Developing a Cybersecurity Culture Blog

Developing a Cybersecurity Culture

Security products & practices usually ignore the most fundamental element of an organization: the user. A survey by Willis Tower Watson revealed that human actions cause over 90% of security incidents. This means fortifying a cybersecurity culture is just as important as cybersecurity protection. A survey by Willis Tower Watson revealed that human actions cause over 90% of security incidents. This means fortifying a cybersecurity culture is as important as cybersecurity protection. It can be difficult for Chief Security Officers to determine whether or not they have a strong cybersecurity culture. Today, cybersecurity culture is nearly impossible to quantify as there is a lack of tools to measure and manage its effectiveness. Without this capability, Chief Security Officers face difficulties in facilitating the necessary changes needed to improve their organization’s culture. The organizations who have successfully fortified a cybersecurity culture have seen a significantly decreased risk of a major data breach. With the new norm of a distributed workforce bringing a whole new onslaught of security risks targeting employees, it’s now more important than ever that organizations are empowered with a solution that builds and supports a strong cybersecurity culture.

In order to develop a cybersecurity culture, organizations must be able to:

  1. Define security culture
  2. Understand how to build a security cultural model
  3. Managing culture

What is culture?

Traditionally, culture refers to the social and behavioral norms found in human societies often related to knowledge, beliefs, arts, laws, customs, capabilities, and habits. A cultural norm serves as a guideline for behavior, which in turn serves as a template for expectations within a social group.

Defining Cybersecurity Culture

When it comes to defining cybersecurity culture, many elements of the traditional definition are applicable within the context of cybersecurity norms and corporate expectations. In other words, cybersecurity culture within an organization is the collective cybersecurity behavior of all employees.

Building a Cybersecurity Cultural Model

In order to develop an effective group or cultural cybersecurity model, organizations must leverage an individual cybersecurity behavior model. An individual behavior model is best defined by Stanford Scientist and New York bestselling author, B.J. Fogg, and organizations can apply the concepts to a cybersecurity environment. Based on Fogg's research, the necessary components of an individual behavior model can be divided into three principal categories: Motivational, Ability, and Nudge.

Security Culture consisting of motivational elements, ability elements and nudge elements.

An organization can control these variables - Motivation, Ability, and Nudge - to facilitate individual changes in employees' behavior. The diagrams below help to explain the various factors that influence the cybersecurity behavior of an individual employee, and how the collective cybersecurity behavior of all employees can fortify an organization's cybersecurity culture.

  1. Motivational Elements:

    According to Stanford University Behavior scientist, B.J. Fogg, the three-core human motivational elements are pleasure/pain, hope/fear, and acceptance/rejection. In an organizational setting, however, executive communications and their actions set the ground rules. This helps to create a like-minded, community based upon core corporate values. Defining security policies is a crucial step to setting up the expectation of the desired behavior.

  2. Ability Elements:

    Giving employees the right awareness and tools to help them perform their day-to-day tasks with ease is fundamental to forming an empowered cybersecurity culture. Awareness education, development of skills to deal with adversaries, and security protection technologies with the right policies all help employees to protect the company from threats.

  3. Nudge Elements:

    Even if you have the motivation, ability, and skill, we all still require constant reminders to apply our knowledge at the right moment until the habits are formed. Communication from management, and their actions, not only helps to motivate but also plays a vital role in reminding employees of the corporate values and guidelines.

Employee Cybersecurity Behavior Model

Employee Cybersecurity Behavior Model

Organizational Security Culture = A Collection of Individual Employee Behavior

Organizational Security Culture

Managing culture

It’s not enough for an organization to just understand the key components it takes to build a strong cybersecurity culture. They must actively manage their cybersecurity culture through clearly defined expectations of their employees’ behavior. This starts with identifying the organizational cybersecurity goals, conducting a behavioral design to facilitate a behavior change, and then measuring employee behavior towards those goals. The diagram below gives an overview of this process.

Managing culture

Here is a case study example of enacting the necessary steps to influence employee behavior in order to build a stronger cybersecurity culture:

Organization X is looking to improve the use of two-factor authentication for cloud-based applications, without mandating via a security policy.

With their goal set, to see people voluntarily using 2FA, they can begin conducting a behavior design. To do this, they must start asking a few questions on each of the three-axis (Ability, Motivation, Nudge). For example:

  1. Is it easy for the employee to do this task?
  2. Do they know how to do it?
  3. What motivates them to do this?
  4. Do they want to be part of the “Secure-first” Initiative?
  5. Do they know most of the people are enabling it, and only a few are left behind?
  6. Do they know the consequences of a breach without this?
  7. How can I notify the people who have not activated 2FA?
  8. How can I give the right information when they need it?
  9. What can I learn from people having difficulties so I can help them better?

These questions can help the organization recognize the required strategies to facilitate the behavior changes they wish to see. In some cases, they might find that it is better to control people’s ability to make a mistake by controlling the security policy.

In the given 2FA example, mandating 2FA via a security policy is an option; however, in many cases mandating is not a viable option. As shown in the diagram, repeat these exercises for each of the goals, and you can create your own visual and clearly see your cultural cluster.

We hope these concepts will help you to strategize for a better cybersecurity culture.

  • Santhosh Purathepparambil
    Santhosh Purathepparambil

    Co-founder, SecurityAdvisor

Published on: July 16th, 2020

Learn how SecurityAdvisor can help your team

Schedule some time to talk with one of our experts and they will show you how we can help your organization.

Get a demo Today