Security Culture is defined as the ideas, customs, and social behaviors of a group that influence its security.
Security culture can be considered a part of a broader company culture but requires its own specific tasks, objectives and responsibilities to achieve. A positive company culture by itself will not guarantee a strong security culture.
“But why should I care about security culture?” you might be thinking. Your employees may have bad security-related behaviors either acquired on their own or through a lack of organizational focus and discipline. These habits can be hard to break. But in this case, favorably changing employee behaviors by architecting a meaningful and relevant security culture could protect your organization and executives from brand damage, reputational loss, and financial hardship.
Your employees’ knowledge, beliefs, values, and behaviors will be the difference between protection and breach. That’s why focusing on security culture is so important. An organization’s employees are at the center of everything; they can either be easy prey, or they can become an effective human layer of defense.
We asked our Security Awareness Advocates for their expert advice on how to develop a strong security culture over time, once you have a strong security awareness training program in place. This is what they had to say:
Here are their main takeaways:
One side effect of being the world’s most popular security awareness training and simulated phishing platform is that KnowBe4 has collected billions of data points from training campaigns, phishing simulations, and employee surveys. As a result, KnowBe4 has the largest dataset in the world when it comes to security culture.
The KnowBe4 Research team has adapted that data to be used in a new and groundbreaking way: to provide the industry’s first data-driven maturity model specifically geared to measure security culture.
The Security Culture Maturity Model is an evidence-driven framework for understanding and benchmarking the current security-related maturity of an organization, industry vertical, region, or any measurable group. It has five levels ranging from least to most mature: basic compliance, security awareness foundation, programmatic security awareness & behavior, security behavior management, and sustainable security culture.
The solid blue S-Curve represents the specific awareness, behavior and culture benefits an organization will achieve at each stage. Notice the inflection points and crossover point for each of the S-Curves. The inflection points and crossover point each represent the real behavioral gains that an organization can expect as they begin to focus on shaping employee behavior through a combination of training, frequent simulations and reinforcement tactics.
Also notice the relationship between the two curves. As security awareness, behavior and culture increase, the likelihood of human-related breach and cost of remediation (the dotted red S-Curve) decrease. And again, there is a sharp inflection point as organizations move beyond knowledge-based awareness and begin intentionally focusing on behavior and the social aspects of how employees value security.
Additionally, there is a gap between the top of the blue line and the top right of the chart, and there is an even more noticeable gap between the very end point of the dotted red line and the bottom point of the final level. These represent a simple truth: no organization will fully “arrive”, and no organization will ever be fully beyond the possibility of experiencing a human related breach. That’s the nature of any security measure, technology-based or human-based. No security layer (technical or human) is able to make an organization 100% secure, but each additional layer of security you add provides additional resilience.
Ready to explore the Security Maturity Model and see where your organization fits in?
In security, there are three interrelated pillars that organizations need to build and maintain: people, tools, and processes. The “people” aspect, and in particular the understanding of how people use tools and processes, can be hard to understand. Put simply, people are complicated.
By examining the behavior and security culture of tens of thousands of employees across thousands of organizations, KnowBe4 has observed a link between the level of security culture in an organization and the measured secure behavior of its employees. The dataset used to identify these patterns combines the measured behaviors of employees, as recorded by the KnowBe4 Kevin Mitnick Security Awareness Training (KMSAT) phishing assessment platform, with the measured security culture of those same employees’ organizations, as collected through our scientific Security Culture Survey.
Years of research work led our team to distill seven dimensions of security culture that have a direct or indirect impact on the security of the organization. The seven dimensions are: Attitudes, Behaviors, Cognition, Communication, Compliance, Norms, and Responsibilities.
Each dimension is separately observed, measured and understood on a continuum from low risk to high risk. This is informative for organizations, especially when the dimensions are seen together. Combining the dimensions creates an accurate estimate of an organization’s security culture and allows an organization to fully and deeply understand the human risks involved and make reliable predictions.
Data obtained by measuring each dimension of security culture allows for direct comparisons of the extent to which each dimension of security culture is developed. In other words, these metrics reveal which dimensions are most problematic and risky.
In concrete terms, our continuing research into this topic shows that improving one’s security culture directly translates into more secure employee behaviors and into an overall reduction of organizational risk. While investment in security culture may have been difficult to justify in the past, this research shows a strong return on such an investment, along with additional value.
The findings of our own research on security culture and risky employee activities demonstrate a 52x difference in credential-sharing behavior between the worst class (Poor) and the best class (Good). This means that the more focus an organization gives to security culture, the greater the likelihood that its employees will follow secure practices and adopt more secure behaviors.
The following graph shows the number of actions (out of 1,000) taken by employees. The columns represent the different actions (Opening, Clicking, Entering Data), and the column groups represent the security culture class. The black line shows how the risk is reduced by moving from one class to another.
Long story short: Improving security culture should be the number one strategy for organizations to protect themselves. A structured approach to manage the security culture should be implemented, and that approach should involve timely measurements to be taken by all employees.
Here are some practical steps your organization can take to start a journey toward improving security culture:
With 82% of data breaches being caused by social engineering or human error, it is clear that organizations can’t afford to neglect the importance of the human side of cybersecurity. Over the past few years, there has been a meteoric rise in attacks seeking to bypass technology by targeting humans. And it’s working. Ransomware continues to make headlines due to large scale attacks like those that targeted the US’s largest gasoline pipeline, JBS Foods and Kaseya.
This trend only grows as technology-based defenses improve. Attackers are drawn to the path of least resistance: they want to save time, effort, and cost. Because technology-based defenses can be difficult to penetrate using technology-only attack methods, cybercriminals view employees as the most attractive target, and employees have become the de facto attack vector of choice. This is why focusing on security culture, and on the knowledge, beliefs, values, and behaviors of the people who make up the organization, is so important.
SecurityCoach is the first real-time security coaching product created to help IT and Security Operations teams further protect your organization’s largest attack surface — your employees. Introducing a new category of technology called Human Detection and Response (HDR), SecurityCoach helps strengthen your security culture by enabling real-time coaching of your users in response to their risky security behavior.
Explore these free resources to learn more about the importance of security culture and how to bring these lessons and elements into your organization.