Security Culture

The ideas, customs, and social behavior of a particular people or society
that allow them to be free from danger or threats.

Welcome aboard!

Welcome to the Security Culture Framework, the free and open framework to build and maintain security culture. This is a community site where you can download templates, discuss best practices, share and learn about the Security Culture Framework, and about how to create lasting security culture in your organization. If you want to do more than just reading the main…

The Security Culture Conference 2016

A couple of weeks ago I was back in beautiful Oslo (One of my favourite cities – I could definitely live there!) for the Security Culture Conference. Last year we had around 25 people for the inaugural conference which was held on an island just outside the city – see my write up on that here. This year, however, the…

Serious gaming: learning to identify risks

Gaming in security culture training is not about learning rules by heart, but about learning to identify risks. Serious gaming is a way to enhance the security culture among employees. To learn more about the impact of gaming, I organized a meeting of the Security Culture User Group the Netherlands on the subject. In this blog I share some…

Are your information security goals SMART?

Have you already set your goals for your information security program? Did you ensure that the goals are Specific, Measurable, Achievable, Relevant and Time-specific (S.M.A.R.T)? Ensure that your goals are S.M.A.R.T! And you may ask yourself, how do I know if my goals are SMART? Let’s demonstrate how you can take a goal and test it. Let’s assume you set…

Subjective Metrics

The Security Culture Framework, quite rightly, suggests you begin your journey towards a security culture by looking at metrics. Start out by defining the current situation, known as As-Is. Then, document your target situation, known as To-Be. The next stage is to conduct a gap analysis between the two states. The SCF then goes on to talk about result goals…

CLTRe Crew at CeBIT 2016

Last week, the Security Culture Framework was showcased at the huge, global ICT event CeBIT in Germany. The SCF was showcased by CLTRe, the Norwegian company that assesses, builds and improves security culture with their SaaS-based toolkit. CLTRe was at CeBIT as part of the IBM booth. As you can see in the pictures below, CLTRe and IBM had a great…

How much is privacy worth?

Finding medical information in old paper files is time consuming and therefore costly. Let’s scan the lot and link it to our electronic health records! Of course at low costs. No problem in the prize fighter market of scanning companies.

Detainees working with our medical records

Recently public broadcast corporation Max broadcasted a documentary in the Netherlands on hospitals…

My organization?

My organization, what do they know about security that may help me? You may ask when first learning about the Security Culture Framework in the organization module. As the expert at information security you are sure that you have all the skills needed to educate your organization in how they shall adapt to the security rules that you have…

An ordinary data breach

Recently I received an email from a nursing home. It was not meant for me, and it was full of confidential information. How did that happen? I am the owner of the domain merwe.nl and so I receive any mail addressed to email addresses ending with @merwe.nl. The nursing home has admitted a patient Van de Merwe and they…

Culture includes both the artist and their audience

What does the word “culture” mean to you? When I think of culture I think of it as something that encompasses an entire society of people, not just a subset; so a security culture should consist of everyone within the scope of a security domain – whether that’s an organisation, group, location or other defined range. That said, your…