How Security Culture Invokes Secure Behavior

For years, establishing good cybersecurity has faced a major barrier: people. Yet, it’s not entirely their fault. Mention the word “cybersecurity”, and if employees’ eyes don’t glaze over, then they immediately jump to the same conclusion – this is not my problem; it’s a technology problem. Or they assume the IT team will take care of it. And while this is a reasonable assumption on some level, looking at the bigger picture can be far more beneficial to keep organizations, as a whole, cyber-safe. To put it into perspective, the IT and security teams can be totally clued up on the latest cyber-threats facing their business sector and invest in all the hottest security technology, but if just one person in the procurement department opens a rogue attachment believing it is an impending invoice, then everyone suffers.

There is a simple reason that social engineering, or phishing to be more precise, is the go-to means of entry by hackers - because it works. Based on data from the 2020 Verizon Data Breach Investigations Report, attacks on the human layer are now responsible for a majority of events leading to breaches, reinforcing the fact that you can have the best security technology available, but when there are humans involved, all bets are off. Therefore, efforts to improve security programs in organizations should focus on the human aspect and maintaining secure behaviors amongst employees.

A primary means of cultivating secure behavior in organizations is through intentional focus on the organization's security culture. Security culture involves the shared ideas, customs and social behaviors that influence security. Furthermore, attaining a good security culture happens when employees take to heart their individual roles and responsibilities to better protect and defend, not only their professional environments, but their personal ones too. By focusing on improving security culture, an organization will raise their security readiness; and their people will begin to instinctively act as an effective protective layer.

In fact, it has been observed that security culture is affected by a set of seven core dimensions:

Attitude – the feelings and beliefs that employees have towards security protocols and issues.

Behavior – the actions and activities of employees that have a direct or indirect impact on the security of the organization.

Cognition – the employees’ understanding, knowledge and awareness of security issues and activities.

Communication – the quality of communication channels to discuss security-related events, promote a sense of belonging and provide support for security issues and incident reporting.

Compliance – the knowledge of written security policies and the extent that employees follow them.

Norms – the knowledge of and adherence to unwritten rules of conduct in the organization.

Responsibility – how employees perceive their role as a critical factor in sustaining or endangering the security of the organization.

Organizations that invest in building and maintaining a security culture will drive significantly higher security awareness behaviors among their employees. For example, a recent study found that companies with a good security culture were 52-times less likely than those classed as having a poor security culture to share credentials – often considered to be a major source of insider threat. This means the more focus given to security culture, the greater the likelihood that employees will follow secure practices and adopt more secure behaviors.

Since improving security culture directly translates into more secure employee behaviors and to the overall reduction of organizational risk, investment in this area – which may have been difficult to obtain in the past - can (and will) produce a strong return as well as provide additional value. Even if it’s just the investment of time, consider these steps to build upon:

Risk assessments – set-up periodic assessments, or better yet, continuous monitoring of the organization’s risks. The risk assessment should include the human factors as measured by security culture, knowledge and behavior of the organization and its employees.

Use the seven dimensions – actively work on building a strong security culture using the seven dimensions as a guideline for improvement.

Train and measure through engagement and automation – consider a partner to design and automate the right awareness training program to fit a diverse audience, including engaging content, attack simulations and unique communication tools.

Communicate often – a ‘one and done’ approach will never work to cultivate a meaningful security culture; communicate often by partnering with other departments and connecting their messages to overall security initiatives.

Use the champion model – consider mobilizing a champion program across the organization to consist of advocates in every department, region and country who can further translate and embed the security message within the organization.

Engage with peers – the security landscape is always changing, and it is difficult to keep track of it all. Leverage the security community to learn from others, and to share knowledge and experience.

IT leaders already know that a well-designed security strategy consists of a combination of people, process, and technology. But with technology and processes being pushed towards the forefront, the human element in cybersecurity is often overlooked. Therefore, if we flip this on its head and realise where the most potential for change is, it’s actually humans that have now become one of the greatest assets in the fight to help organizations be better protected. Taking small steps now to improve security culture with a focus on people, will ultimately produce the most reward for organizations now and into the future.

What’s Hot on Infosecurity Magazine?