Define a Strong Security Culture

Learning Objectives

After completing this unit, you’ll be able to:

Describe a strong security culture.
Describe ways to measure your security culture.
Explain how to mature your security culture.

What Is a Strong Security Culture?

A strong security culture is where people prioritize security when making decisions, are aware of the threat landscape, know what red flags to be on the lookout for, report all suspicious activity and understand their role in securing the organization.

Security doesn’t just come from surface-level training courses or phishing emails; it comes from people actively choosing to take part in a secure culture. When this happens, values are adopted that guide decision making, even if outcomes aren't always easily quantified or seen right away. Let's look at an example.

Meet Sean and Renee. Sean works at a multinational technology conglomerate that does not have an established security culture. Renee works at a university that invests a lot of time and resources on security awareness and training. Let’s look at two different scenarios to see how Sean and Renee’s security culture is reflected in their thinking and behavior.

A person sitting at a desk with a laptop next to a scene of a person standing at a whiteboard.

Scenario 1: A Phishing Email

The same phishing email, disguised as a message from a bank, arrives in Sean and Renee’s email box. The email has multiple grammatical errors, a link that is clearly suspicious, multiple font sizes, is unformatted, and the sender’s email address is unfamiliar. Sean thinks to himself, “This email looks very suspicious. I don’t even bank with them. I’ll ignore it, and delete it later.” Renee thinks to herself, “This email looks very suspicious. I’ll report it to the information security team right away so they can investigate it further.”

Technically, there is nothing wrong with Sean’s response. However, ignoring a suspicious email may result in someone else in the organization engaging with it. Sean does not think of these potential consequences because he isn’t really sure about the security policies, nor does he feel a sense of responsibility for data and information outside of his specific job. These factors influence Sean’s high-risk decision-making and actions, which open the organization to a greater likelihood of a security incident.

Renee’s response, on the other hand, demonstrates her awareness of potential security threats. When she reports a suspicious email, she provides the cyber team an opportunity to investigate it and remove all instances of it in the organization’s systems to avoid a potential incident and further damage.

Scenario 2: A Universal Serial Bus (USB) Device

Sean and Renee each find a USB device on the floor of an office corridor with Payroll 2022 written on it. Sean thinks to himself “LOL—this is going to be good. I’ll take it back to my desk, plug it in, and investigate how my salary compares to others in the company.” Renee thinks to herself, “As much as I want to look at this, I am going to take it to the information security team because it could be a trap.”

Curiosity often gets the better of us, especially when it comes to private or confidential information. However, plugging in a random USB has the potential to trigger a cyber incident. Even though Renee is curious, she recognizes the potential risks of plugging in a random USB, and makes the most secure decision to hand it in to the information security team to investigate.

These situations represent choices that you and people in your organization make every day. An organization with individuals who think and act like Renee likely has a strong security culture that will help minimize cyber threats. Employees will be more likely to spot suspicious activity and the organization will have plans in place to deal with it quickly and reduce the likelihood and/or impact of an attack.

How to Measure Your Security Culture

As mentioned in Unit 1, there are several tools organizations can use to measure the current state of their security culture. One tool is the security culture framework identified in the International Journal of Network Security & Its Applications 2021 research article, “Designing a Cyber-Security Culture Assessment Survey Targeting Critical Infrastructure During Covid-19 Crisis.

The security culture dimensions are layered into two levels: organizational and individual. Questions within the organizational level dimension aim to assess whether specific security aspects have been taken into consideration and to what extent. Questions within the individual level dimension are where the beliefs, emotions, attitude, and behavior of employees is examined using a variety of psychological, behavioral, emotional and specialization assessments. Below are the two levels along with sample questions and statements:

Organizational Dimensions

Assets
- Have you ensured that sensitive data or systems are regularly accessed?
Continuity
- Do you have enough capacity to ensure that data availability is maintained?
Access and trust
- Do you automatically disable dormant accounts after a set period of inactivity?
Operations
- Do you have all the necessary policies and procedures properly documented?
Defense
- Do you maintain an up-to-date inventory of all of the organization’s network boundaries?
Security Governance
- Do you regularly organize vertical and horizontal security meetings?

Individual Dimensions

Attitude
- I feel comfortable and support my organization’s approach towards information security.
Awareness
- Are you aware of all the devices and systems you are responsible for?
Behavior
- What would you do if you saw a colleague badge-surfing in the office or requesting access to files that aren’t in their purview?
Competency
- What is necessary for a person to turn a plain text message into an encrypted message?

These dimensions were applied in the 2021 study, “Assessing MITRE ATT&CK Risk Using a Cyber-Security Culture Framework” to demonstrate how a security culture assessment can guide organizations to key security vulnerabilities, enabling them to take active steps towards improving their security.

For example, in one scenario, an employee running the security assessment was alerted to security issues within an electricity substation's physical safety measures. Insights from this assessment paved the way for improvements in existing mitigations and implementation of new strategies, culminating in leadership-approved changes that strengthened overall organizational security measures.

Use of this security culture assessment, and others like it, can be helpful in defining the current state of an organization’s security culture and in strengthening its security controls.

How to Mature Your Security Culture

Creating and improving a secure environment is one of the most important investments an organization can make. One of the key components to making this a reality is maturing your security culture and deliberately putting in place processes and protocols to help protect assets from both internal and external threats. Maturing your security culture involves a number of steps, including:

Leadership commitment
- It is important that leaders at all levels of the organization consistently demonstrate and communicate a commitment to security to help build a sense of trust and ownership among employees.
Employee education and training
- Providing employees with education and training at regular intervals on security best practices and policies is essential to ensure that they understand their role in protecting the organization's assets.
Establishing clear policies and procedures
- Developing and communicating clear policies and procedures for handling sensitive information and responding to security threats can help to ensure that all employees understand their responsibilities and are able to take appropriate action when needed.
Regular testing and assessment
- Regularly testing and assessing the organization's security posture can help to identify vulnerabilities and ensure that appropriate measures are in place to mitigate them.
Incorporating security into business processes
- Ensuring that security is considered as part of all business processes, including decision-making and enterprise risk management, can help to embed a culture of security within the organization.

There are several cybersecurity maturity models to assist organizations in consistently implementing and continuously monitoring these steps (and others) in an effort to mature their security culture, including:

NIST Cybersecurity Framework (CSF): Developed by the National Institute of Standards and Technology (NIST), the CSF is a framework that helps organizations manage and improve their cybersecurity risks.
ISO/IEC 27001: This is an international standard that provides a framework for establishing, implementing, maintaining, and continually improving an organization's information security management system (ISMS).
CMMI: The Capability Maturity Model Integration (CMMI) is a process improvement approach that helps organizations improve their processes for developing and maintaining products and services.
CIS: The Center for Internet Security (CIS) Critical Security Controls (CIS Controls) were developed to help organizations establish awareness of and explore protections against cyberthreats.

Each maturity model has its own strengths and limitations, and the best one for a particular organization will depend on the organization’s needs and goals.

Sum It Up

In this module, you’ve been introduced to security culture. You’ve learned how to define, measure and mature your security culture, including sample questions to ask to evaluate your current state and achieve the security culture you want now and in the future.

Interested in learning more about cybersecurity roles and hearing from security professionals? Check out the Cybersecurity Career Path on Trailhead.

Looking for Help?