Security Culture

What Is Security Culture?

Security Culture is defined as the ideas, customs, and social behaviors of a group that influence its security.

Security culture can be considered a part of a broader company culture but requires its own specific tasks, objectives and responsibilities to achieve. A positive company culture by itself will not guarantee a strong security culture.

“But why should I care about security culture?” you might be thinking. Your employees may have bad security-related behaviors either acquired on their own or through a lack of organizational focus and discipline. These habits can be hard to break. But in this case, favorably changing employee behaviors by architecting a meaningful and relevant security culture could protect your organization and executives from brand damage, reputational loss, and financial hardship.

Your employees’ knowledge, beliefs, values, and behaviors will be the difference between protection and breach. That’s why focusing on security culture is so important. An organization’s employees are at the center of everything; they can either be easy prey, or they can become an effective human layer of defense.

Measuring Security Culture - The Security Culture Maturity Model

One side effect of being the world’s most popular security awareness training and simulated phishing platform is that KnowBe4 has collected billions of data points from training campaigns, phishing simulations, and employee surveys. As a result, KnowBe4 has the largest dataset in the world when it comes to security culture.

The KnowBe4 Research team has adapted that data to be used in a new and groundbreaking way: to provide the industry’s first data-driven maturity model specifically geared to measure security culture.

The Security Culture Maturity Model in Detail

The Security Culture Maturity Model is an evidence-driven framework for understanding and benchmarking the current security-related maturity of an organization, industry vertical, region, or any measurable group. It has five levels ranging from least to most mature: basic compliance, security awareness foundation, programmatic security awareness & behavior, security behavior management, and sustainable security culture.

The Maturity Level S-Curves

The solid blue S-Curve represents the specific awareness, behavior and culture benefits an organization will achieve at each stage. Notice the inflection points and crossover point for each of the S-Curves. The inflection points and crossover point each represent the real behavioral gains that an organization can expect as they begin to focus on shaping employee behavior through a combination of training, frequent simulations and reinforcement tactics.

Also notice the relationship between the two curves. As security awareness, behavior and culture increase, the likelihood of human-related breach and cost of remediation (the dotted red S-Curve) decrease. And again, there is a sharp inflection point as organizations move beyond knowledge-based awareness and begin intentionally focusing on behavior and the social aspects of how employees value security.

Additionally, there is a gap between the top of the blue line and the top right of the chart, and there is an even more noticeable gap between the very end point of the dotted red line and the bottom point of the final level. These represent a simple truth: no organization will fully “arrive”, and no organization will ever be fully beyond the possibility of experiencing a human related breach. That’s the nature of any security measure, technology-based or human-based. No security layer (technical or human) is able to make an organization 100% secure, but each additional layer of security you add provides additional resilience.

Ready to explore the Security Maturity Model and see where your organization fits in?

Get your copy of the maturity model now!

The Seven Dimensions of Security Culture

In security, there are three interrelated pillars that organizations need to build and maintain: people, tools, and processes. The “people” aspect, and in particular the understanding of how people use tools and processes, can be hard to understand. Put simply, people are complicated.

By examining the behavior and security culture of tens of thousands of employees across thousands of organizations, KnowBe4 has observed that the link exists between the level of security culture in an organization and the measure of secure behavior of its employees. The dataset used to identify these patterns combines the measured behaviors of employees, as measured using the KnowBe4 Kevin Mitnick Security Awareness Training (KMSAT) phishing assessment platform, and the measured security culture of the organizations of the same employees, as collected through our scientific Security Culture Survey.

Years of research work led our team to distill seven dimensions of security culture that have a direct or indirect impact on the security of the organization. The seven dimensions are: Attitudes, Behaviors, Cognition, Communication, Compliance, Norms, and Responsibilities.

Attitudes are defined as the feelings and beliefs that employees have toward security protocols and issues.They are commonly expressed in terms such as prefer, like, dislike, hate, and love, attitudes involve a preference for or against something.
Behaviors are defined as the actions and activities of employees that have direct or indirect impact on the security of the organization.
Cognition is defined as the employees’ understanding, knowledge and awareness of security issues and activities.
Communication is defined as the quality of communication channels and their effectiveness at discussing security-related events, promoting sense of belonging and providing support for security issues and incident reporting.
Compliance is defined as the knowledge of written security policies and the extent that employees follow them.
Norms are defined as the knowledge of and adherence to unwritten rules of conduct in the organization. In the context of information security, “norms” describe how security-related behaviors are perceived by employees as normal and accepted or unusual and unaccepted.
Responsibilities are defined as how employees perceive their role as a critical factor in sustaining or endangering the security of the organization.

Each dimension is separately observed, measured and understood on a continuum from low risk to high risk. This is informative for organizations, especially when the dimensions are seen together. Combining the dimensions creates an accurate estimate of an organization’s security culture and allows an organization to fully and deeply understand the human risks involved and make reliable predictions.

Data obtained by measuring each dimension of security culture allows for direct comparisons of the extent to which each dimension of security culture is developed. In other words, these metrics reveal which dimensions are most problematic and risky.

Security Culture in Practice

In concrete terms, our continuing research into this topic shows improving one’s security culture directly translates into more secure employee behaviors and to the overall reduction of organizational risk. While investment may have been difficult to obtain in the past, this research shows a strong return on such an investment and additional value.

The findings of our own research conducted on security culture and risky employee activities demonstrate a 52x difference between the behaviors of credential sharing in the worst class (Poor) and the best class (Good). This means the more focus given to security culture, the greater the likelihood that employees will follow secure practices and adopt more secure behaviors.

The following graph shows the number of actions (out of 1,000) taken by employees. The columns represent the different actions (Opening, Clicking, Entering Data), and the column groups represent the security culture class. The black line shows how the risk is reduced by moving from one class to another.

Long story short: Improving security culture should be the number one strategy for organizations to protect themselves. A structured approach to manage the security culture should be implemented, and that approach should involve timely measurements to be taken by all employees.

Here are some practical steps your organization can take to start a journey toward improving security culture:

Risk Assessments: Set-up periodic assessments, or better yet, continuous monitoring of your organization's risks. Make sure that your risk assessment includes the human factors as measured by security culture, knowledge and behavior of the organization and its employees.
Use the Seven Dimensions: Actively work on building a strong security culture using the seven dimensions as a guideline for improvement.
Train and Measure Through Engagement and Automation: Partner with KnowBe4 to design and automate the right awareness training program to fit your diverse audience, including engaging content, attack simulations and unique communication tools.
Communicate Often: Communicate often by partnering with other departments and connecting their messages to overall security initiatives.
Use the Champion Model: Consider mobilizing a champion program across your organization in order to have advocates in every department, region and country who can further translate and embed the security message within your organization.
Engage with Your Peers: The security landscape is always changing and it is difficult to keep track of it all. Leverage your security community to learn from others, and to share your own knowledge and experience.

The Cost of Not Focusing on Security Culture

With 82% of data breaches being caused by social engineering or human error, it is clear that organizations can’t afford to neglect the importance of the human side of cybersecurity. Over the past few years, there has been a meteoric rise in attacks seeking to bypass technology by targeting humans. And it’s working. Ransomware continues to make headlines due to large scale attacks like those that targeted the US’s largest gasoline pipeline, JBS Foods and Kaseya.

This trend only grows as technology-based defenses improve. Attackers are drawn to the path of least resistance. They want to save time, effort, and cost. And because technology-based defenses can be difficult to penetrate using technology-only attack methods, cybercriminals view employees as the most attractive attack vector. Because of this, employees have become the de facto attack vector of choice for cybercriminals. Their knowledge, beliefs, values, and behaviors will be the difference between protection and breach. That’s why focusing on security culture is so important. An organization’s employees are at the center of everything; they can either be easy prey, or they can become an effective human layer of defense.

Strengthen Your Security Culture with SecurityCoach

SecurityCoach is the first real-time security coaching product created to help IT and Security Operations teams further protect your organization’s largest attack surface — your employees. Introducing a new category of technology called Human Detection and Response (HDR), SecurityCoach helps strengthen your security culture by enabling real-time coaching of your users in response to their risky security behavior.

Learn more about SecurityCoach >>

Get a free preview of SecurityCoach >>