I appreciate that organizations are beginning to realize that they need to understand their corporate culture in their implementation of awareness programs. It is long overdue. Unfortunately as a concept, it is being grossly misapplied. In short, you don’t want to adhere to culture, you want to improve culture.
To utilize culture, you need to understand what a security culture actually is. When I co-wrote Advanced Persistent Security, the best definition that my co-author and I found was that security culture is the consolidated behaviors within an organization as they pertain to security. While it is a concise definition, it is not intuitively easy to understand and apply.
In many ways, a security culture is peer pressure and as such is self-perpetuating. Think of an organization’s dress code. If everyone wears a suit (or female equivalent) to work, anyone not wearing a suit will usually feel awkward and frequently be instructed to wear a suit in the future. Alternatively, if nobody wears a suit, anyone wearing a suit will be blatantly or subliminally pressured into not wearing a suit in the future.
With security, consider wearing badges. As a consultant who helps organizations with awareness programs, I frequently go to customer facilities, and when I am provided with a badge, I put it on and wear it appropriately. However, as I walk around the facility, if I am the only person wearing a badge, I will take it off, as I don’t want to stand out. That would be true for everyone in an organization, including new employees. The same applies to writing down passwords or not, to allowing tailgaters through doors or not, and, for the most part, even to phishing.
A security culture creates and reinforces security behaviors. These behaviors are not just preventative; they also cover detection and reaction. For example, protection involves employees knowing to clean their desktops and lock their drawers at the end of the day. Detection means that employees will notice when other assets are not locked up. Reaction means that when an employee detects that assets have been left vulnerable, they know what to do in response.
In the above example, in a strong security culture, people will be instructed how to behave and act. They will be walked through the process of closing up their desk at the end of the day, and also told how to police the area before departure, if they are the last person to leave. If a person leaves their area unsecured, another person will notice and inform them of the issue. If they don’t, a security guard will likely perform rounds and find the issue.
There are also weak security cultures that encourage and facilitate poor security behaviors. In the best cases, weak cultures will result in bad behaviors with regard to protection, detection, and reaction. In the worst case, some employees will tell other employees not to behave appropriately. For example, they might encourage others not to lock their desks, so people can access their resources. They might encourage or require shared computer accounts and passwords.
So when you consider how culture fits into awareness programs, in essence to improve awareness, you want to improve the culture.
However, when I see culture mentioned in the generation of awareness programs, it is typically to determine how to design materials that will be best accepted by the organization. The talk is about how to word materials to best align with organizational lingo, themes, messaging, etc. While it is important to consider those things, the focus should not be on putting out information, but on how to impact individual behaviors and the overall culture.
As I discussed previously, information should strive to improve behaviors. When enough people change their behaviors, it will change the culture. The culture will in turn drive behaviors. Clearly, awareness practitioners want to provide information to change behavior, and that information should be as influential as possible. The information must however be designed with the specific intent to improve the culture and not to just adhere to it.
To this end, you need to consider that an awareness program should be more than a series of communications. Those are tactics that frequently have minimal effect. If you truly want to integrate culture into your awareness program, you need to consider high-level strategies that accomplish this.
While high-level strategies to improve culture will be the subject of future articles, examples of such strategies include implementing technologies that enforce behaviors, getting management support to promote proper behaviors, and operational enforcement such as having guards look for violations.
Such strategies are frequently beyond the authority and responsibility of most awareness managers. Clearly, when these people create and distribute materials, they align them with their organizations’ respective cultures. However, the goal must always be to improve behaviors and change the culture.