Security Culture
eBook - ePub

Security Culture

A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

  1. 232 pages
  2. English
  3. ePUB (mobile friendly)
  4. Available on iOS & Android


About This Book

Security Culture starts from the premise that, even with good technical tools and security processes, an organisation is still vulnerable without a strong culture and a resilient set of behaviours in relation to people risk. Hilary Walton combines her research and her unique work portfolio to provide proven security culture strategies with practical advice on their implementation. And she does so across the board: from management buy-in, employee development and motivation, right through to effective metrics for security culture activities. There is still relatively little integrated and structured advice on how you can embed security in the culture of your organisation. Hilary Walton draws all the best ideas together, including a blend of psychology, risk and security, to offer a security culture interventions toolkit from which you can pick and choose as you design your security culture programme - whether in private or public settings. Applying the techniques included in Security Culture will enable you to introduce or enhance a culture in which security messages stick, employees comply with policies, security complacency is challenged, and managers and employees understand the significance of this critically important, business-as-usual, function.


Information

Publisher: Routledge
Year: 2016
ISBN: 9781317058052
Edition: 1

Chapter 1
Introduction


So what is this security culture book about? Why is it new and different, and why is this area important? Why is there a growing need for information about security culture and people risk management? Here we set out who this book is for, the purpose of the book and how to use it to improve security culture and deal with people risk in the organisation.

What Is This Book About?

Every business has a unique internal organisational culture that affects how it operates. How an organisation behaves in terms of its style and approach to security is its security culture. Organisational culture pervades every part of an organisation and impacts security. Even with good technical tools and security processes, an organisation is still vulnerable if the general attitude towards security is poor. People risk is the risk associated with people in the organisation compromising security (as opposed to technology risk, which can be caused by things like not having up-to-date antivirus software).
This book is a guide to improving employee attitude, behaviour and compliance in relation to security. It is a how-to guide that helps deal with and improve security culture and reduce people risk in organisations. Failure to give security culture and people risk in organisations the attention they deserve can lead to:
• loss of intellectual property (IP);
• compromised security systems;
• damage to the brand and reputation of the CEO and Board members;
• in the UK, potentially heavy fines by the Information Commissioner’s Office (ICO) for data loss;
• major incidents that can threaten the survival of the organisation; and
• minor incidents that can be expensive and time-consuming to resolve.
This book will help security, human resources (HR) and management personnel understand security culture and the risk that people pose to organisations. It will also identify the benefits of leveraging these. It will show how to develop and implement a security culture and people risk reduction strategy and awareness programme that provides measurable results. Based on the author’s unique work portfolio, in-depth interviews and research, this book combines proven security culture strategies with ground truth and practical implementation experience to help achieve:
• senior management buy-in;
• greater employee compliance with security procedures;
• reduced unintentional security or privacy breaches;
• increased reporting of security or privacy breaches and employee behaviours of concern;
• reduced scope for manipulating employees, making them less vulnerable to social engineering; and
• reduced vulnerability to insider threat.
It will also help:
• organisations be less vulnerable by deterring high-risk people from joining them;
• improve employee attitudes to security, so that they view it as an important business-as-usual function; and
• advise on metrics to measure the impact of security culture activities.
These are major and difficult security issues which can have severe and substantial impacts on an organisation. They are difficult to deal with as they extend beyond the security group in traditional terms, and delve into organisational values and norms, management practice and organisational communication.
There is little integrated and structured information on how to embed security in the culture of an organisation. This book draws all the best ideas together and provides an intervention toolkit to pick and choose from when designing a security culture programme.
This book also adds new information from actual organisations which have attempted to develop a security culture across sectors and in private and public settings. It is a vehicle to combine those ideas so that organisations can pick the gems for themselves, those parts that suit their particular context, environment and objectives. It is a method and ideas factory. What is good practice? What is bad? How do I get objective feedback on the bad, which I probably already know about but can’t prove? How do I effect long-lasting change in security attitudes and culture? Which are the most effective measures to get more bang for my buck? Are some measures more effective than others? If so, what are they? Currently there is little research and consolidated information about these areas, so this book helps collate this new information in one place. It draws on work within a leading UK government authority on security and advice given to organisations both in the UK and internationally.
Technical security consultancies often attempt to tackle ‘people’ and ‘culture’ issues in organisations through awareness alone. This book seeks to move beyond ‘security consulting’ in the typical IT, physical and awareness sense, and builds upon constructs such as behaviour change and motivational theories. This is where it can add value as it is based on psychological and motivational theory and is written by an organisational psychologist who specialises in this area – and who also happens to be a risk management and security professional with practical experience. The blending of psychology with risk and security is where this book’s unique positioning originates. Designed for daily use in an ever-changing world, Security Culture covers everything today’s security, management and HR professional needs to know.

What Is the Need for This Book? The Rationale

All groups in an organisation need to be able to influence employee behaviour, none more so than senior managers and security personnel. The cost of not doing so is considerable, in the form of security breaches, privacy leaks and damaged reputation. Indeed, there are countless examples of such devastating security or privacy breaches: confidential information found on the street because it was carelessly thrown in a bin; files containing sensitive documents left in a public place; or personal information emailed to the wrong person. The consequences of these scenarios can be severe, and while policies may exist prohibiting these actions by employees, there are no technical or process controls to prevent them occurring (other than physically checking every sheet of paper or message that leaves a building).
Organisations need to do things differently from the way they did in the past, and this will involve utilising different skills and methods. It used to be enough to get line managers to deliver security messages to their direct reports and check that these requests were followed. Now, the security team needs to inspire and influence the business towards developing a security mindset. The aim is to have security done as a matter of course; for staff to want to provide feedback about how to continually improve security. This requires managers at all levels to be motivators and communicators and for staff to self-manage and also manage each other’s behaviour in relation to security. Managers and employees also need to think of themselves as part of the security team, by proactively identifying potential issues and reporting behaviours of concern, not to mention breaches within the organisation.
But how do we encourage employees to develop and maintain a security-conscious attitude? How do we get employees to behave in the right way? As security professionals, we tell people over and over what they should do in relation to security, but the messages still do not seem to get through. How do we get people to comply with policies and procedures? These are questions consistently asked by security managers and HR professionals as they grapple with the culture and people aspects of their organisations.
This book will help answer these questions. It will use case studies to illustrate good practice and provide resources and interventions which can be applied easily. These issues are timely because security is a growing issue: in part due to recent global terrorist activities that increase national threat levels and risks to organisational and personal safety; but also due to the increased attention organisations and governments are paying to privacy issues and cyber threats. As such, security is an ongoing and escalating issue that organisations are struggling with as they strive to reduce risks as much as possible, and still stay in business.
It is not enough that organisations have good physical and IT security procedures in place to maintain the integrity of the system. If the people in the organisation don’t think about security as they go about their work – and don’t consider how they can protect the organisation’s information, people and assets – then technical controls will not be enough.
So why do organisations need help on this topic at this time? Security culture as a topic is in its infancy. A related field, safety culture, has research and information whose development dates back as far as the Chernobyl disaster in 1986 and the Piper Alpha oil-platform explosion in 1988. As a result, safety culture has become mainstream and has improved business operations. It is likely that security culture improvements will yield the same benefits, but security culture is nowhere near as closely monitored, managed and prioritised by organisation management and executive boards.
While the contents of this book are not a silver bullet to cure a weak security culture and improve people risk management, it is a toolkit of successful interventions to be applied within the unique context of each organisation. It provides a resource for managers to use for advice and ideas on establishing and maintaining optimal security behavioural norms within their organisations. Currently, organisations are attempting to develop these mechanisms in their own way – with unmeasured success.

What Organisational Problems Can This Book Help Solve? What Is It Designed to Accomplish?

This book will help clarify the problem of poor security culture and also assist in gaining buy-in to security as an enabling business function, motivating and influencing employees to follow security procedures and embedding security attitudes throughout the business. Security, and how to instil a security culture, needs to be treated as seriously as health and safety issues.
These ‘culture’ and ‘people’ aspects are common areas to be hesitant about. For example, a security manager might find it easy to see how advice about other security disciplines (physical and IT) fits within the usual job responsibilities and duties: security culture, however, is much harder because it is about people and their behaviour. Inevitably, human resources issues will surface, and HR will need to be involved – as will senior management and other employees such as line managers or even the executive board. For example, if it was recommended that an organisation include security in the appraisal process in order to embed behaviour, then this would have to be endorsed from the top, and accepted by HR and line managers trained in how to correctly rate employees on their security objectives.
This book will be a guide to anyone seeking to identify and understand security issues more in terms of behaviour, as well as giving them the confidence to modify existing security practices in organisations at a strategic level. Its aim is to help security professionals influence and motivate employees to want to change their security behaviours, and to change employee attitudes and views of security through motivational theories. It will help people influence employees to want to comply with policy and procedures, and also help them see why it is important to do so – whether for personal reasons because it affects them and their role – but also to see how it fits the goals of the organisation, whether profit, public reputation, quality or safety.
It will be useful to the HR professionals, the security group’s essential ally, for ensuring that organisational policies are correctly presented, documented, communicated and enforced. It should also lead to important conversations between HR and IT about matters such as the monitoring and review of staff internet usage and email accounts; mutual difficulties with audits; and IT’s internal access to sensitive HR data.
Security Culture will also be helpful to line managers in their role of influencing the training, learning and development of their employees. It is the line managers who bring organisational policies to life and act as change agents, choosing to focus the attention of employees in varying ways.

Summary

Applying the techniques in this book will enable an organisation to introduce or enhance a security culture which will help make security messages stick; get people to comply with policies and procedures; reduce security complacency; get senior management on board; and change employee attitudes to security – to view it as an important business-as-usual function.
The book does this by providing strategies to implement security procedures; illustrating examples through case studies of poor and optimal security practices; existing as a source of inspiration and offering food for thought; and providing a best-practice model by which to manage security culture.

Chapter 2
What Is Security Culture and People Risk? Why Are They Important?


This chapter looks at what is meant by the terms ‘security culture’ and ‘people risk’ and their effect on organisations. It explains why an organisation’s culture and people have an impact on its security. It describes how the nature of security has changed, the reality of where we are now and where we are predicted to go in the future. It also looks at why, although most security professionals agree that people are an organisation’s weakest link, they continue to ignore this important area of security – or at best pay it lip service through half-hearted security awareness programmes. In particular, it describes some of the challenges security professionals face in dealing with security culture and people risk, and identifies the skills required to do so. It asks the reader to consider how secure their organisation really is by examining some key questions and areas of their business. It then discusses some characteristics of organisations with strong and weak security-oriented cultures, and with low and high people risk. Finally, the chapter outlines the importance and benefits of security culture and people risk, and why people have so much trouble influencing it or tend to avoid dealing with it.

Security Relies on People to Behave in the Right Way

Let us say that an organisation has in place a range of ‘security’ measures to safeguard whatever it needs to protect. The organisation might have secure premises or IT infrastructure; controlled access to systems or sites; and operational policies and procedures to govern the way things are done. But security still relies on people to behave in the right way.
An organisation’s culture has implications for its security. Even with good technical tools and physical security processes, an organisation is still vulnerable if the general attitude towards security is poor. For example, if there is a general lack of adherence to basic security policies or good practice by employees, coupled with managers failing to notice or address poor security behaviours, then the chances of negative outcom...

Table of contents

  1. Cover Page
  2. Title Page
  3. Copyright Page
  4. Contents
  5. List of Figures
  6. List of Tables
  7. About the Author
  8. Acknowledgements
  9. 1 Introduction
  10. 2 What Is Security Culture and People Risk? Why Are They Important?
  11. 3 Building the Business Case for Security Culture and People Risk Management: Getting Senior Level Buy-in and Commitment
  12. 4 Assessing Security Culture
  13. 5 How to Improve Security Culture: Intervention Toolkit
  14. 6 How to Prioritise What to Do Next
  15. 7 Metrics: Measuring the Impact on the Organisation
  16. 8 Case Studies
  17. Appendix A: Example Proposal for Funding for a Consultancy to Deliver a Security Programme Business Case
  18. Appendix B: Example of Senior Executive Team/Board Meeting Paper
  19. Appendix C: Sample Security Communications Plan
  20. Index