What does security culture mean and how can you influence it?
Discover the ‘ABC’ principle of cybersecurity and how it can help change a company’s culture.
As organizations realize that 68% of cybersecurity incidents and breaches result from lapses in security judgment rather than from the absence of some technology tool, a healthy security culture is being recognized as a major line of defense and a key part of a defense-in-depth approach.
That said, organizations face fundamental challenges with culture. First, there is no widely understood definition of what security culture means or entails. Second, organizations typically have only a vague idea of how to influence or scale security culture company-wide.
Security culture consists of the ideas, customs and social behaviors of a group that influence its security. It comprises seven dimensions:
- Attitudes: Employee attitudes towards cybersecurity rules and policies.
- Behaviors: Common actions and behaviors in an organization concerning cybersecurity.
- Cognition: Employee knowledge and awareness of cybersecurity issues.
- Communication: The quality and frequency of cybersecurity communications.
- Compliance: The knowledge of documented policies and procedures.
- Norms: The unsaid or unspoken but prevalent rules and behaviors in an organization.
- Accountability: How responsible employees feel for cybersecurity.
Strengthening and influencing cybersecurity culture
Below are some practical steps and recommendations organizations can implement to change or update a culture of cybersecurity:
Adopt a focused method rather than a shotgun approach: Avoid spreading yourself too thin. Trying to change too many behaviors at once slows every change down, so adopt a more focused stance: identify one or two employee behaviors that you want to change and concentrate on those first. Prioritize based on how risky those behaviors are.
To calculate the risk of each behavior, use the formula: Risk = likelihood of the behavior multiplied by its potential impact.
The most common risky behavior is not always the most impactful one (and vice versa), which is why security teams should work through this exercise explicitly before deciding which risks to tackle first.
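As an added illustration (not part of the original article), the following Python snippet applies the likelihood × impact formula to a handful of constructed behaviors, ranks them, and returns the one or two to focus on first. The 1-to-5 scales for likelihood and impact, the behavior names and the scores are all assumptions chosen for the example; the last function checks the caveat above, that the most common behavior is not necessarily the top risk.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Behavior:
    """One employee behavior scored for risk prioritization."""
    name: str
    likelihood: int  # assumed scale: 1 (rare) to 5 (very common)
    impact: int      # assumed scale: 1 (negligible) to 5 (severe)

    @property
    def risk(self) -> int:
        # Risk = likelihood multiplied by potential impact
        return self.likelihood * self.impact


def validate(behavior: Behavior) -> None:
    """Reject scores outside the assumed 1-5 scales so rankings stay comparable."""
    if not (1 <= behavior.likelihood <= 5 and 1 <= behavior.impact <= 5):
        raise ValueError(f"scores for {behavior.name!r} must be between 1 and 5")


def rank_by_risk(behaviors: List[Behavior]) -> List[Behavior]:
    """Sort behaviors from highest to lowest risk; ties go to the higher impact."""
    for b in behaviors:
        validate(b)
    return sorted(behaviors, key=lambda b: (b.risk, b.impact), reverse=True)


def pick_focus(behaviors: List[Behavior], n: int = 2) -> List[str]:
    """Return the names of the n highest-risk behaviors to concentrate on first."""
    return [b.name for b in rank_by_risk(behaviors)[:n]]


def most_common_is_top_risk(behaviors: List[Behavior]) -> bool:
    """True only if the most frequent behavior also carries the highest risk."""
    most_common = max(behaviors, key=lambda b: b.likelihood)
    return most_common.name == rank_by_risk(behaviors)[0].name


# Constructed sample scores for illustration only, not survey data.
SAMPLE_BEHAVIORS = [
    Behavior("Clicking links in unexpected emails", likelihood=5, impact=3),
    Behavior("Reusing passwords across work and personal accounts", likelihood=4, impact=4),
    Behavior("Sharing credentials with colleagues", likelihood=2, impact=5),
    Behavior("Leaving a workstation unlocked", likelihood=3, impact=2),
    Behavior("Plugging in unknown USB drives", likelihood=1, impact=4),
]


if __name__ == "__main__":
    for b in rank_by_risk(SAMPLE_BEHAVIORS):
        print(f"{b.risk:2d}  {b.name}")
    print("Focus on:", pick_focus(SAMPLE_BEHAVIORS))
    print("Most common behavior is also top risk:", most_common_is_top_risk(SAMPLE_BEHAVIORS))
```

With these sample scores the most common behavior (clicking links, likelihood 5) ranks second; password reuse scores higher once impact is factored in, which is exactly the situation the article warns about when it says the most common risk is not always the most impactful.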
Design and implement a plan to influence change: There are many ways to change security attitudes, norms and behaviors. These include formal methods, such as updating a security process or policy or conducting mandatory training, and informal (or indirect) methods, such as leadership teams demonstrating and advocating a certain behavior.
Formal and informal methods are equally important. For example, to boost security behaviors through informal means, identify individuals who hold a certain level of respect or influence in the organization. Employees tend to adopt the attitudes and behaviors that surround them, so having these influencers visibly demonstrate security consciousness will have a high impact across the organization. Be sure to include such ambassadors in your culture change program.
Get buy-in from leadership: Employees cannot be expected to adopt or change their behaviors if leaders do not lead by example. Draft an executive summary that highlights the potential risks, the execution plan, the timeline and the resources needed, and get leadership to commit to adopting the same changes as the rest of the organization.
Starting with small changes can help. For instance, having leadership consistently report incoming spam to the security team visibly sets an example for a wider audience.
Communicate the risks regularly: Explain to employees why changes to their online behaviors are necessary. This goes beyond asking employees to complete certain tasks: it means making users understand what risks exist, their impact on the organization, and the critical role and responsibility each employee has in preventing security incidents and breaches.
For instance, in addition to telling employees to report phishing emails, explain the reasoning behind the request.
Measure outcomes and update actions if necessary: Before you execute your plan, run a baseline assessment of the seven security culture dimensions within the organization. A security culture survey or culture maturity indicators are useful tools for measuring where you stand and where the gaps are.
Once your plan has been executed, perform another assessment to document the improvements and adjust where necessary. Documenting results isn't only necessary for measuring success (or failure); it also lets you communicate progress to leadership to encourage future commitment, and motivates employees by demonstrating the value of their efforts.
The ABC principle
Awareness, Behavior and Culture form a logical progression that can influence change in any organization. Although security awareness does not automatically lead to behavioral change, it is a powerful tool for influencing it.
Similarly, altering a single person's behavior will not always lead to overall culture change, but it plays an important role in changing group behaviors and dynamics.
Security culture is a multi-dimensional concept that must be evolved after careful understanding and evaluation of the cultural dimensions that exist within the organization. Start small, engage leadership, communicate the importance of the exercise, report successes and failures, and continue to fine-tune as you learn more. Although culture can be stubborn to change, it can certainly be cultivated, grown and matured with the right mindset and commitment.
A 25-year veteran information security professional with experience in the medical, aerospace, manufacturing and defense fields, Erich Kron is security awareness advocate for KnowBe4. An author and regular contributor to cybersecurity industry publications, he was a security manager for the U.S. Army’s 2nd Regional Cyber Center, Western Hemisphere and holds CISSP, CISSP-ISSAP, SACP and many other certifications.
Opinions expressed here are the author’s own.