Canadian Cyber Security Journal
Filed under: Featured, Trends

Study Reveals an Urgent Need to Quantify Cybersecurity Culture

Studies have shown that organizations with strong cybersecurity cultures experience increased visibility into potential threats, reduced cyber incidents and greater post-attack resilience among other benefits. However, cybersecurity culture has historically been seen as an abstract concept and difficult to quantify.

To help overcome this challenge, Infosec, a cybersecurity education company helping IT and security professionals, comes up with a survey to classify cybersecurity culture and systematically measure results, allowing organizations to turn this important security variable into a data-driven element in their cybersecurity strategy.

The survey defines a strong cybersecurity culture as an organization’s collective awareness, attitudes and behaviors toward security, is based on employees willingly embracing security best practices both professionally and personally.

“Few metrics offer better insight into the effectiveness of your security awareness training program than your cybersecurity culture,” Jack Koziol, Infosec CEO and founder says. However, he believes, it is also an extremely challenging metric to quantify and track over time.

The survey leverages the latest research into security culture assessment to help our clients show the impact of training beyond measurements like phishing click rates and training completion.

The survey leverages the latest research into security culture assessment to help our clients show the impact of training beyond measurements like phishing click rates and training completion.

The study also collects employee feedback and introduces a scalable way to analyze and measure employee attitudes and perceptions towards security practices, policies and training strategies across five cultural domains::

Confidence: how employees classify their own ability to put their cybersecurity knowledge to practical use

Responsibility: how employees perceive their role in organizational security

Engagement: how willingly employees participate in an organization’s security awareness and training program and apply available resources and support to improve security behaviors

Trust: How employees perceive the security posture and processes at their organization

Outcomes: How employees perceive the consequences of a security incident at their organization

“Traditional security awareness and training success metrics like phishing clicks are important, but the majority of our clients are driving behavior change beyond just the inbox. They are looking to shift the way employees think and feel about cybersecurity,” says Koziol.

“Interactive games can fundamentally change the way employees perceive security functions and learn how they personally contribute to keeping data secure. Cultural assessments are one way our clients can measure this perception shift over time,” he states.

According to a Forrester report authored by analysts Jinan Budge and Claire O’Malley, “Cultural change takes time and results are difficult to measure.”

One technique they recommend CISOs is “surveying the workforce to measure motivation, ability and triggers. This will allow you to quantify the strengths and weaknesses of an existing or potential SA&T [security awareness and training] program and gain insight into the current state of security culture

Engagement levels can vary greatly between departments and individual employees. The best way to measure engagement and satisfaction with security communications, training and awareness activities is to simply ask employees what they think. Additionally, many respondents do not see the direct connection between cybersecurity knowledge and skills learned at work and how they can be applied at home and in their day-to-day lives.

By teaching and reinforcing cybersecurity best practices as life skills, rather than work skills, IT and security teams can make training more relevant and engaging to every employee.

Enjoy this article? Don’t forget to share.