In a conversation related to my recent blogpost, How can we improve security culture, if security awareness training programs are not yielding results? (1), one of our customers asked me to clarify the difference between security awareness and security culture, remarking that they are often wrongly used interchangeably. Here’s my take on it.
Security awareness is the state of knowledge about risk, i.e. the knowledge that members of an organization possess regarding the protection of the physical, and especially informational, assets of that organization.
Security culture is a wider concept than security awareness; encompassing not only knowledge of security risks (“cognition”) but, a total of 7 key dimensions: attitudes, behaviors, communication, compliance, norms, responsibilities, in addition to cognition. The Security Culture Framework paraphrases this as: “…the ideas, customs and social habits of a group [organization or team] that influence their security.”
In 2012, Geordie Stewart wrote in his blog that “our definitions of security awareness seem to be limiting our ability to influence people,” (2) and, I agree, we need a better understanding of what we are talking about.
Discussing an ISF definition of security awareness that later refers to security culture, Geordie writes, “[this] is great because it implies group norms which can encourage secure behaviour. [But] its first suggestion on how to create security culture is ‘compulsory attendance at security awareness training’. Seriously, the human race is doomed.” (2)
A vast majority of security awareness training programs are utterly worthless (3) as they fail to address what drives behavior change. In fact, we can learn from organizational experts and scientists, who claim that a one-size-fits-all approach is ineffective (4-8).
If organizations want to elicit change (e.g., by increasing the security level of the organization) greater focus should be placed on the main determinants of change, which are contextually specific and must be empirically verified. In a security culture context, these determinants are:
- Attitudes: How employees feel about security.
- Responsibilities: How accountable employees believe themselves to be for organizational security.
- Compliance: Adherence of rules, regulations or policies (both informal and formal) designed to improve security.
- Cognition: Employees’ understanding and self-efficacy of security knowledge.
- Behaviors: How risk-averse employees are in their actions.
- Norms: The extent that employee actions are subject to peer-influence.
- Communication: The quality and availability of communication and support on security matters.
As an efficient mechanism to influence employee behavior, security culture is one of the most important, yet most overlooked, aspects of organizational security, which is why I advocate so strongly that greater focus should be placed on understanding and managing these seven dimensions.
If you enjoyed this blog post, you might enjoy How can we improve security culture, if security awareness training programs are not yielding results? which discusses the metrics gained from measuring security awareness and security culture programs, and how these different metrics can be used to evaluate (and improve) the effectiveness of your security awareness and security culture programs.
(1) Laycock, A. (2018, Nov 16). How can we improve security, if security awareness training programs are not yielding results? [blogpost, CLTRe]. Retrieved from https://get.clt.re/blog/how-can-we-improve-security-if-security-awareness-training-programs-are-not-yielding-results
(2) Stewart, G. (2012, Mar 12). Definition of Security Awareness [Blog post, IBM]. Retrieved from https://www.risk-intelligence.co.uk/definition-of-security-awareness/
(3) Opacki, J (2017, Aug/Sep). Building a Security Culture: Why Security Awareness Does Not Work and What to Do Instead. ISACA Journal, 2017(4).
(4) Euske, K. J. (2003). Public, private, not-for-profit: everybody is unique?. Measuring Business Excellence, 7(4), 5-11.
(5) Rahim; et al, (2015). A systematic review of approaches to assessing cybersecurity awareness. Kybernetes, 44(4), 606-622.
(6) Shenhar, A. J. (2001). One size does not fit all projects: Exploring classical contingency domains. Management science, 47(3), 394-414.
(7) Prochaska; et al. (2001). A trans-theoretical approach to changing organizations. Administration and Policy in Mental Health and Mental Health Services Research, 28(4), 247-261.
(8) vom Brocke, J; et al (2016). On the role of context in business process management. International Journal of Information Management, 36(3), 486-495.