Measuring Security Culture — it works!

Measure Security Culture — it works!

Finally a method to measure your security culture!

For years, the (information|cyber) security industry has been pouring money into security awareness programmes. According to Gartner, some 2.6b USD was invested in computer based security culture programmes in 2015 alone. That is, the 2.6b USD only includes the money spent on computer based training programmes — imagine the amount if we add posters, live classes, one-on-ones and all those stickers printed and distributed!

One important question has been posed regarding this spending on security awareness programmes: is it working?

Some are firm believers in the need for training and developing the employees, while others are making claims that the investment in security awareness programmes are a waste of time and money — money that would be better spent on other security controls.

The problem is that no-one knew the answer. The claims (and investments) where based on gut-feelings, personal opinions and discourses. No facts were available to analyse. No method of measuring security culture existed. And most people where either too busy doing their job, or pursuing the latest security product fad (er trend).

This went on for decades. Yes, decades. We are now 2016, and we have been training employees since the 1990’s if we look at ICT (cyber….), and centuries when we consider the scope to be information security (encryption is not something that came about with the Internet…).

No-one knows the answer!

Thus, the answer has eluded the industry (and everyone else) for decades. There has been no way to measure the effectiveness of such programmes, no way to measure it’s usefulness. There has been no scientific method, no models or analytics to support the claims — no matter which school of thought you belong to.

Until now, that is.

We know the answer

My team and I have been hard at work to solve this puzzle, and I am very happy to announce that we know. Yes, we know the answer!

After collecting data from more than 10 000 employees in the bank and finance sector in the Nordics, we have some very fascinating results to show. The most pressing question, is of course this:

Can we measure security culture?

The short answer is a resounding yes! We have created a scientifically sound method to measure and analyse security culture in organisations. We have used this to create a model where we can compare security cultures across industry sectors, across borders, across age and gender, and we are only starting to see the results of this work.

A few of our initial findings includes:

  • Sweden has a lower security culture score than Norway, industry by industry
  • Banks have higher security cultures than Real Estate Agencies (as would be expected)
  • There is little difference in security cultures across genders
  • Age matters — higher age correlates with better security culture, also when considering cyber security

These are some of the initial findings we have in the current sample. We are working closely to analyse and further digest the data. And as you may know, you can add your own employees too: is our tool to measure security culture.

Is it worth to invest in security awareness programmes?

Our findings seems quite clear when it considers the value of investing in training employees in secure behaviours. In other words, we have data that can serve to silence the debate of whether or not to invest in security culture programmes — our data is conclusive:

Organisations with active security culture programmes, that has run over time (several years), shows a higher security culture score than organisations in the same industry with no / smaller programmes.

These findings can serve to help moving the debate to where it should be: instead of doubting the value of investing in security culture programmes, let us discuss how to make the most of our investment into such activities.

Disclaimer: CLTRe (pron. culture) is a provider of services measuring security culture. We do not provide security culture/awareness training programmes. And if you did not know, I am the creator of the Security Culture Framework, and author of the book Build a Security Culture. So, yes, I am biased!

Do you want to know more about the security culture in your organisation? I will be happy to show you!

Measuring Security Culture — it works! was originally published in Kai Roer’s Security Culture Ramblings on Medium, where people are continuing the conversation by highlighting and responding to this story.

*** This is a Security Bloggers Network syndicated blog from Kai Roer’s Security Culture Ramblings - Medium authored by Kai Roer. Read the original post at: