An organisation that focuses on these dimensions will have a stronger people-centric security culture than one that doesn’t, and will consequently be more cyber resilient.
Cyber-security culture is increasingly recognised as the third key pillar of human cyber-security resilience – sitting alongside “awareness” and “behaviour” in a neat “ABC” trio.
A positive cyber-security culture means people have a greater understanding and awareness of cyber-security in the workplace and are committed to behaving in a secure manner. Understanding this security culture is an integral part of understanding a business’s overall risk profile.
But how can businesses understand their culture in practice? What exactly should they be measuring? It’s a question our own behavioural science team at CybSafe have been looking into for many months.
The answer we’ve arrived at is laid out below. While there is no single ideal culture to pursue, in our view, there are seven key dimensions to pay attention to.
Evidence-based assessments based on these seven criteria can help businesses measure the extent to which they have a people-centric security culture, and can reveal clear paths to reducing risk, increasing resilience and steering culture towards something more people-centric.
Trust
Employees need to have faith in both the processes and the individuals who put them in place if they are to be followed correctly. If there is a feeling of uneasiness or mistrust towards the choices of an organisation, then it’s unlikely that the appropriate behaviours will be maintained.
Trust also needs to work both ways. Reciprocal trust between staff and the organisation is essential for effective engagement with cyber-security. Often, employees are monitored heavily and their behaviour is restricted excessively. Research shows such an approach to be questionable.
Just and fair
A “just and fair” culture emphasises shared security accountability between leaders and staff. In turn, shared accountability ensures breaches are reported as and when they occur, which allows organisations to limit damage and learn from mistakes. Not only do employees need to trust in the competence and decision-making capabilities of their organisation, but they need to feel confident and comfortable enough to speak up when confronted with security issues or a suspected security breach. Clearly, employees who are unjustly monitored or blamed for security-related issues will be incentivised to keep quiet when issues arise.
Resources and communication
By providing employees with security-related communications and material, awareness can be increased, and a strong security culture can be bolstered. It is important to provide employees with contextualised material that is specific to their role, industry and level of experience, so that they are aware of the actual threats that could be posed to an individual in their position. Organisations may use a variety of modes to deliver their awareness content, such as posters, desk drops and face-to-face training.
Productive security
Security policies designed to aid productivity are more likely to be followed. Sadly, security policies are often developed without fully understanding how people work in organisations. Such security policies hinder productivity. And, because people’s mental resources are limited, such security policies force employees to make a choice. They can either follow the policies and crawl through their to-do lists at a snail’s pace, or they can shape security policies around their existing responsibilities.
In fact, research shows that people routinely craft their own versions of security policies when official policies are cumbersome and poorly implemented. If employees feel like they can’t be secure and productive at the same time, then it’s likely that organisational security policies need some work. The NCSC in the UK refers to this as “you shape security” – a collaborative process to develop productive and secure policies. Productive security requires integrating good security habits into the business processes.
Collaborative security
Collaborative security efforts – efforts that span the entirety of a workplace – can prevent more cyber-threats than solo attempts at threat prevention.
Research has shown that the most at-risk employees often delegate security to another source. This other source can be something technological, such as the assumption that an antivirus will block all attacks, or it can be another person or department within the organisation.
Ease and choice
Research indicates that those who feel comfortable performing a task are likely to continue doing it, while those who struggle are likely to stop.
One way to make someone comfortable with an experience or behaviour is repetition, which in turn increases familiarity. Within cyber-security, this could involve employees practising reporting potential breaches periodically, so that the process feels familiar and easy.
A wealth of research has shown that a primary driver of behaviour is whether or not an individual believes other people they consider to be important approve of it. These important people may be their immediate colleagues or line management but might also include personal contacts such as family and friends.
If people within an organisation feel like others will disapprove of security policy compliance (for example, if they feel they’ll be looked down upon for sacrificing productivity in an effort to follow security policies), then security policies are unlikely to be followed.
Find out what it takes to measure and improve the seven dimensions of your cyber security culture. Read CybSafe’s Cyber Security Culture whitepaper here.
by Oz Alashe, CEO of cyber-security awareness and data analytics platform CybSafe