Creating awareness and security culture requires a lot of hard work if you want to succeed. Using the Security Culture Framework, you can design and implement the security culture you want, which is great. The SCF itself offers an over-arching framework within which you can build and maintain your culture – but sometimes you want a more hands-on approach, a methodology directly focused on security awareness activities.
When that happens, you may look at Tom Andreas Mannerud´s Security Awareness Cycle, a methodology that is based on his award winning graduation project, and one that closely aligns with the SCF. You will recognize the different steps – from defining your metrics, to understanding your audience, and creating materials that will help you succeed with your goals.
The most important addition and focus area of Tom´s work is his focus on behaviors. He says you need to understand and map out the behavior you like/do not like, and then target that behavior with your activities. As behaviors are an important part of culture, and awareness alone does not change behavior, the focus on behaviors in Tom´s work helps you focus your efforts and budgets where it really matters – to change the behaviors into the kind of culture you want.
* Ron Knode Service Award by the Cloud Security Alliance
* NCI Fellow at the National Cybersecurity Institute in Washington DC
* JCI ITF #132
* Amazon Bestselling Author
Author/editor of the success books:
* Build a Security Culture, IT-Governance 2015
* Protecting our Future (Chapter: Cybersecurity in International Perspective), Hudson Whitman 2013
* The Cloud Security Rules (Editor, author), The Roer Group 2012
* The Leaders Workbook, The Roer Group 2010
Latest posts by Kai Roer (see all)
- Join the 2017 Security Culture Conference - March 7, 2017
- Interview with Wolfgang Goerlich on Security Culture - February 8, 2016
- How Culture Impacts Negotiations - December 2, 2015