeted Cybersecurity Awareness Training

Implement customized cybersecurity training for different employee levels, focusing on their roles in protecting information security.

Role-Specific Training:

  • Maintenance Technicians → Risks of tampered digital maintenance records and phishing attacks.
  • Quality & Safety Managers → Reporting cybersecurity incidents under IS.I.OR.230 (External Reporting Requirements).
  • Logistics & Supply Chain → Preventing supply chain cyber threats.

Hands-On Workshops & Simulations:

  • Real-world cyber-attack simulations (e.g., phishing attack drills).
  • Tabletop exercises on incident response.

Encouraging Incident Reporting & ‘No-Blame’ Culture

Shift towards a ‘Just Culture’, where employees feel safe reporting cybersecurity issues without fear of punishment.

  • Anonymous Cyber Incident Reporting System (aligned with IS.I.OR.215 & IS.I.OR.220).
  • Recognition Programs – Reward employees who identify and report cyber threats.
  • Non-Punitive Policy for reporting cyber errors, similar to safety incident reporting.

Reducing Workload Impact

Ensure cybersecurity procedures integrate smoothly into daily operations without overburdening maintenance teams.

  • Automate cybersecurity compliance where possible (e.g., Single Sign-On (SSO), Multi-Factor Authentication (MFA) with biometric login).
  • Reduce complexity of security policies and provide quick-reference guides.

Periodic Cybersecurity Drills & Continuous Learning

Foster an environment of continuous cybersecurity improvement through real-life case studies and adaptive training.

  • Annual Cybersecurity Competency Assessments for employees.
  • Cross-functional cybersecurity crisis drills between Maintenance, Quality, and IT teams.
  • Real-time alerts & feedback mechanisms for evolving cyber threats.

Measuring the Effectiveness of Cybersecurity Culture Change

To track improvements in cybersecurity awareness and staff engagement, EASA Part 145 organizations should use:

Cybersecurity Culture Key Performance Indicators (KPIs):

  • Incident Reporting Rates – Increase in cybersecurity incidents reported (indicating improved awareness).
  • Phishing Test Results – Percentage of employees who fall for simulated phishing emails vs. those who report them.
  • Employee Cybersecurity Survey Scores – Assess staff perceptions and attitudes towards cybersecurity annually.
  • Audit Findings & Compliance Scores – Reduction in non-compliance issues related to cybersecurity in internal audits.
