One key reason to measure security culture is to understand how it changes and evolves over time. The end goal is to be able to control the change to such a degree that organizations can reduce risk by dramatically reducing the likelihood of a security incident originating from human factors. A measurement instrument that measures security culture must be able to measure the changes in the organization and report these changes in a meaningful way.
The Security Culture Report 2018 demonstrates the ability of the CLTRe Toolkit to measure changes in security culture over time. The report shows how some industries are improving and others are not. To our knowledge, this kind of comparison has never before been published.
Looking at the data, there are two clear findings:
- The Finance sector as a whole (and each finance sub-sector covered by the study) demonstrates a healthy improvement in culture from one year to the next. Notably, Fund Management demonstrates very good improvement year over year, increasing by 5 points and bringing it up to the 2016 level of Insurance and Business Support Services.
- The Real Estate sector clearly shows a decline in security culture. This decline comes on top of the already poor security culture observed in the sector (see the Industry Benchmark on page 10 of the report).
All the organizations in the data sample have security culture programs in place. Regrettably, findings show that the security awareness investments made in the data sample of Real Estate companies have been far less effective. In the Finance sector, these programs are somewhat tailored towards the unique challenges which that industry faces, whereas in the Real Estate sector the programs tend to be more generic and less tailored towards the different needs of the employees and the unique challenges that they face during their workday.
Security culture in the Real Estate sector worsened by 2 points between 2016 and 2017, pointing to a need for security culture programs that are better tailored to the unique challenges that industry faces and to the needs of its employees. By contrast, the Finance sector (already best in class) continues to improve, with Fund Management and Insurance making the largest year-on-year improvements.
The value of being able to measure security culture repeatedly becomes quite clear when looking at these results. Repeating measurements, using a reliable and valid measurement instrument like the CLTRe Toolkit, enables organizations to understand how security culture changes over time and correct course if needed. As an added bonus, measuring security culture helps organizations to demonstrate the effectiveness of their organizational security controls, as required by GDPR.