Blogs & Opinions 02.05.2024

Security Culture: Out With Ephemeral, In With a Lasting Psychological Approach

What exactly is a security culture and how can organisations build and maintain one?

Developing a security culture is vital to defending organisations against cyber breaches, so why do so many organisations get it so wrong? Andrew Rose, CISO at SoSafe, shares how they use psychology to create a security culture that does way more than pay lip service

Forrester predicts that in 2024, more than 90% of all cyber attacks will involve the human factor, leading CISOs to prioritise human risk. Cybersecurity culture creates a sound foundation, or essential building block, in creating a human layer of defence against cyber attacks. Culture can influence interactions, values and ultimately, behaviour.

But what exactly is a security culture and how can organisations build and maintain one?

“Awareness alone does not change behaviour—ask any driver who doesn’t adhere to the speed limit!”

Security culture may sound like a vague term, but there’s specific guidance about what this constitutes. The UK government’s National Technical Authority for Physical and Personnel Protective Security offers a definition. It describes a security culture as a “set of values shared by everyone in an organisation that determine how people are expected to think about and approach security.” Put simply, a security culture ensures that your colleagues and peers make sensible choices about security, even when nobody reminds them.

Security culture is a significant component of the human risk management approach to cybersecurity, recognising that technological defences and suitably trained people are critical to an organisation’s safety. It’s well recognised that awareness alone does not change behaviour—ask any driver who doesn’t adhere to the speed limit! Similarly, traditional security awareness concepts do not treat the risk. We need to approach the human factor more holistically.

At SoSafe, we introduced The Behavioural Security Model  in 2022 as a way to benchmark whether a security culture is truly comprehensive based on four dimensions:

  • Knowledge involves understanding cybersecurity threats and best practices through a sound training programme with continuous, contextual knowledge delivery.
  • Context ties security actions to the employee’s daily tasks, emphasising the need to receive knowledge that is personalised and relevant.
  • Motivation drives employees to adopt secure behaviours through positive reinforcement, such as rewards or recognition.
  • Behaviour focuses on integrating these security actions into everyday actions and routines, creating secure habits.

These dimensions are not separate entities but an interwoven system that encourages employees to be proactive. The model’s holistic approach aims to strengthen every aspect of how employees interact with cybersecurity. The interplay of these four dimensions creates a strong line of defence that promotes individual and collective security efforts.

Anytime there’s a focus on culture, there are tangible benefits to incorporating concepts and approaches from psychology, which is, after all, the study of the human mind and how it functions. We can break this down into three notable behaviours:

1: Learning through observation:   We should also see the rise of ‘security champions’, employees who provide a feedback loop to the security function, draw attention to localised security issues, and act as a local source of expertise and insight.

2: Learning without fear: Creating an environment of psychological safety is critical to getting employees to a place where they can consistently follow standard practice. Research shows that people learn faster from exercises than from a textbook. That means we need to ensure that plenty of time in training is spent on real-life problems. There will be mistakes, but if they are made in a safe and fearless space or linked to learning modules that support the person to learn from said mistake, this can ensure the same error is not made in real life.

3: Creating lasting habits: From there, habits must be created. In his seminal work The Power of Habit: Why We Do What We Do in Life and Business, reporter Charles Duhigg explains the concept of a habit loop. Habits consist of three parts: cue, routine, and reward. A cue is a prompt that pushes the brain into ‘automatic mode.’ In this example, it could be opening or reading an email. From there, a routine must be followed, for example, not clicking on strange links or attachments or reporting suspicious mail. And finally, there’s a reward, which in some cases might be the most challenging to implement. You can’t give every employee a biscuit each time they don’t cause a damaging malware attack. However, perhaps the easier way is to work with positive reinforcement, congratulating the employee for correct and secure behaviour and possibly linking it to badges in a gamification system. We all love collecting recognition of our achievements, so why not use them to reward safe cyber behaviour?

Without a proper, disciplined approach, a security culture can become overly ephemeral. Thankfully, incorporating long-studied academic research and theory into the deployment of a security culture means that organisations can create a useful, beneficial, and resilient culture.

Investing in a security culture that goes beyond ticking compliance boxes and knowledge transfer – and truly involves people in addressing human risk – will have a lasting impact on a company’s risk levels. In an ever-changing threat landscape, an organisation with a strong security culture can respond, remain adaptable and flexible, and always prioritise cybersecurity, the most significant business risk of our time.

In the end, technological defences are necessary but not a complete solution – people and the creation of human-centric security cultures will make the difference.

Andrew is the chief security officer at SoSafe, the EU’s leading security awareness company. Andrew has 25+ year of experience as CISO for UK Air Traffic Control, Mastercard, Proofpoint, and two ‘magic circle’ global law firms; he was also principal analyst at Forrester Research. Andrew has been recognised with many awards including ‘European CISO of the year’ (2018), ‘Best Security Awareness Campaign’ (2015), and is regularly listed in the CSO30 (2020-2023). He is also included in Onalytica’s list of most influential global cybersecurity professionals. Andrew is a regular speaker at global security conferences such as RSA, Blackhat and Infosec, and has contributed to media outlets such as the Wall Street Journal, The Financial Times, The Washington Post, Wired Magazine and CNBC TV.

Latest articles

Be an insider. Sign up now!