Year after year industry reports such as Verizon’s 2018 DBIR show that financially-driven hackers and insiders use malware, stolen credentials, and phishing as attack vectors. A recent report by The Internet Society (ISOC) finds that 93 % of security breaches are avoidable, and in 2014, IBM reported that 9 in 10 security incidents can be traced back to human error.
Whilst it is true that statistics on security breaches suggest that people are currently the biggest weakness, an effective risk management strategy is to build a strong security culture. Organizational measures to build security culture are significantly more effective when organizations take an evidence-based approach. How am I so confident?
Data. (Or evidence, if you like.)
Between 2016 and 2017, a finance-sector customer within Fund Management was able to document a decrease in risky behaviors of up to 16.7% (a behavior score rising from 63 to 73.5) in one year. Another significant security improvement was evidenced by a 17-point increase in individuals’ sense of responsibility towards security.
Whilst increasing any of the seven dimensions of security culture improves the security of an organization, CLTRe believe in taking a holistic approach and do not recommend a “one-size-fits-all” approach. Instead, we provide metrics on each core dimension of security culture, and provide scientific proof that they can be not only measured, but manipulated to improve security and thereby reduce the risk that people inherently pose in an organization.
Since we first launched the CLTRe Toolkit in 2016, we have been measuring the security cultures of organizations across Europe and beyond. We’ve surveyed tens of thousands of employees to gather data on their ideas, customs and social norms when it comes to security. We want to identify and understand the differences in security culture amongst these groups of people, so we analyze everything from the differences in their attitudes towards security and perception of norms to the differences in their behaviors and adherence to security policy.
Why do we do this? Because having worked on security culture programs for over a decade, one problem we see time and time again is that organizations struggle to get the relevant insights needed to know which organizational measures are most effective. The ability to know and show how security culture has changed is invaluable.
By measuring the security culture of an entire organization (i.e. every employee), the data also provides revealing insights into how security culture has changed. This tells you whether your measures (providing password management tools, awareness e-learning, or team-based lunch and learn sessions, for example) have had any effect, and if so, how they have been successful.
Certain measures or approaches may have a greater impact on a particular group of employees than others. Employees have different needs, different styles of learning, and may require a different approach. When choosing topics and activities to suit different training needs, for example, it is important to understand your audience.
When addressing an issue of poor adherence to security policy, knowing that your audience has a distinctly negative attitude towards security policies, security controls and/or online training tells you that you will need a different approach than if they have a strong sense of responsibility when it comes to security, hold positive attitudes, are open and accepting of change, but simply lack understanding of the policies in place. Knowing your audience is vital to creating a successful security culture program.
Let me share some evidence to back up my claims. Last year, in our 2018 Security Culture Report, we demonstrated, using industry benchmark data, how security culture metrics can report a change in security culture over time. The report revealed that there had been a negative change in security culture within real estate and a positive change in each of the industries within the banking and financial sector. At this point, I feel it’s my duty to state that all the organizations in the data sample had security culture programs in place. The main difference between them is the approach they took when implementing their programs.
In the finance sector, the companies used the metrics collected in the first measurement to adapt their programs. They took specific measures to address the weaknesses identified the year before, and their training was somewhat tailored to their audience.
The organization represented in the real estate sample, on the other hand, did not make any changes to their existing program that year. The plans had already been made and the budget approved. Their program consisted of a few simple measures, including mandatory security awareness training (a series of e-learning modules) for all employees and a specific campaign to improve password management.
Now you might be thinking, ‘but that doesn’t sound so bad. That’s more than we can afford to do with our budget.’ The reason the program failed to improve security culture is not that they didn’t do enough training or have a big enough budget. The reason is simply that they failed to address the needs of their audience: the e-training content had not been tailored to the needs of estate agents. It’s not all bad news for the real estate customer though.
As a result of the security culture measurement program, the CISO now has the data she needs to justify why a different approach and a more tailored program is necessary. She now has a much clearer understanding of the landscape she is dealing with, can back up her statements with metrics, and has the insights she needs to plan a more suitable (and cost-effective!) program with topics and activities that meet the needs of the organization.