The Security Culture Framework is designed as an on-going process running in iterations. Each iteration follows the PDCA-cycle, taking you closer to your goal using Security Culture Campaigns like the one in the illustration below.
A security culture campaign is the combined efforts of trainings and activities used in a specific timeframe, for example a 12-week cycle. During the campaign, you will run activities and content that are designed to move you closer to your defined goals for the period.
By the end of the campaign the awareness and behavior changes are measured, creating a new baseline as well as feed you more information about the current status in your organization. This is shown in the illustration as the feedback loop.
Using a feedback loop continuously helps you stay in control of your progress. You are also making it easy to discover discrepancies and unwanted outcomes, enabling you to adjust your activities.
The illustration above demonstrates how you use security culture campaigns to build security culture. Your campaigns may consist of any or all categorical components of Technology, Policies and Competence. Most of the time, you will find that a combination of all three components yields the best results by working together to support the desired outcome.
Next, the illustration show how you can choose one or several target audiences in your organization. People are different, as is evident in the illustration, and they may need to receive your message in different ways. Your CEO may need to hear about the strategic risk and economical effects, while the sales persons may need a very different approach making it relevant to his immediate work-flow. One size does not fit all.
When you reach the end of your campaign, you are looking for those «Now I get it» moments with the participants. Perhaps they all get it, perhaps only some does. As long as you are able to measure your results and use those metrics as input to your next iteration, you can adjust your course to create better results.
Where we do see awareness campaigns often fail, is the lack of using metrics and audits. Instead of measuring the outcomes, and using those metrics as input to the next iteration, they treat each campaign as a stand-alone solution, a one-off. The difference between a security awareness program and a Security Culture Campaign using the Security Culture Framework is exactly this: The framework use the campaigns as iterations in an on-going process to build and maintain security culture, following the principles of PDCA.