Human behaviour is complex and inconsistent, making it a rich hunting ground for would-be criminal hackers and a significant risk to the security of your organisation.
In Build a Security Culture, security consultant and trainer Kai Roer discusses the human and cultural factors in organisational security, and explains how to ensure your organisation is set up to manage and deter malicious intrusions and threats based on common human vulnerabilities.
Here is an extract taken from chapter 7 of the book:
Chapter 7: Building Security Culture
Building and maintaining security culture is like any other process you manage: continuous, planned, controlled and audited. I am sure you are familiar with the PDCA (Plan, Do, Check, Act) flow of process management from the ISO/IEC and other standards. What you may not know is that the same pattern of planning, doing, checking the results and implementing necessary changes (act) also works great when it comes to working with people.
After many years of listening to frustrated security professionals who felt they had failed in building security awareness, I analysed what went wrong. I also wanted to see what successfully implemented programmes had in common. In my travels around the world, I spoke with a large number of security people in a wide variety of organisations of all sizes. Two things quickly became apparent:
- There are more successful programmes than we realise.
- The failures could be easily mended by changing the approach.
The first finding is important because it gives us hope, and proof, that building and maintaining security culture is possible, and may not require that much from us.
The second finding is important because it points us in the right direction: by changing the way we design and implement security awareness programmes, we too can be successful.
Next, I looked at what was being done. Again, I found fundamental differences:
- Successful programmes were designed and implemented in the organisation using resources from HR, marketing and communication in addition to the security officer (SO). They leveraged the different competences in the different fields of speciality to set up programmes that actually worked. They also had long-term perspectives, with clearly defined goals, milestones and metrics. And finally, they ran their programmes as projects within a process – following the PDCA cycle.
- Failed programmes came in two broad categories: those where the SO did everything himself, and those that focused only on checkbox compliance.
These findings made it easy to pinpoint the mistakes to avoid, and the best practices to share, and I could create the first iteration of the Security Culture Framework together with Lars Haug and Mo Amin.
The Security Culture Framework consists of four parts, making a fully repeatable process. It targets large organisations, and its open and flexible structure makes it easy to adjust to any organisation and size. It is designed to help you organise your work with building and maintaining security culture, and will not replace any of your existing tools, suppliers or materials; you will still need those.
The framework was created to help set up and run your security culture programme – it is not a programme in itself.
The framework consists of four parts:
- Metrics
- Organisation
- Topics
- Planner
Each of the parts is tied to the others, and they operate together to form a template of a security culture programme. Depending on where your organisation is today, the starting point is usually one of two: the Metrics, where you would define goals, or the Organisation, where you would set up your team. For the sake of simplicity, I run through each of the parts in turn, and then walk you through one iteration of the programme, starting by setting up a team.
A security culture programme is the combined activities you do to build and maintain security culture in your organisation.
1. The Metrics part
The Metrics part of the framework helps you understand what you are setting out to do with your security culture programme.
In this part of the programme you will define your goals – long-term and short-term. You may have different kinds of goals – from specific results goals like “By the end of this year, we will have reduced the number of successful phishing attacks by 50%”, to learning goals like “By the end of this programme, the participant will demonstrate how to discover and avoid a phishing attempt.”
A question that I get from time to time is “Why do I need to set goals?” The quick answer is that a goal helps you understand where you are supposed to go.
Considering the two kinds of goals just mentioned, both focus on phishing, which helps you determine what kind of activities you should implement in your programme. The result goal tells you what you want to achieve in the metrics from your systems and reports: a 50% reduction in successful phishing attempts. A result goal used correctly will help you understand where you will find supporting data to document your progress towards that goal.
In this example, there may be a number of different sources in your current system that may provide the metrics you need.
Another thing a result goal gives you is an understanding of your current situation. To reduce the number of successful phishing attempts by 50%, you need to know how many attempts are currently successful. You use the goal to help you understand where to find metrics that describe both your current status and the status you are aiming for.
In the ISO/IEC 27000 series, the current state is defined as “as is”, and the future state is defined as “to be”. Since you are setting out to change the current state of your organisation, you need a clear understanding of both states. The Metrics module is your reminder to do just that.
The other kind of goal, the learning goal, is designed to help you consider what you want, or sometimes need, your participants to learn. The learning goal should be created to support your result goal, and is defined by asking yourself what participants need to know, do or understand to move from their current state into the state of your goal.
“With this book, Kai Roer has taken his many years of cyber experience and provided those with a vested interest in cyber security a firm basis on which to build an effective cyber security training programme.”
Dr Jane LeClair, Chief Operating Officer, National Cybersecurity Institute.
2. The Organisation part
As just mentioned, one of the challenges faced by failed awareness programmes was the idea that “I have to do it all by myself.” This was in contrast to the successful programmes, which generally involved a larger team with a broad understanding of culture, training, communication and security.
The Organisation part of the Security Culture Framework helps you understand what kind of resources you need in the core security culture workgroup, as well as who else should be involved.
At a minimum, your core workgroup should have the following competencies on board:
- Culture and training.
This often translates to someone from the security office, someone from marketing/communication and someone from HR. With the core competencies in place, you can start planning your programme.
In larger organisations you may want a steering committee that sponsors and governs the programme, and acts as the liaison between the programme and top-level management. In smaller organisations, you may report directly to the CEO, chief information officer (CIO) or CISO.
Depending on your chosen goals, you may also include other people in the workgroup. Competencies that often come in handy include:
- training design/instructional design
- graphic design
- data analytics.
Some organisations have these resources internally, and others choose to buy external services.
One point to make is that the core workgroup requires security competence, but that does not mean that the SO must also be the group manager. One very efficient way to handle the workgroup is to use a project manager, or at the very least a project administrator, to take the administration, meeting planning and so on off the shoulders of the SO. Remember that the SO’s primary role in the workgroup is to provide security competence and guidance, which is not the same as managing the group itself!
Another important aspect of the Organisation part is the audience analysis section. People are different, with different interests and areas of focus. Departments are different – they come with different tasks, some of which attract people with special competence and different personality types. Organisations with several locations, including multinationals, may find that each location has its own particular subculture.
When you design, plan and implement your security culture programme you must understand the differences and similarities of these groups, so you can adapt your activities, goals and expectations to each of the target audiences.
So far, using the Security Culture Framework, we have defined one or several clear goals, we understand how to measure them, we have set up a workgroup to organise the programme and we know that we need to adapt our activities to the people we are training.
3. The Topics part
The next part of the Security Culture Framework is Topics. Building on your defined goal and your understanding of the target audience, the Topics are there to help you choose the kind of activities that ensure a successful security culture programme.
There are no limits to the kind of activities that can be used in building and maintaining culture, and this is where the marketing department may excel in creating content.
4. The Planner part
The fourth part of the Security Culture Framework is the Planner. The Planner is a selection of different ways to plan and execute your security culture programme, where three elements are vital:
- When to run activities.
- When to do measurements (metrics).
- When to revise and assess your progress.
The Planner is not another planning tool like Microsoft Project. Instead, it is a description of what actions a security culture programme should consist of, and at what interval.
One example of a security culture campaign is the Security Culture Framework 12-week campaign. The 12-week campaign is one full iteration of a security culture programme, run over the course of 12 weeks. The campaign is divided into three parts, following the Planner module:
- Four weeks of metrics.
- Six weeks of activities.
- Two weeks of measuring progress, analysing results and revising future actions.
This is an extract from Build a Security Culture
Protect your organisation by building a security-minded culture.
In this book, Kai Roer presents his Security Culture Framework, which addresses the human and cultural factors in organisational security. He highlights the underlying cause for many successful and easily preventable attacks.
Available in softcover, Adobe eBook and Adobe ePub.