Security culture — one rule to rule them all

Culture is an interesting thing. We all live in it, we embrace it and we are totally dependent on it. It is also very easy to dismiss — it is only when we see other groups of people, and realize they are not doing things like we do, that we start grasping that there may be more to life than «How it's done here».

Funnily enough, as soon as we discover this new group, and realize their differences, we are very quick to form opinions about «them» and how «they» are doing something strange, or even wrong. «We» and «our» way are considered the only right and righteous path to success, glamour and, well, security.

Security culture is no different, being a sub-culture, and easily dismissed by some as not relevant or even as a wrong path. Personally, I find it most intriguing when people who are not from a humanistic / social scientific background (say they have an infosec background) come up to me and make the claim «security culture will never work».

Or, as happened this morning on Twitter, when Chris Hoff said:

I don’t subscribe to a “security culture”

Chris, how on earth can you not subscribe to a security culture? This felt like a kick in the belly, and my gut response was to write a long, angry post aimed to convince Chris that he needed to change his opinion. I mean, how can one not subscribe to security culture? It must be an ill-informed and badly judged decision for sure, right? Surely, Chris must be jumping to conclusions, me and Wolfgang being outstanding people and all?

STOP! Just Stop it!

Now I am the one jumping to conclusions — I read one tweet, and decide that a man I deeply respect and look up to (and occasionally disagree with), is wrong? Am I being tricked by my brain? Of course I am — this is the Dunning-Kruger effect playing me!

This is an interesting phenomenon with humans — we make claims we have no support for, and we do so with a conviction that what we claim is true, and the only truth there is. The Dunning-Kruger effect above is only one of the many studies psychology has undertaken to better understand our human biases.

Another of my favorite biases is the confirmation bias: as soon as we have made up our mind about a subject, our mind (and this happens automagically, mind you!) just stops looking for proof of us being wrong; instead it filters away any information that may have a negative impact on our decision, and leaves us only with information that confirms our idea.

These biases (and there are many more!) were probably not so bad from a hunter-gatherer society perspective.

In a scientific society where knowledge is being hunted and gathered, knowing when you are right or wrong — or when you just don't have enough facts about your topic — becomes critical. I like to believe I live in a scientific society, where real knowledge matters, and where each and every one of us is responsible (as well as accountable) for the knowledge we hunt, gather and spread around to others. By digging deeper into Twitter, I soon discover that Chris is at some conference, where someone is talking about infosec culture.

I have seen those bars, and I agree that this is not a culture I embrace. More important, it is not the security culture I preach. I'm starting to wonder: what prompted these tweets?

What is going on?

Psychology is what is going on. Our mind and our culture are playing tricks on us.

My background, training and thought processes are trained and formed to solve ICT challenges. Over quite a few years, I have had the fortune to work with people, and while doing so I learned (sometimes the hard way) that people are not like technology — people form their own ideas and make up their own minds. I came to realize that if I were to be successful in securing systems and organizations, I needed to really understand people. I set out to find the answer to questions like

  • what drives them
  • what forms their behaviors
  • what is culture
  • how do people change

and I went back to university to read up on social sciences. And like Chris, I try to be sharp and critical:

Very few infosec people I know of do this. Instead, they make claims about people, behaviors and culture, yet they may have very little understanding of real people, and how real people function — alone and in groups.

In this particular slide (which is what prompted Chris’ question above), security culture is being touted as 2FA and email encryption. I will agree that technology should be used to inform and form security culture, and as such these examples may be used as controls. However, this is not culture. Nor security culture. This is technology.

DISCLAIMER: I did not see the presentation, nor any other slides, so again I am drawing conclusions out of context! I am sure Stefan’s Andrew’s other slides did dig deeper into this.

Others also engaged in the topic:

Do we need rules?

Rules — everybody hates them! Especially when it comes to security, right?

The subfield of social psychology has spent the better part of seven decades trying to understand how individuals function in a social setting. (In)famous experiments like the Stanford Prison Experiment, the Milgram Experiments and the experiments of Dr. Solomon Asch are just a few that show us how extremely powerful an influence other people have on us as individuals when we form opinions and change behaviors.

We are social creatures, who first and foremost adjust and adapt to our surroundings. We change as needed, to make sure we survive. To do that, we pick up the rules — written or unwritten — of the group we want to conform with. We pick up these rules automagically, on autopilot, most of the time not even realizing that we are, or how we are changing our own behaviors to meet the perceived requirements of said group. Together, these experiments help form an understanding of what culture is, and how it is being influenced. It quickly becomes evident that rules are important:

  • Culture applies rules of acceptable behavior — what is allowed and what is forbidden for members of this group. As societies evolve and grow, rules change. Some rules turn into formal rules (laws, policies, regulations), while most rules are informal (group habits, dress codes, language, greetings etc.).
  • Innovation informs rules — new innovations enable people to do new things, or to be more efficient (guns mean a better chance of hunting and more efficient war), while often also introducing new risks that need to be regulated (guns are used for murder of civilians, robbery etc.). I cannot think of any technological innovation that comes without a possible need for rules.
  • Ignorance is bliss — if you do not know the rules, they are easily broken. Sometimes that means you get away with it, other times you don't. The perceived severity of your crime dictates the group's response.

This is not an argument to substitute rules for culture. Culture is more than just rules; however, understanding the role of rules in culture will help us align our culture-building efforts to be more efficient.

Culture is not an option — it is always mandatory.

The interesting thing is how the mandatory part of most culture is hidden from us: most of the time, culture does not feel mandatory. Only when you try to move outside of the group's rules do they become evident to you. Culture is the building block of human societies.

Humans cannot survive alone, which in turn means we form groups and societies. For groups and societies to function, they need rules to regulate what is (and is not) acceptable behavior. For you, as a person, this boils down to accepting the rules and being a member of a group, or dismissing the rules at your own peril.

Security culture is, just like safety culture and organizational culture, a sub-culture of (duh) culture. It is the part of culture that promises you a safe and secure place in your group — your group will help secure and protect you, as long as you do the same for the group by accepting the rules.

Do you get it yet?

The real challenge Hoff and others are pointing to is the same thing I try to fix with the Security Culture Framework. And surely, digging a bit deeper into the tweets, Chris gets it:

Culture is truly impactful. As such, it should be treated with care and understanding. Just because you are into infosec does not automatically make you an expert on building and maintaining security culture. As I have said in my books, talks, trainings and the Security Culture Framework — you need help to understand culture. You should not do it alone, instead you should bring on those who know.

Culture is not new; it has been with humans since the start. Let us apply the techniques, methods and structures shown to work over millennia.

To build and maintain security culture, we can learn from social sciences, and from other areas where culture has been successfully managed, like safety culture and to some extent organizational culture. Security culture is, however, not a silver bullet. It is one of the controls to apply — just like that firewall, IAM or crypto. Leave it out at your own peril!


Security culture — one rule to rule them all was originally published in Kai Roer’s Security Culture Ramblings on Medium, where people are continuing the conversation by highlighting and responding to this story.

This is a Security Bloggers Network syndicated blog post authored by Kai Roer. Read the original post at: Kai Roer’s Security Culture Ramblings - Medium