What is a cyber security culture and what are the challenges?
Attempts to define ‘cyber security culture’ usually become weighed down by its two relatively abstract terms, ‘security’ and ‘culture’. As a starting point, practitioners and executives should instead seek to understand what people in their own organisation think it is. A 2021 study of global enterprises sampled 1,161 leaders in risk management; respondents were asked what they thought security culture really meant. After their answers had been pooled into five broad categories, just 12 per cent (the smallest group) identified that ‘a good security culture is embedded into the organisation’. Ideally, executives should expect to hear that answer from at least fifty per cent of their team, as we believe that employees using words such as ‘integrated’ or ‘intertwined’ suggest an organisation with a mature understanding of an effective cyber security culture.
S-RM’s November 2021 report, Investing in Cyber Resilience: Spend, Strategy, and the Search for Value, revealed that one key concern for organisations was the lack of importance placed on cyber security issues by employees, whilst another was the lack of compliance with cyber security policy. Cyber strategies are often at risk of having an overly heavy focus on technical product solutions, but the most mature approaches engage technology, processes, and people. In the remainder of this article, we highlight some ways in which members of the C-Suite can remedy their concerns about cyber security training, mitigation of people-centric attack surfaces, employee perceptions, and compliance, by examining and investing in their organisation’s cyber security culture.
How to build a cyber security culture
Embedding a cyber security culture requires continuous, active investment. Companies with a mature security posture utilise technology effectively but equally have an embedded cyber security culture in which individuals are encouraged to develop good cyber security habits. Teams driven by such people will be proactive in identifying, questioning, and preventing the sorts of behaviours that could lead to a security incident. As a result, the organisation will be more resilient to any period of disruption, such as the shift to remote working due to the pandemic, which most organisations have recently experienced. Executives can successfully build a cyber security culture if they understand that culture is transmitted because of “cooperative skills and motives…cultural inventiveness…teaching, social imitation and norms of conformity”.
Increasing awareness of cyber security threats is the bare minimum required to start building an effective cyber security culture. Whilst awareness is undeniably important, people’s behaviour cannot be expected to change simply because they have been provided with information. It might seem rational to expect that an annual mandatory training package will provide suitable context to inform people’s good judgement for the rest of the year, but the reality is that if, in a pressurised situation, doing something securely is perceived as a hindrance, practice may not follow best procedure. An auditable register of annual cyber security training is desirable; however, people must also be enabled to learn continuously throughout the year. Teams might consider developing cyber security champions who can draw attention to good practice when they see it. The same people can also nudge poor cyber security practice back onto the desired path, for example by using reminder cards with a simple message such as “Hotkey for screen lock: Windows + L”, which can be left on a laptop whose user is absent and whose screen is unlocked. These small measures serve to teach the importance of cyber security on a continuous basis.
Psychologist Kurt Lewin suggests that the first phase in the process of cultural change comes with ‘unfreezing’ the existing organisational culture. To do this, people must be reminded of the reason for change and be able to draw direct links between the change and the benefits it will bring or the negative impacts it will reduce. Motivation through associated loss (i.e., if an outcome isn’t realised, bad things will happen) addresses the latter and can be a powerful tool. An example of this might be to display the link between poor cyber security practices, the financial hit from a subsequent ransomware pay-out, and the resulting absence of end-of-year bonuses. A less extreme example would be mandatory retraining for team members who fail a simulated phishing test. Both examples play to negative emotional connotations and people’s loss-aversion bias. These approaches should be mixed with initiatives that emphasise direct benefits. An example of this might be to enter team members who correctly identify a malign email and report it to their IT teams into a prize raffle.
The sustainability of a good security culture depends on executives understanding how to create a critical mass of desired behaviour. Engaging the whole team’s cooperation is essential to overcoming uncertainty and resistance to working with new procedures or technologies. A well-structured communications plan is essential to engaging that cooperation. If it isn’t precisely clear to everyone what the aim and the benefit of cooperating are, it is far more likely that rumours will supplant the desired narrative and that divergent working practices such as ‘Shadow IT’ will disrupt the change process.
4. Cultural Inventiveness
It has been said many times that ‘culture eats strategy for breakfast’; cultural inventiveness is one reason why. Our species has a unique ability to interrogate and replicate processes that lead to novel outcomes, and we are also extremely good at finding more efficient routes to comparable results. This is the basis of a word of warning to transformation strategists. The use of cyber policies plays an important part in creating standardised cyber security practices and making them replicable. However, the policy must be realistic, simple, and account for people’s inventiveness in finding different ways to the prescribed outcome. The concept of ‘desire pathways’ illustrates this (picture A):
[Figure: Cyber Security Practices (pictures A, B and C)]
Policy, or its overarching strategy, that disregards people’s inventiveness can result in the (metaphorical) cyber security practice seen in the first picture. If a critical mass of people moves towards adopting shadow processes, it can become an uphill battle to enforce conformity. It is far better for executives to re-visit the strategy and absorb working practices in a manageable and secure way. This compromise is seen in the University of Ohio’s approach to campus design, whereby landscape designers waited to see where people created desire pathways and then paved those routes. The outcome was the same, but the method was effective and sustainable for its environment (pictures B and C).
5. Social Imitation and Conformity
Leaders have a large part to play in ensuring employees embrace the new cyber security culture and that it becomes the status quo. For example, a clear desk policy is far more likely to succeed if everyone in the office sees line managers store items such as laptops or confidential materials in a locker at the end of the day. Small changes to working practices which make desired behaviour more visible will gradually help move whole teams to adopt and embed the cyber-conscious culture. Other examples of how imitation and conformity are leveraged for cultural transformation can be found in the activities governmental working groups have carried out during the pandemic. One of the most well-known pieces of messaging in the UK, “hands, face, space”, nudges for changes in behaviour regarding hand sanitisation, mask wearing, and social distancing. In turn, these behaviours, observed and conducted millions of times a day, have helped to contribute to the culture of “the new normal”. Could you devise a three-word phrase to nudge recognition of a malicious email? Could it help start a behavioural change in your team and save you from the next email compromise?
Notes
1. KnowBe4 Research, The Security Culture Report 2021: A Global Security Culture Perspective During a Pandemic.
2. Shadow IT: the use of hardware, software, or IT processes by an individual or department without the knowledge of the IT security group.
3. Working groups have included the Independent Scientific Pandemic Insight Group on Behaviours (SPI-B).