Cybersecurity culture is nearly impossible to quantify due to an absence of measurement tools. Many businesses attempt to quantify the human element of their security posture by sending employees simulated attacks to find out how susceptible workers are to phishing, social engineering, spoofing, and other similar attacks.
The flawed logic security leaders use to justify these tactics is that simulations help identify high-risk users and secure additional funds for improving cybersecurity. However, the negatives may outweigh the benefits as simulations embarrass workers – and embarrassment rarely accomplishes anything positive – and position security teams as antagonists rather than allies.
Building a positive security culture
We define cybersecurity culture as the collective cybersecurity behavior of an organization’s employees. Traditionally, culture refers to a society’s social and behavioral norms, often related to knowledge, beliefs, arts, laws, customs, capabilities, and habits. A cultural norm is a guideline for behavior, and it becomes a template for what a social group expects of its members.
The term shame culture was popularized in anthropologist Ruth Benedict’s seminal book, The Chrysanthemum and the Sword. Benedict analyzed Japanese culture in early World War II based on newspaper clippings, articles, and other written cultural artifacts. Many of the book’s observations were later debunked, but the concepts of guilt culture and shame culture remain relevant to this day. She described guilt culture as a cultural phenomenon where individuals know whether they are good or bad through their own conscience.
In a shame culture, individuals’ worth is determined by what their community says it is. In a guilt culture, people sometimes feel they do bad things; in a shame culture, social exclusion makes people think they are wrong.
Phishing simulations and other “Gotcha!” security training are an example of shame culture. Experience has taught us that attacking our employees doesn’t increase cyber-resilience as much as it makes employees view the internal IT teams negatively, ultimately making it more challenging to get people on board with strategic initiatives. If anything, these boring training sessions make employees less likely to view the IT team as a force for good within the enterprise.
Additionally, shaming employees for falling victim to a phishing simulation will make them even less likely to report when they click on a real phishing link—increasing the chances of an organizational data breach even further. The best security leaders implement tactics and technologies that create an empowering and educational experience that builds trust with employees.
Opt for personalized support
Rather than trying to shame and then coach employees, IT and security leaders should create a seamless security strategy intended to support workers during their greatest time of need. “Cookie-cutter” approaches to security training don’t work over a long period of time. Such an approach often fails to reach at-risk users at the moment a potential attack is in progress, nor is it repeated with enough frequency to remain top of mind for employees.
Security professionals who adhere to the Golden Rule will find their employees more open to complying with security policies than those who shame them. It’s simple psychology.
Instead of measuring the number of people who fell for a phishing simulation, organizations need to quantify and measure the success of their security posture through individual, positive changes in behavior—specifically how employees are moving away from actions that lead to cyber incidents and toward actions, such as reporting, that contain them.
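As an added illustration, not taken from the original article, the following Python turns that measurement idea into concrete per-person metrics. It assumes a log of suspicious emails each employee handled (field names `user`, `quarter`, `outcome`, `minutes_to_report` are my own choice, and the records are constructed sample data) and summarises, for each person and quarter, the report rate, the click rate and the median time to report, then classifies each person's trend between two quarters instead of counting who "failed".

```python
from collections import defaultdict
from statistics import median

# Constructed sample log (not real data): each record is one suspicious email
# a user handled, with the quarter and the outcome. "reported" means the user
# flagged it to the security team, "clicked" means they followed the link,
# "ignored" means neither. minutes_to_report is set only for "reported".
EVENTS = [
    {"user": "alice", "quarter": "2023Q1", "outcome": "clicked",  "minutes_to_report": None},
    {"user": "alice", "quarter": "2023Q1", "outcome": "ignored",  "minutes_to_report": None},
    {"user": "alice", "quarter": "2023Q2", "outcome": "reported", "minutes_to_report": 40},
    {"user": "alice", "quarter": "2023Q2", "outcome": "reported", "minutes_to_report": 12},
    {"user": "bob",   "quarter": "2023Q1", "outcome": "reported", "minutes_to_report": 90},
    {"user": "bob",   "quarter": "2023Q1", "outcome": "clicked",  "minutes_to_report": None},
    {"user": "bob",   "quarter": "2023Q2", "outcome": "reported", "minutes_to_report": 15},
    {"user": "bob",   "quarter": "2023Q2", "outcome": "clicked",  "minutes_to_report": None},
    {"user": "carol", "quarter": "2023Q1", "outcome": "reported", "minutes_to_report": 5},
    {"user": "carol", "quarter": "2023Q2", "outcome": "clicked",  "minutes_to_report": None},
    {"user": "carol", "quarter": "2023Q2", "outcome": "reported", "minutes_to_report": 8},
]


def behavior_by_user(events):
    """Summarise each (user, quarter) as report rate, click rate and median
    minutes-to-report. Returns {user: {quarter: {...}}}."""
    buckets = defaultdict(list)
    for e in events:
        buckets[(e["user"], e["quarter"])].append(e)
    summary = defaultdict(dict)
    for (user, quarter), recs in buckets.items():
        n = len(recs)
        reported = [r["minutes_to_report"] for r in recs if r["outcome"] == "reported"]
        clicked = [r for r in recs if r["outcome"] == "clicked"]
        summary[user][quarter] = {
            "events": n,
            "report_rate": len(reported) / n,
            "click_rate": len(clicked) / n,
            # None when the user reported nothing that quarter
            "median_minutes_to_report": median(reported) if reported else None,
        }
    return dict(summary)


def behavior_trend(events, earlier, later):
    """Classify each user as 'improving', 'regressing' or 'steady' between two
    quarters. Any worsening rate counts as regressing; otherwise a higher report
    rate, a lower click rate or faster reporting counts as improving."""
    per_user = behavior_by_user(events)
    trend = {}
    for user, quarters in per_user.items():
        if earlier not in quarters or later not in quarters:
            continue  # no baseline or no follow-up yet: nothing to compare
        a, b = quarters[earlier], quarters[later]
        worse = b["report_rate"] < a["report_rate"] or b["click_rate"] > a["click_rate"]
        faster = (
            a["median_minutes_to_report"] is not None
            and b["median_minutes_to_report"] is not None
            and b["median_minutes_to_report"] < a["median_minutes_to_report"]
        )
        better = (
            b["report_rate"] > a["report_rate"]
            or b["click_rate"] < a["click_rate"]
            or faster
        )
        if worse:
            trend[user] = "regressing"
        elif better:
            trend[user] = "improving"
        else:
            trend[user] = "steady"
    return trend


if __name__ == "__main__":
    for user, verdict in behavior_trend(EVENTS, "2023Q1", "2023Q2").items():
        print(f"{user}: {verdict}")
```

On the constructed data, alice goes from never reporting to always reporting, bob keeps the same rates but reports six times faster, and carol starts clicking; the trend view surfaces all three as individual stories, whereas a raw "click count" would have flagged alice and bob equally in Q1 and said nothing about bob's progress.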
Organizations that provide workers with constant reminders to apply their knowledge, and that act as a safety net when workers falter, will be most successful in improving their organizational security posture.