Chapter 1
Introduction
So what is this security culture book about? Why it is new and different and why is this area important? Why is there a growing need for information about security culture and people risk management? Here we lay down who this book is for, the purpose of the book and how to use it to improve security culture and deal with people risk in the organisation.
What Is This Book About?
Every business has a unique internal organisational culture that affects how it operates. How an organisation behaves in terms of its style and approach to security is its security culture. Organisational culture pervades every part of an organisation and impacts security. Even with good technical tools and security processes, an organisation is still vulnerable if the general attitude towards security is poor. People risk is the risk associated with people in the organisation compromising security (as opposed to technology risk, which can be caused by things like not having up-to-date antivirus software).
This book is a guide to improving employee attitude, behaviour and compliance in relation to security. It is a how-to guide that helps deal with and improve security culture and reduce people risk in organisations. Failure to give security culture and people risk in organisations the attention they deserve can lead to:
• loss of intellectual property (IP);
• compromised security systems;
• damage to the brand and reputation of the CEO and Board members;
• in the UK, potentially heavy fines by the Information Commissioner's Office (ICO) for data loss;
• major incidents that can threaten the survival of the organisation; and
• minor incidents that can be expensive and time-consuming to resolve.
This book will help security, human resources (HR) and management personnel understand security culture and the risk that people pose to organisations. It will also identify the benefits of leveraging these. It will show how to develop and implement a security culture and people risk reduction strategy and awareness programme that provides measurable results. Based on the authorās unique work portfolio, in-depth interviews and research, this book combines proven security culture strategies with ground truth and practical implementation experience to help achieve:
• senior management buy-in;
• greater employee compliance with security procedures;
• reduced unintentional security or privacy breaches;
• increased reporting of security or privacy breaches and employee behaviours of concern;
• reduced ability of others to manipulate employees, making them less vulnerable to social engineering; and
• reduced vulnerability to insider threat.
It will also help:
• organisations be less vulnerable by deterring high-risk people from joining them;
• improve employee attitudes to security, so that they view it as an important business-as-usual function; and
• advise on metrics to measure the impact of security culture activities.
These are major and difficult security issues which can have severe and substantial impacts on an organisation. They are difficult to deal with as they extend beyond the security group in traditional terms, and delve into organisational values and norms, management practice and organisational communication.
There is little integrated and structured information on how to embed security in the culture of an organisation. This book draws all the best ideas together and provides an intervention toolkit to pick and choose from when designing a security culture programme.
This book also adds new information from actual organisations which have attempted to develop a security culture across sectors and in private and public settings. It is a vehicle to combine those ideas so that organisations can pick the gems for themselves, those parts that suit their particular context, environment and objectives. It is a method and ideas factory. What is good practice? What is bad? How do I get objective feedback on the bad, which I probably already know about but can't prove? How do I effect long-lasting change in security attitudes and culture? Which are the most effective measures to get more bang for my buck? Are some measures more effective than others? If so, what are they? Currently there is little research and consolidated information about these areas, so this book helps collate this new information in one place. It draws on work within a leading UK government authority on security and advice given to organisations both in the UK and internationally.
Technical security consultancies often attempt to tackle 'people' and 'culture' issues in organisations through awareness alone. This book seeks to move beyond 'security consulting' in the typical IT, physical and awareness sense, and builds upon constructs such as behaviour change and motivational theories. This is where it can add value as it is based on psychological and motivational theory and is written by an organisational psychologist who specialises in this area – and who also happens to be a risk management and security professional with practical experience. The blending of psychology with risk and security is where this book's unique positioning originates. Designed for daily use in an ever-changing world, Security Culture covers everything today's security, management and HR professional needs to know.
What Is the Need for This Book? The Rationale
All groups in an organisation need to be able to influence employee behaviour, none more so than senior managers and security personnel. The cost of not doing so is considerable, in the form of security breaches, privacy leaks and damaged reputation. Indeed, there are countless examples of such devastating security or privacy breaches: confidential information found on the street because it was carelessly thrown in a bin; files containing sensitive documents left in a public place; or personal information emailed to the wrong person. The consequences of these scenarios can be severe, and while policies may exist prohibiting these actions by employees, there are no technical or process controls to prevent them occurring (other than physically checking every sheet of paper or message that leaves a building).
Organisations need to do things differently from in the past, and this will involve utilising different skills and methods. It used to be enough to get line managers to deliver security messages to their direct reports and check that these requests were followed. Now, the security team needs to inspire and influence the business towards developing a security mindset. The aim is to have security done as a matter of course; for staff to want to provide feedback about how to continually improve security. This requires managers at all levels to be motivators and communicators and for staff to self-manage and also manage each other's behaviour in relation to security. Managers and employees also need to think of themselves as part of the security team, by proactively identifying potential issues and reporting behaviours of concern, not to mention breaches within the organisation.
But how do we encourage employees to develop and maintain a security-conscious attitude? How do we get employees to behave in the right way? As security professionals, we tell people over and over what they should do in relation to security, but the messages still do not seem to get through. How do we get people to comply with policies and procedures? These are questions consistently asked by security managers and HR professionals as they grapple with the culture and people aspects of their organisations.
This book will help answer these questions. It will use case studies to illustrate good practice and provide resources and interventions which can be applied easily. These issues are timely because security is a growing issue: in part due to recent global terrorist activities that increase national threat levels and risks to organisational and personal safety; but also due to the increased attention organisations and governments are paying to privacy issues and cyber threats. As such, security is an ongoing and escalating issue that organisations are struggling with as they strive to reduce risks as much as possible, and still stay in business.
It is not enough that organisations have good physical and IT security procedures in place to maintain the integrity of the system. If the people in the organisation don't think about security as they go about their work – and don't consider how they can protect the organisation's information, people and assets – then technical controls will not be enough.
So why do organisations need help on this topic at this time? Security culture as a topic is in its infancy. A related field, safety culture, has research and information whose development dates back as far as the Chernobyl disaster in 1986 and the Piper Alpha oil-platform explosion in 1988. As a result, safety culture has become mainstream and has improved business operations. It is likely that security culture improvements will yield the same benefits, but security culture is nowhere near as closely monitored, managed and prioritised by organisation management and executive boards.
While the contents of this book are not a silver bullet to cure a weak security culture and improve people risk management, it is a toolkit of successful interventions to be applied within the unique context of each organisation. It provides a resource for managers to use for advice and ideas on establishing and maintaining optimal security behavioural norms within their organisations. Currently, organisations are attempting to develop these mechanisms in their own way – with unmeasured success.
What Organisational Problems Can This Book Help Solve? What Is It Designed to Accomplish?
This book will help clarify the problem of poor security culture and also assist in gaining buy-in to security as an enabling business function, motivating and influencing employees to follow security procedures and embedding security attitudes throughout the business. Security, and how to instil a security culture, needs to be treated as seriously as health and safety issues.
These 'culture' and 'people' aspects are common areas to be hesitant about. For example, a security manager might find it easy to see how advice about other security disciplines (physical and IT) fits within the usual job responsibilities and duties: security culture, however, is much harder because it is about people and their behaviour. Inevitably, human resources issues will surface, and HR will need to be involved – as will senior management and other employees such as line managers or even the executive board. For example, if it was recommended that an organisation include security in the appraisal process in order to embed behaviour, then this would have to be endorsed from the top, and accepted by HR and line managers trained in how to correctly rate employees on their security objectives.
This book will be a guide to anyone seeking to identify and understand security issues more in terms of behaviour, as well as giving them the confidence to modify existing security practices in organisations at a strategic level. Its aim is to help security professionals influence and motivate employees to want to change their security behaviours, and to change employee attitudes and views of security through motivational theories. It will help people influence employees to want to comply with policy and procedures, and also help them see why it is important to do so – whether for personal reasons because it affects them and their role – but also to see how it fits the goals of the organisation, whether profit, public reputation, quality or safety.
It will be useful to HR professionals, the security group's essential ally, for ensuring that organisational policies are correctly presented, documented, communicated and enforced. It should also lead to important conversations between HR and IT about matters such as the monitoring and review of staff internet usage and email accounts; mutual difficulties with audits; and IT's internal access to sensitive HR data.
Security Culture will also be helpful to line managers in their role of influencing the training, learning and development of their employees. It is the line managers who bring organisational policies to life and act as change agents, choosing to focus the attention of employees in varying ways.
Summary
Applying the techniques in this book will enable an organisation to introduce or enhance a security culture which will help make security messages stick; get people to comply with policies and procedures; reduce security complacency; get senior management on board; and change employee attitudes to security – to view it as an important business-as-usual function.
The book does this by providing strategies to implement security procedures; illustrating examples through case studies of poor and optimal security practices; existing as a source of inspiration and offering food for thought; and providing a best-practice model by which to manage security culture.
Chapter 2
What Is Security Culture and People Risk? Why Are They Important?
This chapter looks at what is meant by the terms 'security culture' and 'people risk' and their effect on organisations. It explains why an organisation's culture and people have an impact on its security. It describes how the nature of security has changed, the reality of where we are now and where we are predicted to go in the future. It also looks at why, although most security professionals agree that people are an organisation's weakest link, they continue to ignore this important area of security – or at best pay it lip service through half-hearted security awareness programmes. In particular, it describes some of the challenges security professionals face in dealing with security culture and people risk, and identifies the skills required to do so. It asks the reader to consider how secure their organisation really is by examining some key questions and areas of their business. It then discusses some characteristics of organisations with strong and weak security-oriented cultures, and with low and high people risk. Finally, the chapter outlines the importance and benefits of security culture and people risk, and why people have so much trouble influencing it or tend to avoid dealing with it.
Security Relies on People to Behave in the Right Way
Let us say that an organisation has in place a range of 'security' measures to safeguard whatever it needs to protect. The organisation might have secure premises or IT infrastructure; controlled access to systems or sites; and operational policies and procedures to govern the way things are done. But security still relies on people to behave in the right way.
An organisation's culture has implications for its security. Even with good technical tools and physical security processes, an organisation is still vulnerable if the general attitude towards security is poor. For example, if there is a general lack of adherence to basic security policies or good practice by employees, coupled with managers failing to notice or address poor security behaviours, then the chances of negative outcom...