The 7 Dimensions of Security Culture

By



The security industry has struggled to define security culture for a long time. Security leaders talk about its value, but they tend to do so without precision—which can be incredibly confusing for business leaders.

Here’s our take on security culture, developed over many years at the intersection of two worlds: academia and “in the trenches” practitioners. Security culture can be broken down into seven components, which we refer to as dimensions. These dimensions are interdependent; each one influences the others.

Dimension 1: Attitudes

The attitudes your employees have toward security is a critical factor. When employees take a negative view, they’re much less likely to abide by the rules and act securely. This means that finding ways to foster positive attitudes toward security can be a great strategy to improve employee behavior and, ultimately, your security culture.

Ask yourself: To what extent do employees care about security? Are they positive, neutral, or negative?

Dimension 2: Behaviors

What employees see other employees do impacts their own behavior. Most people are likely to adopt the behaviors they see modeled by others when they’re in a group. We’re also very likely to do what we’re told by someone in authority, suggesting that leadership should be actively involved in security.

Ask yourself: What are considered acceptable behaviors? What do employees see others doing?

Dimension 3: Cognition

What employees know can influence their behavior. However, just because someone is aware doesn’t mean they care! And even caring doesn’t always translate to behavior. This is what we call the “knowledge-intention-behavior gap.” Training is an important part of any security culture program, but it’s not the end-all.

Instead, consider training as only one of many tools in your toolbox. Support it with strong messaging from your executives and leadership teams, and make sure your employees understand why security is paramount.

Further support your training program through behavior design initiatives and by trying to foster other areas of influence, such as reward and reinforcement systems.

Ask yourself: What do employees know? How do they learn? How do they apply that knowledge?

Dimension 4: Communication

One of the skills of great leaders is their ability to communicate. Often, you’ll hear them repeat the same vision many times over, in many different forms and forums.

Great leaders recognize the importance of setting the agenda and repeating the message so that every employee can understand and relate. Security is no different: If you want it to happen, repeat your values often and find ways to make people talk about them.

Ask yourself: How is security communicated throughout the organization? To what extent is leadership involved? Is security considered a core value?

Dimension 5: Compliance

Organizations need rules to ensure employees know what’s allowed and what’s not. Some organizations are very good at implementing policies and incentives, whereas others are not.

If your security policies and procedures aren’t being followed, it may be because employees are unaware of the policies and procedures, or your policies and procedures are too difficult to follow, or because you need other methods and systems to support compliance.

Ask yourself: How well do employees adhere to policies and procedures?

Dimension 6: Norms

Norms are the informal rules, those policies of the group that aren’t written down and formalized. They’re “just the way things are done around here.” Unfortunately, people are more likely to follow norms than comply with your policies due to perceived peer pressure.

What’s the fix? Seek out any disconnects between your norms and your policies. Find ways to influence your norms to better align with policy. This is accomplished through a combination of communication, social pressures, behavior design, and traditional training methods.

Ask yourself: To what extent are security-related beliefs, behaviors, and values embedded in the norms and unwritten rules of the organization?

Dimension 7: Responsibilities

An organization where every employee actively takes part in the security program is a good organization. Empowering employees to make relevant security decisions during their workday is a valuable strategy.

Likewise, making sure employees understand that even a tiny action can make a huge difference is mission critical. Try to focus on the positive change the employee can make instead of dreaded and ineffective fearmongering.

Ask yourself: To what extent do employees feel empowered? To what extent will they help ensure that other employees follow the rules?

For further reading in TechZone: Journey Mapping: Cultivating a Mindset for Security Awareness

About the Author

Perry Carpenter is author of the recently published, “The Security Culture Playbook: An Executive Guide To Reducing Risk and Developing Your Human Defense Layer.” [2022, Wiley] He is chief evangelist and security officer for KnowBe4 [NASDAQ: KNBE], the world’s largest security awareness training and simulated phishing platform.



Get stories like this delivered straight to your inbox. [Free eNews Subscription]
SHARE THIS ARTICLE
Related Articles

Choosing the right dedicated server: A crucial guide for website hosting

By: Contributing Writer    9/5/2024

Deciding how to host your website can be daunting, especially when considering a dedicated server. This type of hosting solution offers many benefits,…

Read More

How Web Application Firewalls Protect Against Common Threats

By: Contributing Writer    8/29/2024

Despite organizations' best efforts, cyberthreats are more prevalent than ever. The most common threats are becoming more dangerous for your data and …

Read More

Paying Attention to the User Experience: Nureva's New App Simplifies Workspace Audio Management

By: Alex Passett    8/27/2024

After launching its Nureva App in beta earlier this summer, Nureva has announced that this companion app is now fully available to HDL310 and HDL410 a…

Read More

Emerging AI Trends Set to Revolutionize Crypto Trading

By: Contributing Writer    8/26/2024

Anyone who wants to achieve success in crypto trading is well-aware that they need to keep up with the trends. The digital currency market moves fast …

Read More

The technology behind online video poker: welcome to the future

By: Contributing Writer    8/12/2024

Long gone are the days when the most we could do with our cell phones was call and play Snake (If you were born before 2000, you probably remember thi…

Read More