CLTRe, a Norwegian security culture research company, today released its Security Culture Report 2017, which surveyed more than 10,000 employees across five verticals in two Nordic countries to determine how risk and security are understood and acted upon.
The study was done in conjunction with the University of Ljubljana.
The more than 200-page report focuses on "insights into the human factor" and on how the attributes of security culture affect an organization's overall risk posture. It is unusual in examining how age, experience, gender and attitudes influence risky behaviors and security culture.
According to the report, one of the main goals of the project was to demonstrate that security culture is one of the "most important yet most overlooked" aspects of organizational security, and an important mechanism for reducing risk in employee behavior.
"Our findings are very clear: females report better compliance with rules and less risky security behavior than their male counterparts," said Kai Roer, founder of CLTRe and co-author of the report. "Men, on the other hand, report better knowledge of the rules as well as better understanding of risk and technology, while not following those rules as closely as their female colleagues."
Roer founded CLTRe, a research-driven software-as-a-service company serving the global market, to give organizations a way to quantify the impact and effectiveness of their security culture investments. The report, co-authored with Gregor Petric, Ph.D., Associate Professor of Social Informatics and Chair of the Center for Methodology and Informatics at the Faculty of Social Sciences, University of Ljubljana (Slovenia), was based on data collected with the CLTRe Toolkit, which combines large-scale data collection, statistical prediction, organizational psychology, and survey methodology.
Also related to gender balance, the report shows that females are more positive toward having security controls in place, and are more likely to avoid risky use of the Internet.
"Putting these factors together, we believe that a program that aims to improve security culture should aim for gender balance," Roer said. "We also see a strong correlation between adherence to norms and secure behavior."
The report identifies seven core dimensions of security culture: behaviors, attitudes, cognitions, compliance, communication, norms, and responsibilities.
The research also examines what the authors see as the differences between security culture and security awareness. In fact, the report goes as far as to say that security culture programs are more critical than security awareness programs.
According to the report:
"Scientific research of organizational behavior (Ajzen, 2011) convincingly shows that human behavior is dependent not only on knowledge (awareness), but to larger extent on organizational culture, norms, attitudes and other socio-psychological factors. Awareness is just one of many factors contributing to secure behavior."
"More important are attitudes toward information security issues, perceived norms regarding what is right and wrong regarding information security, involvement in organizational communication processes, and awareness of security policies," it reads.
However, many organizations do use security awareness training as a way to shape security culture. In a previous interview, Masha Sedova, co-founder of Elevate Security, said that a good awareness program gathers feedback from the rest of the security organization on what the top people-centric risks are for the company, and then builds an effective campaign to address those risks.
"Security awareness was initially started about 10 years ago with the advent of regulation and compliance requirements," Sedova said. "Unfortunately, they were designed with the wrong question in mind. They ask 'show me how many people have taken your training.' Instead they should have asked 'show me metrics that your program yields improvement in X behavior.' The companies leading the charge in the awareness space today are creating their programs around this question."
Sedova's position is consistent with the report's: not that security awareness programs are ineffective, but that they should concentrate on modifying and improving human behavior rather than merely putting people through technical training. The focus needs to be on identifying the underlying behaviors that drive risky action and changing those behaviors.
CLTRe's research also demonstrates how important it is to consider security culture when running a more secure organization. Among the topics the authors consider at least indirectly linked to security culture, from how people work to the results they produce, are General Data Protection Regulation (GDPR) compliance, human factors, and practical threats.
"The ability to quickly and proactively single out units, departments and teams that require extra attention to deal with these threats can be critical to protecting an organization."