ENISA recommends measuring security culture using the CLTRe Toolkit

Press Release: Oslo, February 7th, 2018

In its report Cyber Security Culture in Organisations, ENISA, the European Union Agency for Network and Information Security, sets out a series of recommendations on how to build and improve security culture at organizations of all kinds and sizes. One of the recommendations is to measure security culture across the organization using the CLTRe Toolkit, a scientific instrument designed to accurately measure security culture and provide organisations with deep insights into how security culture differs across teams, departments, units and industry sectors.

In response to the published report, Kai Roer, the CEO of CLTRe, comments: “This is a huge step forward in the area of securing the employees and creating human firewalls. Measuring the effect of your actions and their implications on the organization as a whole is crucial to reduce risk of breach.”

In the report, ENISA puts forward an 8-step model for a security culture programme. The model is based on the free and open Security Culture Framework by CLTRe, and provides companies with free templates and other resources to build and improve their security culture.

“Our industry claims that 95% of security incidents can be traced back to human factors. Imagine if we could reduce 5% or 10% of human factors,” Kai Roer says. “A security breach has an average cost of 3.6M euros. Even a small reduction in human factors will dramatically influence the cost of breach as well as number of incidents, thereby directly reducing the risk faced by companies today. Applying the suggested actions set out by ENISA will have a direct impact on that risk.”

About the ENISA report

ENISA’s Cybersecurity Culture in Organisations report is based on multi-disciplinary research conducted to better understand the dynamics of how cybersecurity culture can be developed and shaped within organisations.

This research draws from different disciplines, including organisational sciences, psychology, law and cybersecurity as well as the knowledge and experiences of large European organisations. The report provides good practices, methodological tools and step-by-step guidance for those seeking to commence or enhance their organisation’s cybersecurity culture programme.

Full ENISA press release


About CLTRe

CLTRe is a European Software-as-a-Service company specializing in measuring security culture with its scientific instrument, the CLTRe Toolkit. With offices in Asia, Europe and the USA, the company provides organisations worldwide with specialist services on security culture.