An effective security culture survey focuses on 5 characteristics and generally includes 20 - 30 questions to measure the characteristics. The characteristics and example questions are below:
Attitudes: The feelings and beliefs that employees have toward the security protocols and issues.
I know where to access internal resources to help me make good security decisions
Behavior: The actions and activities of employees that have direct or indirect impact on the security of the organization.
My work contributes to the overall security of the company, clients and employees?
Cognition: The employees’ understanding, knowledge and awareness of security issues and activities.
I am confident that I could recognize a security issue or incident if I saw one
Communication: The quality of communication channels to discuss security-related events, promote a sense of belonging, and provide support for security issues and incident reporting.
I know exactly where to go in the organization when I need a security expert
Compliance: The knowledge of written security policies and the extent that employees follow them.
Security policies at the company are easy to follow
Cultural Norms: Unwritten expectations regarding appropriate behaviors pertaining to usage of information technology in organizational context, perception of what practices are normal and unproblematic.
People from outside the security team are encouraged to participate and ask questions about security
Responsibility: The employees’ perceived role as a critical factor in sustaining or endangering the security of the organization.
The security team and my team are working towards the same goals
Additional insights can be gleaned about the strengths and weaknesses of specific channels such as email, incident reporting, mobile, password management, awareness training, social media and the internet.
With the Security Culture Survey, you get the measure of your security culture at every level of your organization. Creating a benchmark provides a baseline that you can measure against over time and set SMART goals for your company. Measuring organizational culture towards information security helps identify key areas of concern within your organization (such as potential insider threats) and identify the strengths and weaknesses of the security culture.
From leadership down to individual contributors, get real insight into the security culture of your organization. The Security Culture Survey helps you get a better understanding of the impact and effectiveness of your cybersecurity culture. If you need help getting started, contact our team for more information!