Does your organisation’s security culture enable or inhibit responsible risk taking?

According to Kaspersky Labs, 52% of businesses admit that “employees are their biggest weakness” with regards to IT security and, their “top three cybersecurity fears are all related to human factors and employee behaviour”. A recent study from Google and UC Berkeley examined the various ways accounts are compromised, and determined that phishing attacks – not data breaches – pose the most risk to users when it comes to lost access.

In response to these threats, many companies seek to create a more security aware culture (not to be confused with a culture of security), by providing security training to their employees, running internal phishing simulation tests, and increasing their employee security awareness activities generally.

Building a security culture and promoting more secure behaviours are important risk management strategies.

The ‘success’ of these campaigns is nearly always shown by reports in which lots of things have been counted: attendance rates, completion rates, click rates, etc. But what can counting or monitoring click behaviour actually tell you about culture change amongst your employees? How do you know if these activities are actually working to reduce the risk of these threats?

In our research, we see only a weak correlation between formal training, knowledge, and behaviours. This leads us to believe that although some improvement in security behaviour may be achieved through awareness training, a holistic, risk-based approach must be implemented. In fact, the evidence indicates that the acceptance of norms has the most influence on the reduction of risky behaviour.

Of course, some risky behaviour is necessary in all organisations to ensure their continued development and growth. From a risk management perspective, the question we really need to be able to answer is: Does an organisation’s culture enable or inhibit responsible risk taking?

Does an organisation’s culture enable or inhibit responsible risk taking?

“A successful security culture program must engage dialogue and interest within the organization in order to promote secure behaviour through acceptance of norms which are enforced through peer pressure” – Security Culture Report 2017.

ISO 31000:2018 provides a risk management framework that supports all activities, including decision making across all levels of the organization. “Human behavior and culture significantly influence all aspects of risk management at each level and stage,” it states. Norms act like informal rules, and therefore their influence exists independently of what the formal rules or policies dictate. What we [as employees] perceive as normal behaviour in social or workplace settings has a strong influence on what is considered acceptable behaviour in an organisation, and what is not.

Building a strong, positive security culture and promoting more secure behaviours are important risk management strategies. Security culture is the ideas, customs, and social behaviours of a group of people that impact security positively or negatively. It is important to realise that a security culture can be either positive or negative, and either strong or weak. For example, an organisation in which employees talk about security-related topics, such as use of the internet or information sharing, may, at first glance, be considered to have a stronger security culture than one in which topics relating to security are rarely discussed at all. But strong does not equal positive.

Security culture can be either positive or negative, and either strong or weak.

If in that first organisation what you actually hear is echoes of frustration and misinformation, rather than positive dialogue, then it may have a strong, negative security culture. Imagine the following scenario: an employee is working hard to meet a deadline but is getting increasingly frustrated as s/he is met with a pop-up notification (a security control mechanism) that is seemingly preventing them from getting the job done. A ‘helpful’ colleague proffers a version of “it’s okay, you can ignore that warning. I’ll show you a way round that.”

“Great, thank you!” the employee exclaims, “I’ll have to remember that for next time.”

What does this conversation snippet actually tell us about security culture? Although probably well-meant and nonchalant, this exchange between colleagues is cause for concern. It indicates that, culturally and in terms of the actual patterns of behaviour being fostered, this ‘stronger’ organisation may in fact be at higher risk than the previously supposed ‘weaker’ organisation, in which employees were not found to be talking about security-related topics at all.

Understanding what factors influence or drive an organisation’s security culture is important and necessary to changing its employees’ behaviours.

Maybe this example simply highlights one employee’s lack of understanding of why the control mechanism was there in the first place (i.e. poor security cognition), or perhaps the issue runs deeper. Communication has the potential to reveal a lot about the security culture of an organisation, and poor communication relating to security matters is one aspect of a poor security culture.

For example, from the exchange we learn of (i) two employees’ negative attitudes towards security controls, (ii) their brazen willingness to circumvent those controls, and (iii) the readiness of one to teach and encourage the other to adopt the same undesired behaviours. All of these are worrying indicators that negative attitudes and poor security behaviours may be commonplace.

If not curbed, these habits have the potential to keep negatively influencing security culture by encouraging risky behaviours. But how can you know for sure? Perhaps that is just one insignificant, bad example in what is otherwise an organisation with an excellent security culture, with very IT-competent and security-conscious employees who make well-informed, risk-averse decisions about how they use, store and share information. (In which case, well done for spotting it just in time to nip it in the bud!) Or perhaps that was only the tip of the iceberg.

The only way to know for sure is to measure. Understanding what factors influence or drive this outcome is important and necessary to changing employee behaviours and an organisation’s security culture.

The beauty of measuring using CLTRe is that, rather than relying solely on attendance rates, click rates and other system-logged data, it collects and analyses data on the actual changes in security culture. With this, you can determine the effect that these activities have on changing employee attitudes, behaviours, cognition, communication, compliance, norms and responsibilities, as well as see what the overall change in security culture has been.

Understanding how employees feel about security, and what they think and say about it, is important in ensuring that efforts to change their behaviour are successful. By measuring security culture on all seven dimensions, managers gain deep insights that not only help them to understand their organisation and its employees better, but are critical to building and maintaining a strong and positive (good) security culture.

Measuring employees on all seven dimensions provides organisations with insights specific to their own security culture(s).

Measuring all employees across the organisation on all seven dimensions of security culture gives the organisation a deep understanding of the security culture in which each of its employees operates. This answers, from a security perspective, how the culture enables or inhibits responsible risk taking.

Examples of some other questions that CLTRe’s security culture insights can answer are:

  • How risk-averse are your employees?
  • How inclined are they to comply with security policies, rules or regulations?
  • Do they talk about security?  If so, is the communication positive or negative?
  • Do they care?  What are their attitudes towards the security team, security controls, and security policies?
  • How personally accountable do they believe themselves to be?
  • What does ‘normal’ look like? How do security norms vary across the organisation?

Understanding differences among the cultural dimensions of security within an organisation (and how they’re changing) provides valuable insights specific to that organisation. CLTRe is currently measuring security culture in eight different languages, across three continents and in multiple industries. This allows each organisation to understand its own security culture(s), its strengths and weaknesses, and to build an effective and sustainable security culture that can be measured, maintained and leveraged to the benefit of its security, its profits and its customers.

Fundamentally, CLTRe provides its customers with a scientifically valid, reliable and replicable method to measure and benchmark their security culture. CLTRe studies the attitudes, behaviours, cognition, communication, compliance, norms and responsibilities of employees (and how these seven dimensions change over time) to provide organisations with detailed security culture insights that are specific to their own case and help them determine the best course of action.

What now?

Interested in discovering how the CLTRe Toolkit can be used to help you discover if your organisation’s culture enables or inhibits responsible risk taking? Get in contact ([email protected]) or request a demo to talk to one of our security culture experts here at CLTRe to see how we can help.

Not ready for a demo, but interested in this topic? Let us know!

  • Like, share and follow us using your favourite social media.
  • Send us your questions and comments by email: [email protected]
  • Sign up for our newsletter. (Form at the bottom of the page.)
  • Visit for more information about CLTRe, our research, our products, and our team. Or, for more security culture related articles, browse our blog.
