A cybersecurity culture is an important component of risk mitigation for your organization. Cybersecurity researchers have proposed frameworks for cultivating a security culture and metrics for assessing it. There are four questions to consider when reflecting on your culture:
- How is a cybersecurity culture defined?
- Does your culture align with this definition?
- What factors are essential to building a cybersecurity culture?
- How can you maintain a cybersecurity culture?
Top management support, policies and procedures, and awareness are critical to creating a cybersecurity culture. The research shares common foundations that inform the cybersecurity culture models it proposes, and questionnaires and surveys are the most commonly used instruments for measuring culture. Because the cyber threat landscape changes rapidly, culture-building measures must be ongoing and adaptive. Research highlights multiple factors that influence a cybersecurity culture; those with the most influence are top management support, security policies, and awareness and training. All of the factors are listed in Figure 1.
Figure 1: Factors Influencing Cybersecurity Culture
The most influential factor is support from top leadership. Clear policies and procedures for employees are another key factor, and employees' understanding of those requirements is vital to both building and maintaining a cybersecurity culture. Training is essential to increase security awareness, as is staff willingness to change: an organization that resists change will struggle to execute a cybersecurity plan. Compliance ensures that employees and the organization adhere to security standards and regulations, and it helps employees uphold organizational values.

Additional factors to consider are accountability and responsibility, user behavior or management, individual contributors, task management, and user motivations and behavior. These factors underscore employees' responsibility and the influence of their behavior within the organization. Commitment is another influential factor because it produces policy 'buy-in' and employee adoption of a security culture; commitment across the firm suggests that the relationship between an organization, its management and its employees determines the state of the security culture. Trust is also important and is linked to confidence in employees' actions and intentions. Protecting the firm's data and information, safekeeping private information and trusting the organization's communications all influence how much employees trust the firm.

Research also highlights rewards and approvals as a way to build awareness of the organization's cybersecurity plans and to bridge the gap between awareness and practice. Lastly, identifying internal cybersecurity advocates is an important factor: they help the team amplify security awareness messages, help employees adopt secure behaviors, identify security education, training and awareness (SETA) needs in skills, knowledge and behaviors, and report on progress.
Culture is created by the shared experience of a community and is represented by artifacts, espoused values and shared tacit assumptions. One framework breaks a cybersecurity culture into six dimensions: management support, policy and procedure, compliance, awareness, budget and technology. This is an example of a framework built on dimensions that can be divided further into the factors that affect culture. Your security culture framework also needs to cover four domains of human behavior factors: preparedness, responsibility, management, and society and regulations.
Finding the answers to your organizational definition of cybersecurity culture, and whether your organization aligns with that definition, often begins with research such as an employee survey. Surveys that evaluate culture provide useful metrics, allowing organizations to measure understanding and decide which areas of employee knowledge need intervention. Example survey statements include:
- "It is my responsibility to protect the information of my organization" and "I am always educated or trained about new security policies", which assess employees with a focus on their knowledge of policy.
Additional questions should cover the seven information security component categories: leadership and governance, security management and operations, security policies, security program management, user security management, technology protection and operations, and change. Example statements from these categories include:
- "I understand how information security is managed in ABC company to protect information" and "ABC company is committed to information security in order to protect information", which assess awareness and perception of how information is protected.
- "I believe I have a responsibility regarding the protection of ABC company's information assets (e.g., information and computer resources)", which measures perceived responsibility for protecting and governing data. The assessment focuses on understanding where employee knowledge, behavior and attitudes lie, since these are perceived to shape the security culture.
- "I know what the risk is when opening emails from unknown senders, especially if there is an attachment" and "I use my work email address on social networking sites", which measure employee knowledge of a specific risk and a specific behavior, respectively.
A cybersecurity culture survey should measure 11 dimensions: change management, privacy perception, user management, cybersecurity in practice, awareness, individual behavior, knowledge, organizational dimensions, organizational performance, knowledge and behavior, and security culture. Analyzing these dimensions helps identify gaps and highlight strengths on which to build a cybersecurity culture.
Without a community and an environment of trust, it is difficult to implement and foster a cybersecurity culture. Organizational, human and social needs must all be considered when maintaining that culture. Organizational culture has long been studied and is a key contributor to firm success; in today's rapidly changing technical environment, leadership must embrace security culture as a subculture of organizational culture. If you are interested in taking action to jumpstart your firm's adoption of a cybersecurity culture, or in doing due diligence on a potential firm prior to acquisition, contact our team to learn more.