This paper introduces the Human Culture Security Assessment (HCSA), a mixed-methods diagnostic framework that applies organizational ethnography to measure cultural vulnerability to social engineering attacks. While technical cybersecurity controls have reached significant maturity in many organizations, the human factor remains the primary attack vector in 68% of documented breaches. Existing culture assessment instruments, including quantitative frameworks such as the CLTRe Security Culture Survey and multidimensional models such as MORPHEUS, operate primarily at the level of declared culture: what employees say they do. The HCSA addresses the critical gap between declared and practiced culture through systematic ethnographic fieldwork, producing observable behavioral data that questionnaire-based instruments cannot capture. The framework diagnoses six cultural dimensions that map directly to social engineering attack vectors: Risk Perception (D-01), Authority Culture (D-02), Urgency Culture (D-03), Reporting Culture (D-04), Trust and Verification (D-05), and Knowledge Flows (D-06). Each dimension is operationalized through a Likert-scale questionnaire, a structured field observation protocol, and semi-structured interview guidelines. The integration of these three data layers enables triangulation between what organizations declare, what ethnographers observe, and what behavioral simulation reveals. The HCSA is positioned at the intersection of organizational anthropology, social engineering science, and EU regulatory compliance. It is designed to produce verifiable evidence of human factor management as required by Article 21 of the NIS2 Directive (EU 2022/2555), filling a methodological gap that current compliance frameworks do not address. This paper further identifies three research trajectories that the framework opens. 
First, the relationship between national cultural dimensions — in the tradition of Hofstede and Hall — and organizational vulnerability to social engineering, with implications for cross-cultural comparative research across EU member states. Second, the integration of behavioral pressure conditions — including incentive structures, emotional manipulation resilience, and leadership modeling — as modifiers of cultural baseline scores under real attack conditions. Third, the epistemological limits of quantitative culture measurement instruments, which by design capture only declared behavioral intentions and are structurally unable to measure the practiced culture that attackers actually exploit. The HCSA represents a methodological contribution to the emerging field of cybersecurity anthropology — a discipline whose development is both academically necessary and practically urgent in the current regulatory and threat landscape.
Pablo Mondragón Valero
Kairos (United States)
Pablo Mondragón Valero (Sat,) studied this question.
synapsesocial.com/papers/6a265ca8ad53cfb9357c5de7 — DOI: https://doi.org/10.5281/zenodo.20573208