Why the key to security culture success is an evidence-based approach

The industry benchmarks for security culture (published in CLTRe’s 2018 Security Culture Report) reveal how specific industries stand apart in terms of their security culture maturity and how different measures are needed to address their unique cultural issues if they are to successfully and effectively improve security.

Using a standard of measurement for identifying the needs of the different workforce segments makes it possible for organizations to differentiate their communication and training content accordingly. In a post published last week, I explored how some of our finance-sector customers used the data collected from their security culture measurement to better understand the needs of their employees, create “campaign audiences” (i.e. segment their workforce based on their different perceptions and understanding of security), and adapt their security culture program.

As a result, finance-sector customers within Fund Management were able to document a decrease in risky behaviors of up to 16.7% (from 63 to 73.5) in one year. Another noticeably felt cultural change was a 17-point increase in individuals’ sense of responsibility towards security.

Since 2016, CLTRe has measured security culture across tens of thousands of employees, and each year it publishes its findings in an annual Security Culture Report. Large sample data collection using the CLTRe Toolkit enables us to study how security-related attitudes, behaviors, and social norms vary within organizations and also across borders and different industry sectors.

With the insights gathered from our survey-based tool, an organization is able to take an evidence-based approach and plan measures that directly address the weaknesses identified. That first measurement creates a baseline from which effectiveness can be measured.

Having a starting point metric (a baseline) for each segment enables organizations to track progress and gives them a detailed understanding of what makes that particular segment different from the others and how it should be treated. Subsequent measurements record how the security culture of these segments changes so that progress can be tracked and demonstrated.

Organizational measures to build security culture are significantly more effective when organizations take an evidence-based approach. This is how organizations learn whether their security culture strategy is effective and can compare their results against their industry benchmark as a measure of their success.

Last year’s industry benchmarks (published in CLTRe’s 2018 Security Culture Report) revealed how the Retail and Wholesale Trade sector, for example, stands out in terms of their security culture maturity. Different measures are needed to address their unique cultural issues if they are to successfully and effectively improve security.

Chart showing the SCR 2018 Industry Benchmark for the Retail & Wholesale Trade sector, where the dashed green line shows the overall security culture score for the sector (i.e. the average of all the dimensional scores) and the red lines provide a comparison with the global benchmarks (i.e. an average of all sectors studied) indicating the global standard for each dimension of security culture.

With a score 14 points below the global standard (60), this sector scores worse on the Behaviors dimension than all the sectors included in the study. On the other hand, the above-average scores for Attitudes, Cognition and Compliance indicate that employees within the Trade sector have a higher-than-average understanding of security and how it relates to their own role in their organization, as well as being more positive about, and adherent to, the organizational measures put in place to protect them and the security of information.

A major challenge in the retail sector can be high employee turnover. To improve the security culture transformation, whilst minimizing cost, a clear strategy with a strong focus on segmenting the workforce based on roles and positions and their exposure to cybersecurity risks is needed. The 2018 Trade Industry Benchmark shows why this sector requires dramatic changes to how it assesses, monitors, educates and changes its employees’ behavior.

Using a standard of measurement for identifying the needs of different workforce segments makes it possible for organizations to differentiate their communication and training content accordingly.

This article was originally published by the Security Culture Framework (read the full post here). CLTRe are proud supporters of the Security Culture Framework and its community.

More information about the SCF can be found here: https://securitycultureframework.net