The 7 Dimensions of Security Culture


The security industry has struggled to define security culture for a long time. Security leaders talk about its value, but they tend to do so without precision—which can be incredibly confusing for business leaders.

Here’s our take on security culture, developed over many years at the intersection of two worlds: academia and “in the trenches” practitioners. Security culture can be broken down into seven components, which we refer to as dimensions. These dimensions are interdependent; each one influences the others.

Dimension 1: Attitudes

The attitudes your employees have toward security is a critical factor. When employees take a negative view, they’re much less likely to abide by the rules and act securely. This means that finding ways to foster positive attitudes toward security can be a great strategy to improve employee behavior and, ultimately, your security culture.

Ask yourself: To what extent do employees care about security? Are they positive, neutral, or negative?

Dimension 2: Behaviors

What employees see other employees do impacts their own behavior. Most people are likely to adopt the behaviors they see modeled by others when they’re in a group. We’re also very likely to do what we’re told by someone in authority, suggesting that leadership should be actively involved in security.

Ask yourself: What are considered acceptable behaviors? What do employees see others doing?

Dimension 3: Cognition

What employees know can influence their behavior. However, just because someone is aware doesn’t mean they care! And even caring doesn’t always translate to behavior. This is what we call the “knowledge-intention-behavior gap.” Training is an important part of any security culture program, but it’s not the end-all.

Instead, consider training as only one of many tools in your toolbox. Support it with strong messaging from your executives and leadership teams, and make sure your employees understand why security is paramount.

Further support your training program through behavior design initiatives and by trying to foster other areas of influence, such as reward and reinforcement systems.

Ask yourself: What do employees know? How do they learn? How do they apply that knowledge?

Dimension 4: Communication

One of the skills of great leaders is their ability to communicate. Often, you’ll hear them repeat the same vision many times over, in many different forms and forums.

Great leaders recognize the importance of setting the agenda and repeating the message so that every employee can understand and relate. Security is no different: If you want it to happen, repeat your values often and find ways to make people talk about them.

Ask yourself: How is security communicated throughout the organization? To what extent is leadership involved? Is security considered a core value?

Dimension 5: Compliance

Organizations need rules to ensure employees know what’s allowed and what’s not. Some organizations are very good at implementing policies and incentives, whereas others are not.

If your security policies and procedures aren’t being followed, it may be because employees are unaware of the policies and procedures, or your policies and procedures are too difficult to follow, or because you need other methods and systems to support compliance.

Ask yourself: How well do employees adhere to policies and procedures?

Dimension 6: Norms

Norms are the informal rules, those policies of the group that aren’t written down and formalized. They’re “just the way things are done around here.” Unfortunately, people are more likely to follow norms than comply with your policies due to perceived peer pressure.

What’s the fix? Seek out any disconnects between your norms and your policies. Find ways to influence your norms to better align with policy. This is accomplished through a combination of communication, social pressures, behavior design, and traditional training methods.

Ask yourself: To what extent are security-related beliefs, behaviors, and values embedded in the norms and unwritten rules of the organization?

Dimension 7: Responsibilities

An organization where every employee actively takes part in the security program is a good organization. Empowering employees to make relevant security decisions during their workday is a valuable strategy.

Likewise, making sure employees understand that even a tiny action can make a huge difference is mission critical. Try to focus on the positive change the employee can make instead of dreaded and ineffective fearmongering.

Ask yourself: To what extent do employees feel empowered? To what extent will they help ensure that other employees follow the rules?

For further reading in TechZone: Journey Mapping: Cultivating a Mindset for Security Awareness

About the Author

Perry Carpenter is author of the recently published, “The Security Culture Playbook: An Executive Guide To Reducing Risk and Developing Your Human Defense Layer.” [2022, Wiley] He is chief evangelist and security officer for KnowBe4 [NASDAQ: KNBE], the world’s largest security awareness training and simulated phishing platform.

Get stories like this delivered straight to your inbox. [Free eNews Subscription]
Related Articles

Spotify's AI DJ is Gaining Traction, Expanding into New Markets

By: Alex Passett    6/1/2023

Music streaming giant Spotify previously launched its AI DJ feature in the U.S. and Canada, and now the U.K. and Ireland, as well. This AI-powered DJ …

Read More

Scepter, ExxonMobil and AWS to Develop Innovative Platform for Methane Monitoring

By: Greg Tavarez    6/1/2023

Scepter and ExxonMobil joined forces with AWS to develop an innovative data analytics platform aimed at characterizing and quantifying methane emissio…

Read More

Prepare for Impact: AI Will Revolutionize Every Organization, Application, and Service

By: Reece Loftus    5/30/2023

The opportunity cost in not embracing AI is very real because of the ways AI improves productivity and quality and reduces cost at an unprecedented ra…

Read More

NextPlane's Affordable Microsoft Teams PSTN Calling Solution for UCaaS and Service Providers

By: TMCnet Staff    5/23/2023

NextPlane's Affordable Microsoft Teams PSTN Calling Solution for UCaaS and Service Providers

Read More

5 Gmail Security Tips Every Business Should Know

By: Contributing Writer    5/17/2023

Gmail security refers to the various features and best practices implemented by Google to protect Gmail users' accounts and data from unauthorized acc…

Read More