What is Security Culture?

What is Security Culture?

Security Culture is the ideas, customs and social behaviors of an organization that influence its security. As defined by Kai Roer and Perry Carpenter, results of a study conducted by Forrester Consulting on behalf of KnowBe4. 

Having a Security Culture within your organizations has been the buzz lately. Your organization needs more than just security awareness — “it signals that people understand that security technologies do not offer full or sufficient protection against data breaches.”

When it comes to measuring security culture, Roer and Carpenter recommend measuring across seven distinct dimensions:  

• Attitudes: Employee feelings and beliefs about security protocols and issues. 

• Behaviors: Employee actions that impact security directly or indirectly. 

• Cognition: Employee understanding, knowledge and awareness of security issues and activities. 

• Communication: How well communication channels promote a sense of belonging and offer support related to security issues and incident reporting. 

• Compliance: Employee knowledge and support of security policies. 

• Norms: Employee knowledge and adherence to unwritten rules of conduct related to security.

• Responsibilities: How employees perceive their role as a critical factor in helping or harming security.

Humans can be a one of the weakest link in your organization, the vast majority of data breaches can be traced back to social engineering or some form of human error. So moving into 2023 an organization needs to continue to improve technology but also stay committed to place an intense and intentional focus on building-up our human side.

Surveying over 1,000 security professionals with manager-level responsibility or above, Forrester found that 94% of respondents believe that a strong security culture is a critical component of a good security program.  Great, right? Well, The study also indicates that they found no basic definition what that meant.

Below are 5 main areas the definitions fell into: 

• Close to 30% of respondents believed that security culture is compliance with security policies.  

• Close to 25% said that it was having an awareness and an understanding of security issues.  

• 22% said that it was a recognition that security is a shared responsibility across the organization.  

• Close to 15% indicated that it had something to do with establishing formal groups of people that could help influence security decisions. 

• Over 10% said that a good security culture meant that security was embedded into the organization. 

CorpInfoTech has been helping our customers develop a Culture of Security for years. This is not just the new fad to us, it is our culture. We would love to help make it part of your culture.

Source: A Forrester Consulting Thought Leadership Paper Commissioned By KnowBe: The Rise of Security Culture