Management Perspectives

Mitigating risks

by Perry Carpenter
Indian Management October 2022

Security culture is not something that can be built overnight. Having said that, sustained investments in security culture will bring better security RoI in the long run and help organisations build a human defence layer that every industry today desperately needs.

Experts predict that global businesses will spend a whopping $172 billion[1] on cyber security this year (up from $150 billion in 2021). Despite such steep investments in cyber security systems, cyber attacks continue to break new records[2]. This is because most attacks have more to do with faults in human behaviour[3] than with security technology itself.

Human behaviour can neither be predicted nor programmed or controlled by technological defences. That is why ‘security culture’ is becoming an increasingly important defence strategy. Security culture can be defined as “a combination of beliefs (an internal feeling regarding cyber security which usually stems from one’s own experiences and external influences), values (what employees consider important from a security perspective), attitudes (how employees perceive security and approach situations that result in a behaviour), behaviours (actions that employees can take when they encounter a potential cyber threat), and social pressures (the shared expectations and modelled behaviours that comprise a group’s unwritten rules) that are reflected in the daily actions of employees.”

Sculpting human behaviour is a complex process and even the most security-savvy organisations can find it challenging to sustain a robust security culture over the long term. Some of the roadblocks that organisations encounter while building a security culture include:

Mental biases:

Our minds are often clouded by distractions, emotions, and habits, which can result in impulsive judgements and risky behaviour. Actions that employees take on a daily basis are a result of habits, past experiences, peer influence, and preconceived notions. Such biases[4] impact security in many ways; they can create blind spots and result in miscommunication or misinterpretation of a well-thought-out security program.

Poorly-drafted or implemented security policies:

Information security policies and procedures are among the most fundamental tools that organisations use to influence cyber security culture. When policies and procedures are not drafted or implemented well, or are not communicated properly, they can be one of the least effective tools from a cultural standpoint. If employees are not adhering to policies, or are working around them, it is likely that the policies are not properly designed or are preventing employees from performing their jobs effectively. This is a natural response: if a worker confronts an obstacle, they will find ways to bypass it. So the directive to ‘change passwords every six weeks’ is all too easy to ignore and forget.

Failure to lead by example:

It is impossible for organisations to succeed in cultural change if leaders themselves do not walk the talk and promote the importance of positive security behaviour. Everyone knows that culture is infectious, and the actions that leaders take can have a big impact on people. If leaders blatantly ignore security protocols or avoid participating in cyber security training, they are setting a bad example for employees. Eventually, employee behaviour will get worse, not better.

Absence of a continual improvement model:

Technology is continuously evolving in sophistication, and hackers are evolving alongside it. The type of attacks an organisation experiences today most likely won’t be the same as what it experiences tomorrow. In the absence of a model for continuous improvement, sporadic or episodic training initiatives will not make a significant impact on culture. Consequently, the organisation and its employees will be left vulnerable and exposed to a range of threats that they have not been adequately prepared for.

Programs that work against human nature:

Security culture is not one-size-fits-all. Every organisation is unique from a security perspective, and every employee has a different level of security maturity. Additionally, human beings are inherently social creatures of habit. Security programs that do not account for this reality often tend to fail, because organisations expect too much from their employees or because the program works against basic human nature.

How can organisations avoid these cultural roadblocks?

The first step organisations should take is to invest their time and effort in identifying and understanding cultural challenges using a data-driven approach. Start by creating a baseline assessment of the attitudes, beliefs, biases, behaviours, and social norms that exist in the organisation, and create a strategy to track and improve those metrics over time. Ensure your information security policy is a ‘living document’ that is updated as employee requirements and the technology landscape change. Get leadership teams to recognise and practise security culture as a core pillar of the organisation’s foundation, not to label it as just another risk mitigation initiative. Training programs and phishing simulation exercises must always include real-world examples, must be exciting (even gamified) and engaging, and should test workers on the latest threats. An overarching cyber security committee drawn from diverse departments should ensure that security programs are updated regularly and work in favour of employees, not against them.

Keep in mind that security culture is not something that can be built overnight. Having said that, sustained investments in security culture will bring better security RoI in the long run and help organisations build a human defence layer that every industry today desperately needs.

Perry Carpenter is Chief Evangelist and Security Officer, KnowBe4. He is also the author of The Security Culture Playbook: An Executive Guide to Reducing Risk and Developing Your Human Defense Layer.
