Security awareness is good, but good security culture is better

As an efficient mechanism to influence employee behavior, security culture is one of the most important, yet most overlooked, aspects of organizational security.

“A common flaw in our industry is that awareness trainings will change, i.e. improve, security behavior,” says Kai Roer, co-founder of European security startup CTLRe (and Help Net Security columnist).

“This idea comes from the rational economic theory, with which a hundred years ago economists tried to explain how people are influenced to make purchases. A few decades later, this theory was debunked by behavioral scientists, who proved that we make decisions based on emotions and social pressure, and not based on our knowledge.”

For example, despite knowing it is illegal to speed in your car, people still do it. “Why, then, does our industry still invest in awareness training programs, instead of building solutions that improve security?” he asks.

Roer and Dr. Gregor Petrič, the Head of Center for Methodology and Informatics, University of Ljubljana, have been analyzing the responses of over 10,000 employees from 38 companies in Norway and Sweden, who’ve been asked questions about their security knowledge, behavior, attitudes, compliance, and so on.

Based on those resposes, the company’s first annual Security Culture Report has been compiled, and it shows some very interesting patterns.

Expected and unexpected revelations

“At first glance, a female over the age of 50, working in a Norwegian bank, who has worked at least 5 years in that bank, tends to be a lower risk and a more secure employee,” says Roer.

build security culture

“However, peeking behind the numbers, we notice that females report lower competence of security and risk than their males counterparts, whilst also reporting higher compliance with secure behaviors. Does this mean females are more secure employees? Or, does this mean that men are more honest in their reporting of behaviors?”

Another interesting finding is that age definitely matters.

“I have heard in the past that younger people are more tech-savvy than us who are not so young any more, and some have suggested that this must mean that they’re also more secure (they know tech, so they should know and do better – see a pattern here?),” Roer notes. “But our research shows that more secure behavior comes with age, and so does a clearer understanding of norms and compliance with social behaviors.”

They’ve also found that there is a strong correlation between norms and behaviors: the more people understand and internalise their organization’s norms (policies, regulatory issues as well as informal rules), the better their security behaviours are.

“This leads us to believe that a security program with more focus on clear and concise norms will lead to better security. Again, this is supported by social scientific research done over the past 60 years,” he notes.

The results have also shown that differences in security culture dimensions across different industries:

build security culture

Roer also says that, besides the finding on age (he had the “millenial are better at security” bias, too), he was surprised by the comparisons on the data between countries.

“I had a bias that organizational cultures in Sweden are more conformative than in Norway and, therefore, I expected Sweden to rate higher on security culture than Norway in general,” he noted. But, their findings showed the opposite. “There may be any number of reasons for this, which we are looking into next.”

How do you build security culture?

Lots of resources are being invested into training staff on secure behaviors, while breaches are increasingly being traced back to some kind of human interaction.

“For as long as I have been part of the information security industry, we have complained about the lack of results from security awareness programs. But the whole idea behind training people to change behavior is flawed. Our research clearly shows that what we need to focus on is to build good rules of behaviors, and then informing and enforcing them on the employees,” says Roer.

“In social psychology, we call this peer pressure – all groups of people have them, and we are all tuned into them. In fact, most of us pick up these signals without even noticing, we just adopt our behaviors to what we perceive as the preferred behavior in the group. Lots of studies have demonstrated the power of social influence, and how to successfully build influencer programmes. Security culture is a large part social behavior, and I believe we should adopt and apply methods that are working well in other fields, instead of just keep insisting on doing things that do not work.”

His advice to companies for setting up a good (or good enough) security culture within their organization:

  • Know your culture – use a tool to map it out (disclaimer: CLTRe provides such a tool as a service).
  • Ensure a gender-bias-free organisation – “Our study shows that males and females have large differences between how they understand and work with risk and security. A good balance of the genders, throughout the organization – from top management all the way down – can be crucial to handle security risk appropriately,” he points out.
  • Ditch awareness programmes, and focus on facilitating good behaviors using what we know from social psychology: norms, peer pressure, social relations.