The way people use cyber resources and interact with computers is often considered the weakest link in protecting an organization's cybersecurity. Security awareness training is useful, but an effective security culture program is more beneficial, and it is the element most often overlooked in organizations. Most security workshops and awareness trainings improve one's security knowledge but not one's behaviour. Behavioural scientists have shown that in most cases people make decisions based on intuition, emotion and social pressure rather than on knowledge. This is one of the major reasons why experts push for embedding information and cybersecurity culture within the organizational strategy.
The use of advanced hardware and software security solutions is considered vital for the protection of digital information, yet we somehow neglect the behaviour of the human users who manage these technologies. These human users should be considered an integral component of the security system. Their behaviour and attitude, more than their knowledge, have a major impact on the security of these systems.
Cyber Security Culture
Bruce Schneier and RSA introduced the concept of layers above the seven-layer abstract OSI model. Layer 8 refers to the "individual person" or "human". Any security system is only as strong as its weakest component, and very often it is the behaviour of the human operators that represents the weakest part. When an employee's behaviour and attitude do not reflect the security policy of the organization, security weaknesses are created.
The European Union Agency for Network and Information Security (ENISA) defines cybersecurity culture as the beliefs, perceptions, attitudes, assumptions, values, behaviours and knowledge of individuals about cybersecurity, and how these manifest themselves in people's behaviour with information technologies. In simple terms, the ABC of cybersecurity culture is Attitude, Behavior and Cognition about cybersecurity.
In mathematical representation, we can define Cybersecurity Culture as the product of individuals' Attitude (A), Behavior (B) and Cognition (C):
Cybersecurity Culture (CSC) = Attitude * Behavior * Cognition
i.e, CSC = A * B * C
The majority of data breaches within an organization are the result of malicious human actors. Implementing a cybersecurity culture program in an organization will drastically improve mindsets, attitudes, risk perceptions, decision-making and overall security awareness. Note that a typical security awareness program alone will not improve employees' on-the-spot decision-making during high-pressure and emotionally challenging situations.
Developing a Cybersecurity culture program
01 Analyzing the Current Organizational and Cybersecurity Culture
The analysis phase involves understanding the current cultures, values, practices and beliefs in the organization. This understanding can be obtained from interviews or questionnaires that assess the security knowledge of staff, managers and decision-makers. Input from each department and team is analyzed to create a SWOT (Strengths, Weaknesses, Opportunities and Threats) report. This report helps evaluate the current cybersecurity attitudes, responses, awareness levels and other security-related concerns.
The future cybersecurity culture program should align with the organizational culture and values. The elements of a cybersecurity culture program should include people, activities, communication and practices. Before entering the phase of building the program, we have to gain a good understanding of the organizational structure, cybersecurity strategies, employee orientation process, communication flows and practices.
02 Building a Cybersecurity Culture Program
The building phase involves setting up a core cybersecurity culture workgroup. This group is tasked with generating cybersecurity knowledge as well as forming the program and strategy. It oversees the implementation of cybersecurity culture activities and ensures alignment with the organization's cybersecurity policy. To improve the success rate of the program, the core team members should be drawn from five specific departments/areas within the organization: Human Resources, Information Security, Marketing/Communication, IT and Risk/Compliance/Legal.
This core team should also work closely with senior management to deliver status reports on the cybersecurity culture program. The team is responsible for defining the program's goals and activities. An essential element in establishing where the organization currently stands in its cybersecurity culture is the mapping of current and future SWOT measures and goals. This involves a gap analysis between the current situation and the goals. The mapping process identifies the conflicts, risks, compromises and solutions that could result in either the success or failure of the cybersecurity culture program.
03 Implementation Plans
After analyzing the results of the gap analysis, the core team can readily identify the weak points in the current cybersecurity culture. Using this, we can define the cybersecurity culture program activities, such as changes in policies/processes, awareness-raising webinars, workshops, mock attacks (phone calls, fake phishing emails, virus-infected removable media), game scenarios and war-gaming exercises with incentives, etc. Activities should be defined so as to close the gaps identified in the previous steps.
Run and re-run the activities individually or in groups to determine the specific or combined impact of each activity. Success and failure rates determine the impact of each activity. This is a continuous process, not a one-time activity; we can perform multiple re-measurements of each activity to determine its success rate.
Web-based newsletters, periodic articles on the latest security threats and department-specific newsletters keep employees updated on organizational achievements and security knowledge. All employees must be aware of the cybersecurity culture program, and relevant documents and details must be shared on a regular basis. Employees' information security views, attitudes and behaviours will be affected by changes in the organization's cybersecurity culture, so both acceptable and unacceptable behaviour should be well defined. The core team members who developed the cybersecurity culture program should have a clear understanding of the organization's cybersecurity strategy, which should define the organization's security goals and vision and the communication of policies, procedures and standards.
05 Regular Evaluation of the cybersecurity culture program
The cybersecurity culture program should also monitor employees' IT activities in general to identify security issues. The Security Operations Center (SOC) team should work closely with the core team members of the cybersecurity culture program to prepare technology reporting that includes reports from servers and IT security tools, e.g. the number of attacks and the number of security breaches.
The core team members are also responsible for sending surveys to employees with questions about their cybersecurity awareness. They should also send regular reports to management, such as reports on phishing email and malware campaigns that measure employee response, e.g. how many people clicked on a malicious link. The team is responsible for revisiting and re-evaluating the cybersecurity culture program on a continuous basis to establish a strong security culture.
Difference between cybersecurity culture and security awareness
Security awareness is an ongoing learning process that delivers measurable benefits to the organization through lasting behavioural change. The difference between cybersecurity culture and cybersecurity awareness is that awareness can be regarded as a subset of culture: employee awareness, or Cognition, is one element of cybersecurity culture. A cybersecurity culture program takes a broader and deeper view of employees' cybersecurity posture, encompassing behaviours, attitudes, norms, beliefs, interactions and values as well as awareness.
Humans are complex beings that follow group norms and habits. Peer pressure to conform can easily influence a person's behaviour, and the same holds for cybersecurity behaviour. Therefore, it is essential to understand the group behaviours and norms in the organization. The overall cybersecurity culture involves everyone within the organization, from top management to entry-level employees. Every employee is responsible for their own cybersecurity practices, and the right tools and training should be continuously provided so that employees can comply with the organization's cybersecurity policies. A successful cybersecurity culture program should bring about cultural change in the ABC (Attitude-Behavior-Cognition) of the organization's cybersecurity culture.
- Al-Mayahi and S. Mansoor, "Information Security Culture Assessment: Case Study," presented at the IEEE Third International Conference on Information Science and Technology (ICIST 2013), Yangzhou, China, March 2013.
- ENISA (European Union Agency for Network and Information Security), "Cyber Security Culture in Organisations," February 2018.
- K. Roer and G. Petrič, "In-depth Insights into the Human Factor: The 2017 Security Culture Report," 2017.
- Mark B. Desman, "Building an Information Security Awareness Program," 2001.