The Virtuous Circle between Security Culture and Security Behavior

Rising numbers of cyber, hacking, and other security risks along with new regulation and legislation from GDPR, ISO27001 or PCI DSS all mean CISOs and their infosec teams have their work cut out.

While policies, processes and technology are important in helping mitigate these risks and adhere to regulation, arguably embedding an organization-wide security culture is the foundation on which to protect a business, its people and its assets. 

Humans are human, not stupid
Human error continues to account for a significant proportion of security breaches today. It’s a fact of life that people get things wrong, and this is perhaps why, according to a recent cross-sector survey of their peers by the Ponemon Institute, CISOs consider the ‘human factor’ as the biggest threat to security today.

So why do people get things so wrong? We need to dispel the myth that humans make mistakes simply because of lack of knowledge or understanding. Decisions made under pressure in a situation or about a topic they know little about routinely bypass the logical side of the brain where rationality is at work, and go direct to the instinctive side of the brain where irrationality is dominant. 

The brain handles these situations using several shortcuts, which enable quick decisions and minimum effort. When values associated with privacy and security come into conflict with other more embedded values, for example those belonging to a culture, it inevitably doesn’t end well on the majority of occasions. 

To be clear, this does not necessarily mean that personnel may not value the content or the sentiment of the security policy. Instead they just may not value it as much as those who wrote, say, the new GDPR policy, processes and procedures within an organization. It’s when these values come into conflict, that organizations stand to see all their hard work around security policies come undone.

The traditional approach to security training, which focuses on raising awareness, is proving to have limited success. Successive studies have shown that simply ‘raising awareness’ has limited direct correlation with transforming organization-wide behavior and bringing about cultural change, and therefore in mitigating security risk.

Most of these education awareness programs are designed on flawed assumptions and an incomplete understanding of what make humans behave like humans - instead of like machines. They fail to instill real awareness and changed behavior, or become embedded in company culture. 

To address this problem, CISOs need to look for new tools and methods designed to go beyond raising awareness and actually engaging and influencing the behaviors of employees and stakeholders and achieve compliance with organizational policies. If behavior can be influenced, it is possible to create a new security-aware culture.   

So why is culture important and how can behaviors be embedded into culture? 
The term culture can be interpreted differently by different stakeholders, but essentially, it’s about having a set of shared attitudes, values, goals, and practices that characterizes an environment.

Culture in an organization is also tangible assets such as artefacts, espoused values and underlying assumptions. These could be organizational structures, processes and procedures or even strategies, goals, philosophies and policy statements. Underlying assumptions could be unconscious, taken-for-granted beliefs, perceptions, thoughts and feelings regarding a myriad of values many of which are not, at first glance, related to information security or even privacy.

People are influenced by their worlds around them and the decisions people make are heavily influenced by their cultural lenses. These lenses are the results of life experiences and lessons learnt and embedded from the earliest years of life through to the present day.

In an organizational setting, people are influenced by the behaviors they see around them as the perceived day to day norms and values that colleagues adhere to. Therefore influencing and re-enforcing acceptable behavior is a key part of embedding security into the culture of an organization. 

A one-size-fits-all training awareness program that aims to appeal to everyone will ultimately fail to resonate, or reflect the values and culture of an organization. If the training does not resonate, it will not score highly on people’s priority list and will fail at increasing the likelihood of a positive security choice and outcome when competing with other values.

If the training sentiment does not mirror how people operate within the organization, the program fails because it will not influence behavior or embed into culture. Yes, it’s possible to document organizational values and expectations of personnel, but anecdotally most people have experienced organizations where there is difference between what is said and what is done. 

Savvy security communications campaigns on the other hand will take into account and be sensitive to local and organizational culture and values. Infosec trainers should take the time to understand their target audience on a deep level to increase the likelihood of influencing behavior to comply with security policies. This way they can create awareness campaigns, which clearly communicate the organization’s values and expectations of the relevant stakeholders.

The security values and culture must be lived and breathed throughout the organization from the top down, bottom up and from the sides inwards so as to reinforce them by allowing everyone to witness and participate in their continued use. 

The first step in understanding the role culture plays in security compliance is recognizing that culture does exist, and that it can and will influence behavior no matter how fantastic or memorable the awareness and training campaign is.

What’s Hot on Infosecurity Magazine?