Why You Should Assess Your Security Culture

Being security aware means you understand that there is the potential for some people to deliberately or accidentally steal, damage, or misuse your information. ‘Awareness of the risks and available safeguards is the first line of defence for the security of information systems and networks,’[1] according to ENISA, the European Union Cybersecurity Agency. Many organizations require formal security awareness training for all workers when they join the organization and periodically thereafter.

To be effective, security awareness programs need to bring attention to the security risks and issues, encourage positive dialogue across the organization, improve understanding and education, and train their audience on how to mitigate those risks. Security Awareness Training that achieves a long-term shift in the attitude of employees towards security, whilst promoting a cultural and behavioral change within an organization, is what every organization should be aiming for.

This emphasis on achieving cultural and behavioral change is important because one of the biggest drivers of behavior change is actually cultural influence. (Awareness alone is not enough to change behavior.) 

Organizational culture is made up of many things. The part of it that affects security, namely the ideas, customs, and social behaviors of the organization that impact its security, is known as security culture. Until recent years, security culture was one of the least understood aspects of organizational culture, and its importance to organizational security was somewhat overlooked. Yet security culture is vital to organizational security.

Recognition of security culture’s impact on risk has grown globally, especially in academic circles, where security culture has been found to be an effective mechanism for influencing employee behaviors. Every organization has a security culture; what varies is how mature it is, how good or bad, how strong or weak, and how positive or negative. Understanding what type of security culture your organization has, and how best to improve or strengthen it, requires the organization to take a moment to assess it.

Driven by innovation and research, CLTRe specializes in measuring security culture. We study changes to find the most effective ways to improve security culture and build more secure organizations. The significant work by CLTRe has attracted the attention and cooperation of not only academia and other research institutes, but also a number of large corporations, governments, and industry bodies, including ISACA, CSA, and ENISA, and has won awards. 

Established in 2015, CLTRe developed the Security Culture Survey, a scientifically built mechanism for measuring security culture worldwide. The results of the survey offer insight into which areas need improvement, tips on what to focus on next, and a KPI that organizations can use to report their security posture to the board.

Getting security culture right is one of the most important aspects of an organization’s protective security regime. Following KnowBe4’s acquisition of CLTRe earlier this year, the Security Culture Survey has been made available to all KnowBe4 customers. This means that over 28,000 organizations worldwide now have a reliable and scientifically valid way to measure the maturity of their security culture, get detailed reports on its strengths and weaknesses, and receive recommendations on how their security culture can be improved.

As CLTRe continues to research security culture and understand the impact of Security Awareness Training on changing behaviors, our ability to make tailored, evidence-based recommendations to KnowBe4’s customers improves, ensuring that KnowBe4 can offer the best and most effective solution to its customers.

[1]  From the OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security, which were adopted as a Recommendation of the OECD Council at its 1037th Session on 25 July 2002.


See it for yourself

Book a demo and see how easy we’ve made it for you to measure your security culture and what sort of insights to expect.