Research of more than 10,000 financial services employees in the Nordic region has found that a gender balance is crucial for maintaining good security and reducing risk.
Released today, the first Security Culture Report, published by security culture research company CLTRe and available to download, found that balance is key for organizations looking to reduce risk.
Among its key findings were that: experience improves an organizations’ security culture and consequently risk is reduced, that a holistic security culture program is required as opposed to security awareness training, and that some industries have alarmingly low levels of maturity of security norms and compliance.
Analyzing the seven key dimensions of security culture: employee attitudes; organizational norms; employee behaviors; compliance to security policies; quality of communication; cognitive aspects of security and individual responsibility, CLTRe founder and co-author Kai Roer said: “Information about these dimensions is vital when it comes to improving security culture, and thus reducing risk in the organization.”
The report found that across the seven dimensions of security culture, in general females are more risk averse when it comes to security culture, better at complying with norms and more open to accepting regulations than their male colleagues. Yet men report a higher understanding and knowledge of the security requirements and practices, but also a lower compliance with them. “These findings lead us to believe that a better security culture can be created through increased gender balance in the workplace”, the report said.
In terms of age, the report claimed that security culture improves with age as despite young people having a better understanding of technology and thus should have a better understanding of internet security, CLTRe’s findings suggest that attitudes towards security culture improve with age, not as a result of greater exposure to technology.
“Putting these factors together, we believe that a security culture program that aims to improve security culture, should aim for gender balance,” says Roer. “We also see a strong correlation between adherence to norms, and secure behavior. No such correlation is found between awareness and behavior, leading us to conclude that security awareness training programs are all in desperate need of modernization. Move away from boring trainings, apply peer pressure and group dynamics instead.”
The report claimed that security culture must be measured in order to understand and manage change, and that is done by applying ‘socio-informatic principles and methods’.
“The essential logic of this approach is that if we want to change the reality, we first need to have valid information about the true state of the socio-technical reality,” the report said: “To measure reality in a precise way a rigorous scientific approach needs to be undertaken, one that results in sophisticated metrics. When such metrics are put into practice, the true state of security culture can be assessed and effective decisions can be made on the information generated.”
The report said that elements of security culture that may be more important than the quality of IT solutions, include: what employees think about taking care of sensitive information; how employees perceive their role in organizational security; awareness of communication channels for reporting problems; employee awareness and adherence to organizational policies regarding security; what employees know about security-related issues; how employees see actions of others and are subject to peer-influence and what actions do employees themselves perform.
Asked why a company should measure its security culture, Roer told Infosecurity that the challenge is to know if secure practices are being practiced. “We have all seen the compliance focused, mandatory awareness trainings where the employee just clicks through the slides. The CISO gets a completion rate of the trainings, say 53%, but no culture has been formed, no changed behavior is seen,” he said.
“Measuring security culture is vital in order to document the effectiveness of the security culture activities (as required by GDPR). Measuring culture shows how it changes and evolves over time, identifies pitfalls and weak spots in the organization, and allows the CISO to better align the security culture program’s focus to the needs of the organization.
“Imagine a map of the whole organization, where you visualize the differences in cultures. Using that map, you can focus your effort where it matters, instead of blasting off lots of actions that yields no results at all.”
Roer also said that organizations should be doing more to test how effective their culture is, stop measuring the completion rate of awareness trainings, and instead map the security culture from individual employee, via teams and departments, all the way to the top.
“You will be surprised of the level of details, and the conversations they enable when measuring culture throughout the organization.”