In this blog post which originally appeared in Infosecurity Magazine in the lead up to InfoSecurity Europe, our founder, Bruce Hallas, explains the intricate relationship between security behaviour and security culture, and discusses how we must get past the notion of people being stupid, and instead just think of them as being human.

Security Culture and Security Behaviour

The Virtuous Circle between Security Culture and Security Behaviour

Rising numbers of cyber, hacking and other security risks, along with new regulation, legislation and standards such as GDPR, ISO 27001 and PCI DSS, all mean CISOs and their infosec teams have their work cut out.

While policies, processes and technology are important in helping to mitigate these risks and comply with regulation, arguably embedding an organization-wide security culture is the foundation on which a business, its people and its assets are protected.

Humans are human, not stupid

Human error continues to account for a significant proportion of security breaches today. It’s a fact of life that people get things wrong, and this is perhaps why, according to a recent cross-sector survey of their peers by the Ponemon Institute, CISOs consider the ‘human factor’ as the biggest threat to security today.

So why do people get things so wrong?

We need to dispel the myth that humans make mistakes simply because they lack knowledge or understanding. Decisions made under pressure, in an unfamiliar situation or about a topic a person knows little about, routinely bypass the logical side of the brain, where rationality is at work, and go directly to the instinctive side of the brain, where irrationality is dominant.

The brain handles these situations using several shortcuts, which enable quick decisions with minimum effort. When values associated with privacy and security come into conflict with other, more deeply embedded values, for example those belonging to a culture, it does not end well for security on the majority of occasions.

To be clear, this does not mean that people do not value the content or the sentiment of the security policy. They just may not value it as much as those who wrote, say, the new GDPR policy, processes and procedures within an organization. It is when these values come into conflict that organisations stand to see all their hard work around security policies come undone.

The traditional approach to security training, which focuses on raising awareness, is proving to have limited success. Successive studies have shown that simply ‘raising awareness’ has only a limited direct correlation with transforming organization-wide behaviour and bringing about cultural change, and therefore with mitigating security risk. Security culture and security behaviour are linked, and yet there is a distinct lack of joined-up thinking.

Most of these security education and awareness programs are designed on flawed assumptions and an incomplete understanding of what makes humans behave like humans rather than like machines. They fail to instil real awareness and changed behaviour, or to become embedded in company culture.

To address this problem, CISOs need to look for new tools and methods designed to go beyond raising awareness, actually engage and influence the behaviours of employees and stakeholders, and achieve compliance with organizational policies. If security behaviour can be influenced, it is possible to create a new security-aware culture.

Why is culture important?

And how can security behaviours be embedded into security culture?

The term culture can be interpreted differently by different stakeholders, but essentially, it’s about having a set of shared attitudes, values, goals, and practices that characterizes an environment.

Culture in an organization also comprises tangible elements such as artefacts, espoused values and underlying assumptions. Artefacts and espoused values could be organizational structures, processes and procedures, or even strategies, goals, philosophies and policy statements. Underlying assumptions could be unconscious, taken-for-granted beliefs, perceptions, thoughts and feelings regarding a myriad of values, many of which are not, at first glance, related to information security or even privacy.

People are influenced by the world around them, and the decisions they make are heavily shaped by their cultural lenses. These lenses are the result of life experiences and lessons learnt and embedded from the earliest years of life through to the present day.

In an organizational setting, people are influenced by the behaviours they see around them, perceived as the day-to-day norms and values that colleagues adhere to. Therefore, influencing and reinforcing acceptable behaviour is a key part of embedding security into the culture of an organization.

A one-size-fits-all awareness training program that aims to appeal to everyone will ultimately fail to resonate with, or reflect, the values and culture of an organization. If the training does not resonate, it will not score highly on people’s priority list and will fail to increase the likelihood of a positive security choice and outcome when it competes with other values.

If the sentiment of the training does not mirror how people operate within the organization, the program fails because it will neither influence behaviour nor become embedded in the culture. Yes, it is possible to document organizational values and expectations of personnel, but anecdotally most people have experienced organizations where there is a difference between what is said and what is done.

Savvy security communications campaigns, on the other hand, take into account and are sensitive to local and organizational culture and values. Infosec trainers should take the time to understand their target audience on a deep level to increase the likelihood of influencing behaviour towards compliance with security policies. This way they can create awareness campaigns that clearly communicate the organization’s values and its expectations of the relevant stakeholders.

The security values and culture must be lived and breathed throughout the organization, from the top down, from the bottom up and from the sides inwards, so that they are reinforced by everyone witnessing and participating in their continued use.

The first step in understanding the role culture plays in security compliance is recognizing that culture does exist, and that it can and will influence behaviour no matter how fantastic or memorable the awareness and training campaign is.