The 7 Dimensions of Security Culture


The security industry has struggled to define security culture for a long time. Security leaders talk about its value, but they tend to do so without precision—which can be incredibly confusing for business leaders.

Here’s our take on security culture, developed over many years at the intersection of two worlds: academia and “in the trenches” practitioners. Security culture can be broken down into seven components, which we refer to as dimensions. These dimensions are interdependent; each one influences the others.

Dimension 1: Attitudes

The attitudes your employees have toward security is a critical factor. When employees take a negative view, they’re much less likely to abide by the rules and act securely. This means that finding ways to foster positive attitudes toward security can be a great strategy to improve employee behavior and, ultimately, your security culture.

Ask yourself: To what extent do employees care about security? Are they positive, neutral, or negative?

Dimension 2: Behaviors

What employees see other employees do impacts their own behavior. Most people are likely to adopt the behaviors they see modeled by others when they’re in a group. We’re also very likely to do what we’re told by someone in authority, suggesting that leadership should be actively involved in security.

Ask yourself: What are considered acceptable behaviors? What do employees see others doing?

Dimension 3: Cognition

What employees know can influence their behavior. However, just because someone is aware doesn’t mean they care! And even caring doesn’t always translate to behavior. This is what we call the “knowledge-intention-behavior gap.” Training is an important part of any security culture program, but it’s not the end-all.

Instead, consider training as only one of many tools in your toolbox. Support it with strong messaging from your executives and leadership teams, and make sure your employees understand why security is paramount.

Further support your training program through behavior design initiatives and by trying to foster other areas of influence, such as reward and reinforcement systems.

Ask yourself: What do employees know? How do they learn? How do they apply that knowledge?

Dimension 4: Communication

One of the skills of great leaders is their ability to communicate. Often, you’ll hear them repeat the same vision many times over, in many different forms and forums.

Great leaders recognize the importance of setting the agenda and repeating the message so that every employee can understand and relate. Security is no different: If you want it to happen, repeat your values often and find ways to make people talk about them.

Ask yourself: How is security communicated throughout the organization? To what extent is leadership involved? Is security considered a core value?

Dimension 5: Compliance

Organizations need rules to ensure employees know what’s allowed and what’s not. Some organizations are very good at implementing policies and incentives, whereas others are not.

If your security policies and procedures aren’t being followed, it may be because employees are unaware of the policies and procedures, or your policies and procedures are too difficult to follow, or because you need other methods and systems to support compliance.

Ask yourself: How well do employees adhere to policies and procedures?

Dimension 6: Norms

Norms are the informal rules, those policies of the group that aren’t written down and formalized. They’re “just the way things are done around here.” Unfortunately, people are more likely to follow norms than comply with your policies due to perceived peer pressure.

What’s the fix? Seek out any disconnects between your norms and your policies. Find ways to influence your norms to better align with policy. This is accomplished through a combination of communication, social pressures, behavior design, and traditional training methods.

Ask yourself: To what extent are security-related beliefs, behaviors, and values embedded in the norms and unwritten rules of the organization?

Dimension 7: Responsibilities

An organization where every employee actively takes part in the security program is a good organization. Empowering employees to make relevant security decisions during their workday is a valuable strategy.

Likewise, making sure employees understand that even a tiny action can make a huge difference is mission critical. Try to focus on the positive change the employee can make instead of dreaded and ineffective fearmongering.

Ask yourself: To what extent do employees feel empowered? To what extent will they help ensure that other employees follow the rules?

For further reading in TechZone: Journey Mapping: Cultivating a Mindset for Security Awareness

About the Author

Perry Carpenter is author of the recently published, “The Security Culture Playbook: An Executive Guide To Reducing Risk and Developing Your Human Defense Layer.” [2022, Wiley] He is chief evangelist and security officer for KnowBe4 [NASDAQ: KNBE], the world’s largest security awareness training and simulated phishing platform.

Get stories like this delivered straight to your inbox. [Free eNews Subscription]
Related Articles

Shabodi Accelerates Adoption of Network-Aware Applications with CAMARA API Enterprise Reference Implementation

By: Special Guest    2/16/2024

Shabodi, an Application Enablement Platform (AEP) provider unleashing advanced network capabilities in LTE, 5G, 6G, and Wi-Fi 6, announced they have l…

Read More

How Much Does Endpoint Protection Cost? Comparing 3 Popular Solutions

By: Contributing Writer    2/2/2024

Endpoint protection, also known as endpoint security, is a cybersecurity approach focused on defending computers, mobile devices, servers, and other e…

Read More

What Is Databricks? Simplifying Your Data Transformation

By: Contributing Writer    2/2/2024

Databricks is an innovative data analytics platform designed to simplify the process of building big data and artificial intelligence (AI) solutions. …

Read More

What Is Blue/Green deployment?

By: Contributing Writer    1/17/2024

Blue/green deployment is a software release management strategy that aims to reduce downtime and risk by running two identical production environments…

Read More

The Threat of Lateral Movement and 5 Ways to Prevent It

By: Contributing Writer    1/17/2024

Lateral movement is a term used in cybersecurity to describe the techniques that cyber attackers use to progressively move through a network in search…

Read More