Poor security behavior still evident in most industry sectors

Security behaviors are poor across most industry sectors in Europe and the Unites States regardless of the employees attitudes towards security. In the largest study on security culture to date, the Norwegian software company CLTRe AS reveals data from more than 20,000 employees, across seven languages.

Security Culture Report 2018 key findings

• Poor security behavior is evident in most industry sectors
• The Real estate sector is consistently worse in cybersecurity culture than any other sector
• Security culture in the Finance sector is better than any other sector
• The ICT sector is best when it comes to communicating cybersecurity
• The Trade sector scores best on attitudes towards security, but worst on behaviors.

“We believe there are a number of reasons for these huge differences between the industry sectors. The finance sector for example has a long tradition of security and compliance, which has instilled a culture of security. The trade sector, whilst also heavily regulated, typically sees many employees without higher education. Combined with high staff turnover in the industry, these factors influence its security culture, and so it is no surprise that they also impact security behaviors,” said Kai Roer, CEO of CLTRe.

Huge differences between countries

The study also looks at the differences of security culture across languages. The Security Culture Benchmark is a scale that goes from 0 to 100, 0 being worst and 100 being best. The scale reveals that Finland (75) and Norway (74) are doing far better on cybersecurity behaviors than other countries. A close third is Poland (71). At the opposite end of the scale is Denmark (55) and the Netherlands (56).

“The large differences between the countries in the northern Europe are of particular interest. The differences in national ideas, habits and social behaviors seem to be reflected in the security culture. The large gap in scores between Norway and Denmark is interesting, as these two countries typically are considered quite similar,” says Roer, “Our multinational customers use this data to better understand where they need to focus their cybersecurity efforts on the human factors. It is clear to them that security culture and awareness activities must be adjusted to the local needs.”

Tracking change in security culture

The report tracks changes in security culture for the first time. Using data that spans over two years makes it possible to see how security culture changes from year to year. “It is too early to call it a trend,” explains Dr. Gregor Petric, Chief Science Officer at CLTRe, “we need data-points over more years for that. What we do see is the ability to pick up changes by using our measurement instrument.”

Notable findings in the year-on-year comparison is how some industry sectors improve, while others decline. The Real Estate sector shows a decline of 2 points from their already poor security culture score of 57 in 2016. Their new score is 55.

“The change itself may not be dramatic, but the fact that it is negative suggests that this industry needs to review their current practices,” concluded Roer.