Security culture is present in every organization, regardless of its location or the languages spoken by its employees. For multinational corporations, it is critical to be able to identify differences across locations and languages in order to identify areas for improvement and to track how those efforts are affecting change in security culture.
In the latest Security Culture Report (2018), CLTRe compare the security culture scores of 21,788 employees in seven languages – Danish, Dutch, English (UK and US), Finnish, Norwegian, Polish and Swedish.
Combined scores show that the language with the best security culture overall is Finnish (69), closely followed by Polish (68). The worst are Danish and Dutch (58). These differences demonstrate the need for companies to measure security culture across the full organization in order to pinpoint actual areas for improvement.
The language differences are quite large across our sample. The report reveals that Polish-speakers are more aware of their organization’s security policies, better able to recall the substance of the policies, and adhere to them more consistently. With 29 points between Polish (76) and Dutch (49), the compliance dimension stands out. This huge difference represents the variance in how these groups comply with regulation and security policies.
The second-largest variation in security culture between languages is 20 points on the behaviors dimension. When it comes to the intended or unintended actions employees take that have a direct or indirect impact on the security of the organization, Danish-speaking employees score lowest (55), closely followed by Dutch-speakers (56). The highest score (i.e. those that have the least risky behaviors), is 75 (Finnish), closely followed by Norwegian (74) and Polish (71).
The dimension with the least variation between the languages (just 11 points) is norms, i.e. employees’ perception of which security practices are normal and which are unusual. English and Norwegian score 57, whereas Finnish and Polish score 68. Although perception of norms is far from acceptable, rating as Problematic (50-60 points) and Insecure (60-80 points), the scores show that there is consistency in the adherence of norms across the language sample. Dimension scores between 80 and 90 are considered satisfactory.
The dimension with the lowest overall score, and the second smallest variation, is security cognition, i.e. employees’ awareness, beliefs and understanding of secure practices. With an average score of only 49, and only two languages scoring above 50 points (English 57 and Polish 58), it is clear that this is a key dimension to improve.
It is possible that these low results are a result of employees fatigued by the constant pressure of security awareness training programs. Cognition explores how we learn, what we learn, and how we apply what we learn. It is the dimension that is most closely related to awareness trainings. Given these findings, CLTRe strongly recommends that awareness training programs are more tailored to the needs of individual employees.
For training to be effective, it must be meaningful to the learner. Training that targets the specific needs and learning requirements of the individual, is more likely to be engaging, interesting and useful for the employee. To identify specific organizational and cultural areas of security strengths and weaknesses, measurement of the security culture(s) across the full organization in needed. The CLTRe Toolkit is available in a number of localized versions which allows for details of security culture previously unavailable.
Download the Security Culture Report 2018
To get a free, printable PDF version of the FULL report, go to: https://get.clt.re/security-culture-report-2018/