New research from CLTRe and KnowBe4 Research reveals empirical evidence that organizations with improved security culture see significantly lower risky security behaviors.
Published today, Security Culture and Credential Sharing reveals that employees are 52 times more likely to open phishing emails, click on malicious links and share their credentials in organizations with poor security culture than in an organization with good security culture.
This groundbreaking study not only confirms that security culture and security behaviors are closely linked, it proves that improving security culture reduces the likelihood of risky and unwanted behavior.
The report reveals that an employee in an organization classed as having Poor security culture is 52 times more likely to share his or her credentials after clicking on a link in a phishing email than employee working in an organization with Good security culture.
As organizations improve their security culture, risky behaviors of employees are reduced. Organizations with better security culture scores see fewer unwanted, risky actions, such as opening of phishing emails, clicking on malicious links, and unintentional credential sharing.
The graph shows the relative change in risk as an organization’s security culture score either improves or worsens. An upward shift in the security culture
class (higher security culture score) results in reduced risk. A downward shift (lower security culture score) results in increased risk.
97,661 employees in 1,115 organizations were analyzed by CLTRe and KnowBe4 Research, in this global study.
The dataset combines the measured behaviors of employees and the measured security culture of the organizations of the same employees. The answers that employees provided in the Security Culture Survey were anonymously linked to their actions on simulated phishing attacks.
The research is an integration of survey-based data and field-experiment data of phishing simulations. Both sets of metrics are collected using KnowBe4’s integrated platform for security awareness training and simulated phishing attacks, KMSAT.
The study reveals that, on average, 16.4% of employees in organizations with a poor security culture score will click on a link in a phishing email. This number drops to 6.1% in organizations with a good security culture score. The percentage of clicked links generally decreases as security culture increases.
In organizations with poor security culture, 5.2% employees opened the phishing email, clicked on the link contained within, and entered their credentials. This number dropped to 0.1% in organizations classed with good security culture. The average across all organizations included in the study was 1.4%.
In the report, organizations with Security Culture Scores between 0 and 60 are classed as having Poor security culture, whereas those with scores between 80 and 90 are classed as having Good security culture. Interestingly, no organization had an Excellent Security Culture Score in this study.
These findings provide very important reasons to focus on improving security culture in organizations.
The full report is available to download from https://get.clt.re/credential-sharing-research/.
