Security Culture

The ideas, customs, and social behavior of a particular people or society
that allows them to be free from danger or threats.

Facts or fiction?

 2015_09_30_rulers

Introduction

A few months ago I was a satisfied participant on The Security Culture Summer Camp 2015, which turned out to be much fun, new stuff learned, and quite a lot of work.

During several weeks the participants attended lectures, read articles, and got assignments to solve. It is the latter, which is my rather sneaky way to get into this blog item’s topic.

The assignments had as a premise that one should use the participants’ own organization as the basis for solving the assignments.

Typically, Assignment 1 started like this: “In your organization,….

However, at that point in my life, I was between jobs, and “my organization” did not exist. Nor was I particularly eager to use any of the organizations where I had previously worked as “my organization” for the assignments. 

What to do?

A fictive organization in a fictive environment

After some contemplation, I decided that I should use my (minor) skills as a storyteller and create my own organization to use for the four assignments for the summer camp. As I will try to show in this blog item, this turned out to give me some ideas that I believe may be useful to share to others in the information security community.

When I had made up my mind to create such a mock-up organization, I soon found out that this had the potential to be quite fun. After all, this was my organization, and I could make whatever I wanted, populate the organization with the employees I wanted, assign any vision and goals for the organization and so on. 

Obviously the whole project turned out to be quite a lot of work, as I had to describe the organization and its environment in some detail in order to make this work. However, it turned out to be quite fun as the work progressed, and I ended up with the following organization in a fictional country.

REPENT, which is an acronym for (Research, Evaluate and Publish Excluded News Topics). This non-governmental organization has approximately 50 employees and is not popular by the government (or government-friendly corporations) in my fictional country, as it often publish information that governmental bodies find embarrassing. 

One (among several) mechanisms the organization has set up to protect itself, and its employees, is the mandatory use of surname aliases by all the employees. Creating these aliases for almost 50 of my “co-workers” was a real thrill. I chose to pick the surnames from different sport and gaming activities (why not?), and ended up with names like, Jessica Mastermind (head of HR, needles to say), my own favorite, Skye Diving, Lily Badminton, Blue Golf, Jerry Bobsled, and yours truly, Per Olav Backgammon. Obviously REPENT’s head was the infamous Sylvia Battleship…

By using this organization, with its plethora of threats, various defense mechanisms, challenges and dedicated employees, as the basis for my organization, I was able to complete the summer camp’s assignments.

More interestingly in this context, though, during my work with this I discovered something, which surprised me.

A new perspective

I noticed that I had to use a much broader view on information security challenges and defense mechanisms than what I had expected.

Previously my perspective was influenced by my knowledge of the particular organization that was analyzed. Now I had to examine an unknown type of organization against threats from an unknown environment. Additionally I had to view “my co-workers” in this fictional organization not as belonging to a culture that I knew well, but potentially belonging to any culture. 

This forced me to examine the internal (inside the organization) and external (beyond the organization’s perimeter) variables more thoroughly and with a more open mind. I lacked my “normal” knowledge and prejudices.

I believe that this experience may prove useful for others as well, as I will attempt to explain.

An alternative approach to internal security training

A much used approach to security training is to use the organization that the employees belong to as the “case” for the training. Obviously this has several advantages that I shall not discuss here. 

On the other hand I believe, based on my experience this summer, that one can achieve interesting, and potentially different results by using a totally different type of organization as the case that is studied by the participants in the information security training.

Some points may be worth mentioning:

  • Any attendant can express him-/herself quite freely, as no living person or existing organization is involved and can be offended.
  • The attendees are more easily able to “feel” the new roles – they are free to enter and define (within limits) the roles they are assigned, rather than being influenced by existing roles in their organization and their views of these.
  • The person who conducts the information security training is able to define various problems and challenges that the attendees shall examine.  These case studies can be defined freely and without restrictions from real-life situation that we all are bound by.
  • Once the setup is created, which requires some initial work, I admit, it can be re-used in different organizations, and can be used for several subsequent training sessions within one organization, as the users will be familiar with the general setup.
  • I believe that if the mock-up organization is created with a certain informal and fun approach, the persons who attend the training will be willing and able to enter their roles with an open and relaxed mind-set.  This is beneficial in any training session.
  • It has great potential be fun, which is always an advantage for any training’s success.

Final warnings

It is of course important to have in mind though, that the objective of the training shall not be fun (only).

In order for this type of training to succeed and be useful for an organization, the personnel who attend must learn something that is useful in their current (and future) work. Their way of thinking about information security issues should have been changed.

The person who is responsible for the training should therefore be able to facilitate the specific results from the training into general knowledge, and also into knowledge and cultural change that is relevant for the real organization(s), the students belong to.

I would like to end with stressing that the type of information security training as I have outlined above with a fictitious organization, should not as an alternative to training with the real organization as the focus. One should see the two as complimentary with potential useful results derived from each method.

Good luck with your information security training!

Profile photo of Per Olav Førland

Per Olav Førland

Per Olav Førland is educated with a master in economics. He has been working in the IT industry since the mid ‘80s, and with information security since the mid ’90.
He has the following certifications: ISO/IEC 27001 Lead Implementer, PRINCE2 Foundation, Certified Security Culture Practitioner (CSCP), and EUCIP Core level.
He currently works as an independent information security consultant
His hobbies are reading and listening to music (rock and opera).
Profile photo of Per Olav Førland

Latest posts by Per Olav Førland (see all)

%d bloggers like this: