Most security managers feel the need to embed cyber security in the organisational culture. To achieve this goal, they roll out the usual methods such as communication materials and security awareness training. However, there are other approaches that can be borrowed from the concept of “culture”, and these can be used to monitor, measure and ideally strengthen the human element in information security.
Organisational culture as a means of control – a 1980s concept
The aim of an underlying concept of an organisational culture is to translate daily cooperation into behaviours, values, attitudes and beliefs. In the 1980s, the organisational culture concept developed into a management trend, with the aim of actively shaping organisational culture. At the time, sociologist Martin Parker even spoke of “culturalism” in management and of instrumentalising the concept of culture for control purposes. The basic management goal was (and still is) generally to strengthen employees’ self-commitment and dedication. This approach has also had an impact on developing common management systems and standards for information security. More than ever, security awareness is considered to be a fundamental point of control.
How useful is a security culture audit?
At InfoGuard, our cyber security consultants and auditors also monitor an organisation’s social elements, in addition to the technological and procedural ones. We always experience part of the organisational culture in the course of local visits, interviews, questionnaires and audit reports.
It is not easy to measure security awareness and assess the cyber security culture in key figures and barometers. Managements often want a ”speedometer” or a ”green-yellow-red traffic light” in a clear dashboard form – in terms of security culture too. But how can this culture be measured, and can it even be mapped in green-yellow-red terms?
There is a range of metrics that we use with our clients to measure the security awareness and behaviour of people within an organisation. These include the classic, even controversial, metrics from security awareness training, simulated phishing attacks, the handling of data (media) or compliance with security requirements. Such values help to record basic risk in order to identify more far-reaching requirements for measures.
An extensive consideration and analysis of important ”elements of culture” in employees’ security self-image and behaviour can provide useful indicators for correctly classifying past and future measures. In keeping with the many attempts to define “culture” in social science terms, it is fun to look at individual categories from a security perspective. Below are the questions from some of the categories to conduct a thought experiment within your organisation.
-
Myths and legends surrounding internal security incidents:
• Which incidents are we talking about? For instance, the last production stoppage or when the online shop was unavailable for several days.
• How are these situations related? For example, in safety training, in detail/without more precise information, emotionally/objectively, in an embellished/factual way, etc.?
• Are there dramas (e.g. administrators’ exhaustion), heroes (e.g. colleague finds backups they thought were lost), destinies (e.g. dismissals) etc.?
-
Periodic rituals, unchangeable standards, conscious or unconscious, planned or unplanned regular repetitions: As an example, which committees or meetings in the security management field can be described as ritual - formal, festive or celebratory, with word formulas and high symbolic content? How is the impact of these ”rituals” on the organisation perceived (strong, authoritative, weak, incomprehensible or sceptical)?
-
Taboos and no go zones: What should not be talked about, what should not take place? For example, risks that are not discussed? Are there systems that are excluded from guidelines and regulations? What systems, things or places do you try not to mention to the auditors? Are there errors or mishaps that you wouldn’t tell anyone about? Or processes that it is best not to question, for example why is a certain application only updated every six months?
-
Ideological beliefs and convictions regarding behaviour, technology, processes, etc.? As an example, are there fixed ”tracks” to drive on? Is one manufacturer/service provider generally considered more secure than the others? Does this have an influence on caution and compliance with standards or controls?
-
Division of labour, distribution of roles and powers, structures of accountability: How do different posts represent security organisation in a freely drawn organisational chart? Where do the arrows of instruction and reporting point? Are there silos of responsibility or centres of power? Does the picture correspond to the strategy or the desired situation? What are the position of the persons responsible, e.g. for applications, processes and systems, with regard to the security measures requested? How are these perceived, planned, delegated, delayed, documented and reported? Think here also about patch and identity management, access controls, reviewing log data as well as error messages, etc.
-
Trust, attitudes and assumptions regarding people, technologies and processes with a security function: What are the (informal/qualitative) reactions to questions such as: Do we have protection against cyberattacks? What needs to work well to reduce outages, attacks, data theft and other forms of information security risk?
With security, you will no doubt be able to think of a few stories about these questions in your own environment. Even without comprehensive metrics, you are getting closer to getting a picture of your cyber security culture. A low level of security awareness – even negligent behaviour – is also part of this.
There is always (some kind of) security culture
However, the concept of culture remains elusive. Nevertheless, we have formulated some key ideas of cyber security culture in our own personal view:
-
Cyber security culture is not confined to professional organisations. For some time now, it has extended deep into the personal sphere and into society as a whole. As a result, it also has an impact on corporate and organisational security – both in a positive way (attention, experience, skills, etc.) and in a negative way (ignorance, indifference, negligence, etc.).
-
Cultural characteristics can be recognised by specific elements. Examples of these include structures, processes, internal dealings, narratives, rules, dealing with errors, cooperation, etc.
-
Security awareness and the corresponding behaviour in decisive situations are an important part of the organisational culture (for survival). This can be seen clearly in the current threat situation, for example “phishing email” + “missing software updates” = “good chance of successful attack”.
-
Humans are the attack path that is most frequently used in successful attacks. This insight has been gained from the current threat situation. To err is human and unavoidable. A successful cyber security culture (including both its technical and organisational manifestations) is able to strongly defend itself against the negative impact of human errors. For instance, it is often virtually impossible to avoid clicking on well-presented phishing emails. However, it is possible to reduce inhibitions, for example, about reporting a suspected phishing attack or the fear of the adverse consequences of reporting your own lapse.
-
The technical automation of detection, correlation and mitigation measures takes some of the burden off humans (end-users, admins, analysts, management, etc.). Awareness of the known (including your own) human weakness also increases awareness and acceptance of the short-term (extra) effort required to make the technical security tighter.
-
Technical experts and security managers often refer to employee’s “lack of awareness”. In a strong cyber security culture, this excuse no longer exists.
-
“Us and them” is not just something that is found in discussions about cultural identity in everyday life, but often between security officers and operational managers, between representatives of interest from users, business and security. An important part of a strong security culture is recognising these lines, building bridges and promoting cooperation and exchange.
Cyber security culture is more than just security awareness-training
In audit reports, in the results of an attack simulation or as “lessons learned” after an actual incident, we note the frequent recommendation to strengthen awareness and to expand employee training. A quick win is to first target the “end user” and their (security) behaviour. In fact, a strong cyber security culture also specifically includes employees’ attitudes and behaviour with a role model or directive function or with particular technical privileges.
For clients with a high level of maturity in awareness campaigns and security awareness training we look at the behavioural and communication structures in security-specific processes and procedures. Tabletop exercises, group-specific attack simulations and role-specific workshops do not deal solely with technical and organisational aspects, but also actively shape the cultural elements mentioned above.
Cyber security and especially security awareness involve more cultural and social components than many people might think. Psychological effects that we have already talked about in previous blog articles play an important role.
What is the security culture like in your company? A strong cyber security culture not only promotes security, but also the well-being of all those responsible and involved. Our InfoGuard experts are happy to support you on this journey.
Security awareness – step-by-step
Effective cyber security culture can only be achieved if the various elements work together. The first step is to become aware of the risks, create a multi-stage, long-term concept and find an experienced partner to professionally guide and support you along the way. But what measures does a concept of this kind actually include? What risk factors need to be covered in security awareness campaigns? Find out more about these and other questions on our know-how page – including a quiz on how good your own security awareness is.