Security products and practices usually ignore the most fundamental element of an organization: the user. A survey by Willis Towers Watson revealed that human actions cause over 90% of security incidents. This means fortifying a cybersecurity culture is just as important as cybersecurity protection. It can be difficult for Chief Security Officers to determine whether or not they have a strong cybersecurity culture. Today, cybersecurity culture is nearly impossible to quantify because there is a lack of tools to measure and manage its effectiveness. Without this capability, Chief Security Officers face difficulties in facilitating the changes needed to improve their organization’s culture. Organizations that have successfully fortified a cybersecurity culture have seen a significantly decreased risk of a major data breach. With the new norm of a distributed workforce bringing a whole new onslaught of security risks targeting employees, it is now more important than ever that organizations are empowered with a solution that builds and supports a strong cybersecurity culture.
Traditionally, culture refers to the social and behavioral norms found in human societies often related to knowledge, beliefs, arts, laws, customs, capabilities, and habits. A cultural norm serves as a guideline for behavior, which in turn serves as a template for expectations within a social group.
When it comes to defining cybersecurity culture, many elements of the traditional definition are applicable within the context of cybersecurity norms and corporate expectations. In other words, cybersecurity culture within an organization is the collective cybersecurity behavior of all employees.
In order to develop an effective group or cultural cybersecurity model, organizations must leverage an individual cybersecurity behavior model. An individual behavior model is best defined by Stanford scientist and New York Times bestselling author B.J. Fogg, and organizations can apply his concepts to a cybersecurity environment. Based on Fogg's research, the necessary components of an individual behavior model can be divided into three principal categories: Motivation, Ability, and Nudge.
An organization can control these variables - Motivation, Ability, and Nudge - to facilitate individual changes in employees' behavior. The diagrams below help to explain the various factors that influence the cybersecurity behavior of an individual employee, and how the collective cybersecurity behavior of all employees can fortify an organization's cybersecurity culture.
According to Stanford University behavior scientist B.J. Fogg, the three core human motivational elements are pleasure/pain, hope/fear, and acceptance/rejection. In an organizational setting, however, executive communications and executives' actions set the ground rules. This helps to create a like-minded community based upon core corporate values. Defining security policies is a crucial step in setting the expectation of the desired behavior.
Giving employees the right awareness and tools to help them perform their day-to-day tasks with ease is fundamental to forming an empowered cybersecurity culture. Awareness education, development of skills to deal with adversaries, and security protection technologies with the right policies all help employees to protect the company from threats.
Even with motivation, ability, and skill, we all still require constant reminders to apply our knowledge at the right moment until habits are formed. Communication from management, and management's actions, not only helps to motivate but also plays a vital role in reminding employees of the corporate values and guidelines.
It is not enough for an organization to just understand the key components it takes to build a strong cybersecurity culture. It must actively manage its cybersecurity culture through clearly defined expectations of its employees’ behavior. This starts with identifying the organizational cybersecurity goals, conducting a behavioral design to facilitate a behavior change, and then measuring employee behavior against those goals. The diagram below gives an overview of this process.
Here is a case study example of enacting the necessary steps to influence employee behavior in order to build a stronger cybersecurity culture:
Organization X is looking to improve the use of two-factor authentication for cloud-based applications, without mandating via a security policy.
With their goal set, to see people voluntarily using 2FA, they can begin conducting a behavior design. To do this, they must start by asking a few questions on each of the three axes (Ability, Motivation, Nudge). For example:
These questions can help the organization recognize the required strategies to facilitate the behavior changes they wish to see. In some cases, they might find that it is better to control people’s ability to make a mistake by controlling the security policy.
In the given 2FA example, mandating 2FA via a security policy is an option; however, in many cases mandating is not viable. As shown in the diagram, repeat this exercise for each of your goals, and you can create your own visual and clearly see your cultural cluster.
We hope these concepts will help you to strategize for a better cybersecurity culture.
Co-founder, SecurityAdvisor
Schedule some time to talk with one of our experts and they will show you how we can help your organization.