Building a Security Behavior and Culture Program (SBCP)
Feb 22, 2023 | By: Stephen Boals
Just What is a Cybersecurity Culture?
Most organizations have a Security Awareness Training (SAT) program, and a foundation of what they believe is a core set of capabilities that they use to reduce their human cybersecurity risk. But even with a well-managed, consistent program, risky employee behavior still exists. While these core capabilities provide value and a temporary “awareness effect”, they typically focus only on compliance requirements, and are seen as a burden by users, IT and cybersecurity personnel. As a result, most programs provide a short-term compliance benefit. But are employees really changing their online behavior to truly create a new sense of security culture? In fact, many of the vendors and products are built on the premise that humans are the problem, not part of the solution.
In Gartner’s latest 2022 Innovation Insight on Security Behavior and Culture Program Capabilities Report, they state the following:
“The traditional security awareness computer-based training (SACBT) market has settled into a state of standard, stable and largely commoditized capabilities, including legacy training content, high end video, mock phishing simulations, report phish button and gamification (chart summarized in text). Gartner research shows that these core activities do not deliver and sustain the tangible behavior and culture change required to reduce cybersecurity risk exposure. Social engineering is a perennial top attack vector, and the vast majority of breaches (82%¹) involve human error. While these core awareness capabilities achieve compliance objectives, they fail to sufficiently influence behavior.”
¹ Source: Verizon DBIR 2022
But What Defines a Culture?
“Emerging SBCP capabilities focus on risk reduction via tangible employee behavior management. Innovative solutions adopt behavioral science principles, data analytics and automation to build and measure a digitally secure culture.” (Gartner, 2022)
Culture is an incredibly complex concept and a key element of any operating society or subset of one, including business-focused corporations, and it is touted as the new requirement for advancing your cybersecurity program. A cybersecurity culture is hard to define, but below are the seven recognized traits of culture, with a brief description of each and how it applies to cybersecurity:
Learned. Culture is not inherent; it is learned through socialization and education. It is passed down from one generation of employees to the next, and is constantly changing as new ideas and technologies develop. In cybersecurity, the right training program lays the foundation for educating your populace. Employees, management, executives, and your board all need to learn from the same source, and not only learn, but understand the basis of behavior in the cybersecurity realm with an awareness both of self and of the organization as a whole.
Transmitted. Culture is transmitted through direct contact between members of a society. It is also spread through literature, art, media, and other forms of communication. If your security teams are equipped with the right tools to create the baseline for a cultural shift, then the sharing (transmitting) of the cultural norms will be viral. As each quarterly training session passes and with each executive or board member you educate, you transmit the culture one employee at a time.
Based on Symbols. Culture is based on symbols, which are used to communicate and represent the values and beliefs of a society or entity. Symbols can be anything from words to objects, and are used to convey information about a culture. In the cybersecurity realm, this is the language that defines cybersecurity and the threats faced, but to truly build a culture, it also requires an understanding of the terminology used to describe human behavior in simple, understandable terms. Most organizations lack the latter, or have no means to measure it (see our myQ stylizer and cybermetrIQs dashboard).
Changeable. Culture is not static; it is constantly changing and evolving. New ideas, technologies, and beliefs can shape a culture and its beliefs. This is one of the most difficult aspects of cybersecurity and of building a Security Behavior and Culture Program (SBCP). Things change so fast, seemingly minute by minute, and the constant fluctuation in attacks is mind-numbing. Security “awareness” just can’t keep up, and a training program that focuses on static content rather than on behavior cannot itself change, and stands in the way of cultural change.
Integrated. Culture is integrated into the everyday lives of its members. It influences how people interact with each other, how they work, and how they view the world. In a true, stable cyberculture, people are seen not as the problem but as the solution. With a behavioral shift, they become integrated into the overall system that protects an organization. Unfortunately, most attempts to build this culture create a siloed atmosphere in which users feel isolated instead of integrated. To create integration, successful organizations make cybersecurity a genuine part of their human resources efforts and performance reviews, and integrate it technologically with their people management systems.
Ethnocentric. Culture is often ethnocentric, meaning that it is seen as superior to other cultures. This can lead to a sense of superiority and even discrimination against those of different cultures. In cybersecurity culture the effect is more positive (superiority and discrimination are so negative), mostly taking the form of peer pressure and growing acceptance of cultural norms. Those who abide by the cultural norms will outweigh those who don’t, and set the example for culture building.
Adaptive. Culture is adaptive, meaning that it can change and evolve to fit the needs of a particular society or environment. This allows cultures to survive in different situations and contexts. An adaptive cybersecurity culture is the ultimate human defense platform. If you change risky behaviors and leverage technology to help humans think in the moment and “do”, you are better protected today, and against the attacks you have not yet seen.
Overall, culture is a complex and diverse concept made up of many different traits, and setting out to build a cybersecurity culture without the right tools will result in even higher human risk and, eventually, a breach.
How do I get Started in Creating a Cybersecurity Culture?
Since the beginning, this is the challenge that cyberconIQ’s Human Defense Platform was designed to address, and it remains our focus today: how to understand an individual’s personality (risk-style), apply behavioral science principles and data analytics, and require minimal staff effort, to help cybersecurity leaders reduce risk through measurable culture change.
Changing culture takes time, effort, and the support of all levels of management. It requires a stepped process in which an organization encourages, guides, and exposes employees to adopt behaviors and mindsets that are tied to the organization’s overall values and goals. Cultural change is required to better align the behaviors of employees with business objectives and desired outcomes. If you are ready for your next step in cybersecurity and want to leverage your dormant human firewall, reach out today.
Contact us for a free recording of the webinar on this topic!
Building Cyber Resilience: The Shift from Cyber Awareness to Enhanced Security Culture