Security awareness is a term that most information security professionals are familiar with – security culture a little less so.
“Security awareness training is based on a behavioural theory that was debunked decades ago,” says Kai Roer, co-founder of European security startup CLTRe.
“The Rational Economic Theory says that if you know the best action to take when given a choice, you will always make the better – and rational – choice. But unfortunately for the security awareness industry, their customers and the security industry in general, the human mind does not work rationally. More importantly, our mind doesn’t care about making decisions, and solves that ‘problem’ by creating a large number of mental patterns that result in automatic behaviour.”
Security culture is a wider concept, one that encompasses not only security knowledge (awareness) but also attitudes, norms, compliance, behaviours, responsibilities and communication.
“Humans cannot survive alone, and our biology has evolved to automate many, if not most, of our interpersonal communications and actions. By making our behaviours interdependent, we can internalize norms, attitudes and compliance deep inside our mind, instead of having to spend vital brain energy on figuring out what is the right action to take in any particular situation involving others. Effectively, culture is our biology’s way of reducing risk and improving security for the human species,” Roer explains.
“Security culture is critical to security just as culture is crucial to human society. Culture drives behaviour change, and behaviour change drives culture. Our most important work, as information security professionals, is to control the influence of security culture and facilitate the changes we require in order to keep within the risk parameters of our organization.”
Security awareness training will work, but only if it’s combined with skills training (think “education” more than “awareness”) and policies, and is supported by technology. In other words, you must build a security culture if you want to change security behaviour for the better, and make the change permanent.
Things you need to know
Just like any culture, security culture is susceptible to internal and external influence. It can be formed or be changed relatively quickly, although that’s not usually the best approach if we want to make it sustainable. A much better choice is a controlled program that applies good metrics that enable comparisons over time, and that facilitates the process by influencing policies, educating people and applying the right technology.
Another important thing about creating and/or changing security culture is that we must take a holistic approach.
Security is a complex issue: technology, people, and policies are all part of it and, in Roer’s experience, one cannot change one of these without the other two ending up changed, too.
“When the smartphone was introduced ten years ago, it changed how people interacted with information, with each other and with technology. Companies tried to fight the new paradigm by adding policies to forbid the use of such technology, but people still kept bringing smartphones to work and using them, effectively forcing companies to change their approach,” he illustrates this point.
“BYOD was born not from employers wanting to save money, but from the realization that policies alone are not enough to deal with the new technology. BYOD meant understanding the new technology and its impact on business, adopting technical controls like IAM, and moving away from the ‘our premise/network’ paradigm to the ‘always connected’ paradigm.”
Here’s another example: current anti-phishing training can’t be expected to work if the company doesn’t also use technology to reduce the likelihood of phishing attacks reaching the target, and doesn’t combine it with procedures for helping the compromised quickly and positively.
“Security problems can’t be solved by just buying technology, or adding a new policy, or setting up a security awareness program – we need all three pillars working together to support each other,” he stresses.
A good place to start
Roer’s biggest frustration with the information security industry is that it keeps on flogging dead horses. His avowed mission is to improve how we do security, even if it means fighting old models and and tearing into widely accepted preconceptions. And one of these is that cultural change be nearly impossible to measure, and extremely difficult to achieve.
But neither of those things is true.
“In 2017, we know quite a lot on how to change cultures. Research in the field of psychology shows that we create and internalize norms based on the behaviours we have, which means that if we can train people to do the things we want, they will internalize that behaviour and create social norms that support it. Also, cultural change can be observed, experimented with, and compared.”
This is where his company, CLTRe, can lend a helping hand: their SaaS offering has been created to measure security culture throughout an organization, from the individual employee, via teams and departments to business units, and to help organizations tweak it.
“Based on the data we collect across a number of industries, we provide industry benchmarks and academic research to our customers, helping our industry better understand what actions are effective, where to expect improvements, and compare against other companies in the same industry sector,” he explains.
“Our customers have access to an operative dashboard showing details of their organization that enables fine-tuning of their security culture programs, while demonstrating the effectiveness of their investments throughout their organization.”