Identifying risks within: what security culture can tell you about insider threats

Given that the root cause of almost every recorded security incident can be attributed to human error, a valid, reliable and automated method of pinpointing potential insider threats is well worth having.

Throughout 2014/15, IBM reported that an astounding 95 percent of all security incidents involved human error, i.e. they occurred because an employee did something or clicked on something they shouldn’t have. This statistic remains alarmingly high. More recently, Willis Towers Watson reported that 90% of cyber claims result from human error or behaviour. Many organizations have realised that their most serious security threat isn’t the external attack; rather, it is the “insider” who is most likely to compromise or leak the organization’s most sensitive data, either intentionally or accidentally.

At risk from within

“The top three cybersecurity fears are all related to human factors and employee behaviour.”

“52% of businesses admit that employees are their biggest weakness in IT security, with their careless actions putting business IT security strategy at risk,” revealed a recent report by Kaspersky Labs, which identified that “the top three cybersecurity fears are all related to human factors and employee behaviour”. The company surveyed over 5,000 businesses globally and found that their biggest worries are employees sharing inappropriate data via mobile devices (47%), the physical loss of mobile devices exposing the company to risk (46%) and the use of inappropriate IT resources by employees (44%).

To combat this, many organisations are exploring options to mitigate the risks. There are a number of technical solutions and security controls that can be put in place: some are designed to force employees to comply with security policies by removing or reducing the ability to make the wrong choice, while others offer a level of protection through detection, deterrence and/or defence. However, none of these is foolproof, and even then, employees do not always follow best practice when using technology, often opting to use their own device or circumventing controls in other ways. Technology cannot remove the human risk factor in full.

“Many organizations deploy phishing filters, advanced firewalls, network access controls and endpoint scanning tools to mitigate this threat,” explains Anuj Goel, co-founder of Cyware Labs, “but no technology can account for human error entirely.”

From a human weakness into a security strength

Companies are seeking methods to turn their ‘biggest weakness’ into a strength (or at least to reduce it from a high-risk factor to a more resilient security asset). Understanding how culture, i.e. the ideas, customs and social behaviours of an organisation, impacts its security is essential to building an effective strategy for developing a security-conscious workforce and promoting desired behaviours. Developing a good security culture is an essential component of a protective security regime and helps mitigate a range of threats that could cause physical, reputational or financial damage to organisations.

Security culture is the ideas, customs, and social behaviours that impact security in an organization, positively or negatively.

Leveraged correctly, your staff, contractors, visitors, suppliers and the general public can be a huge force multiplier in strengthening your resilience to security threats and reducing your vulnerability to attack. With an understanding of the threat and a clear understanding of what is required of them, an organisation’s people can also play a significant role in the detection, deterrence and prevention of security threats.

Many organisations want to develop a security culture in which security is a collective responsibility shared by everyone in the organisation. The idea is that by engaging the entire organisation (and its supply chain), everyone becomes involved in protecting data, devices and people, and every human ‘endpoint’ can be leveraged to create a ‘human firewall’, thus turning a weakness into a strength.

There is evidence that improving individual dimensions of security culture, such as Responsibility, reduces the overall risk that employees carry; by addressing the role that collective responsibility (and individual accountability) plays, we would expect to see an improvement in the security culture as a whole. The benefits of an effective security culture are clear; they include:

  • A workforce that is more likely to be engaged with (and take responsibility for) security issues
  • Increased compliance with (and improved attitudes towards) protective security measures
  • Employees that are more likely to think and act in a security-conscious manner
  • Reduced risk of insider incidents

Help identifying insider threats is here

The haystack just got a whole lot smaller!

By charting security culture, it is possible to locate specific areas of strength and weakness, and to pinpoint potential threats within. The beauty of measuring security culture is that it provides data on a spectrum of seven dimensions (rather than only assessing awareness or monitoring click behaviour), so you can evaluate the effect your awareness campaigns have on the attitudes, behaviours, cognition, communication, compliance, norms and responsibilities of your staff, whilst also gauging how much work needs to be put in to sustain security culture improvements.

More often than not, the term ‘security culture’ is used to refer to the set of values, shared by everyone in an organisation, that determine how people are expected to think about and approach security. In-depth research by CLTRe reveals that the security culture throughout an organisation is rarely uniform. Mapping out the security culture(s) across the organisation makes it possible to see trends in the data. For example, there may be patterns based on where employees work, what they do, or who they are, which can be found by comparing data from different teams, departments and business units, at different levels of the organisational hierarchy, or across different demographics.

CLTRe’s security culture mapping tools locate specific areas of strengths and weaknesses and pinpoint potential threats within.

Furthermore, measuring the changes in each of these dimensions over time provides meaningful data on the progress of the security culture programme. Repeating the measurement annually reveals what impact the efforts to improve a dimension have actually had on the security culture as a whole, as well as on each of the individual dimensions. This gives you a holistic overview of who most needs attention, which activities work best, and where to focus your efforts. With that data, you can have confidence that resources are being spent effectively to improve security culture and reduce risk.

Have confidence that resources are being spent on the right things and on those who most need attention.

With a clear, visual representation of these differences, it becomes both possible and easier to create SMART goals, plan an effective strategy and execute a comprehensive programme that is efficient, sustainable and actually delivers measurable improvements.

TIP: Download our whitepaper, To Measure Security Culture: A Scientific Approach, to learn more about how CLTRe measures security culture.

Managing the human factors

Having an in-depth understanding of what the human factors are, how they influence security, and their importance to a risk management strategy is paramount to reducing risk. Add to that the ability to identify the groups of employees with the best and worst security cultures within your organisation, and you not only have a shortlist of the strongholds (where to find the best examples of security culture, and a potential recruitment pool for security champions across your organisation), but the haystack also just got a whole lot smaller in your search for potential threats within the ranks. Knowing the weak spots helps you pinpoint those employees who score particularly low against an established benchmark, and identify where (and how) to prioritise your efforts using data on each of the seven dimensions.
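The analysis described in the last few sections (scoring each group on the seven dimensions, comparing the group profiles against a benchmark to find the weak spots, and repeating the measurement annually to see what moved) can be illustrated with a small, self-contained script. This is an added example, not CLTRe's own code or the output of its toolkit: the survey scores are constructed, the 0–100 scale, the group names and the benchmark value are hypothetical, and the script generalises to any number of groups and measurement rounds rather than the two of each used in the sample data.

```python
"""Security culture profiles over the seven dimensions: group map, weak spots,
and year-over-year change. All scores below are constructed for illustration;
the 0-100 scale and the benchmark are hypothetical, not a vendor's scheme."""
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Tuple

# The seven dimensions named in the text.
DIMENSIONS = ("attitudes", "behaviours", "cognition", "communication",
              "compliance", "norms", "responsibilities")

Profile = Dict[str, float]  # dimension -> mean score for one group


@dataclass
class Response:
    group: str            # team, department or business unit (constructed)
    year: int             # measurement round; the text suggests annual repeats
    scores: Profile       # one respondent's score per dimension, 0-100 (constructed)


def make_response(group: str, year: int, base: float, **overrides: float) -> Response:
    """Build a response scoring `base` on every dimension except the overrides."""
    unknown = set(overrides) - set(DIMENSIONS)
    if unknown:
        raise ValueError(f"unknown dimensions: {sorted(unknown)}")
    return Response(group, year, {d: float(overrides.get(d, base)) for d in DIMENSIONS})


def group_profiles(responses: List[Response], year: int) -> Dict[str, Profile]:
    """Mean score per dimension for every group measured in `year`.

    Aggregating to group level is deliberate: the result is a culture map of
    teams, not a per-person score, so individual answers stay confidential."""
    buckets: Dict[str, List[Profile]] = {}
    for r in responses:
        if r.year == year:
            buckets.setdefault(r.group, []).append(r.scores)
    return {g: {d: mean(s[d] for s in rows) for d in DIMENSIONS}
            for g, rows in buckets.items()}


def weak_spots(profiles: Dict[str, Profile], benchmark: float,
               margin: float = 0.0) -> List[Tuple[str, str, float]]:
    """(group, dimension, gap) for every cell more than `margin` points below
    the benchmark, largest gap first. `margin` keeps noise off the list."""
    found = [(g, d, benchmark - score)
             for g, dims in profiles.items()
             for d, score in dims.items()
             if benchmark - score > margin]
    return sorted(found, key=lambda t: -t[2])


def year_over_year(responses: List[Response], prev_year: int,
                   curr_year: int) -> Dict[str, Profile]:
    """Per-group change in each dimension between two measurement rounds."""
    before = group_profiles(responses, prev_year)
    after = group_profiles(responses, curr_year)
    return {g: {d: after[g][d] - before[g][d] for d in DIMENSIONS}
            for g in after if g in before}


def culture_index(profile: Profile) -> float:
    """Unweighted mean over the seven dimensions: one headline number per group."""
    return mean(profile[d] for d in DIMENSIONS)


# Constructed survey data: two groups, two annual rounds, two respondents each.
SAMPLE = [
    make_response("finance", 2023, 70, compliance=50, responsibilities=52),
    make_response("finance", 2023, 72, compliance=54, responsibilities=56),
    make_response("engineering", 2023, 80, behaviours=60),
    make_response("engineering", 2023, 82, behaviours=64),
    make_response("finance", 2024, 71, compliance=62, responsibilities=60),
    make_response("finance", 2024, 73, compliance=66, responsibilities=64),
    make_response("engineering", 2024, 81, behaviours=70),
    make_response("engineering", 2024, 83, behaviours=74),
]
BENCHMARK = 65.0  # hypothetical organisation-wide target on the 0-100 scale

if __name__ == "__main__":
    for year in (2023, 2024):
        profiles = group_profiles(SAMPLE, year)
        print(year, {g: round(culture_index(p), 1) for g, p in profiles.items()})
        for g, d, gap in weak_spots(profiles, BENCHMARK, margin=5.0):
            print(f"  {g}: {d} is {gap:.0f} points below benchmark")
    for g, deltas in year_over_year(SAMPLE, 2023, 2024).items():
        print(g, "largest moves:", {d: v for d, v in deltas.items() if abs(v) >= 5})
```

On the constructed data, the first round flags finance on compliance and responsibilities (13 and 11 points below the benchmark) while engineering's behaviours dimension, only 3 points below, is suppressed by the 5-point margin; the second round flags nothing, and the year-over-year view shows compliance and responsibilities in finance and behaviours in engineering as the dimensions that moved most. The design keeps the aggregation at group level: it answers "which departments need attention on which dimension", which is the question the text poses, without producing a per-employee score.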

The CLTRe Toolkit, delivered as a SaaS, provides all the tools you need to assess, build and improve the security culture of your organisation, including insider threat detection. Its tools include:

  • CLTRe Discover distributes the security culture assessment (developed by leading social scientists) and automates the collection and analysis of the results.
  • CLTRe Insights provides in-depth reports with drill-down options and insightful data visualisation tools.
  • CLTRe Improve creates recommended action items specifically for security culture management.

What now?

Get in contact or schedule a demo to talk to one of our security culture experts here at CLTRe to see how we can help.

Is this a topic that interests you?

Let us know! Like, share and follow us on social media, or even better… get in touch! Book a demo, email us at [email protected], or visit for more information about CLTRe, our research, our products, and our team.