Year after year, industry reports such as Verizon’s Data Breach Investigations Report, IBM’s Cost of a Data Breach Study, and others show that financially driven attackers and insiders rely on malware, stolen credentials, and phishing as their attack vectors. These statistics suggest that roughly 9 in 10 security incidents can be traced back to human factors. Moreover, a recent report by The Internet Society (ISOC) finds that 93% of security breaches are avoidable.
Rather than simply blaming people, let’s consider how we equip our employees and colleagues to make better decisions and take appropriate precautions. A strong and positive security culture is one in which all employees understand what is expected of them, recognize why their participation matters, and know how to act. They feel supported and empowered to contribute to a safer, more secure, and positive outcome.
Building a strong security culture is an important risk management strategy. Moreover, organizational measures to build security culture are significantly more effective when organizations take an evidence-based approach. How am I so confident?
Data. (Or evidence, if you like.)
By measuring the security culture of an entire organization (i.e. every employee), the data provides revealing insights into how security culture has changed across the business. It shows what effect measures such as password management tools, awareness e-learning, or team-based lunch-and-learn sessions have had on different business areas.
Certain measures or approaches may have a greater impact on one group of employees than on another. Employees have different needs and different styles of learning, and may require a different approach. When choosing topics and activities to suit different training needs, it is therefore important to understand your audience.
If the evidence shows that your audience has a distinctly negative attitude toward security policies, security controls, or online training, then addressing poor adherence to security policy will require a different approach than if the evidence shows they have a strong sense of responsibility for security, positive attitudes, and an openness to change, but simply lack understanding of the policies in place. Knowing your audience is vital to creating a successful security culture program.
Let me share some evidence to back up my claims. Last year, in our 2018 Security Culture Report, we demonstrated, using industry benchmark data, how security culture metrics can report a change in security culture over time. The report revealed a negative change in security culture within real estate, and a positive change in both the banking and the financial services industries.
At this point, I feel it’s my duty to state that all the organizations in the data sample had security culture programs in place. The main difference between them is the approach they took when implementing their programs.
In the finance sector, the companies used the metrics collected in the first measurement to adapt their programs. They took specific measures to address the weaknesses identified the year before, and their training was, to some degree, tailored to their audience.
The organization represented in the real estate sample, on the other hand, did not make any changes to its existing program that year. The plans had already been made and the budget approved. The program consisted of a few simple measures, including mandatory security awareness training (a series of e-learning modules) for all employees and a specific campaign to improve password management.
Now you might be thinking, ‘but that doesn’t sound so bad. That’s more than we can afford to do with our budget.’ The program failed to improve security culture not because they didn’t do enough training or lacked a big enough budget, but simply because it failed to address the needs of its audience: the e-learning content had not been tailored to the needs of estate agents. It’s not all bad news for the real estate customer, though.
As a result of the security culture measurement program, the CISO now has the data she needs to justify why a different approach and a more tailored program are necessary. She has a much clearer understanding of the landscape she is dealing with, can back up her statements with metrics, and has the insights she needs to plan a more suitable (and cost-effective!) program with topics and activities that meet the needs of the organization.
Since we first launched the Security Culture Toolkit in 2016, we have been measuring the security cultures of organizations across Europe and beyond. We’ve surveyed tens of thousands of employees to gather data on their ideas, customs and social norms when it comes to security.
Between 2016 and 2017, customers operating within Fund Management (a sub-sector of the financial services industry) documented an improvement in behaviors of up to 16.7% in one year – from 63 to 73.5 points – and a further 17-point increase in individuals’ sense of responsibility towards security (from 57 to 74.3). [Editor’s note: changes are measured using security culture metrics developed by CLTRe.]
Whilst increasing any of the seven dimensions of security culture (attitudes, behaviors, cognition, communication, compliance, norms, and responsibilities) improves the security of an organization, CLTRe believe in taking a holistic approach and do not recommend a “one size fits all” approach. Instead, we provide metrics on each core dimension of security culture, both as evidence that they can be measured and as a guide to how they can be influenced to improve security, thereby reducing the risk that people inherently pose to an organization.
We want to identify and understand the differences in security culture amongst different workplaces and groups of employees. We analyze everything from the differences in their attitudes towards security and perception of norms to the differences in their behaviors and adherence to security policy. Why do we do this?
Because, having worked on security culture programs for over a decade, one problem we see time and time again is that organizations struggle to get the insights they need to know which organizational measures are most effective. The ability to know and show how security culture has changed is invaluable. It enables businesses to take an evidence-first approach to their security culture transformation programs and to make efficient decisions about budget requirements and the allocation of resources.