People are the new perimeter and a prime target for attackers. In fact, according to the Verizon DBIR 2022 Report, 82% of breaches involve the human element.
In this post-pandemic era where remote work has grown, people surf various websites and multitask their work and personal lives, opening the door to potential compromise. To reduce people-centric risk, most organizations have invested in end-user education. Some even go beyond compliance or training and move towards building a security culture that motivates and empowers users to keep their organizations safe.
However, culture tends to be ubiquitous. And the concept of "security culture" can be new or vague to most people. In this blog post, we will introduce a definition of security culture and discuss how organizations can utilize a model of security culture to help strengthen their security awareness programs and further drive behavior change.
Proofpoint defines security culture as "the beliefs, values, and attitudes that drive employee behaviors to protect and defend the organization from cyberattacks." Security culture plays a strong factor in the development of positive security behaviors, for two main reasons.
First, it improves your organization's overall security posture when employees feel responsible to help prevent security incidents. Security is everyone's responsibility, and when employees buy into that it leads to higher vigilance and motivation to act appropriately.
Second, it helps reduce human risk. A strong security culture helps drive behavior change and helps users build sustainable security habits that extend protection to their personal lives. This means that when faced with threats after-hours, on personal devices, or when they least expect them, users will already have the habits necessary to thwart attackers' malicious intents.
We see cybersecurity culture as the overlapping contribution of three main factors: Responsibility, Importance, and Empowerment.
Figure 1: Diagram showing the three dimensions of security culture
Responsibility: Do employees feel that they and their coworkers are responsible for acting to prevent cybersecurity threats?
Importance: Do employees believe that a cybersecurity threat could affect them personally?
Empowerment: Do employees feel empowered to identify and report suspicious behavior?
To be motivated to act (keeping the organization safe), users must believe that threats and organizational compromise are problems that could affect them personally and recognize the importance of securing the organization. In addition, they need to be empowered with the right knowledge and tools to identify threats and feel responsible for doing their parts to prevent attacks from crippling their organizations.
To diagnose the likelihood that an employee has both the ability and motivation to prevent an attack against their organization, we created our cybersecurity culture survey to evaluate each of the three dimensions. This concise survey helps security teams easily measure and quantify the current state of their security culture and enables them to motivate and empower people by tailoring messaging and training.
We follow the principles below to design the survey:
Pragmatic: clearly interpretable results
Short: can be completed in a reasonable amount of time
Focused: each question only addresses a single idea
Unambiguous: each question is clear and avoids jargon
Reliable: gives the same results if tested under similar conditions
Valid: measures what it seeks to measure
Unbiased: minimizes response bias
When deploying a culture assessment, make sure that it's short and simple so that users feel compelled to respond to them amidst competing tasks. Finally, decide on the frequency of administration early on so you can decide the best way to roll out your assessment, obtain regular data points and modify your program based on the results received.
Culture assessments are necessary to take a pulse of user sentiment and plan future initiatives that resonate with users. While knowledge assessments measure what users know and simulated threats like phishes measure what users do, culture assessments provide an effective way to measure what users believe.
Knowing what users believe can go a long way to helping security teams determine any changes in messaging or training assignments they should make to different user groups. Remember that a strong security culture depends on users' investment and motivation, which directly impacts the behaviors they will take when faced with threats.
Figure 2: Culture assessments fill the gap of the components of successful security programs
It's essential for organizations to have multi-faceted security awareness programs that account for what users know, the actions they take in the real-world, and what they believe. How users feel and think about the role they play in security awareness has the capacity to drive impact and help reduce risk in organizations—and culture assessments can help.
As Cybersecurity Awareness Month approaches, it is a great time to build a strong framework for culture through use of engaging modules that target users' knowledge gaps and needs, and use this to motivate users to become a strong line of defense.
For more ideas on what to consider when focusing on strengthening your security awareness culture, leverage our Cybersecurity Awareness Month Kit and check out the Cybersecurity Awareness Hub landing page here.