Does the culture enable or inhibit responsible risk taking?

According to Kaspersky Lab, 52% of businesses admit that “employees are their biggest weakness” with regard to IT security, and their “top three cybersecurity fears are all related to human factors and employee behaviour”. A recent study from Google and UC Berkeley examined the various ways accounts are compromised and determined that phishing attacks – not data breaches – pose the greatest risk to users when it comes to losing access. In response to these threats, companies are running phishing simulation tests, increasing their awareness activity and providing security training to their employees.

Building a security culture and promoting
more secure behaviours are important risk management strategies.

In our research, we see only a weak correlation between formal training, knowledge, and behaviour. This leads us to believe that although some improvement in security behaviour may be achieved through awareness training, a holistic, risk-based approach must be implemented. In fact, the evidence suggests that acceptance of norms has the greatest influence on reducing risky behaviour.

ISO 31000:2018 provides a risk management framework that supports all activities, including decision making across all levels of the organization. It states, “Human behavior and culture significantly influence all aspects of risk management at each level and stage.”

What we [as employees] perceive as normal behaviour in social or workplace settings strongly influences what is considered acceptable behaviour in an organization, and what is not. Norms act like informal rules, so their influence exists independently of what the formal rules or policies dictate. A successful security culture program must stimulate dialogue and interest within the organization in order to promote secure behaviour through the acceptance of norms, which are then enforced through peer pressure.

Building a strong, positive security culture and promoting more secure behaviours are important risk management strategies. A security culture can be positive or negative, and strong or weak. At first glance, an organisation whose employees talk about security-related topics, such as use of the internet or information sharing, may be considered to have a ‘stronger’ security culture than one in which topics relating to security are rarely discussed at all. But if, in that first organisation, what you actually hear is echoes of frustration and a ‘helpful’ colleague proffering a version of “it’s okay, you can ignore that warning. I’ll show you a way round that,” it may in fact be at higher risk than the second, previously supposed ‘weaker’ organisation. This exchange between colleagues, nonchalant and well-meant, is cause for concern.

Measuring all seven dimensions of employees provides organisations with
insights specific to their own security culture(s).

Communication has the potential to reveal a lot about the security culture of an organisation, and poor communication about security matters is one aspect of a poor security culture. From the exchange above, we learn of two employees’ negative attitudes towards security controls, their brazen willingness to circumvent those controls, and the readiness of one to teach and encourage the other to adopt the same undesirable behaviours. All of these are worrying indicators that negative attitudes and poor security behaviours may be commonplace and, if these habits are not curbed, may continue to degrade the security culture by encouraging risky behaviour.

But how can you know for sure? Perhaps that is just one insignificant bad example in what is otherwise an organisation with an excellent security culture, staffed by IT-competent and security-conscious employees who make well-informed, risk-averse decisions about how they use, store and share information. (In which case, well done for spotting it just in time to nip it in the bud!)

Or perhaps, that was only the tip of the iceberg. The only way to get answers is to measure.

If ‘success’ is being measured by logs of attendance rates, completion rates, click rates, and reports showing that lots of things have been counted, how do you know whether any of it works? What does counting or monitoring click behaviour actually tell you about changes in security culture amongst your employees? From a risk management perspective, what you need to know is: how does the culture enable or inhibit responsible risk taking?

The beauty of measuring with CLTRe is that, rather than relying solely on attendance rates, click rates and other system-logged data, it collects and analyses data on the actual changes in security culture. With this, you can determine the effect these activities have on employee attitudes, behaviours, cognition, communication, compliance, norms and responsibilities, and see what the overall change in security culture has been.

Security culture is the ideas, customs, and social behaviours of a
group of people that impact security positively or negatively.

Understanding how your employees feel about security, and what they think and say about it, is important in ensuring that efforts to change their behaviour succeed. By measuring security culture on all seven dimensions, you gain deep insights that not only help you understand your organisation and its employees better, but are also critical to building and maintaining a good security culture.

By measuring security culture across all seven dimensions, the CLTRe Toolkit gives a deep understanding of your employees and the security culture in which they operate. This allows you to answer, from a security perspective, how the culture enables or inhibits responsible risk taking.

Some other examples of questions CLTRe’s security culture insights can answer are:

  • How risk-averse are your employees?
  • How inclined are they to comply with security policies, rules or regulations?
  • Do they talk about security? If so, is the communication positive or negative?
  • Do they care?
  • What are their attitudes towards the security team, security controls, and security policies?
  • How personally accountable do they believe themselves to be?
  • What does ‘normal’ look like?
  • How does ‘normal’ vary across the organisation?

CLTRe is currently measuring security culture in eight different languages, across three continents and in multiple industries. This provides its customers with a scientifically valid, reliable and replicable method to measure and benchmark their security culture. It also provides detailed insights to help them determine the best course of action.

Understanding differences among the cultural dimensions of security within an organisation (and how they are changing) provides valuable insights specific to that organisation. CLTRe studies the attitudes, behaviours, cognition, communication, compliance, norms and responsibilities of employees (and how these seven dimensions change over time) to provide organisations with security culture insights specific to their own case. This allows them to understand their own security culture(s), with all its strengths and weaknesses, and to build an effective and sustainable security culture that can be measured, maintained and leveraged to the benefit of the organisation, its profits and its customers.

