Security culture matters to executives, but they are struggling to implement it. In a November 2019 study commissioned by KnowBe4, 94% of individuals with managerial duties or higher in security or risk management said that security culture was important for their organization’s success. Even so, Security Magazine reported that 92% of respondents were still experiencing security incidents and still working to integrate their security strategies with their business strategies, despite having embedded security culture in their organizations.
These findings raise several questions. Is it possible for organizations to evaluate the effectiveness of their security cultures? If so, are there larger trends that could help organizations in different industries strengthen their security cultures?
The Multiple Dimensions of a Security Culture
KnowBe4 arrived at an answer in its report, “Measure to Improve – Security Culture Report 2020.” In this study, the security awareness training provider collected data from 120,050 employees working at 1,107 organizations spread across 24 countries and 17 industry sectors. Its goal was to develop an objective, scientific method to evaluate and compare the relative components of an organization’s security culture.
For this task, KnowBe4 broke down its analysis into seven different components:
- Attitudes: How employees feel towards the organization’s security protocols and issues.
- Behaviors: Employees’ activities and actions that affect an organization’s security.
- Cognition: The knowledge that employees have of security issues and activities.
- Communication: The types of channels that the workforce can use to discuss and share support for security-related issues.
- Compliance: The awareness that employees have of their organization’s security policies and how they follow them.
- Norms: The extent to which employees know and adhere to the organization’s unwritten codes of security conduct.
- Responsibilities: How employees view their role in either supporting or …
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by David Bisson. Read the original post at: https://www.tripwire.com/state-of-security/featured/report-organizations-security-culture/