Security Culture

The ideas, customs, and social behavior of a particular people or society
that allow them to be free from danger or threats.

An evidence-based approach is the key to security culture success

Last year’s industry benchmarks (published in CLTRe’s 2018 Security Culture Report) reveal how specific industry sectors stand apart in terms of their security culture maturity and how different measures are needed to address their unique cultural issues if they are to successfully and effectively improve security. Let’s take the Retail and Wholesale Trade sector as an example.

With a score 14 points below the global standard (60), this sector scores worse on the Behaviors dimension than all the other sectors included in the study. On the other hand, the above-average scores for Attitudes, Cognition and Compliance indicate that employees within the Trade sector have a higher-than-average understanding of security and how it relates to their own role in their organization, and that they are more positive towards, and more adherent to, the organizational measures put in place to protect them and the security of information.

Chart showing the SCR 2018 Industry Benchmark for the Retail & Wholesale Trade sector, where the dashed green line shows the overall security culture score for the sector (i.e. the average of all the dimensional scores) and the red lines provide a comparison with the global benchmarks (i.e. an average of all sectors studied) indicating the global standard for each dimension of security culture.

A major challenge in adequately educating the workforce on cybersecurity in the retail sector is high employee turnover. To improve the security culture transformation whilst minimizing cost, a clear strategy is needed, with a strong focus on segmenting the workforce based on roles, positions and exposure to cybersecurity risks.

Using a standard of measurement for identifying the needs of different workforce segments makes it possible for organizations to differentiate their communication and training content accordingly. The 2018 Trade Industry Benchmark shows why this sector requires dramatic changes to how it assesses, monitors, educates and changes its employees’ behavior. 

Organizational measures to build security culture are significantly more effective when organizations take an evidence-based approach. In a similar-themed post, published last week, I explained how finance-sector customers used the data collected from their security culture measurement to better understand the needs of their employees and create “campaign audiences” (i.e. segment their workforce based on their different perceptions and understanding of security) to adapt their security culture program.

As a result, finance-sector customers within Fund Management were able to document a decrease in risky behaviors of up to 16.7% (from 63 to 73.5 points) in one year. Another noticeably felt cultural change was a 17-point increase in individuals’ sense of responsibility towards security.

With these insights, an organization is able to take an evidence-based approach and plan measures that directly address the weaknesses identified in the first measurement. That first measurement creates a baseline from which effectiveness can be measured.

Having a starting point metric (a baseline) for each segment enables organizations to track progress and gives them a detailed understanding of what makes that particular segment different from the others and how it should be treated. Subsequent measurements record how the security culture of these segments changes so that progress can be tracked and demonstrated.

Organizational measures to build security culture are significantly more successful when organizations take an evidence-based approach. This is how organizations learn whether their security culture strategy is effective and can compare their results against their industry benchmark as a measure of their success.

Contact CLTRe directly to learn more: https://get.clt.re/demo


Aimee Laycock

Chief Operating Officer at CLTRe AS
Although relatively new to Information Security, having joined the industry in 2016, Aimee is an enthusiastic and engaged member of the community. She has been working with CLTRe since its conception and enjoys speaking on the importance of measuring security culture, its influences on improving risk management practices, and sharing security culture success stories.