The Security Culture Framework consists of four modules:
- Metrics: What to measure, why and how
- Organization: Whom to involve
- Topics: What topics to cover
- Planner: When do we do the different activities
The Framework asks you to start at the top and work your way towards the bottom. Or, if using the illustration, start in the top-right corner and work your way around clockwise.
Every module has several parts and processes. It is not necessary to complete one module before you start working on the next. In fact, the modules interconnect and require that you work on them in parallel.
The Framework draws from project management and process management. Activities can be organized as campaigns – projects running for a shorter timespan (1-3 months), enabling easy monitoring of progress and change. This approach makes it easy to improve campaigns to further enhance the desired outcome.
The Framework is a dynamic approach where you will use past activities and experience to improve the content and activities in your security culture program.
Who can use the framework to build security culture?
Anyone who works with security in an organization will find the Security Culture Framework useful. The framework is designed to be flexible and adaptable, so it is easy to apply to your existing organizational needs.
The outcome of the work with the framework depends on a great number of things, among them:
- your level of understanding of the framework itself
- your level of understanding of culture, security culture and security awareness
- your ability to include and involve other key resources in your security culture program
- your ability to leverage existing competence in your organization
The second module, Organization, is designed to help you understand who to involve, why and how.