The Security Culture Playbook – An Executive Guide To Reducing Risk and Developing Your Human Defense Layer

P Carpenter, Kai Roer

$41.95

Hardback

English
John Wiley & Sons Inc
06 May 2022
Mitigate human risk and bake security into your organization’s culture from top to bottom with insights from leading experts in security awareness, behavior, and culture. The topic of security culture is mysterious and confusing to most leaders. But it doesn’t have to be. In The Security Culture Playbook, Perry Carpenter and Kai Roer, two veteran cybersecurity strategists, deliver experience-driven, actionable insights into how to transform your organization’s security culture and reduce human risk at every level. This book exposes the gaps between how organizations have traditionally approached human risk, and it provides security and business executives with the information and tools needed to understand, measure, and improve facets of security culture across the organization. The book offers:

- An exposé of what security culture really is and how it can be measured
- A careful exploration of the 7 dimensions that comprise security culture
- Practical tools for managing your security culture program, such as the Security Culture Framework and the Security Culture Maturity Model
- Insights into building support within the executive team and Board of Directors for your culture management program

Also including several revealing interviews from security culture thought leaders in a variety of industries, The Security Culture Playbook is an essential resource for cybersecurity professionals, risk and compliance managers, executives, board members, and other business leaders seeking to proactively manage and reduce risk.

Imprint:   John Wiley & Sons Inc
Country of Publication:   United States
Dimensions:   Height: 238mm,  Width: 156mm,  Spine: 21mm
Weight:   518g
ISBN:   9781119875239
ISBN 10:   1119875234
Pages:   256
Audience:   Professional and scholarly ,  Undergraduate
Format:   Hardback
Publisher's Status:   Active
About the Authors
Acknowledgments
Introduction

Part I: Foundation
  Chapter 1: You Are Here
    Why All the Buzz?
    What Is Security Culture, Anyway?
    A Problem of Definition
    A Problem of Overconfidence
    Takeaways
  Chapter 2: Up-leveling the Conversation: Security Culture Is a Board-level Concern
    A View from the Top
    Telling the Human Side of the Story
    What’s the Cost of Not Getting This Right?
    Cybercriminals Are Doubling Down on Their Attacks Against Your Employees
    Your People and Security Culture Are at the Center of Everything
    The Implication
    Getting It Right
    Takeaways
  Chapter 3: The Foundations of Transformation
    The Core Thesis
    The Knowledge-Intention-Behavior Gap
    Three Realities of Security Awareness
    Program Focus
    Extending the Discussion
    Introducing the Security Culture Maturity Model
    The Security Culture Maturity Model in Brief
    The S-Curves
    The Value of the Security Culture Maturity Model
    You Are Always Either Building Strength or Allowing Atrophy
    Takeaways

Part II: Exploration
  Chapter 4: Just What Is Security Culture, Anyway?
    Lessons from Safety Culture
    A Jumble of Terms
    Information Security Culture
    IT Security Culture
    Cybersecurity Culture
    Security Culture in the Modern Day
    Technology Focus
    Compliance Focus
    Human-Reality Focus
    Takeaways
  Chapter 5: Critical Concepts from the Social Sciences
    What’s the Real Goal—Awareness, Behavior, or Culture?
    Coming to Terms with Our Irrational Nature
    We Are Lazy
    Why Don’t We Just Give Up?
    Security Culture—A Part of Organizational Culture
    Takeaways
  Chapter 6: The Components of Security Culture
    A Problem of Definition
    The Academic Perspective
    The Practitioner Perspective
    Defining Security Culture
    Security Culture as Dimensions
    The Seven Dimensions of Security Culture
    Attitudes
    Behaviors
    Cognition
    Communication
    Compliance
    Norms
    Responsibilities
    The Security Culture Survey
    Example Findings from Measuring the Seven Dimensions
    Normalized Use of Unauthorized Services
    Confidentiality and Insider Threats
    Last Thought
    Takeaways
  Chapter 7: Interviews with Organizational Culture Experts and Academics
    John R. Childress, PYXIS Culture Technologies Limited
      Why Is Culture Important?
      Why Do You Find Culture Interesting?
      Is There a Specific Definition of Culture That You Find Useful?
      What Actions Can Be Taken to Direct Cultural Change?
      Is There a Success or Horror Story You’d Like to Share Related to Culture Change?
      How Does a Culture Evolve (or How Often?)
    Professor John McAlaney, Bournemouth University, UK
      Why Is Culture Important?
      Why Do You Find Culture Interesting?
      Is There a Specific Definition of Culture That You Find Useful?
      What Actions Can Be Taken to Direct Cultural Change?
      Is There a Success or Horror Story You’d Like to Share Related to Culture Change?
      How Does a Culture Evolve (or How Often?)
    Dejun “Tony” Kong, PhD, Muma College of Business, University of South Florida
      Why Is Culture Important?
      Why Do You Find Culture Interesting?
      Is There a Specific Definition of Culture That You Find Useful?
      How Do You Use Metrics to Improve Culture / Measure the Effectiveness of Cultural Change?
    Michael Leckie, Silverback Partners, LLC
      Why Is Culture Important?
      Why Do You Find Culture Interesting?
      Is There a Specific Definition of Culture That You Find Useful?
      How Do You Use Metrics to Improve Culture / Measure the Effectiveness of Cultural Change?
      What Actions Can Be Taken to Direct Cultural Change?
      Is There a Success or Horror Story You’d Like to Share Related to Culture Change?
      How Does a Culture Evolve (or How Often?)

Part III: Transformation
  Chapter 8: Introducing the Security Culture Framework
    The Power of Three
    Step 1: Measure
    Know Where You are
    Decide Where You Want to Be
    Find Your Gap
    Step 2: Involve
    Building Support
    Different Audiences
    Step 3: Engage
    Rinse and Repeat
    Benefits of Using the Security Culture Framework
    Takeaways
  Chapter 9: The Secrets to Measuring Security Culture
    Connecting Awareness, Behavior, and Culture
    How Can You Measure the Unseen?
    Using Existing Data
    The Right Way to Use Data
    Methods of Measuring Culture
    Observation
    Experimentation
    Interrogation (Surveys and Interviews)
    A/B Testing
    Multiple Metrics, Single Score
    Trends
    A Note Regarding Completion Rates
    Takeaways
  Chapter 10: How to Influence Culture
    Resistance to Change
    Be Proactive
    The Complexity of Culture
    Using the Seven Dimensions to Influence Your Security Culture
    Attitudes
    Behaviors
    Cognition
    Communication
    Compliance
    Norms
    Responsibilities
    How Do You Know Which Dimension to Target?
    Takeaways
  Chapter 11: Culture Sticking Points
    Does Culture Change Have to Be Difficult?
    Using Norms Is a Double-Edged Sword
    Failing to Plan Is Planning to Fail
    If You Try to Work Against Human Nature, You Will Fail
    Not Seeing the Culture You Are Embedded In
    Takeaways
  Chapter 12: Planning and Maturing Your Program
    Taking Stock of What We’ve Covered
    View Your Culture Through Your Employees’ Eyes
    Culture Carriers
    Building and Modeling Maturity
    Exploring the Data
    Culture Maturity Indicators
    Level 1: Basic Compliance
    Level 2: Security Awareness Foundation
    Level 3: Programmatic Security Awareness & Behavior
    Level 4: Security Behavior Management
    Level 5: Sustainable Security Culture
    There Are Stories in the Data
    A Seat at the Table
    Takeaways
  Chapter 13: Quick Tips for Gaining and Maintaining Support
    You Are a Guide
    Sell by Using Stories
    Lead with Empathy, Know Your Audience
    Set Expectations
    Takeaways
  Chapter 14: Interviews with Security Culture Thought Leaders
    Alexandra Panaretos, Ernst & Young
      Why Is Culture Important?
      Why Do You Find Culture Interesting?
      Is There a Success or Horror Story You’d Like to Share Related to Culture Change?
    Dr. Jessica Barker, Cygenta
      Why Is Security Culture Important?
      Why Do You Find Culture Interesting?
      What Actions Can Be Taken to Direct Cultural Change?
      What Is Your Most Interesting Experience with Culture?
    Kathryn Tyrpak, Jaguar Land Rover
      Why Is Culture Important?
      Why Do You Find Culture Interesting?
      Is There a Specific Definition of Culture That You Find Useful?
      How Do You Use Metrics to Improve Culture / Measure the Effectiveness of Cultural Change?
      What Actions Can Be Taken to Direct Cultural Change?
    Lauren Zink, Boeing
      Why Is Culture Important?
      Why Do You Find Culture Interesting?
      Is There a Specific Definition of Culture That You Find Useful?
      How Do You Use Metrics to Improve Culture / Measure the Effectiveness of Cultural Change?
    Mark Majewski, Rock Central
      Why Is Culture Important?
      Why Do You Find Culture Interesting?
      Is There a Specific Definition of Culture That You Find Useful?
      How Do You Use Metrics to Improve Culture / Measure the Effectiveness of Cultural Change?
      What Actions Can Be Taken to Direct Cultural Change?
      Is There a Success or Horror Story You’d Like to Share Related to Culture Change?
      How Does a Culture Evolve (or How Often?)
    Mo Amin, moamin.com
      Why Is Culture Important?
      Why Do You Find Culture Interesting?
      Is There a Specific Definition of Culture That You Find Useful?
      How Do You Use Metrics to Improve Culture / Measure the Effectiveness of Cultural Change?
      What Actions Can Be Taken to Direct Cultural Change?
      Is There a Success or Horror Story You’d Like to Share Related to Culture Change?
      How Does a Culture Evolve (or How Often)?
  Chapter 15: Parting Thoughts
    Engage the Community
    Be a Lifelong Learner
    Be a Realistic Optimist
    Conclusion

Bibliography
Index

PERRY CARPENTER, C|CISO, MSIA, is an author, podcaster, thought leader, and cybersecurity expert specializing in security awareness and the human factors of security. His research focuses on marketing, communication, behavior science, organizational culture management, sociology, and more. KAI ROER is the author of several books on security and leadership, a keynote speaker, and a thought leader in the security culture field. In addition to his research, he is an entrepreneur and the inventor of technology and frameworks that transformed the information security industry.
