Security Culture

The ideas, customs, and social behavior of a particular people or society
that allows them to be free from danger or threats.

Are your employees the weakest link or a firewall?

Image: Paper cut-out of people holding hands to form a chain

The security industry tends to view the average employee in one of two ways: as the weakest link in the security chain or as part of a human firewall.

Of course, when both the number of security incidents and their impact continue to grow each year, the human-is-the-weakest-link paradigm can be an easy excuse to use — and it can be backed by social engineers demonstrating how easy it is to trick people into certain behaviours (i.e., giving away information or providing accidental access).

The human-as-a-firewall paradigm is based on the idea that humans have the ability to recognise and handle new patterns better than computers, and thus are better suited to taking care of (some) security decisions. Mainly, the human-as-a-firewall paradigm is driven as a counter-discourse to the human-as-the-weakest-link concept, providing an opposing view that results in different actions.

Both sentiments are used to argue that large investments must be made in order to increase employee awareness of security threats. The hope is that awareness training will lead to changes in behavior, which will result in a reduction in security incidents involving human interaction.

When these approaches lead to increased investments in technical and organisational security controls or when they are used to support technology with knowledge and illustrate why policies are in place, they are positive. However, either approach can be negative when used as an excuse for poor results or based on a poor understanding of the human mind.

Where the first paradigm’s disregard of human abilities looks down on employees, thus enabling and strengthening potential hostility between the employees and those in charge of security, the second paradigm may put too much focus on human abilities. Research into the human mind strongly suggests that we are predictably irrational (Ariely, 2008) when it comes to decision making and that context matters more than we like to accept.

Incorporate balance programmes

In fact, the human mind is more complex than these two paradigms suggest. Humans can be both weak links and firewalls — context, social setting, training, time and many other factors are at play.

Building and improving a security culture requires more than just awareness training. Programmes should be based on the risk profile of the organisation, and must start and end with the employee — taking into consideration the employee’s role, access to information, and security culture score. Programmes must engage employees and their colleagues in dialogue, curiosity and responsibility.

Organisational sociology researchers have for decades observed that a one-size-fits-all approach is ineffective. Results show that organisations that use organisational and technical controls, in combination with an understanding of their organisational needs, are generating better results than those organisations that fail to incorporate balanced programmes.

Measuring matters

Measuring security is a given when discussing technical controls, and just like technical controls, organisational controls like security culture must be measured in order to understand and manage change. Measuring security culture gives guidance to improve organisational security. When such metrics are put into practice, the true state of security culture can be assessed and effective decisions can be made on the information generated.

If organisations want to elicit change (i.e. build a security culture, improve security behaviours and reduce risk), greater focus should be placed on the main determinants of change. Combining state-of-the-art web survey research, predictive analytics and business intelligence allows complex internal organisational processes to be monitored and analysed. The information gathered can be used to aid decision makers to efficiently improve their organisational processes and drive desired change.

What next?

Originally posted on the CLTRe Blog, this post has been repurposed for the SCF community.

Aimee Laycock

Chief Operating Officer at CLTRe AS
Although relatively new to Information Security, joining in the industry in 2016, Aimee is an enthusiastic and engaged member of the community. She has been working with CLTRe since its conception and enjoys speaking on the importance of measuring security culture, its influences on improving risk management practices, and sharing security culture success stories.