The 7 Dimensions of Security Culture

The security industry has struggled to define security culture for a long time. Security leaders talk about its value, but they tend to do so without precision—which can be incredibly confusing for business leaders.

Here’s our take on security culture, developed over many years at the intersection of two worlds: academia and “in the trenches” practitioners. Security culture can be broken down into seven components, which we refer to as dimensions. These dimensions are interdependent; each one influences the others.

Dimension 1: Attitudes

The attitudes your employees have toward security are a critical factor. When employees take a negative view, they’re much less likely to abide by the rules and act securely. This means that finding ways to foster positive attitudes toward security can be a great strategy to improve employee behavior and, ultimately, your security culture.

Ask yourself: To what extent do employees care about security? Are they positive, neutral, or negative?

Dimension 2: Behaviors

What employees see other employees do impacts their own behavior. Most people are likely to adopt the behaviors they see modeled by others when they’re in a group. We’re also very likely to do what we’re told by someone in authority, suggesting that leadership should be actively involved in security.

Ask yourself: What are considered acceptable behaviors? What do employees see others doing?

Dimension 3: Cognition

What employees know can influence their behavior. However, just because someone is aware doesn’t mean they care! And even caring doesn’t always translate to behavior. This is what we call the “knowledge-intention-behavior gap.” Training is an important part of any security culture program, but it’s not the end-all.

Instead, consider training as only one of many tools in your toolbox. Support it with strong messaging from your executives and leadership teams, and make sure your employees understand why security is paramount.

Further support your training program through behavior design initiatives and by trying to foster other areas of influence, such as reward and reinforcement systems.

Ask yourself: What do employees know? How do they learn? How do they apply that knowledge?

Dimension 4: Communication

One of the skills of great leaders is their ability to communicate. Often, you’ll hear them repeat the same vision many times over, in many different forms and forums.

Great leaders recognize the importance of setting the agenda and repeating the message so that every employee can understand and relate. Security is no different: If you want it to happen, repeat your values often and find ways to make people talk about them.

Ask yourself: How is security communicated throughout the organization? To what extent is leadership involved? Is security considered a core value?

Dimension 5: Compliance

Organizations need rules to ensure employees know what’s allowed and what’s not. Some organizations are very good at implementing policies and incentives, whereas others are not.

If your security policies and procedures aren’t being followed, it may be because employees are unaware of them, because they are too difficult to follow, or because you need other methods and systems to support compliance.

Ask yourself: How well do employees adhere to policies and procedures?

Dimension 6: Norms

Norms are the informal rules, those policies of the group that aren’t written down and formalized. They’re “just the way things are done around here.” Unfortunately, people are more likely to follow norms than comply with your policies due to perceived peer pressure.

What’s the fix? Seek out any disconnects between your norms and your policies. Find ways to influence your norms to better align with policy. This is accomplished through a combination of communication, social pressures, behavior design, and traditional training methods.

Ask yourself: To what extent are security-related beliefs, behaviors, and values embedded in the norms and unwritten rules of the organization?

Dimension 7: Responsibilities

An organization where every employee actively takes part in the security program is a good organization. Empowering employees to make relevant security decisions during their workday is a valuable strategy.

Likewise, making sure employees understand that even a tiny action can make a huge difference is mission critical. Try to focus on the positive change the employee can make instead of dreaded and ineffective fearmongering.

Ask yourself: To what extent do employees feel empowered? To what extent will they help ensure that other employees follow the rules?

For further reading in TechZone: Journey Mapping: Cultivating a Mindset for Security Awareness

About the Author

Perry Carpenter is author of the recently published “The Security Culture Playbook: An Executive Guide To Reducing Risk and Developing Your Human Defense Layer” (Wiley, 2022). He is chief evangelist and security officer for KnowBe4 (NASDAQ: KNBE), the world’s largest security awareness training and simulated phishing platform.
