Upload: donguyet

Post on 15-Mar-2018


Build a Security Culture

KAI ROER

Every possible effort has been made to ensure that the information contained in this book is accurate at the time of going to press, and the publisher and the author cannot accept responsibility for any errors or omissions, however caused. Any opinions expressed in this book are those of the author, not the publisher. Websites identified are for reference only, not endorsement, and any website visits are at the reader's own risk. No responsibility for loss or damage occasioned to any person acting, or refraining from action, as a result of the material in this publication can be accepted by the publisher or the author.

Apart from any fair dealing for the purposes of research or private study, or criticism or review, as permitted under the Copyright, Designs and Patents Act 1988, this publication may only be reproduced, stored or transmitted, in any form, or by any means, with the prior permission in writing of the publisher or, in the case of reprographic reproduction, in accordance with the terms of licences issued by the Copyright Licensing Agency. Enquiries concerning reproduction outside those terms should be sent to the publisher at the following address:

IT Governance Publishing

IT Governance Limited

Unit 3, Clive Court

Bartholomew's Walk

Cambridgeshire Business Park

Ely, Cambridgeshire

CB7 4EA

United Kingdom

www.itgovernance.co.uk

© Kai Roer 2015

The authors have asserted the rights of the author under the Copyright, Designs and Patents Act, 1988, to be identified as the author of this work.

First published in the United Kingdom in 2015

by IT Governance Publishing

ISBN 978-1-84928-719-7

ACKNOWLEDGEMENTS

This book is the direct result of my engagement and development of the Security Culture Framework. All the people who have been involved in the development and use of the framework are my inspiration to write this book.

The Security Culture Framework is something that evolved in my mind after many years of watching security awareness training programmes being run seemingly without control, metrics and proper planning. Discussing the topic with Lars Haug, we quickly came up with the concept of a holistic framework to help build and maintain security culture. The framework gained interest in both the USA and Europe, within both the public and private sectors. Financial institutions, universities and many others use the framework today.

Roar Thon, at the Norwegian National Security Agency, is one of the very few experts on security culture. His input, questions and support are always helpful, and his generosity is out of this world. Mo Amin, a London-based security consultant, dedicated many hours of his precious time to review the manuscript and concept for the book. Amin is also a key resource in the Security Culture Framework community, and an inspiration to follow. My thanks also to Wolfgang Goerlich for his helpful comments and feedback during the review process.

A special note to Michael Santarcangelo, who provided deep insights through his questions and ideas. I thank you, sir!

Numerous discussions about security awareness and culture with fine folks such as Javvad Malik, Thom Langford, Quentyn Taylor, Trond Sundby, Rune Ask, Troy Hunt, Joshua Corman, Per Thorsheim and Brian Honan helped me gain an understanding of what security culture is, and how to best bring it about. We may not always agree, but we certainly do learn!

This book would never have been were it not for Joe Pettit at Information Security Buzz. His introductions and continued support have been vital. Vicki Utting at IT Governance has been a great asset when I tore my hair out over writing this book.

To the information security community worldwide: thank you for keeping me on the edge, for challenging my assumptions and for keeping me safe!

Most importantly, thank you to my dear wife, Karolina, and Leo, my son. You are the light.

ABOUT THE AUTHOR

Kai Roer is a management and security consultant and trainer with extensive international experience from more than 30 countries around the world. He is a guest lecturer at several universities, and the founder of The Roer Group, a European management consulting group focusing on security culture.

Kai has authored a number of books on leadership and cybersecurity, has been published extensively in print and online, and has appeared on radio and television and been featured in printed media. He is a columnist at Help Net Security and has been the Cloud Security Alliance Norway Chapter President since 2012.

Kai is a passionate public speaker who engages his audience with his entertaining style and deep topic knowledge of human behaviours, psychology and cybersecurity. He is a Fellow of the National Cybersecurity Institute and runs a blog on information security and culture (roer.com). Kai is the host of Security Culture TV, a monthly video and podcast.

FOREWORD

"May you live in interesting times" is an old saying and one that is certainly applicable to cybersecurity today. As the unfolding events of the past few years have shown us, we are indeed living in interesting cyber times. The evolving cyber breaches of every sector, be it retail, government, education, financial or others, have been the main focus of the technology conversation this entire year. Big box retailers have been hacked, sensitive data at banks breached, and nation states stand ready to wage cyber warfare.

We have developed computers and the Internet and attached many of the most important aspects of our lives to it. Now we find those connections are at risk due to the activities of 'bad actors' bent on malicious activity. We try to defend our digital systems with properly configured soft and hardware, but in the end it is often a 'people' problem that permits a large portion of the breaches we read about. People are just not following appropriate procedures, thereby allowing improper access to systems. As many are aware, the best way to reduce human errors we encounter is through effective education and training. Sadly such education and training around the globe is spotty at best and often wholly inadequate.

With this book, Kai Roer has taken his many years of cyber experience and provided those with a vested interest in cybersecurity a firm basis on which to build an effective cybersecurity training programme. This requires change, and understanding how the culture of an organisation needs to change to be effective is vital for cyber success. Each chapter is filled with valuable insights, examples and intuitive thoughts based on his experiences that can easily be transferred to the workplace. As system administrators scramble to harden their respective defences, this work couldn't have come at a better time. Anyone obtaining this book will find it a valuable and informative read.

Dr. Jane LeClair

Chief Operating Officer

National Cybersecurity Institute, Washington, D.C.

CONTENTS

Introduction

Culture: Does it have to be so hard?

Chapter 1: What Is Security Culture?

Chapter 2: The Elements of Security Culture

Chapter 3: How Does Security Culture Relate to Security Awareness?

Attention

Retention

Reproduction

Motivation

Chapter 4: Asking for Help Raises Your Chances of Success

Chapter 5: The Psychology of Groups, And How to Use It to Your Benefit

Chapter 6: Measuring Culture

Chapter 7: Building Security Culture

Metrics

Using SMART goals

The Organisation part

Topics

Planner

Setting up your organisation to use the Security Culture Framework

Chapter 8: Time Is on Your Side

ITG Resources

INTRODUCTION

Culture: Does it have to be so hard?

In this book, I look at organisational culture with information security glasses. In my years of working in the information security industry, I have come across a number of challenges: technical, compliance, and increasingly awareness and security behaviour. Through my travels and company activities, I have learned that a lot of security behaviour challenges are universal: preparing information security information in such a way that it resonates and makes sense for non-security people is a challenge no matter which country or organisation you work in.

I have also learned that some organisations are better at creating the security behaviour they want. Looking at what they do differently, I found that they approach the work with security awareness as a process. They also respect that security competence is exactly that – a competence that must be learned, not just something you tell.

From more than two decades of professional training and consulting in more than 30 different countries, I have also come to learn that if we want people to learn, we need to facilitate learning together with them. Lecturing alone is not creating results. Reading alone makes for very little change. The saying of the Association for Talent Development (ATD¹) that "Telling ain't Training" is very true. It took me some time to realise that I too had to learn how to train people properly, a realisation that took me on a rollercoaster of learning, exploration and self-development, leading me to develop my training and communication skills across both language barriers and cultural barriers.

The most important thing I learned in these years was to be humble. Humble about my own perspectives – I may think I am right, and I may have all the experience to tell me I am right, but implant me in Tunisia or Japan and most of my perspectives and experience in treating and communicating with people no longer hold. I learned this the hard way, leading me to realise that there are more ways of doing things than I first accounted for, and that others may achieve great success by choosing a different path than the one I chose.

The same is true with organisational culture. There are many ways of building, changing and maintaining organisational culture. It is one of those areas where scientists and practitioners still argue about the right approach². My experience is that the right approach depends on each case. Every organisation is unique and comes with its own culture and subcultures. Some are great, some really poor. All of them impact the behaviour, ideas and thoughts of the employees. The question becomes: how do we take control of that culture?

As luck has it, there are processes and methods to apply when you want to build and manage culture. Instead of trying to come up with everything yourself, you can learn from frameworks like the Security Culture Framework³. Using a framework gives you a clear path with checkpoints and actions that ensure your efforts are moving in the right direction. This is not to say that changing culture is easy, nor fast: it may require many small steps iterated over time. Using a structured approach helps you to do the right things at the right time, making success more likely.

The book consists of eight chapters, each looking at a different aspect of security culture. Chapter one introduces the concept of security culture, provides a definition and sets the stage. In chapter two, I look at the three building bricks of culture: technology, policy and people. I also bind the three together and show how they impact one another.

In chapter three, I look at how security culture relates to security awareness, and I will show how awareness is only one of the elements that is required to change behaviour and culture. Next, in chapter four, I explain why we as security professionals are not the people who should build culture – at least not alone – and who you should involve in your organisation. In chapter five, I point to social psychology and research on how we interact with other people. You will also learn how you can use the knowledge of how groups impact our lives to increase your chances of improving security culture.

In chapter six, I make the case for why we need to measure our security culture efforts, and point to some ways to do just that. Finally, in chapter 7, I introduce the Security Culture Framework, and walk you through how it is built. This chapter also includes some templates you can use in your own security culture programmes.

Depending on your perspective, I may provide new insights and ideas on how to build security culture. I hope I can inspire you to take a structured approach to building and maintaining good security culture. Even if you do choose a structured approach, you will experience that it takes time to get the results you want. Small steps, iterated over time, is the key. Knowing where you are, and where you want to be, is vital, and one of the key elements in a structured approach.

¹ Formerly the American Society for Training and Development (ASTD).

² A quick search through academic papers via Google will amply demonstrate the variety of approaches within academia alone, while a similar review of the titles available on Amazon reveals a similar breadth among practitioners. For a comprehensive review of the topic (and many other topics!), read Bernard Bass' The Bass Handbook of Leadership: Theory, Research, and Managerial Applications.

³ The Security Culture Framework describes a structured approach to developing an effective and consistent security culture within an organisation. Read more about it here: https://scf.roer.com.

CHAPTER 1: WHAT IS SECURITY CULTURE?

An introduction to the topic, with an introduction to the definition of culture (based on sociology) and how it relates to security.

Humans are animals who live in groups; we flock. In any group of animals there exists a hierarchy, levels that every animal in the group follows. Each of these levels comes with rules to abide by, including understanding who is above you, who is below you and what your particular level allows you to do.

Consider a wolf pack⁴. They show the hierarchy very clearly, with the Alpha couple on the top, giving them the right to rule as they please. Below them are sergeants, animals in the pack with more power than most and which police the group if necessary. Below the sergeants are normal members, workers if you like, and below these again are one or a few of lesser rights – the one or two wolves that are constantly being picked on. Every animal in the pack has the right to food, shelter, safety and protection – as long as they abide by the rules and accept their level. A wolf on the lower levels will quickly and effectively be controlled by the other wolves if he or she dares to step out of line.

Even the poorest wolf in the pack is entitled to the pack's protection against external threat. They are also entitled to love and care, even if they are expected to give more than they receive.

The wolves in the pack accept the hierarchy, rules and domestic violence because they receive protection from external threat, they get to eat and they may even enjoy the sense of belonging. It makes sense for the wolves to stick together, even if the price an individual wolf pays is a certain loss of personal freedom.

We see similar tendencies and mechanisms play out in human society. The first rule of living in a society is to accept the rules. To do that, we also need to understand the rules, how they are constituted and how they are playing out.

Consider the wolf pack again. Let us imagine a new wolf is in the pack (it could be a puppy becoming an adult, or adoption, or anything else). This new wolf is entering the pack at the second-to-lowest level, so he is accepted as a worker, someone with little status. However, this particular wolf cannot understand the rules at play, and imagines himself as the leader of the pack. At first, the other wolves just mock him a bit, to remind him of his place. Then, when he clearly does not get the message, they become more violent, with the Alphas and their sergeants leading the punishment. The violence continues until the wolf rolls over on his back and surrenders. He gets the message, he understands that there is someone else above him in the chain of command, and that if he wants to survive and be a part of the pack, he must accept his role, his place.

Just like the wolf, we need a basic understanding of authority if we want to succeed in life.

Thankfully, luck is with us. According to some scientists, the human brain is hardwired to understand the power structure of the people in a room⁵, and to automatically identify with our own level. This particular science is based on babies, too young to communicate verbally, who still recognise the power levels and authorities in a room.

Why does this matter to us? This kind of research suggests that the need for policies, rules and laws is part of the basic functioning of the human mind. It suggests that although the way we currently organise our societies can be considered social constructs, we humans (social animals) come pre-programmed with the ability to form, abide by and live in groups based on different levels and authorities.

It basically tells us that our ability to live together in small and large groups is a biologically developed ability. We are meant to form groups and find ways of living together.

This is an important backdrop to understanding what culture is. According to the Oxford English Dictionary, culture is:

"The ideas, customs and social behaviours of a particular people or group."⁶

Part of the behaviours we see in culture can be traced back to basic human biology, as I showed earlier. It is good to know that culture is such a base need in us, as it shows the importance of living, working and functioning together.

Most of culture may not be so basic, and it is certainly not traced to biology alone. Most culture is learned⁷. One of my favourite examples is how people walk. "How can the way people walk be culture?" you may ask.

That is a fair question, considering that we all walk the same way. We all put one foot in front of the other. So far, I agree.

What is different is how we put one foot in front of the other.

In the western world, where I grew up and lived most of my life, we wear shoes. Mostly comfortable shoes, enabling us to thump our heels onto the ground without being hurt (at least not right away). We also wear high heels, which is not exactly a natural way of walking, even if walking on your toe-balls and mid-foot is considered the natural way of walking.

Unconvinced? Come with me to Africa, then. Here, many people walk barefoot, which means they walk differently from you. Go to Kenya, where some tribes run because they consider walking a waste of their time. Am I getting there? Not yet? Well, my last example is from Asia.

In Japan, traditional shoes are made of a plank, with two wooden pieces underneath. Walking with these shoes dictates a particular walking style – instead of lifting your feet, you slide them along the ground, sort of.

Still not following me? Wear high heels one day, and I promise you will get the idea. How we walk is learned behaviour. A behaviour dictated by the culture we live in. Your ability to recognise what I mean by my claim about walking is cultural: it is a learned behaviour. It depends mostly on your exposure to different cultures, different people and different places.

The definition of culture is the same: ideas, customs and social behaviour of a particular people or group.

As we have seen in the preceding example, ideas, customs and social behaviour are collections of many things – from how we walk, to how we speak, to how we think and interact. Instead of thinking about culture across borders, let us look closer to where we work. Consider your workplace. Culture is not one thing only; it is the accumulation of many groups of people: the sales department, the accounting department, the IT department, the developers, the builders, testers and so on. Each of these departments has its own more or less distinct culture – ideas, customs and social behaviours that belong to that particular department. Together, these subcultures form the company culture. And some of these departments are also subdivided into other subcultures: smokers, the high achievers, the slackers, the coffee drinkers, the problem solvers and so on (I am sure you can think of others more fitting to your organisation).

You, as an individual, are a member of many different groups, and more or less abide by each group's cultural rules. In your workplace, you may be working as a mid-level manager, drinking coffee, placed in the IT division and be a high achiever. Each of these groups comes with a cultural attachment.

Outside your workspace, you also belong to different groups, each with different characteristics: your family, your extended family, perhaps you are a parent, you may be playing sports (each team/group you belong to has different subcultures), you are a community member and so on.

Each of the groups you belong to follows the same basic principles. They consist of People: the members; Policies: the rules this particular group follows, sometimes written and always the unwritten ones; and Technology: the tools, methods and models used by this group. You can read more about these three elements, and how they come together to form and change culture, in Chapter Two.

Now that we have a quick introduction to culture, let us examine it from a security perspective.

According to the Oxford dictionary, security can be defined as:

"The state of being free from danger or threat."

Using this definition helps us understand what we as security professionals do: our job is to create an environment where our colleagues can work in a state of being free from danger and threat; they can do what they are supposed to, knowing that they will be taken good care of, that external threats and dangers are being kept outside.

In the image of the wolf pack, this becomes very clear: as a member of the pack, each of the wolves is entitled to food, to protection from external threat and to know their place. They get security by living in the pack. The same strategy is used by a number of different creatures, and has proved very successful.

One way of being free from danger is to know the social structure, and your own place in it. Understanding where you are in the organisation, and what is expected of you, is crucial to properly functioning in a group. This is one of the reasons it is important to communicate clearly, and to express the security behaviour you want in your organisation in a way that employees can relate to.

Since culture and social behaviour are so engraved in us by nature, it makes perfect sense to understand how to use nature's own strategies to enhance security in our organisations. Enter Security Culture.

Think of security culture as one subculture of your organisation's culture. The security culture is the part of your organisation's culture that focuses on security, to help people into the state of being free from threat or danger, and you can apply the same techniques used by organisational theorists, transformational theory, sociology and psychology to understand and enhance your organisation's security culture.

Using the two preceding definitions, we can define security culture as

"The ideas, customs and social behaviours of a particular people or group that helps them be free from threat and danger."

Security culture is the ideas, customs and social behaviour that your organisation, and its subgroups, have, use and act upon to create a state of being free from threat and danger.

The way your organisation treats passwords is part of security culture. How your employees detect and act upon a stranger in the building is part of security culture. How you define policies, implement them and train employees in security behaviour all impact your security culture.

In fact, all the social behaviours in your organisation impact your security culture. Security culture also impacts all social behaviour in your organisation: it becomes a question of who is in charge of the social behaviour, You or the Culture.

Sometimes I hear that changing culture is impossible, or at least very hard to do. As with security awareness, which some find very hard to teach successfully, cultural change is possible. It is, in fact, a given. Culture is, according to sociology, plastic⁸. It adapts to its members.

Think of it like this: without a group of people, there would be no culture. Culture demands at least two people. These two people, together, form the ideas, customs and social behaviour of this particular group, by their actions and activities. The culture is likely highly influenced by the larger culture that formed the two members in the first place – including language, social belief and so on. Even so, the group will form a distinct subculture, with its own rules, ideas and customs.

Then, some time later, the group welcomes a third member. This new member brings her own ideas, customs and social behaviours. Let us say that the group's initial members met at a pub and drank beer once a week. The new member meets them too, but starts drinking wine instead. Just by drinking wine instead of beer, the culture of the group has changed: it can no longer say "we drink only beer." We may even imagine that six months later, the whole group moved from the pub to a restaurant and they are all drinking wine while enjoying fine dining. The group is the same three members, but the culture has changed a lot!

This example shows how quickly, and easily, culture can change if the majority of the members, or the ones with the right authority, set out to do so. It also shows that culture can change regardless of original intent. In this particular group, a stranger created enough impact to change the whole group culture.

Another example is the coffee-machine example where someone begins working at a new employer. The new employee is a coffee drinker, and quickly figures out where the coffee machine is. As soon as she knows where it is, she only takes a few days to adapt her behaviour to the coffee culture at the location, no matter how they do their coffee-machine ritual.

This example shows how quickly we as individuals adopt a new culture when we are correctly incentivised⁹.

The impact of individuals in a group is very important. Think of a group of people, say a team at work. This group has no strong culture, and is a loosely knit team of people working together. Without a strong culture, a group like this is more vulnerable to outside pressure, and to uncontrolled cultural change.

Into this group comes a new team member. This person is very negative. He sees problems everywhere, and is a specialist in killing enthusiasm. Suggesting an idea to this guy is a sure-fire way to be shot down, publicly humiliated and buried under a pile of sarcastic rocks. And no, it does not matter who approaches him with suggestions, ideas and opportunities: he immediately says things like, "No, it's never gonna happen" or "I saw this before, it failed." On particularly bad days, he may even say "Are you stupid, or what?"

What happens to a group when such a person is introduced? It depends on the group's culture. A group with a strong culture is more likely to change the newcomer into conforming with the culture (or force him out), whereas a group with no strong culture is more likely formed by the new member. In this case, since the group has no strong culture, they quickly become a gang of grumps. Their production rate deteriorates, and their problem solving is replaced with problem focus: instead of finding solutions, they only see problems. The group adopts the newcomer's attitude.

In this example, a productive and functioning team was destroyed by just one person. Imagine the cost for the organisation that this cultural change has. Then consider the personal and interpersonal costs involved in this cultural change: people in the group are no longer happy to go to work, and they may even change their social behaviour towards their friends and families!

That is the kind of impact culture has on people, and the impact people have on culture. Since I choose to be a positive force wherever I go, I will end this chapter on a positive note.

Consider the same group as before, a team of people working together. There is no strong culture in the group, and their social behaviours, as before, are neutral and flexible. This time, the team member we introduce is a positive person, one who sees opportunities where others see problems, and one who helps people succeed instead of killing every idea.

Since the culture in the group is neutral, our new group member can easily change it, just like we saw with the negative example before. Just like the negative influencer, positivity is contagious too. At first, one or two of the other team members will enforce their positive traits, and after some time, the positivity spreads throughout the whole team.

Other teams in the organisation will notice too, and may want to join the team – after all, who does not want to be a part of a success?

These examples show us how culture can be a vulnerability to your organisation too. When it comes to changing culture, going from a neutral, weak culture is easy. To change a strong culture may not be so simple. Understanding the cultural impact on your organisation, and on your security programme, is vital if you want to create a human stronghold to fence off external threat.

In the next chapter we will look at the building blocks of human culture: People/Competence, Policies and Technology.

Case Study: Introducing John, chief information security officer

A case for Culture

John is a chief information security officer (CISO) in a large bank. He is, as most CISOs are, a very busy man, juggling strategic planning with tactical reporting, and trying to make his team of three do every task they need to, while also securing budgets to improve security around the bank.

For a long time, John has tried to train the employees on awareness. To ensure compliance, he runs security awareness training for all new hires, as part of the bank's employee on-boarding programme. He also has at least one awareness training campaign running throughout the bank every year. In his reports to the directors, he states that 95% of new hires have successfully completed the on-boarding training programme, and he also reports an 87% open rate and a 64% completion rate of the annual awareness programme.

John is not confident that his reports are meaningful, and he is not sure if the numbers are showing the bank's actual awareness level. In fact, John is uncertain if his ongoing efforts are creating any results at all, as successful phishing attempts have risen during the past 12 months, and a steadily growing number of password reset requests is a concern. In addition, he has a hard time motivating any of his team members to do any awareness work at all, even when he gives them direct orders.

In a recent board meeting, where he presented his numbers on awareness, Jillian, one of the directors, asked him if the numbers meant that the bank was in a secure state, and she also wanted to know how their bank compares to other banks in the industry.

Puzzled by Jillian's questions, he said he was confident in his numbers, and that as far as he knew they were doing ok. Only after the meeting did he realise that he did not really know. He decided to look into the matter.

Over the next month, John spent his time researching. What he found was alarming. The more he looked at his numbers, the more he realised they were vanity metrics – a term coined by Eric Ries in his book The Lean Startup, a book John was told by one of his friends to read. Vanity metrics are numbers that look good, and seemingly provide value, but in reality do not provide any answers. John realised that his reports for the past few years did not give him or his bank any real measurement of their progress, nor the reality of their security culture and behaviours.

He also realised there were very few benchmarks on security awareness, and that he had no clue whether or not his bank was as good as the others.

As part of his research, John also stumbled upon the Security Culture Framework. He approached me, and together we created a three-year plan to change the approach of his security awareness efforts: we created a plan to build security culture. We devised a plan for John to create a metric that allowed him to understand his landscape. We also defined a series of goals, which he described in a way that ensured he would know when he hit, or by how far he missed, his targets.

Another challenge that surfaced in our talks was the lack of strategic cooperation between the security team and the rest of the organisation. John and his team would do their configurations, implement policies, put out fires and so on, and most of their communications with other departments were perceived by the organisation as being negative. Many saw John and his team as naysayers. Using the organisation module, John learned to adapt a few strategic communication tools, and to build rapport with people and managers around the bank. I also urged him to build a deep and meaningful relationship with Human Resources.

Finally, John needed a way to handle his team's negativity towards awareness work. When asked, a team member would reluctantly accept an awareness-related task, but it was very clear that none of the team members found that kind of work interesting. John had to tackle this challenge, and quickly!

Throughout this book we will follow John as he endeavours to build security culture, by digging into each of the preceding cases.

⁴ It should be noted that the traditional view of a wolf pack as led by an Alpha and his mate is a grand simplification, and many biologists prefer to refer to 'breeder wolves' (note the plural) as the centre of the pack. This does not undermine my point here, however, as the broader structure of the pack as a unit offering its members protection and belonging in exchange for acceptance of the rules and hierarchy is undoubted.

⁵ In the study "Big and Mighty: Preverbal Infants Mentally Represent Social Dominance" (L. Thomsen, W.E. Frankenhuis, M. Ingold-Smith and S. Carey), it was found that babies expect larger individuals to win in a conflict. For a baby to make that prediction, they must have some comprehension that individuals have goals, and that these goals can conflict with other individuals' goals. Furthermore, they must understand that these conflicts have winners and losers.

⁶ There are a number of different definitions of culture, including security culture. I have chosen the ones I use in this book based on the premise that they describe what I discuss in layman's terms, which makes it accessible for people outside of academia.

⁷ This is also debated – behaviorists take this stand, while naturalists believe behavior (and thus culture) to be inherited, more similarly to genetic inheritance. The truth is likely somewhere between those extremes. Richerson and Boyd describe the naturalists' position: "Cultural variants are more like genes than are ordinary learned variants. Like genes, they are inherited and transmitted in a potentially endless chain, while variants acquired by individual learning are lost with the death of the learner." ("Cultural Inheritance and Evolutionary Ecology", Evolutionary Ecology and Human Behaviour, 1992.)

⁸ The other characteristics of culture are generally given in the following statements: culture is learned and acquired; culture is shared and transmitted; culture is social; culture is ideational; culture gratifies human needs; culture tends towards integration; and culture is cumulative. (E. Palispis, Introduction to Sociology and Anthropology, 2007.)

⁹ According to motivational theory, there are two broad forms of incentive: intrinsic and extrinsic. An intrinsic incentive is derived internally – the individual is motivated to perform because they enjoy the work or the challenge, for instance. An extrinsic motivation is applied from without – the employer offers a cash bonus if the employee completes a task quickly, for instance. It should be noted that there are negative forms of both types of incentive, such as the threat of being fired, etc.

CHAPTER 2: THE ELEMENTS OF SECURITY CULTURE

We will look at the elements that together make security culture: technology, policies/rules and people/competence, and how they work together to form culture.

Social behaviour, ideas and customs are to a large degree based upon rules. Some rules are written into laws, regulations and standards. Other rules, most of them in fact, are unwritten and come in the form of ethics, moral codes and our mutual ideas of what is acceptable behaviour in the different groups we belong to.

In this chapter I refer to all rules, laws, regulations, ethics, moral codes and so on as policies. To make it absolutely clear: policies in this context are more than just the written policies in your organisation. In this context, policies comprise the written and unwritten rules that regulate our ideas, customs and social behaviours.

Technology is also a wide area. From the Mars Rover, to your phone and car, to the glasses some people use to help see – these are all technology. In this context, I will use the word technology to describe any tool – made or not – that we use in a determined way. A rock you use to crack open a coconut is considered technology by this definition. A club our forefathers used to go hunting, to protect themselves or to look cool is a tool. The bow and arrow is a tool.

Evidently, technology is a wide area, one that goes back to the origins of man. Interestingly, man is not the only one who uses tools to achieve an end. Some birds use sticks, at least one type of octopus uses tools to get food and different kinds of apes use rocks to crack open nuts.

Technology is not only about tangible things like computers, cars, hammers and so on, but also models: mental models (patterns and schemas in our mind) as well as patterns, standards and models used as templates and starting points.

The third part of the triangle is people. It is people who use the technology, and it is people who form and inform the policies. The society you are brought up in determines your policies and your use of tools. As described in Chapter 1, social behaviour is learned behaviour. We can think of culture as competence, the knowledge and understanding of how to function properly in a social group. This competence includes how to use technology, and at least the basic rules of engagement in our society.

These three elements – People, Policies and Technology – give us perspectives on the world. The more we understand their formation and their continued interaction, the easier it is to understand how we can use them to build and maintain security culture.

Each of these elements directly impacts the other two. No matter where the change happens, the other two elements are changed too.

Imagine Thor. He lived in long-forgotten times, back when phones and cars and even horseback riding were unheard of. Thor learned from his mother that he could use a rock to crack open nuts. One day, Thor saw a small deer nearby and threw a rock at it. It was a lucky hit, and the deer fell to the ground, to the amazement of Thor's tribe. Soon after, every member of the tribe started experimenting with throwing rocks, sticks and so on at animals.

Thor took a known technology, the rock, and repurposed it to do something new. In modern language we call this innovation. Back then, they were just happy to eat fresh meat.

This example shows us how people can use technology, and through their use, create new opportunities. It is similar to what Apple did with the iPod: MP3 players already let you store your whole collection of CDs on the device, but what did not exist was a commercially viable ecosystem for the sale and distribution of electronic music – from artists to consumer in one easy step.

Another example is the development of firewalls from their initial start as a port master, into highly advanced filtering devices capable of looking for malicious content during transit.

Let us go back to Thor.

As the use of throwing rocks grew, another tribal member threw a large rock at a fellow tribe member, killing him. The rock had changed from nutcracker, to a hunting tool, and finally a murder weapon.

At this point, the tribe had to consider the use of the rock. Some folks advocated the need to only accept the rock as a nutcracker, whereas the hunters argued strongly that the need for fresh meat meant they should be allowed to continue using the rock too. After many talks, discussion and debate, the tribe finally agreed that rocks, and any similar tools, were only allowed to be used as intended, in this case crushing nuts and hunting food, but not to kill people.

Everyone rejoiced and the party lasted for many days.

For the tribe, and for mankind, this was one of the first formal policies adopted. The policy was created based on how people used the technology: the policy was initiated by technology. Throughout history we see the same scenario: a technological innovation enables both positive (hunting for food) and negative (killing tribe members) possibilities. As we learn of the consequences, we adapt our social behaviour, customs and ideas and form policies. Some are written, and some are not.

You can of course substitute Thor's rock with any other tool ever used by mankind. The point remains the same: the use of tools is regulated by our ideas, customs and social behaviours, which are strongly informed by policies.

Just as technology creates policies, policies can create technology. By creating standards and regulatory laws, our lawmakers not only can change how we use a particular technology but also require us to come up with new technology. One example is the environmental regulations in California, demanding a steep reduction in car emissions.

Similar acts are enforced in the EU too. When these regulations were made into law, low-emission car engine technology was not available, and the global car industry was forced into creating new technology. A number of innovations were made in a relatively short period of time – from hybrid electric cars to fuel additives.

Similar examples apply to other industries. Anti-pollution regulations have been enforced in most of Europe and North America, providing a large number of innovations10.

The general consensus in the western world that the death toll from traffic accidents is way too high has resulted in new policies about speed, safety and driving behaviour. These in turn have led to a number of security-related innovations: street lights, physically separated driving lanes, airbags, electronic monitoring and alerts, and distance meters, to name but a few. Without policies, many of these innovations may not have been around.

In security, we also see how policies spur innovation. Privacy regulations in Europe, and increasingly around the world, create new technology: assessment tools to see how "our system" compares to the regulation, forget-me tools to allow people to be forgotten by the system, information security management systems to monitor and control our implementation of privacy controls, and so on.

Just like Thor's tribemate who forced a policy change, technology and our use of it force changes in our policies. The changes in the policies then change the way people use technology, and may also change the technology itself, as we have just seen.

Since culture is defined as the ideas, customs and social behaviours of a particular people or group, we now understand that our surroundings are important factors to consider when we want to work with security culture. Although changing only one part of the triangle will change culture, it makes sense to analyse just how that change will impact the other two. It also makes sense to set out to use all three elements: when implementing a new policy, make sure you teach the people in your organisation to understand the change and the reason for it, and use technology to help enforce the change.

In the next chapter I take a closer look at security awareness, and how it relates to security culture.

10 Since the introduction of modern anti-pollution regulations, for instance, we've seen an astonishing increase in green technologies, including more efficient solar cells, whole wind farms, more powerful electric and hybrid cars, and so on. Even traditionally non-green technologies like car engines have improved efficiency in order to compete as a 'greener alternative'.

CHAPTER 3: HOW DOES SECURITY CULTURE RELATE TO SECURITY AWARENESS?

In this chapter, we look at how security culture comprises security awareness, and how security culture succeeds where awareness alone is doomed.

In the previous chapter I discussed how security culture is more than people and competence; culture includes the rules, laws and regulations, as well as the technology we use. Security awareness belongs in the people and competence part of the triangle.

Security awareness is a limited area, as well as a poorly defined one. There is no commonly agreed upon definition of security awareness, which in turn means that a common understanding of what security awareness really is, is non-existent. Almost everyone I talk to has their own idea of what security awareness is, and how to create awareness.

The range of ideas for building security awareness goes from using baseball bats to enforce a certain behaviour on one side, via running boring, generic and non-yielding security awareness trainings, to not doing anything at all. What is even worse is the fact that very few of these efforts are being measured; they are at best measured by anecdotal proof: "I did this, and it did/did not work." Metrics are simply being waved off as "impossible to measure awareness".

Because measuring your progress is important when working with culture, Chapter 6 looks deeper into the topic.

For the sake of clarity, I will use the following definition of awareness in this book:

"Knowledge or perception of a situation or fact."

(Oxford dictionary)

What does it mean to have knowledge or perception of a situation or fact? It boils down to two things: the right competence, and the ability to apply said competence in a particular situation.

So far, so good. Building competence can be done; we see that all around us where we learn new skills and information almost daily. The human mind is an amazing machine when it comes to collecting, analysing and using new information and skills. The more we know, the easier it is for our brain to do even more, which is truly amazing11.

The flipside is that if you learn the wrong skills, outdated information and erroneous mental patterns, your brain still does a great job but just turns out the wrong answers and responses.

Let us quickly visit the brain and how it works. Take a look around you. Chances are that there is a cup of coffee, tea or other beverage nearby. For the sake of simplicity, I will call it a cup of coffee.

Take a look at the cup. The light that reflects on the object is caught by light receptors in your eyes. The receptors pick up the wavelengths of the light, and different receptors pick up different wavelengths. The receptors trigger events that are sent down nerve paths into your brain. The light has been transformed into chemical signals.

When the different chemicals reach your brain, your brain recreates an image of the object (that cup of coffee) using one of two methods12:

– Slow: You have never seen anything like a cup of coffee before, and your brain does not know what it sees. Your brain slows down and starts to create a mental image, a pattern – what we call a mental pattern – of the object and its significance. Since this is a new observation, your brain may or may not register important properties of the object, such as it has black content, it is hot, it carries liquid, there is only one opening, the handle is there to hold the cup, the liquid is drinkable, the liquid is a drug and so on. To make your brain understand all of these details, it must be taught. You must teach it the significance of the properties, and help it eliminate the non-important ones like the colour of the cup, the size of the table and the form of the room. This slow processing and learning that takes place in your brain requires a large amount of energy (viewed from your brain's perspective), and so it prefers a quicker, faster and less expensive way of processing information.

– Fast: Most of the time, your brain interprets information using a fast method. In this scenario, the object that your brain receives of the coffee cup is matched to an already existing mental pattern in your brain. Your brain recognises the object as a cup and automagically interprets that cup to mean hot, black liquid that helps you (your brain) to be sharper and quicker. This processing takes very little energy (again, from the perspective of your brain), and is lightning fast (compared to the slow function before). No wonder your brain prefers this one!

Now that we have taken a very shallow crash-course in human sensing, perception and information handling, it is time to look at how this functioning also works against us.

Growing up in Europe, I have a thing for ice-cream. During summer holidays, I love to cool down with a cone, or on special occasions a soft ice fresh from the counter. A soft ice in Europe is usually white, tastes of vanilla and you can have it dipped into a variety of powders, colours and liquids. Personally, I prefer a topping of chocolate powder. I observe others who have rainbow sprinkles, some have strawberry sprinkles and others again choose liquid chocolate that turns into a hard shell on their soft ice.

Imagine a hot summer day. The sun is burning, and you are walking through a city centre as a tourist. You see a shop promoting soft ice, and you watch happy, smiling people licking their soft ices as they pass you on the street. "The perfect day for a soft ice," you think, and head to the counter.

Suddenly you discover there are three choices of soft ice. You can have the white soft ice. You can have the brown soft ice. Or you can choose the green soft ice. Let the drooling begin!

Before you choose, keep the image in your mind and tell me: what taste do the different coloured soft ices have? The white one is vanilla, right?

A brown-coloured soft ice-cream. What taste is that? Chocolate? Or sweet beans?

What taste does the green one have? Pistachio nuts (either chemical or real)? Or is it green-tea taste?

Write your answer on a piece of paper. Your answer depends on a lot of things, all learned!

Firstly, your mental image of a soft ice-cream was stored in your brain, and was brought out just by thinking about it. Along with the image, you may also have felt the summer heat, you may have recalled the smells and taste from that memory, and possibly you heard the noises and sounds that you experienced when you had that soft ice. This is your brain going into fast mode. It has learned what soft ice is and the surroundings that go together with it. Every time you think of soft ice, it brings these memories out.

This processing is really good, because you can recall, recognise and act upon a particular situation: summer, vacation, soft ice. Properly trained, this could be you recognising a phishing scam, a Trojan or a threatening situation.

Secondly, your mental image of the soft ice represents what we can call acquired taste. Your answers to the question of colours and the taste each colour must represent are dependent on your culture. If, like me, you are a westerner who grew up and spent most of your time in Europe, Australia or North America, you have learned that when it comes to sweets, and ice-cream in particular, white is likely to mean vanilla, brown to be chocolate and green to be pistachio nut flavour.

Now recall the scenario of me in front of that counter, having the choice of vanilla, chocolate or pistachio. Of those, I would choose chocolate first, pistachio second and vanilla third. So what do I order?

This is where context matters. Am I about to order a soft ice in Europe? Australia? Or in North America? Or am I somewhere else? And if I am somewhere else, do the rules I know, the mental patterns I have learned, still apply?

In fact, I am in Kyoto in Japan. I had a one-day excursion to this fantastic city during my first visit to Japan some years ago. Since I had been in Japan for a few days already, I had picked up on their different idea of sweets. Some I loved, and some I found very hard to understand. So, before I ordered, I asked what kind of flavours they had, and was given the answer: plain (vanilla), sweet beans and green tea.

I probably did look surprised, because I was really expecting the answer to be vanilla, chocolate and pistachio. I expected these particular answers due to one of the characteristics of mental patterns: they get stronger every time we use them. So every time I have seen brown ice cream with the taste of chocolate, that particular mental pattern grew stronger in my mind until the pattern became so strong that anything that no longer fitted into the pattern surely must have been wrong, impossible, or both.

This is sometimes referred to as the Expert Bias13. Experts are experts in their particular field because they have had the opportunity to narrow their area of focus, and work mainly in that field so long that their mental patterns are strong and efficient. The flipside they (and those around experts) may experience is the expert's lack of ability to see things from other perspectives – their mental patterns are so strong that they can no longer review their position.

Similar mechanisms apply to people who are not given the opportunity to have their current mental patterns challenged. If you grow up in a particular culture, and you are not exposed to other cultures, it becomes very hard for you to understand that other people may behave differently from you, and that their behaviour may not be ill-intentioned or even wrong.

There I was in Kyoto, by this time knowing that brown is sweet beans and not chocolate. My brain, craving the chocolate flavour, quickly convinced me that sweet bean flavour cannot be that bad and is probably almost as good as chocolate. I ordered a brown soft-ice cone without toppings.

Still expecting chocolate, my brain almost shut down when my taste buds sent the taste from my mouth to my brain. I could not believe what I had. I tried several times, and each time the same happened: my brain expected a different taste, and the difference was too great to conceive. All my brain could do was tell me that this did not fit the pattern, this was not right, this was wrong!

I experienced a strong case of cognitive dissonance, a psychological phenomenon that happens when your brain expects something particular to happen, and something else happens instead. It is like your brain just says, "This cannot be. I don't believe this." And then it just denies any of the novelty.

Cognitive dissonance14 is important in awareness too. If your security awareness programmes are not properly aligned to your organisation's particular needs, they are more likely to create in your participants responses similar to the one I had in Kyoto. More importantly, I understood the context, and I knew about these effects. Even then, I fell victim to this mental process. We all do, more often than we like to admit.

Part of our job as security officers is to help our colleagues understand risk and teach them appropriate responses. To do that, we need to understand how our human mind functions, so that we can adapt our training efforts to build knowledge and perception to deal with security issues in the correct manner.

Understanding our brain's shortcuts and mishaps should also help you to understand that it is not your employees who are stupid; it is a question of how we communicate with them that matters.

The main difference between security awareness and security culture is that culture is more than just awareness. If you recall from Chapter Two, security culture is a combination of people, policy and technology. Awareness is only about people, and only a subset of the people: it is knowledge only. This does not mean we do not need awareness. Awareness, or competence as I prefer to call it, is vital for people to have to do the right thing. The key is to consider competence as one way of building culture, not an end in itself.

Security awareness in itself only helps people know about, or be aware of, the security issue you are training in. Knowing something is not the same as changing a behaviour, which is usually what we want to do when we train people about phishing attempts, password security or clean-desk policies. Knowing about an issue is only one of the steps towards changing that behaviour. Using the Social learning theory15, we discover that there is a four-step cognitive process people use to learn:

1. Attention

2. Retention

3. Reproduction

4. Motivation.

Each of these steps is important, and awareness is often mostly about the first two.

What does this mean in practice? Let us take a closer look at each of the four elements:

Attention

Attention is about the learner paying attention to the activity to learn. The one who is learning must be present, pay attention and take an interest in what is going on. As in life in general, there are things that impact this step: the learner himself, as well as the training and content.

To enhance attention, we can provide relevance to the learner by explaining why the behaviour being trained is important. We can also provide an environment where the behaviour we want is already modelled, and show this modelled behaviour.

Security awareness programmes that stop at this level are recognised by measuring attendance only; they report on the number of people taking a particular course.

Retention

Retention is about the learner's ability to retain information. Again, the learner's abilities are at play, and we can help them retain the knowledge by creating an environment that enables easy learning, adapting the content to the level of knowledge of the learner as well as repeating as necessary.

With security culture in mind, we can adapt our programmes and their content to the needs of the learner by analysing the audience before we develop the actual training content. People are different, and may need different approaches to learn best.

Security awareness programmes that stop at this level are recognised by measuring attendance, and repeating the same training programme at some intervals, like a yearly phishing training programme.

Reproduction

Reproduction is about showing that the behaviour is learned. In this stage, the learner will reproduce the learned behaviour and show that they know what to do and how to do it.

Many awareness programmes stop at this level. They use skill tests, questionnaires and other quality-assessment tools during and right after the training programme, showing some level of reproduction. An example is a phishing training programme where you measure how many learners click on a link during the training and not after.

Motivation

The final step, the target to reach for, is to motivate the learner to reproduce the behaviour consistently outside of the learning situation. The learner takes into account both formal and informal information to decide whether or not to reproduce a behaviour. Both technology and policies play important roles in motivating the learner. If, for example, you want people to discover and report phishing emails, and your reporting system requires them to file a three-page form, their motivation will be lower. They may very well be aware of the problem and know how to handle it, yet the technology to do so is too much of a burden for them to commit to the behaviour.

Security awareness programmes at this level measure behaviour on a number of levels. They may look at attendance of training courses, but will use that number only as an indicator that there is activity. They will implement tests to measure actual competence, or the ability to reproduce. They also implement other metrics to measure the impact of behaviour on their systems using logs and data analysis.

Organisations that implement programmes at this level use a structural approach that helps them focus on improving their security culture. They may still call what they do security awareness trainings, when in practice they are running successful security culture programmes, building and maintaining the kind of security culture they want.
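The log-based behaviour measurement described above, as an added example that is not part of the book or of any tool it mentions: a small Python script that turns a phishing-simulation event log into the metrics a Motivation-level programme looks at. Per department (the segment) and per phase, it reports how many recipients clicked, how many reported the email and the median time to the first report, and then the change between the training exercise ("during") and a later unannounced test ("after"). The log format, department names, user names and timestamps are all constructed for the example.

```python
"""Phishing-simulation metrics per segment (department) and phase.
Added example, not from the book: derives behaviour metrics from a constructed
event log for the training exercise ("during") and a later test ("after")."""
from datetime import datetime
from statistics import median
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample log (format, names and times invented here), one event
# per line: <ISO timestamp> <phase> <department> <user> <event>
# where event is "sent", "clicked" or "reported".
SAMPLE_LOG = """\
2015-05-04T09:00:00 during sales alice sent
2015-05-04T09:00:00 during sales bob sent
2015-05-04T09:00:00 during finance carol sent
2015-05-04T09:00:00 during finance dave sent
2015-05-04T09:07:12 during sales alice clicked
2015-05-04T09:09:40 during finance carol reported
2015-05-04T09:15:05 during sales bob reported
2015-06-15T10:00:00 after sales alice sent
2015-06-15T10:00:00 after sales bob sent
2015-06-15T10:00:00 after finance carol sent
2015-06-15T10:00:00 after finance dave sent
2015-06-15T10:02:30 after sales alice reported
2015-06-15T10:05:11 after sales bob reported
2015-06-15T10:21:47 after finance dave clicked
2015-06-15T10:22:03 after finance dave reported
"""

Segment = Tuple[str, str]  # (phase, department)


class SegmentStats:
    """Raw observations for one segment; the rates are derived on demand."""

    def __init__(self) -> None:
        self.recipients: Set[str] = set()
        self.clickers: Set[str] = set()
        self.reporters: Set[str] = set()
        self.sent_at: Optional[datetime] = None   # earliest send in the segment
        self.minutes_to_report: List[float] = []  # first report per user

    def click_rate(self) -> float:
        return len(self.clickers) / len(self.recipients) if self.recipients else 0.0

    def report_rate(self) -> float:
        return len(self.reporters) / len(self.recipients) if self.recipients else 0.0

    def median_minutes_to_report(self) -> Optional[float]:
        return median(self.minutes_to_report) if self.minutes_to_report else None


def parse_log(text: str) -> Dict[Segment, SegmentStats]:
    """Group events by (phase, department). Malformed lines are skipped, not fatal."""
    stats: Dict[Segment, SegmentStats] = {}
    for raw in text.splitlines():
        fields = raw.split()
        if len(fields) != 5:
            continue
        ts_text, phase, dept, user, event = fields
        try:
            ts = datetime.fromisoformat(ts_text)
        except ValueError:
            continue
        seg = stats.setdefault((phase, dept), SegmentStats())
        if event == "sent":
            seg.recipients.add(user)
            seg.sent_at = ts if seg.sent_at is None else min(seg.sent_at, ts)
        elif event == "clicked":
            seg.clickers.add(user)
        elif event == "reported":
            # Time only the first report per user; reporting after a click still counts.
            if user not in seg.reporters and seg.sent_at is not None:
                seg.minutes_to_report.append((ts - seg.sent_at).total_seconds() / 60)
            seg.reporters.add(user)
    return stats


def summarise(stats: Dict[Segment, SegmentStats]) -> Dict[Segment, Dict[str, Optional[float]]]:
    return {
        seg: {
            "recipients": float(len(s.recipients)),
            "click_rate": s.click_rate(),
            "report_rate": s.report_rate(),
            "median_minutes_to_report": s.median_minutes_to_report(),
        }
        for seg, s in stats.items()
    }


def behaviour_change(summary: Dict[Segment, Dict[str, Optional[float]]], dept: str) -> Dict[str, float]:
    """After-minus-during delta: the Motivation step wants clicks down and reports up."""
    during, after = summary[("during", dept)], summary[("after", dept)]
    return {k: after[k] - during[k] for k in ("click_rate", "report_rate")}


if __name__ == "__main__":
    summary = summarise(parse_log(SAMPLE_LOG))
    for (phase, dept), m in sorted(summary.items()):
        print(f"{phase:6} {dept:8} click={m['click_rate']:.0%} "
              f"report={m['report_rate']:.0%} median_min={m['median_minutes_to_report']}")
    print("sales", behaviour_change(summary, "sales"), "finance", behaviour_change(summary, "finance"))
```

Two design points matter for a real programme. Rates are computed per unique recipient, so a user who clicks and then reports counts in both sets, which is the honest picture (a late report after a click is still the behaviour you want). Malformed or undated lines are skipped rather than aborting the run, so one bad export does not silence the whole report; a production version should count the skipped lines so that a sudden jump in them is noticed.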

Looking at the definition of culture again – the ideas, customs and behaviour of a society or group – it becomes clear that having knowledge or perception of a situation or a fact is not enough if we want to change culture. What we need to do is to identify the ideas, the customs and the behaviour that reside in our organisation today, and consider what ideas, customs and behaviours we want in our organisation. Bridging that gap is what our efforts should be all about.

By now you may be wondering if I expect you to do all of this by yourself. I don't. Nor should anybody else. Changing culture is a task done by a number of people, and your job is to be part of that force. In the next chapter I will give you some pointers as to whom to ally with.

Building Bridges

John, the CISO of a large, multinational bank, learned that his colleagues in other parts of the organisation viewed his work and team as a nuisance, a distraction to their own work and a hassle that was forced upon them. "They just don't get it," complained John, "I'm here to secure the business so that we can avoid breaches and downtime, and all they give me are complaints and negativity." John is not alone in facing this challenge. The challenge is to demonstrate a clear business value that resonates with the rest of the organisation, even if plans must be changed along the way.

The first step in this direction is to understand the business, and how business in general functions. As part of that understanding, John realised that security secures the business and reduces risk. The purpose of security is not to remove all risk, nor is it a question of getting in the way of business. "I understood that there cannot be security without business," he told me, "but it very well may be business without security!" After this revelation, John toured the different departments and locations, discussing security issues with department managers, country managers and many more. His focus was not on selling security, but to learn about the challenges each department faced, and to learn how he could change the communication within the bank. He set out to build bridges instead of burning them.

John also learned that he could use help to build his security culture message and to spread it throughout the bank. He reached out to the HR department and involved them in his security culture programme. The HR department are a key resource when working with culture in any organisation, and they are also the specialists when it comes to training programmes. Next, he asked the bank's marketing department if they would help craft a message and the needed collateral to empower his security culture campaigns. At first, he was more than a little sceptical about involving creative people who had no understanding of security. Using arguments like "they are trained in communication", and "by working with you, they will learn security", I convinced him to try it on one campaign at first.

By reaching out and building bridges, John set up a core security culture team with members from his own team, from HR and from marketing. He also invited key people from around the bank to be on an advisory board, who were asked to test campaign ideas, comment on materials and give feedback to enhance the overall performance of the security culture programme.

11 The psychologists Gigerenzer, Kahneman and Pinker (among others) have developed a variety of models that reflect how humans make decisions, learn new things, and so on. For instance, Kahneman received the Nobel Prize for his work on Prospect Theory, which describes how humans make decisions where the probabilities of certain outcomes are known. Using heuristic processes, humans combine disparate data in order to refine their decisions, even where the individual is unaware or oblivious to the fact that they have this information. (Kahneman and Tversky, "Prospect Theory: An Analysis of Decision Under Risk", 1979.)

12 This example is derived from Kahneman's Thinking, Fast and Slow.

13 This is also called the 'Curse of Knowledge', and extends beyond expertise and into the difficulties of reasoning with someone else's beliefs. In the words of Birch and Bloom, "adults' own knowledge of an event's outcome can compromise their ability to reason about another person's beliefs about that event." (Susan Birch and Paul Bloom, "The Curse of Knowledge in Reasoning About False Beliefs", 2007.)

14 Cognitive dissonance can be described as the state of having inconsistent thoughts, beliefs or attitudes. In general, it is a mechanism by which a person rationalises conflicting experiences or knowledge, without having to accept that these are, in fact, at odds. (Leon Festinger, A Theory of Cognitive Dissonance, 1957.)

15 Bandura and Walters, 1963.

CHAPTER 4: ASKING FOR HELP RAISES YOUR CHANCES OF SUCCESS

In this chapter I will discuss who to involve, and why, when working with security culture – HR, marketing, management and so on.

Humans are impressive when we consider what we can learn to stay on top of our game. History is a clear tell-tale of what may happen when bright minds bring their heads together to evolve their ideas. Consider people such as Edison, Einstein, Marie Curie and Michelangelo. Look at people such as Sun Tzu, Napoleon and Churchill.

It is easy to think of such bright minds as people who did everything by themselves. When looking at their achievements it quickly becomes clear that they were not alone – they had help. They worked with other people. In fact, they knew how to involve the right kind of people, at the right time, to create the impact they needed.

They owe their success to other people.

When analysing security culture programmes that create success, it quickly becomes clear that such programmes are not one-man shows. Successful security culture is built by involving competence from around the organisation to leverage the competence available. Sometimes it also makes sense to look outside the organisation for inspiration, competence and help.

Asking for help may feel like failure. Especially if you are considered the subject matter expert, the one other people come to for answers. Being the expert may mean being used to having all the answers and that being right is expected. What do you do then, when the landscape changes and your experience no longer seems to apply?

You learn to ask for help. Instead of being the know-all, you become the hub who connects the different kinds of knowledge needed in a modern-day security culture programme. You focus on finding the people who have, or can come up with, the right answers. And you bring these people together in a project to build the culture you want to create.

Success today is like success yesterday: a result of the combined efforts of one or several teams. Building a successful team means understanding how to ask for help, and whom to ask it from.

Building security culture requires a lot more than just information security competence. Technology and policies are a part of security culture, just like people and competence. Your security culture team needs to reflect all the areas of security culture, not only those areas you are confident with.

Security culture is a subculture of the organisational culture, your company culture. As such, security culture should be designed and built together with those in the organisation who deal with organisational culture. In most organisations the responsibility for culture lies with HR. HR in turn receives instructions and direction from management through the company employment policies, the company mission and vision, as well as the existing company culture.

HR knows culture. Setting out to create a new security culture in your organisation requires the involvement of HR, and preferably you want them to actively support and work with you. Your goal is to have HR embrace the security culture programme and implement it as a part of the existing company culture programmes.

Many organisations already have HR involved in security. Many employee on-boarding programmes come with "Read and Sign" security policies, mandatory IT security trainings, and distribution of keys and credentials. Organisations also have off-boarding programmes to ensure the handing back of employee keys, credentials and so on.

Security awareness trainings may also be included in HR-controlled trainings. Awareness trainings under HR are often motivated by compliance more than conformity, and often such training efforts are delegated to the security department.

And here is the challenge: unless the security department has dedicated resources who themselves are dedicated to awareness and culture, the training efforts delivered miss the target. Developing and delivering trainings is itself a specialist field, one sometimes referred to as Instructional Design.

The Association of Training and Development (ATD) has great experience in creating trainers and trainings for workforce development, and they provide their members with a special certification in instructional design. You can think of it as the training industry's Certified Information Systems Security Professional (CISSP). There is a reason for that: developing training programmes for adults, programmes that yield the kind of results you want, is a skill and competence that requires training and practice. Just like working with security is a demanding sector that has its own requirements, creating and delivering trainings is a specialist field.

Working closely with HR will provide you with important insights into how culture is currently built and maintained. Piggybacking on their activities with smart messages to enhance security may be a successful strategy. Only by working with HR can you do that.

HR may also run and manage the security culture programme themselves, freeing up precious time and resources from the security team. Keep in mind your goal: to build and maintain security culture. There is nothing in that goal that does not let HR manage the security culture programme itself!

In addition to competence within areas such as training, security and culture, a successful security culture programme must also be communicated in a way that resonates with the audience. Our security messages must be presented using words, images and anecdotes16 that make sense to those we are trying to teach. Most of the time, they are not subject-matter experts on security – they do other things like sales, accounting, production, strategy and management. If we are to make them understand, we need to adjust the way we communicate with them.

We must learn how to communicate. Or, we can ask for help from those who know how to communicate.

Many organisations have a marketing or communication department. The names vary depending on sector and industry, but what you are looking for are those people who create information that explains what your organisation does, where the value lies and why others should care. If your organisation does not have a separate department that does this, find the team that does. Or look outside the organisation. Many companies prefer to buy external marketing services.

The kind of help you are looking for from this resource is divided into two parts:

1. Audience analysis

2. Message crafting.

Any great presenter adapts their presentation style, words and content to the audience. They understand that different people have different needs, focus and interests, and make great efforts forming their message to make it stick with that particular audience. To understand their audience, they will ask the organiser who the target audience is, what level of skills they have, as well as other relevant information like sector, industry, language, age, sex and so on17.

For an inexperienced organiser and speaker, these questions may seem strange andirrelevant,butithelpsthespeakertoadjusttheircontentanddeliverytoensureasmanyparticipantsaspossibletakehometheirmessage.Andthatiswhatisimportant:hithomewithasmanyaspossible.

Analysing your target audience for your security culture programme follows the sameprinciple: the more you understand your audience, the easier it is to ensure theyunderstand your message. Target audience analysis is also something that marketingdepartments and advertising companies do for a living. To make the most out of themarketingbudgets,themarketissegmentedintousergroupswithsimilartraits,whoarethen documented and analysed according to their demographics. Depending on theproducts and/or services sold, psychographics may also be applied. When buildingsecurity culture, you want to consider both demographics and psychographics whenanalysingyouraudience.

Segmentation,ortheartofdividingyourmarketintosubgroups,inyoursecuritycultureprogramme can be done by using departments as segments. You may also choose tosegmentusingotherborders:countries,companies,teams,locations,languageandsoon.Eachorganisationisdifferent,andmayneedadifferentapproach.

Whenyouhavesegmentedyourorganisation,selectedwhichsegment toworkwithandanalysedit,itistimetocraftyourmessage.

Thesecondareawhereyourmarketingdepartmentmayhelpinbuildingandmaintainingsecurityculture,iscraftingthemessageyouwanttosend.Theirexpertiseandcreativityisa great asset in any programme that needs to communicate a clearmessage.By askingthemtojoinyoursecuritycultureworkgroup,youcanbringtheirskill-setstoyourtable,helpingyoucreatecontentthatmakessense.

Remember thatyouare thesubject-matterexpertonsecurity,and theyarebrought inasexperts on communication.This implies that youneed to trust their ideas and instincts,eveniftheirideasmaybeoutsideofyourcomfortzone.Youarenotthetargetaudience,someoneelseis.

With all that said, awordof caution.Beingcreative andcommunicators, themarketingdepartment does not know much about security, especially in the beginning of yoursecuritycultureprogramme.Youarethesecurityexpert,andassuchyoumustensurethemessage conveyed is correct and aligned with the security culture goals. Creativity isgreat,aslongasitmovestheprogrammeintherightdirection.

Workingwithcreativepeoplemayintroduceconflicts.Theeasiestwaytoinvolvecreativepeopleisbyhavingaclearlydefinedscope.Narrowitdownearlyon,andhelpthemstaywithinthedefinedboundariesofyourscope.Yourjobisnottosay“NO!”,butrathertoaskthemnicely,“Sohowdoyouseethisideabringingusclosertoourgoal?”

Ifyouexperienceasituationwherethecommunicationpeoplehaveoneideaandyouhaveadifferentone,youmayconsidertestingwhatworks.SetupanA/Btestwithbothideas,usingasubsetofyourtargetsegmentasatestinggroup.Youmayhavetoresorttoone-on-onetestingandinterviews,unlessyoursegmentislargeenoughtocreateatrueblindtest.

Testingcampaignsbeforeyourollthemouttoalargerpartoftheorganisationcanbedoneusingthe12-weekcampaignoftheSecurityCultureFramework.Useonecampaigntotestthecontent,andthefollowing12-weekperiodtorunthecontentthatgavethebestresultstothelargeraudience.
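The A/B test described above needs two things the text leaves implicit: a way to decide whether the difference between the two versions is more than chance, and a way to tell whether the segment is large enough for a blind test at all. The following is an added example, not code from the book or the Security Culture Framework. The outcome counts, the arm names and the choice of "success" (an employee reporting the simulated phishing mail rather than clicking it) are constructed for the illustration; the statistics are the standard two-proportion z-test and its sample-size formula at the conventional 5% significance and 80% power.

```python
import math

# Constructed outcome counts for one A/B test (not from the book). Each arm is a
# subset of the same target segment; a "success" is an employee who, during the
# test campaign, reported the simulated phishing mail instead of clicking it.
TEST_RESULTS = {
    "A_security_team_wording": {"participants": 120, "successes": 54},
    "B_marketing_wording": {"participants": 118, "successes": 71},
}

# Two-sided 5% significance and 80% power, the conventional A/B settings.
Z_ALPHA = 1.959964
Z_BETA = 0.841621


def two_proportion_ztest(succ_a, n_a, succ_b, n_b):
    """Test H0: both arms have the same success rate.

    Returns (rate_b - rate_a, z statistic, two-sided p-value), using the
    pooled standard error of the classic two-proportion z-test."""
    p_a, p_b = succ_a / n_a, succ_b / n_b
    pooled = (succ_a + succ_b) / (n_a + n_b)
    se = math.sqrt(pooled * (1 - pooled) * (1 / n_a + 1 / n_b))
    z = (p_b - p_a) / se
    p_value = math.erfc(abs(z) / math.sqrt(2))  # P(|Z| >= |z|) for Z ~ N(0, 1)
    return p_b - p_a, z, p_value


def pick_winner(results, alpha=0.05):
    """Return (winning arm name or None, p-value).

    None means the difference is not distinguishable from chance at the given
    alpha, so neither variant should be rolled out on this evidence alone."""
    (name_a, a), (name_b, b) = results.items()
    diff, _z, p_value = two_proportion_ztest(
        a["successes"], a["participants"], b["successes"], b["participants"]
    )
    if p_value >= alpha:
        return None, p_value
    return (name_b if diff > 0 else name_a), p_value


def min_participants_per_arm(baseline_rate, min_detectable_lift):
    """Smallest arm size that detects a lift of min_detectable_lift over
    baseline_rate with 5% two-sided significance and 80% power.

    This is the check behind the caveat in the text: if the segment cannot
    supply this many people per arm, fall back to one-on-one testing and
    interviews rather than a blind test."""
    p1 = baseline_rate
    p2 = baseline_rate + min_detectable_lift
    p_bar = (p1 + p2) / 2
    numerator = (
        Z_ALPHA * math.sqrt(2 * p_bar * (1 - p_bar))
        + Z_BETA * math.sqrt(p1 * (1 - p1) + p2 * (1 - p2))
    ) ** 2
    return math.ceil(numerator / (p2 - p1) ** 2)


if __name__ == "__main__":
    winner, p = pick_winner(TEST_RESULTS)
    print(f"winner: {winner}, p = {p:.3f}")
    # How big must each arm be to see a 10-point lift from a 45% baseline?
    print("participants needed per arm:", min_participants_per_arm(0.45, 0.10))
```

With the constructed counts the marketing wording wins at p of roughly 0.02; with 50 people per arm and a 6-point difference, `pick_winner` returns `None`, which is the honest answer for a segment too small to test blind.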

I have also had the not so pleasant task of working with someone creative who never accepted my boundaries. In meetings she would be fine with my objections, whereas later I would receive long emails explaining why I was wrong and she was right. She would also disregard my change requests. It became obvious that this could not continue, and she was quickly replaced. Unfortunately, there is no easy way to tell when to replace someone on your team; it is a call that must be made on a case-by-case basis. Ask yourself if the person is really that annoying, or if it is you who is creating the situation.

Knowing when to ask for help is a skill we all can develop. Knowing whom to ask may be a bit tougher. And knowing how to ask can be tricky too!

Table 1

What                                                            Where
Training; Culture; Recruiting; On-boarding; Off-boarding;       HR
Employee data; Organisational overview

Communication; Design; Audience analysis; Marketing; PR;        Marketing/communication dept
Crafting messages; Analysing results; A/B testing

Finance; Sponsor/ambassador; Visibility; Anchoring;             C-level management
Policy sign-off; Reporting; Strategic planning

How to ask for help depends on what you need and whom you ask. Asking your chief executive officer to support your security culture programme is different from asking your colleague to patch a server.

To enhance your chance of receiving the answer you want, it is helpful to understand the other person’s perspective and focus. The more you can help them connect their own dots, the easier it will be for them to understand your question, your needs and therefore their interest in helping you. Think of it as audience analysis, where you look at what is important to this person and their role. Ask yourself questions like:

• What are the major challenges this role/person faces?

• How will my idea/challenge/programme be received?

• How can I adapt my idea/challenge/programme to help the role/person?

• How does my idea/challenge/programme fit in with their major challenge?

Sometimes it also proves valuable to consider how the other person perceives you as a person: we are more likely to help people we like and connect well with.

The next chapter is dedicated to the psychology of how we are influenced by other people. Use that chapter to better understand other tactics you can apply to build the support you require to build and maintain security culture in your organisation.

Building your team

John, the CISO of a large, multinational bank, had a team of cyber security professionals to help him tackle incidents and run their security operations. His team was highly skilled, from network engineering to intrusion detection system tuning, from security data analytics to incident response. And they all seemed to love their work. Except when the task of security awareness landed on their table. John thought it had turned into a game within his team to avoid any work with security awareness. He understood that his team’s lack of interest in awareness could be due to a number of things:

• Awareness is not considered sexy enough (i.e. not technical).

• A team member not having enough knowledge of awareness.

• Awareness work seems to never be successful, turning anyone working with it into a failure.

• A lack of funding to buy the coolest trainings or content available.

Most of these things can be handled easily enough – as soon as they are recognised. Let’s take each point by itself:

• Not considered sexy is a common excuse we receive from technical staff. There are several ways to deal with this issue, including hiring a security culture manager, as is increasingly being done in the Nordic countries (Norway, Sweden and Denmark), who will build, implement and manage a security culture programme. Another option is to use technical tools such as the Social Engineering Toolkit, a tool most techies will relate to and like. Communicating the importance and value of security culture work will also help motivate your team to take it on.

• A team not having enough knowledge of awareness is another challenge we see. Of course, if you do not have enough knowledge of a topic, it is hard to realise just how cool it is, right? To tackle this challenge, training your team in security culture is vital. The aforementioned Social Engineering Toolkit is an excellent way to raise knowledge and build interest. Another way to show how critical and exciting awareness work can be is to join or design a Social Engineering Capture the Flag (CTF) event with your team. Also, create an environment where it is easy to plan and execute security culture activities.

• The argument about security awareness never being successful is easily combated with good metrics, and an understanding of human behaviours. Use the Metrics module to design and build goals and metrics that matter.

• A lack of funding is a challenge in all work – not just security. To get the funding you want, you will have to fight other departments and projects that may be more business aligned and better at communicating direct and indirect value. Again, metrics matter. And when it comes to securing budgets, communicating business value is critical. Do not expect a huge fund from day one. What is more common is that you must demonstrate results and value over time. Again, the Metrics module is your friend. Also, a thinking-out-of-the-box, low-cost, use-what-we-have mentality will take you a long way when funding is low.

John had very little funding, and could not hire a full-time security culture officer. Instead, he asked his team for two volunteers to spend 40% of their time over the next three months on security awareness. He offered training in the Social Engineering Toolkit, as well as in the Security Culture Framework, and the three would evaluate the progress after the three months. John was hoping that he would motivate the two members who volunteered to take on the security culture work after the initial three-month trial, yet he had not anticipated just what he would get in return.

The new CultureCrew, as they quickly became known, fell in love with the Social Engineering Toolkit and used it immediately. They set up a Capture-the-Flag event for the security team, an event that became so successful people from outside of security wanted to join and asked when the next event would take place. When the review meeting with John and CultureCrew took place at the end of the three-month evaluation period, John was surprised to hear that both team members would like to go on; they even presented an 18-month plan on how to build security culture company-wide. They explained that the Security Culture Framework offered templates they had used to develop campaigns they could implement easily and with little extra effort, and they had all the resources they needed to start.

After a review and some minor adjustments, John signed off CultureCrew’s plan to get their security culture going, knowing that the heart of security operations, his team, had changed their mind completely about security awareness work.

16 While anecdotes are sneered at by more analytical people, they provide an excellent method of communicating with a broad audience. Steven Denning presents an excellent discussion of anecdotes as part of his argument for storytelling in business leadership (“Telling Tales”, Harvard Business Review, 2004).

17 Audience analysis differs subtly between disciplines, but in general recommends a few key features be examined: demographics (who the audience is – age, gender, culture, and so on), attitudes (disposition, beliefs, values), knowledge (what does the audience know about the topic) and environment (how is the information being presented, where is the audience when they receive the information, and so on). Depending on your particular circumstances, these will be more or less involved, and will enable you to tailor your communication to the audience.

CHAPTER 5: THE PSYCHOLOGY OF GROUPS, AND HOW TO USE IT TO YOUR BENEFIT

In this chapter, we take a look at one of the important psychological mechanisms of humans: groups and social interaction. Learn how to use in-groups to build trust.

A key to success with building and maintaining good (security) culture is to understand that people are different, and that you need to adapt your efforts to their needs, backgrounds and knowledge. Successful security culture is built by security professionals who know their own strengths and include relevant personnel and competence from across their organisation.

One of the challenges of our human mind is how we are hardwired to relate and interact with other individuals. [18] We are, as a species, a social creature, designed to live in groups. Research in psychology strongly suggests that our grouping behaviour is built into our basic functions. We humans cannot survive alone; we rely on our group to feed us, to teach us and to support us. You can observe this need easily in babies and small children: they would not survive without parents or other grown-ups to feed and care for them.

What is interesting from the perspective of building and maintaining security culture is that as we grow up, we rely as much, perhaps even more, on groups. These groups come in different shapes and sizes, and form inter-group relationships. All human beings belong to a number of groups, from your family, extended family, to the school you attended, to the sports team you support, to the workplace and so on. The groups we belong to, are a member of, are referred to as in-groups in psychology. [19]

There are an even larger number of groups that we do not belong to. Examples can be different families than your own, people in a different workplace, supporters of sports teams you do not support, political groups, as well as cities and countries around the world. Groups we do not belong to are referred to as out-groups in psychology. [20]

Based on in- and out-groups, we can look at how we interact inside our groups, and how we treat people not from our own groups. [21]

Think about your workplace. There are a number of people working there. The organisation where you work is an in-group for everyone who works there. All your colleagues, across the organisation, share the same in-group. The larger your organisation, the more complex it becomes, and the more likely it is that smaller groups of people form: workgroups, teams, departments, locations and so on. Each member of these subgroups shares the common in-group of the organisation, and they create new in-groups based on the new subgroup.

To use an example: you and your team, and everyone else in your organisation, form one in-group: the employer. You and your team are also members of a subgroup of that group: your department. Everyone inside your department shares this in-group with you, and no-one else in your organisation does. Your department becomes an in-group, and every other department becomes an out-group. And for all the other departments in your organisation, your department is an out-group: you are not with them, you are an outsider, possibly even an enemy.

You can continue to create subgroups inside the department, and you will see that every team, project and group of people form and take part in a number of different in-groups. And, consequently, are considered a member of numerous out-groups.

Forming groups is a very good strategy to create greater results than can be achieved alone, a strategy seen in many other creatures. To make groups effective, each individual is required to give up some of its own power and resources to the mutual benefit of the group. We pay a membership due by accepting to obey certain rules, to follow the commands and so on. In return we are supported by the others, as well as being defended from outside threat. This is sometimes referred to as a social contract. [22]

This outside threat is important. Any out-group is considered a potential threat, no matter how weak we consider the group to be. Also, no matter how weak our affiliation is with our in-group, our mind is biased when meeting and dealing with people who are not members of our in-group. It’s almost like we automatically jump into the trenches and start firing at anything they say or do.

Understanding how strong our social bonding is when it comes to our ability to connect with others will help us to change our behaviours when we meet with and try to engage people in our out-groups. It also helps us understand why some groups of people are difficult to connect and bond with. As the security professional, it is part of your job to interact with all the different groups in your organisation. Realising that some of the difficulties you encounter with other people may be due to how the human mind is wired, and not about you personally, may help you do a better job.

With the backdrop of in-groups and out-groups, you are now ready to figure out how to handle the challenges created by these social bonds. Knowing that each department forms an in-group, effectively enforcing a hostility towards anyone not in that department, will help you come up with a strategy of using social contracts and group membership to build security culture.

Knowing about in-groups, and the biases we have, points towards a solution: make yourself and them members of the same group, turning on the in-group bias for all of you. The good news is that you already share one such in-group: your employer, the organisation you all work for. So, the first step towards building security culture is to create a strong company culture: a common ground for all the employees, an “us” mentality. Successful enterprises have used this knowledge for decades. Think of brands like Coca-Cola, IBM and Google. They all share one important thing: they have formed and cultivated a company-wide identity, forming an in-group of all the employees.

On the start-up scene you see the same strategy applied: by building a strong brand awareness, first internally, later externally, the employees feel a strong connection to the business. This connection creates a sense of purpose that enables the company to build a strong internal culture, an in-group that is used to tackle any challenge and struggle that comes their way.

Organisational culture is very often the responsibility of HR. Just like any other department, HR itself forms a subgroup, an in-group sharing all the properties of groups. You, the security professional, are most likely not part of their in-group. As you just learned, that means you are more likely to be met with suspicion and hostility when approaching them. Remember that this is not a deliberate attitude, it is a bias all human beings succumb to.

In organisations without a strong corporate identity, there is a likelihood of compartmentalisation: departments, and possibly teams, have formed their own strong in-group cultures, trumping that of the organisation. In such organisations, all the in-group biases are being enforced, creating a culture of suspicion, hostility and change-resistance. [23]

Working with HR is key to successfully building and maintaining security culture. Your ultimate goal should be to incorporate security culture as a part of the organisational culture: you want security culture to be a natural part of the culture in your organisation.

If you do not already have a good relationship with HR, this is the time to start. Using what you just read about groups, start bonding with HR. There are two main strategies to apply:

1. Create a strong company culture, where everybody pulls in the same direction.

2. Build a new subgroup, where you include people from the relevant groups you want to interact with.

Most of the time, you will find it easier to start with building a new subgroup, and leverage that to build organisation-wide change.

There are many tactics you can use to create new subgroups: you can appear at the coffee machine used by the group you want to influence, forming a new informal group; you can establish a new project involving people from the department(s) you want to influence, forming a formal group; you can combine these tactics in mixed-level interactions.

The Security Culture Framework impacts culture on several levels through the way it leverages in-group biases. Think of the core team as a cross-department group that forms a new in-group with a group mission to change the culture of the organisation. As the work progresses, this cross-department project builds new subgroups that create change in how things are done, effectively impacting the organisational culture. Each training that is completed by employees forms new subgroups comprising the new competence and expected behaviour your core team set out to create.

Over time, with repeated messages across a number of channels, a new culture is forming, replacing the existing culture. [24]

Trying to change culture without understanding the force of group bias is very tough. You can use the power of groups to build support across departments, and to learn about particular challenges other groups face in their day-to-day jobs.

Fortunately, we are not supposed to do everything ourselves. We are social creatures, which enables us to reach out to others for help. The power of groups is profound.

As the Organisation module of the Security Culture Framework states, your core workgroup should include resources from HR and marketing in addition to security. Already, you have a new group that bridges the gap between three different departments. This group also makes it easier for you to succeed in your job, as it will likely introduce you to other security challenges these departments face.

If your resources allow for it, you can also include other people in your core group. Another way to use the group bias to build your success is to set up specific task forces.

Imagine a department that is especially challenging with how they treat you and security. They have formed a strong, negative opinion towards the services you provide, and do their best to figure out how to avoid your involvement in their systems and policies.

You have tried to reason with them, and you have tried to apply the organisation-wide policies. This department is not paying attention, and instead they are doing what they can to sabotage your security efforts. You are quickly running out of options.

This is a common situation. Often our gut response is aggression – and so is theirs. Aggression creates stale boundaries, where the trenches form and dialogue stops. Instead of working towards a common good, we find each other fighting.

It is hard to change this response, which is a manifestation of group bias, yet it is our responsibility to solve these fights for the good of the organisation. Again, the best strategy to apply relies on forming new in-groups. Groups you can use to establish communication, through which you can form an understanding of their side of the story. Groups you should use to build trust.

You may have to take it slow, and accept their rejection: if the conflict has evolved into the trenches, building trust and communication may be time consuming. [25] Your first steps should be to establish a common ground, where you invite the other party to discuss their perspective. Do not object, and avoid judgement. Let them talk. Make them talk. Make them commit to one thing only: agree to meet again!

What you just did was to form a new group. A group you are a member of. A group where both parties participate and where you are all together. Use this group to form a strong group identity, an identity you can leverage later in the process.

Understanding group bias, and how we all succumb to it, will make you better at building and maintaining security culture. Your ultimate goal is to build a company-wide security culture. As you have seen in this chapter, some of that work must be done through the active use of groups and projects. Build trust and relationships on all levels throughout your organisation. Ask for help, ideas and feedback. Most people will gladly talk to you and share insights. And those bonds you make walking and talking are new groups: in-groups that give you the power to create better culture and easier change.

People who like you consider you as part of one or more of their in-groups. The group bias tells us that members of our groups are more likely to help us. Reach out to them!

In the next chapter, you will learn about measuring culture and how you can see behaviour in your own systems.

The story of non-functioning awareness

John, the CISO of a large, multinational bank in Europe, had a mounting feeling that he had forgotten something. He looked through his pockets, found his keys, his smartphone, a few coins and his access card. Everything was present. He sat in his office to read the threat reports he received from the computer emergency response team every morning, and everything seemed fine. John asked his colleague Peter for an update on the progress of the push out of the latest patch for the online banking security system.

The phone rang as Peter entered John’s office to update his boss. There was a blink of panic in John’s eyes as he suddenly remembered what he had forgotten: a sales meeting with the awareness training provider they had used the past two years. He picked up the phone, listened and said, “Yes, thanks, I will be right down.”

Peter smiled, shook his head and said, “John, you really should take some time off! You could use it!”

John smiled back and replied, “Right, you know what this job is like. When was the last time you took some time off?” before he rushed out of his office.

A few minutes later, he had installed himself and Sheila, the salesperson he loved for her easy answers and great service, in one of the meeting rooms with windows overlooking the city far below. Sheila asked if he had had the time to consider what kind of awareness focus the bank needed this year, and was not surprised when he admitted that he had not looked into that yet. She pulled out a glossy brochure, and told him all about their latest offering. John did not notice anything new since last year, except a possible change in the colours. Or perhaps it was the same ones. He could not tell.

Later that day, John was back at his desk wondering if he had made the right choice when he just reordered the same training programme from Sheila that he had used the past three years. According to Sheila, there were some additions to the training programme to reflect the recent password breaches and the new spear phishing attacks. When asked how he could measure the success of the programme, his training vendor offered a number of metrics:

• Total number of trainings distributed.

• Total number of trainings opened.

• Total number of successfully completed trainings (here, John wondered if this was just a record of everyone who had clicked through the slides).

John had the metrics from earlier years, and Sheila said they looked ok. What nagged John was that even with trainings every year, the number of breaches was on the rise. His security metrics showed a trend towards more people clicking on phishing links, and an increasing number of malware being detected in the bank’s systems. Were the metrics the training company provided simply wrong? Did they show something else? What do the present metrics really tell me, John pondered. After some reflection, John realised he needed help.

The challenge John had is one we see with many security awareness programs – vanity metrics, a term coined by Eric Ries in his book The Lean Startup. Vanity metrics are numbers, reports and statistics that seemingly provide value, but on closer inspection don’t give us any information that we can use to analyse our scope. Vanity metrics are just nice numbers, with little or no meaning. In other words, the numbers John got from his training supplier gave no meaning by themselves; they did not give him any information about the change in behaviour that the trainings were supposed to give. To solve this challenge, John had to come up with metrics that would give him real information that was relevant and on target.

We devised a plan where John first had to define a set of target behaviours he wanted in the employees. Next, we had to translate those behaviours into something he could measure on his computer systems and networks. Finally, he had to set up a baseline metric, using the measures defined, so he could compare the results of his security awareness program.

By following this plan, John decided that he wanted to focus on one behaviour only, a wise choice if resources are limited or you are setting out to do something new. The behaviour he chose was phishing detection and avoidance. Later, he also added what he called “SafeRescue” to his behaviours, a mechanism in employees that if they had been breached, they would promptly turn to the information and communications technology support with their computer, to have it assessed and cleaned. He named this particular behaviour SafeRescue because he realised how important it was for employees to feel safe and secure in the handling of a successful phishing attack.

Now that John knew what behaviour he wanted to change, he could look at how to measure that particular behaviour. Using his team and their technical knowledge, they identified existing systems and logs they could use to collect the number of incoming phishing attempts. A challenge they faced was how to measure successful phishing attacks. They decided to use the number of compromised systems, and that 10% of compromised computers were due to successful phishing. That definition allowed them to measure the change in compromised systems, and use the fluctuation as an indicator of successful phishing.

John and his team came to the understanding that most compromised systems were not reported by the user, and made the hypothesis that people were afraid of reporting a successful phishing attack – people were not willing to accept and report that they had clicked on a malicious link, or opened a bad attachment. This is when John added SafeRescue to his behaviour target. He realised that he needed two things: a metric of actually compromised systems from phishing, and users who were not afraid of reporting a compromised system. The former would help him better understand his metrics and provide better reports to management. The latter would create a culture where compromised computers were quickly reported and managed, effectively increasing the overall security of the bank. He also realised that users who approached support with their compromised systems would create a metric that he could use to learn of trends in phishing as well as measure users’ behaviour.

With the target behaviours defined, John could use the metrics he had devised to create a baseline. And that is what he did.
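The three steps of the plan above (target behaviours, measures on existing systems, a baseline) can be carried through in a few dozen lines. What follows is an added example, not code from the book or from John's bank: the incident records, the monthly mail-gateway counts and the detection-source labels (`edr`, `soc`, `user_reported`) are constructed, and the only number taken from the text is the 10% working share of compromises attributed to phishing. "SafeRescue" is measured the way the text defines it, as the share of compromised machines the user brought to support themselves.

```python
# Working assumption taken from the text: 10% of compromised computers are put
# down to successful phishing.
PHISHING_SHARE_OF_COMPROMISES = 0.10

# Constructed incident records (not the bank's data): (month, host, how the
# compromise came to light). "user_reported" is the SafeRescue behaviour, the
# user bringing the machine to ICT support themselves.
INCIDENTS = [
    ("2015-01", "ws-0142", "edr"), ("2015-01", "ws-0207", "user_reported"),
    ("2015-01", "ws-0311", "soc"), ("2015-01", "ws-0018", "edr"),
    ("2015-01", "ws-0455", "edr"),
    ("2015-02", "ws-0099", "edr"), ("2015-02", "ws-0142", "soc"),
    ("2015-02", "ws-0263", "user_reported"), ("2015-02", "ws-0390", "edr"),
    ("2015-02", "ws-0512", "edr"), ("2015-02", "ws-0077", "edr"),
    ("2015-03", "ws-0120", "user_reported"), ("2015-03", "ws-0201", "edr"),
    ("2015-03", "ws-0333", "edr"), ("2015-03", "ws-0404", "soc"),
    ("2015-03", "ws-0450", "user_reported"), ("2015-03", "ws-0068", "edr"),
    ("2015-03", "ws-0219", "edr"), ("2015-03", "ws-0371", "edr"),
]

# Constructed monthly counts from the mail gateway: phishing mails that were
# quarantined or reported, i.e. incoming attempts.
PHISHING_ATTEMPTS = {"2015-01": 410, "2015-02": 455, "2015-03": 530}


def summarise(incidents, attempts, months):
    """Translate the two target behaviours into numbers for a set of months
    (one month for a trend line, or the whole pre-campaign window as baseline).

    phishing avoidance -> estimated phishing-caused compromises and
                          compromises per 100 incoming attempts
    SafeRescue         -> share of compromises that the user reported"""
    months = set(months)
    compromised = sum(1 for m, _h, _s in incidents if m in months)
    reported = sum(1 for m, _h, s in incidents
                   if m in months and s == "user_reported")
    n_attempts = sum(v for m, v in attempts.items() if m in months)
    return {
        "phishing_attempts": n_attempts,
        "compromised_systems": compromised,
        "est_phishing_compromises": round(compromised * PHISHING_SHARE_OF_COMPROMISES, 2),
        "compromises_per_100_attempts": (round(100 * compromised / n_attempts, 2)
                                         if n_attempts else None),
        "safe_rescue_rate": round(reported / compromised, 2) if compromised else None,
    }


def monthly(incidents, attempts):
    """One summary per month, for spotting trends."""
    return {m: summarise(incidents, attempts, [m]) for m in sorted(attempts)}


def compare(before, after):
    """Change from one period to another, stated the way a management report
    would: percentage points for a rate, percent for a ratio of counts."""
    return {
        "safe_rescue_rate_pp": round(
            100 * (after["safe_rescue_rate"] - before["safe_rescue_rate"]), 1),
        "compromises_per_100_attempts_pct": round(
            100 * (after["compromises_per_100_attempts"]
                   / before["compromises_per_100_attempts"] - 1), 1),
    }


if __name__ == "__main__":
    per_month = monthly(INCIDENTS, PHISHING_ATTEMPTS)
    for month, m in per_month.items():
        print(month, m)
    # The whole window becomes the baseline the awareness campaign is judged against.
    print("baseline:", summarise(INCIDENTS, PHISHING_ATTEMPTS, PHISHING_ATTEMPTS))
    print("Jan -> Mar:", compare(per_month["2015-01"], per_month["2015-03"]))
```

Note that the vendor's "trainings completed" figure appears nowhere in these numbers; every metric here is a count of something an employee did or did not do, which is what makes it comparable before and after a campaign.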

18 Group formation has long been studied in psychology and researchers generally recognise two in-built pressures that provide the impulse to form groups: social cohesion (interpersonal attraction drawing people together) and social identity (mutual identification of some social class, such as culture, employment, hobbies, and so on).

19 Tajfel, Billig, Bundy and Flament, “Social categorization and intergroup behaviour”, 1971.

20 Ibid.

21 The infamous Stanford Prison Experiment clearly demonstrates how groups can be formed rapidly and coerced into applying significant pressure against out-groups.

22 Social contract theory extends across a number of disciplines, including psychology, philosophy, political science and sociology, and describes an implicit agreement within a group that determines the rights and responsibilities of the group and its members. Notable writers on the topic include Thomas Hobbes, John Locke and Jean-Jacques Rousseau.

23 Neville Symington identifies this form of conflict as a type of narcissism, describing “organizations so riven by narcissistic currents that […] little creative work was done”. (Symington, Narcissism: A New Theory, 1993.)

24 In sociology, this constant shifting of cultures and the movement of ideas and traits between cultures inevitably results in the development of new, distinct cultures. It does not describe the origin of a culture, in the sense that no culture springs up fully-formed – all cultures are adaptations of earlier cultures, and all cultures will inevitably change and become something else. (Wendy Griswold, Cultures and Societies in a Changing World, 1994.)

25 There are a number of valid approaches and strategies for dealing with conflicts; for a more nuanced and detailed overview, conflict management theory offers a wide range of options applicable to almost any field or industry. The International Journal of Conflict Management provides a wealth of information and analysis of conflict management, and is published quarterly.

CHAPTER6:MEASURINGCULTURE

In thischapter Iwill lookata fewways tomeasureculture,andhowyoucantakeexistingdatatouseasabaseline.

OnethingIoftenhearfromfellowsecurityprofessionalsisthatitisimpossibletomeasureawareness and culture. It is an interesting point of view, and one that is usually basedupon:

•notknowinghowtomeasuresoftskills.

•previousfailurestocreateresultsfromawarenessactivities.

It often boils down to not realising that awareness and culture are reflected in thebehavioursofemployees.Inmostorganisationstoday,theheavyuseofcomputersystemsenablesustocloselymonitoranyandalluse.Anexample:

Bob,asalespersonwhohasbeeninyourorganisationfortwoyearsinMarch,usesacombination of a laptop, a pad and his smartphone to interact with the computersystems.He readshis emails,heusescustomer relationshipmanagement software,he registers his expenses and so on. All of these systems are set up to log everyinteractionwithusers,John’sincluded.Thepurposeoftheloggingistoensurehigh-qualityservice,backtrackactivitiestoseeiftherewassomethingaparticularuserdidtocauseproblems, and receiveearlywarningsonpotentiallydisastrouschanges inthecomputersystems.

Every time Bob uses the systems, his data is being recorded: timestamped,geolocated, device used, system used and so on. These logs show Bob’s currentbehaviours,includinghishabitofeatinghislunchatacafédowntheroad.Ofcourse,youdonotknowthatheiseatinghislunchthere,whatyouknowisthathisdevice,usinghiscredentials,isbeingusedalmostdailytoconnectfromthatlocation.

What you see is how Bob is using the computer systems. That is what socialscientists call behaviour. Bob is interacting with his surroundings, and you areloggingthatinteraction.Youaremeasuringhisbehaviour.

Bob’semployerhasabringyourowndevice(BYOD)policy,statingthatconnectiontothecomputersystemsmustonlyoccurusingavirtualprivatenetwork,andtheuseof public Wi-Fi is not allowed. When on the road, Bob should only rely on hismobileInternetconnection.

Whenyouexaminetheconnectionlogsforthesalesteam,youdiscoverthatmostofJohn’s colleagues fail to follow the policy. Instead of using theirmobile network,theyprefertoconnectfromWi-Finetworksontheroad.

Using the current log data, you now have a baseline behaviour. You know yourcurrentsituation,the“asis”.

Thebaselinemeasurementisimportantwhendesigningchange:knowingwhereyou

aremakesitpossibletonavigatetothelocationyouneedtobe.Ifyouknowwhereyouwanttobe,thatis.

InJohn’sorganisation,thegoalstateisdescribedinthepolicydocument:

Every worker outside our premises should connect using VPN, and only throughmobilenetworksorpreviouslyacceptednetworks.

Inthiscase,definingyourgoalisquiteeasy:youneedemployeestoconnecttothecomputer systemswithVPN, and frompre-defined networks only.You also knowthatBobandhiscolleaguesarefarfromthisgoal;theirbehaviourisnotaccordingtoyourgoal.

The baselinemeasurement shows a clear gap fromyour defined goal. That gap iswhat you will bridge with your security culture programme. Using the SecurityCulture Framework, you are now ready to take a closer look at Bob and hiscolleagues,analysingtheirbehaviour, theircurrentsecurityunderstandingandtheirpreferred communication style.Next, you choose activities thatwill resonatewithBob,helpinghimunderstandwhyheneedstofollowthecompanypolicy.

Part of your analysis should be to interview Bob, possibly even going out on the road with him for a day, so you can better understand the situation from his perspective. He might tell you that the mobile network is so slow that it makes it impossible to do his job. Maybe he is unaware of his phone automatically connecting to open Wi-Fi networks. There are a number of possible explanations for Bob's current behaviour, and understanding his side will provide you with a better idea of how to change it.

After creating your baseline and analysing Bob's current behaviour, you create a security culture campaign, using the Security Culture Framework, with a selection of different activities, all directly related to Bob and his team's needs. Your programme consists of a six-week nano-learning programme with two five-minute video clips each week. You also join two sales meetings, one at the start of the programme and one towards the end, where you use a Pineapple device to demonstrate what a man-in-the-middle attack may look like, surprising everyone attending at just how easy it is to intercept traffic. You also distribute a keyring with the text "Lock My Door". Before you start the programme, you run a short five-question survey where employees are asked about their general security knowledge. You rerun the same survey a week after your programme finishes, giving you another source of information that you can correlate with your logs.

After your security culture campaign has come to an end, you take another look at your logs, where you discover a steady change in how the sales department connects to the main systems. Most of the sales force now connect using VPN and the mobile networks while on the road.

You also notice that Bob no longer seems to have his lunch at that diner. Looking at the geolocation data your logs collect, you notice he is connecting from one of the subsidiaries, where he gets access to a high-speed Internet connection without breaking the company policy.

Comparing the results from your two runs of the survey, you also notice a clear change in the security knowledge and understanding of the sales team. They show a clear trend towards understanding why the policies are in place, and that even though the policies demand a behaviour that to the salespeople seems counterproductive (getting in the way of their work), they now realise that if they fail to follow the policies, they effectively put the workplace in danger.
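The log-based baseline, the re-measurement after the campaign and the "baseline vs. new metric vs. goal" gap analysis described above, as an added Python example that is not from the book or from the Security Culture Framework. The log format, the users, devices, network names, locations and the 90% target are constructed for illustration; the compliance rule is the BYOD policy quoted above (VPN, and only mobile or previously accepted networks).

```python
"""Behaviour from connection logs: baseline, re-measurement and gap to goal.

Added example, not from the book or the Security Culture Framework. Log format,
users, devices, networks, locations and the 90% target are constructed; the
rule is the BYOD policy in the text: VPN, and only mobile or accepted networks.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed connection logs, one connection per line, key=value fields.
BASELINE_LOG = """\
2015-03-02T12:10Z user=bob device=ipad system=crm net=wifi:cafe-guest vpn=no loc=cafe
2015-03-03T12:05Z user=bob device=ipad system=crm net=wifi:cafe-guest vpn=no loc=cafe
2015-03-04T12:20Z user=bob device=ipad system=mail net=wifi:cafe-guest vpn=no loc=cafe
2015-03-04T16:00Z user=bob device=laptop system=crm net=mobile:telenor vpn=yes loc=hq
2015-03-02T09:30Z user=alice device=laptop system=crm net=wifi:hotel-lobby vpn=yes loc=hotel
2015-03-03T10:00Z user=alice device=laptop system=crm net=mobile:telia vpn=yes loc=road
2015-03-03T14:00Z user=carol device=phone system=mail net=wifi:airport-free vpn=no loc=airport
2015-03-05T11:00Z user=carol device=phone system=mail net=wifi:subsidiary-office vpn=yes loc=bergen
this line was truncated by the log shipper and must not crash the analysis
"""
AFTER_LOG = """\
2015-05-04T12:10Z user=bob device=ipad system=crm net=wifi:subsidiary-office vpn=yes loc=bergen
2015-05-05T12:05Z user=bob device=ipad system=crm net=wifi:subsidiary-office vpn=yes loc=bergen
2015-05-06T12:15Z user=bob device=ipad system=mail net=mobile:telenor vpn=yes loc=road
2015-05-04T09:30Z user=alice device=laptop system=crm net=mobile:telia vpn=yes loc=road
2015-05-05T14:00Z user=carol device=phone system=mail net=wifi:airport-free vpn=no loc=airport
2015-05-06T11:00Z user=carol device=phone system=mail net=mobile:telia vpn=yes loc=road
"""
# "Previously accepted networks" under the policy (constructed list).
APPROVED_NETWORKS = {"wifi:subsidiary-office"}


@dataclass(frozen=True)
class Connection:
    day: str     # YYYY-MM-DD; day granularity is enough for "almost daily" patterns
    user: str
    device: str
    system: str
    net: str     # "<type>:<name>", e.g. "wifi:cafe-guest" or "mobile:telia"
    vpn: bool
    loc: str


def parse_log(text):
    """Parse key=value lines. Malformed lines are counted, not silently dropped."""
    conns, bad = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split()
        fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
        try:
            conns.append(Connection(
                day=parts[0][:10], user=fields["user"], device=fields["device"],
                system=fields["system"], net=fields["net"],
                vpn=fields["vpn"] == "yes", loc=fields["loc"]))
        except KeyError:
            bad += 1
    return conns, bad


def is_compliant(c, approved=APPROVED_NETWORKS):
    """Policy: VPN *and* (mobile network or previously accepted network).
    VPN over an unapproved public Wi-Fi is therefore still a violation."""
    return c.vpn and (c.net.split(":", 1)[0] == "mobile" or c.net in approved)


def compliance_rate(conns, approved=APPROVED_NETWORKS):
    """Share of connections that follow the policy: the 'as is' metric."""
    return sum(is_compliant(c, approved) for c in conns) / len(conns) if conns else 0.0


def compliance_by_user(conns, approved=APPROVED_NETWORKS):
    """The same metric per user, to see who is furthest from the goal."""
    per_user = defaultdict(list)
    for c in conns:
        per_user[c.user].append(c)
    return {u: compliance_rate(cs, approved) for u, cs in sorted(per_user.items())}


def recurring_locations(conns, user, min_days):
    """Locations a user's credentials connected from on >= min_days distinct days,
    the pattern behind 'Bob has lunch at the cafe' (the log shows the device, not the person)."""
    days = defaultdict(set)
    for c in conns:
        if c.user == user:
            days[c.loc].add(c.day)
    return sorted(loc for loc, d in days.items() if len(d) >= min_days)


def gap_analysis(baseline, new, goal):
    """Baseline vs. new metric = progress; new metric vs. goal = remaining gap."""
    return {"baseline": baseline, "new": new, "goal": goal, "progress": new - baseline,
            "remaining_gap": max(goal - new, 0.0), "goal_met": new >= goal}


if __name__ == "__main__":
    before, bad = parse_log(BASELINE_LOG)
    after, _ = parse_log(AFTER_LOG)
    print(f"skipped {bad} malformed baseline line(s); by user:", compliance_by_user(before))
    print("bob, locations seen on >= 3 distinct days:", recurring_locations(before, "bob", 3))
    # Constructed result goal in the book's template: compliant remote connections to 90%.
    print(gap_analysis(compliance_rate(before), compliance_rate(after), 0.90))
```

Note that a VPN session over an unapproved hotel Wi-Fi counts as a violation, because the policy requires both the VPN and an allowed network; counting only "VPN on" would overstate compliance.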

The argument that it is very hard to measure awareness and behaviour change is flawed.²⁶ Just like anything else, it comes down to your current knowledge and skill-set. If you have never learned how to look for behaviour data in your systems, you are not to blame. I hope that reading this chapter has spawned a few ideas as to how you can use your own data sources to look for behavioural data.

Using your current data sources is a great way to look at how behaviour translates into patterns in your logs. There is usually no need to buy another system or software to create more data when you want to measure awareness and behaviour change. Most organisations I work with have more than enough data points, and logs are readily available. Sometimes you need to turn on a logging feature in the system. Most of the time, however, the challenge is to select just the right data to use from the abundance of available data.

Another challenge that sometimes arises is the need to do proper analysis on the data. Not every security professional is also a skilled data analyst. Most security professionals are not social scientists. We, the security professionals, tend to come from a hard-science background, where only what we see directly is considered an acceptable truth.

When it comes to understanding people, behaviour, awareness and culture, we need to learn from the social scientists. There are a number of scientific tools and methods used by psychologists, sociologists and anthropologists around the world. These include both quantitative data (think of your logs) and qualitative data (think of an awareness survey or maturity model). Arguments still rage about which one of these methods is best when understanding people: the current consensus is that we need both methods to create a more complete understanding of how we behave and how change can be controlled.

The understanding that we may need both quantitative and qualitative data to create a wider understanding of behaviour and change is important to notice in security culture. Your logs tell so much (or so little), and surveys are biased by both the questions and their wording, as much as by the context and understanding of the participants. Understanding that both quantitative data and qualitative data can lead you far away from your path will help you look for ways to assure the quality of the data, and its validity to the real world, as quickly and early as possible. Correlating quantitative data with qualitative data may help you discover discrepancies and problems with your hypothesis.

Where do you look for data?

You can use a number of different sources for information on behaviour – either directly or indirectly. Your budgets may impose limits (as they should), and so may your own interest and skill-set. A data analyst is a great asset to any security team, and can identify relevant data sources as well as creating the necessary analysis.

In the book Data-Driven Security, Jay Jacobs and Bob Rudis walk the reader through how to set up and run your own security analytics using R and Python. In their dashboard chapter, they include an example of a CISO dashboard on security awareness based on the SANS awareness maturity survey. I strongly suggest reading that book, even if you are not a data analyst. Their clear explanations based on real security issues make it very easy to relate to the topic, making it fun to learn!

Most computer systems today come with immense logging opportunities, giving you vast amounts of data to analyse your employees' behaviours on your systems. Often, all it takes is knowing where to look, and turning the logging on.

Surveys can provide a lot of information. There are also a number of challenges with surveys, including the fact that it takes some communication skills to create quality surveys²⁷ that yield the results you need, and not only what you want. My opinion is that smaller surveys are better than larger ones when it comes to security awareness. Most people in your organisation are not as passionate about security as you are, so making them answer a long survey is usually harder than having them answer three or four questions.

An alternative to surveys is interviews. Interviews require more resources (they take time and are one-on-one) than surveys. The upside with interviews is that you can pick up other information from the participant, and you may discover information otherwise kept from you.

Interviews can be conducted in a number of different ways, depending on your purpose. You can do the coffee-machine interview with a great number of people, where you will ask a couple of questions in an informal way to random people you meet. This may help you discover issues you are not currently aware of, and may be conducted over some time. These kinds of interviews are cheap (you conduct them when you fetch your coffee), and are best applied to collecting informal data (i.e. what you learn may not be very useful for in-depth analysis) that you can use for careful correlation with other data sources.

You may also do formal types of interviews, where you will have a defined set of questions, and where you select the participants based on what you are setting out to learn. You may interview department managers to discover discrepancies in culture between departments, or you may interview all members of a team to learn the team's combined understanding of security.

In addition to internal data sources, you may look for information outside your organisation. Some countries and industries collect security information and create trend analysis reports that may be used to discover how your organisation compares to the industry. You may also use breach report data available for download, and compare it with your own systems and breaches.

Take the opportunity to jump into your own logs and systems. Let the question "How can I see behaviour of my users in this particular log?" guide you through your quest. You may end up becoming another great data analyst, or you may decide that you need someone else to do this job. No matter what you decide, I guarantee you that you will find ways to track behaviour. Then ask yourself the next question: "What other logs can I combine this with, and what will I then learn?"

A word of warning: you may find yourself digging deeper and deeper, and forgetting about why you are looking for a particular dataset. There is so much to be discovered in the logs!

In the next chapter I introduce the Security Culture Framework, and present one way to set up a security culture programme that yields results.

26 There are a number of methods, techniques and principles on measuring behaviour and change available to social scientists. The UK's Government Social Research office published a report describing models for measuring behaviour change in a report entitled "Reference Report: An overview of behaviour change models and their uses" (2008).

27 Surveys are a common method of conducting research, but need to be carefully composed if they are to provide meaningful results. Ideally, a statistician will be available to ensure that results can be appropriately derived from the responses, but this is largely useless unless the correct questions are being asked. Most introductory texts on research methods should have good advice on composing effective surveys.

CHAPTER 7: BUILDING SECURITY CULTURE

In this chapter we take a look at the Security Culture Framework, and explain how a methodology helps organisations develop and maintain good security culture.

Building and maintaining security culture is like any other process you manage: continuous, planned, controlled and audited. I am sure you are familiar with the PDCA (Plan, Do, Check, Act) flow of process management from the ISO/IEC and other standards. What you may not know is that the same pattern of planning, doing, checking the results and implementing necessary changes (act) also works great when it comes to working with people.

After many years of listening to frustrated security professionals who felt they had failed in building security awareness, I analysed what went wrong. I also wanted to see what successfully implemented programmes had in common. In my travels around the world, I spoke with a large number of security people in a wide variety of organisations of all sizes. Two things quickly became apparent:

1. There are more successful programmes than we realise.

2. The failures could be easily mended by changing the approach.

The first finding is important because it gives us hope, and proof, that building and maintaining security culture is possible, and may not require that much from us.

The second finding is important because it points us in the right direction: by changing the way we design and implement security awareness programmes, we too can be successful.

Next, I looked at what was being done. Again, I found fundamental differences:

• Successful programmes were designed and implemented in the organisation using resources from HR, marketing and communication in addition to the security officer (SO). They leveraged the different competences in the different fields of speciality to set up programmes that actually worked. They also had long-term perspectives, with clearly defined goals, milestones and metrics. And finally, they ran their programmes as projects within a process – following the PDCA cycle.

• Failed programmes came in two broad categories: those where the SO did everything himself, and those that only focused on checkbox compliance.

These findings made it easy to pinpoint the mistakes to avoid, and the best practices to share, and I could create the first iteration of the Security Culture Framework together with Lars Haug and Mo Amin.

The Security Culture Framework is free and open. You can find it at securitycultureframework.com, and as with all free and open approaches, it gets better the more people join the discussion, sharing experiences and working on evolving the framework itself.

The Security Culture Framework consists of four parts, making a fully repeatable process. It targets large organisations, and its open and flexible structure makes it easy to adjust to any organisation and size. It is designed to help you organise your work with building and maintaining security culture, and will not replace any of your existing tools, suppliers or materials; you will still need those.

The framework was created to help set up and run your security culture programme – it is not a programme in itself.

The framework consists of four parts:

1. Metrics

2. Organisation

3. Topics

4. Planner.

Each of the parts is tied to the others, and they operate together to form a template of a security culture programme. Depending on where your organisation is today, the starting point is usually one of two: the Metrics, where you would define goals, or the Organisation, where you would set up your team. For the sake of simplicity, I run through each of the parts, and then walk you through one iteration of the programme, starting by setting up a team.

A security culture programme is the combined activities you do to build and maintain security culture in your organisation.

Metrics

The Metrics part of the framework helps you understand what you are setting out to do with your security culture programme.

In this part of the programme you will define your goals – long-term and short-term. You may have different kinds of goals – from specific results goals like "By the end of this year, we will have reduced the number of successful phishing attacks by 50%", to learning goals like "By the end of this programme, the participant will demonstrate how to discover and avoid a phishing attempt."

A question that I get from time to time is "Why do I need to set goals?" The quick answer is that a goal helps you understand where you are supposed to go.

Considering the two kinds of goals just mentioned, both focus on phishing, which helps you determine what kind of activities you should implement in your programme. The result goal is telling you what you want to achieve in the metrics on your systems and reports: a 50% reduction of successful phishing attempts. A result goal used correctly will help you understand where you will find supporting data to document your progress towards your goal.

In this example, there may be a number of different sources in your current system that may provide the metrics you need.

Another pointer that a result goal gives you is to understand your current situation. To reduce the number of successful phishing attempts by 50%, you need to know how many attempts are currently being successful. You use the goal to help you understand where to find metrics that you can use both to understand your current status and the status of your future.

You may use this basic template to define result goals:

By …………………………………. (time/date)

we will have ……………………….………….. (reduced/eliminated/increased/created)

the ……………………………. (task/area/topic) by ……………. (#/%/days).

In the ISO/IEC 27000 series, the current state is defined as "as is", and the future state is defined as "to be". Since you are setting out to change the current state of your organisation, you need a clear understanding of both states. The Metrics module is your reminder to do just that.

The other kind of goal, the learning goal, is designed to help you consider what you want, or sometimes need, your participants to learn. The learning goal should be created to support your result goal, and is defined by asking yourself what participants need to know, do or understand to move from their current state into the state of your goal.

You can use the following basic template to define learning goals:

By the end of this ………………………………… (training/course/programme)

the participant will ………………………………… (demonstrate/know/show/understand)

…………………………………………………… (topic/area of knowledge/skill).

Using SMART goals

When defining results goals for your security culture programme, I advise creating so-called SMART goals:

• Specific

• Measurable

• Achievable

• Realistic

• Timed.

SMART goals use a model that helps you create goals that are more likely to succeed. The model forces you to be as specific as you can, adding necessary detail and focus to your goal. By being measurable, a SMART goal helps you know when you have reached the goal. Achievable is a test to see if it is possible to do what you set out to do with the current resources available. Realistic is a quality control to remind you that we set out to do something for real; this is not a dream or a vision. Finally, a SMART goal should have a clearly defined deadline, so that you have something to help you plan towards, as well as a period in time where you can say "We did it!"

One of the challenges many security officers share is the need for more funding for their awareness programmes. Having clearly defined goals, backed by numbers that relate to the business, is a great help to communicate such needs. The Metrics part of the Security Culture Framework helps you better understand how to measure your progress, as well as document your results and needs. It also helps you pinpoint your area of focus, which in turn makes it easier to implement the right kind of activities in your programme.

The Organisation part

As just mentioned, one of the challenges faced by failed awareness programmes was the idea that "I have to do it all by myself." This was in contrast to the successful programmes, which generally involved a larger team with a broad understanding of culture, training, communication and security.

The Organisation part of the Security Culture Framework helps you understand what kind of resources you need in the core security culture workgroup, as well as who else should be involved.

At a minimum, your core workgroup should have the following competencies on board:

• Security

• Communication

• Culture and training.

This often translates to someone from the security office, someone from marketing/communication and someone from HR. With the core competencies in place, you can start planning your programme.

In larger organisations you may want a steering committee who sponsor and govern the programme, and act as the liaison between the programme and top-level management. In smaller organisations, you may report directly to the CEO, chief information officer (CIO) or CISO.

Depending on your chosen goals, you may also include other people in the workgroup. Competencies that often come in handy include:

• training design/instructional design

• graphic design

• copywriting/editing

• data analytics.

Some organisations have these resources internally, and others choose to buy external services.

One point to make is that the core workgroup requires security competence, but that does not mean that the SO must also be the group manager. One very efficient way to handle the workgroup is to use a project manager, or at the very least a project administrator, to take the administration, meeting planning and so on off the shoulders of the SO. Remember that the SO's primary role in the workgroup is to provide security competence and guidance, which is not the same as managing the group itself!

Another important aspect of the Organisation is the audience analysis section. People are different, with different interests and areas of focus. Departments are different – they come with different tasks, some of which attract people with special competence and different personality types. Organisations with different locations, including multinationals, may experience that each location has its own particular subculture.

When you design, plan and implement your security culture programme you must understand the differences and similarities of these groups, so you can adapt your activities, goals and expectations to each of the target audiences.

A target audience is the name that we borrow from marketing professionals, given to the group of people we aim our security culture activities at. Unlike what some awareness training companies may tell you, there is no such thing as "One Size Fits All" when it comes to training and communication. To reach your defined goals, you also need to understand what your audience is like, so you can adapt to their needs.

Using the phishing example from before: instead of running a generic phishing training campaign towards all the employees in your organisation, you may analyse who are the most likely targets and who are the most vulnerable targets, and come up with a list of top-level managers, key business developers, key engineers and a few others whom you consider the likelier targets for spear phishing attacks. Based on your list, you create two subgroups: Business Focus and Engineering Focus. Now you have two separate groups, with different characteristics.

The Business group consists of the top-level (and possibly key mid-level) managers plus the business developers, whereas the Engineering group consists of a selection of patent lawyers, key engineers and developers, plus perhaps their assistants.

At this point, it should become clear that although both groups are considered targets for spear phishing attacks and need training, the groups also differ in their interests, area of focus, knowledge and understanding.

Your conclusion should be to create two different campaigns, both with the same overall goal of reducing the total number of successful phishing attacks by 50%, and the content and the activities of the two campaigns should be different to best communicate with the people in the groups.

For the Business group, you may focus your example phishing attempts on relevant (and current) projects and business development focus. You may write the collateral in words that resonate with their area of focus. For the Engineering group, you will do the same, focusing on examples and words they can relate directly to.

You will reach your goals faster and easier if you help your target audience to quick and painless learning. The more you know about your target audience, the easier it will be for you to adapt the message and content to their particular needs.

Knowing the area of focus and interest of all different target audiences may not be feasible. One strategy I see implemented with great success is to involve the target department or audience in the security culture workgroup for the particular goal. In the preceding example, you could invite someone from the Business target group to advise on what may or may not work in that group, and you could invite someone from the Engineering group to do the same for that target audience. By inviting your target audience into the planning of activities, you are also likely to learn about issues you did not know about, as well as building relations and bridges to people around your organisation who may become your sponsors and advocates.

Topics

So far, using the Security Culture Framework, we have defined one or several clear goals, we understand how to measure them, we have set up a workgroup to organise the programme and we know that we need to adapt our activities to the people we are training.

The next part of the Security Culture Framework is Topics. Building on your defined goal and your understanding of the target audience, the Topics are there to help you choose the kind of activities that ensure a successful security culture programme.

There are no limits to the kind of activities that can be used in building and maintaining culture, and this is where the marketing department may excel in creating content.

Marketing departments are usually well versed in communicating a message in a way that the target audience can relate to in a positive way. Let them go crazy with their creativity. Just a fair bit of warning: marketing people usually know how to build great communication campaigns, but they may not understand security. You need to be in control of the overall message, and remind your creative allies what the goal is. One tip is to ask the following question: "How exactly is this activity taking us closer to the goal?" If you are happy with their answer, go with it. If not, you may want to follow up with "What can we change to align it to our goal?"

To help you get going with what can be used as activities, consider this list as a starting point:

• e-learning

• Nano-learning

• Classroom training

• Lunch & learn

• Breakfast sessions

• Demonstrations (live and recorded)

• Knowledge Pills

• Google Hangouts

• Question and answer sessions

• FAQ

• Gamification (done properly!)

• Posters

• Stickers

• Giveaways.

One of the challenges SOs face is to explain complex and abstract security issues in a way that people without the expertise can understand. Consider spear phishing as an example. How would you explain that to someone who doesn't know what it is? What examples would you use? Which words, taxonomy and context would you use?

Most of us will focus on the terminology we know and use every day, without regard to the other person's level of knowledge.

The same is true for the other areas of expertise in the world: most people will use words, concepts and context they can relate to, and they will think that you understand that without even asking. Your challenge is that you are the one who must adapt to their needs: at no point can you assume that a person who does not work in security will understand what you are talking about. Hiding behind the terminology of your industry only works against you by alienating your audience.

To help others understand your message, you can change the wording and use concepts and terminology they relate to and understand. You may also try to convey the message in an entirely different way, as Mo Amin²⁸ puts it:

"Awareness demonstrated is awareness achieved."

For the preceding phishing example, you may set up a demonstration using equipment from your lab, and show in detail what is going on during an attack. Just remember to avoid the technical terms and instead focus on what is happening from a business point of view: a person clicks on the link and is taken to a hosted server that installs malware. Malware scans a computer for files of a particular type/name/date, and sends them to a different server.

This scenario is not very complicated to set up using a lab, and demonstrating the results can be done easily too: demonstrate that files of particular names/types are actually moved from the computer to the server without the person using the laptop knowing.

Just one word of warning: make sure you control the full environment, and let the person who is being taught use a lab computer, not their own.

This kind of demonstration does not require a large investment, and it can be done in a board meeting, in the hallway outside the lunch room, in a coffee area or also virtually.

Similar demonstrations can show general malware, password strength, social media scraping and so much more. All it takes is a bit of planning.

Activities go better together. Combine a selection of three or more activities to have them support and strengthen the message you are creating. In our phishing example, you may consider presenting a series of short video lessons, an "Alert me" phone number to call if they suspect phishing, and perhaps a selection of stickers in addition to the phishing demonstrations.

It is important to remember that the activities you choose should be focused on the needs of the audience. Using your audience analysis in the Organisation module, you can determine the level of knowledge and interest of your target audience. Use that analysis to pick the kind of activities that will help your audience to understand and grow their competence.

The activities are closely tied to your goals, as defined in the Topics module, too. Activities should be designed and implemented to help you reach your goals. One question you can use to assess how your chosen activity will help you reach your goal is:

"How will this activity help me reach my goal?"

Describing your answer is important to control your direction. It also makes sense to note your answer for later reference. The templates available at securitycultureframework.com will help you to select your activities, and to ensure your selection will in fact help you reach your goals.

Planner

The fourth part of the Security Culture Framework is the Planner. The Planner is a selection of different ways to plan and execute your security culture programme, where three elements are vital:

1. When to run activities.

2. When to do measurements (metrics).

3. When to revise and assess your progress.

The Planner is not another planning tool like Microsoft Project. Instead, it is a description of what actions a security culture programme should consist of, and at what interval. Templates are downloadable at securitycultureframework.com.

One example of a security culture campaign is the Security Culture Framework 12-week campaign. The 12-week campaign is one full iteration of a security culture programme, run over the course of 12 weeks. The campaign is divided into three parts, following the Planner module:

Four weeks of metrics, followed by six weeks of activities, and then two weeks of measuring progress, analysing results and revising future actions.

A 12-week campaign may look like this:

Week   Action                  Comment
1      Set up team             Get the core security culture team
1      Define main goal        Set one main goal to work towards
1      Define subgoals         If desirable, define subgoals
2      Create baseline(s)      Using the goal metrics, collect data for baseline (as is)
2      Analyse                 Use baseline data and defined goal state to create gap analysis
2      Select activities       Brainstorm a selection of activities to close the gap
3–4    Source activities       Create, develop or buy the activities chosen above
3      Plan activities         Plan when to execute each activity
5–10   Run activities          Activities do not have to be run at the same time!
11     Rerun baseline metric   Do the same measure as in week 2, collecting new data
11     Analyse                 Use gap analysis: baseline vs. new metric = progress; new metric vs. goal = new gap
12     Revise                  Consider your results. Consider what you would do differently. Revise accordingly

A note on the 12-week programme: this is a generic example, which you may have to change for your own needs. Some organisations need more time to run one iteration, and this is especially true in larger companies. You may have to adjust it to a six-month iteration, or even a 12-month cycle, depending on your needs, your resources and the current culture.

The 12-week programme was designed as a bite-sized chunk. By creating a small, standardised approach, it becomes easy to set up and run security culture campaigns. This approach also helps you to keep your goals tangible, and to do small and efficient activities to build and maintain culture. Instead of a "Do it all" approach, the Security Culture Framework encourages you to take the small steps, each step building on the previous one, and steering you towards your overall goal of building and maintaining security culture.

SettingupyourorganisationtousetheSecurityCultureFrameworkWiththebasicknowledgeoftheSecurityCultureFramework,youarenowreadytosetup

yourorganisationtouseittobuildandmaintainsecurityculture.Youmayusethesestepstostart.

• Setupyourcoresecuritycultureworkgroup.UsingtheOrganisationModule,setupyourcoreteamwithoneresourcefromthesecurityoffice,onefromHRandonefrommarketingorcommunications.Ifyoudonothavethoseresourcesinternally,youmayuseexternalresources.

In addition to your core team, you should create support for your security cultureprogrammebygettingyourCEOtosponsorit.Onewaytogettop-tiersponsorshipistosetupasteeringcommitteewhereyouinvolvethekeyplayers,andgettheirsupport.

• Definegoalsandscope.Definingalong-termgoalisagoodideaearlyon,asitwillhelpyousteeryouractivitiesinonedirection.Along-termgoalmaybedefinedusingtheSMARTmethodmentionedearlier,oritmaybedescribedasavision.Thepurposeof a long-term, overarching goal is to remind you of the direction you are directingyour organisation towards, and to help you prioritise and select milestones andsubgoals. Use this long-term goal to define your scope, resource requirements andlong-termstrategy.

•Whenyouhavedefinedalong-termgoal,itistimetobreakitintobite-sizedchunks,or 12-week campaigns. Start with your first campaign, and decide on one or a fewgoalsyouwanttoachieve.

• Define your target audience.Considering your goal,whowill benefitmost in yourorganisation?Aretheresomedepartments,locationsorgroupsthatstandoutasmorebeneficial?

• Analyseyour target audience.Whoare they?Howdo theyprefer tocommunicate?What is their security knowledge? Use the template available atsecuritycultureframework.com as well as the experience your marketing departmenthaveinanalysingcustomersegments.

•Createbaseline(as-is)measurement.Usingyourgoalasaguidinglight,decidehowtomeasure your success, and create a baselinemeasurement to document your currentstatus.Doagapanalysis todeterminethedifferencebetweenyourbaselineandyourgoal.

•Identifyactivities.Usingyourgapanalysis,yourdefinedgoal(s)andyouranalysisofyour target audience, you are ready to choose activities. Remember that learningactivities come in a wide range – from classroom and e-learning sessions, togiveaways, posters and demos. Be creative, and allow yourself to try out differentactivitiestoseewhichgivesthebestresultsinanygivensettingandgroup.Aslongasyouareconfidentthatyouractivityissupportingyourgoal,youshouldbefine.

• Sourceactivities.Nowthatyouknowwhatkindsofactivitiesyouwant touse, it istimetoeithercreate them,buythemordownload them.Therearemanysuppliersofsecurity trainings around, and approaching themwith specific requirements of whatyouarelookingforisagreatwaytohelpthemsupplyyouwithexactlywhatyouneed.

Ifyouhavein-houseexpertise,youmayproducethecontentinternally.Ifyoudonothaveabudget,considerallthefreesourcesofcontentavailable.Foragrowinglistofsuppliers,checkoutthesecuritycultureframework.comcommunity.

•Planandrunactivities.Inyourplanner,addthedifferentactivities,theirstart,durationand end times, and any comments you find relevant. Then run the activities as youplannedandwatchasyourorganisationlearns.

•Measureresults.Aftertheactivitiesaresuccessfullyran,itistimetodoyoursecondmeasurement. Using the same data source and method as you used to create yourbaseline metrics, collect the new status. If your activities were implementedsuccessfully,youshouldnoticedifferencesbetweenthebaselineandthenewmetric.Ifyoudon’t,thereisnoneedtopanic:thereareanumberofreasonswhyyourdatadidnotchange:

theydonotshowwhatyoutrytomeasure

thechangedbehaviouryouwanttoseetakeslongertoshow

notenoughdataisavailable.

•Analyseresults.Usingthebaselinedata,yournewdataandyourdefinedgoals,analyseanyprogressyoumade,andtrytounderstandwhyyougettheresultsyouget.

•Revise.Whileanalysingyourresults,makenotesofyourfindings.Considerwhatyoucouldhavedonedifferentlywhenitcomestoactivities,goals,timeframesandbudgets,andputtheminyourreport.Foryournextcampaign,useyournewfoundknowledgetoimproveonwhatyoudid.

The first time you set up the Security Culture Framework in your organisation, it may require more time and resources. This is normal. Identifying the key resources for your core team may take some time, which you do not have to repeat every time you run a campaign – the team generally stays the same.

It is also normal that doing something new takes more focus than when you do something you are familiar with. The same is true with the Security Culture Framework. As you run a few campaigns, you start to get hold of the process, and soon you will notice how the framework is saving you and your organisation time and resources when building and maintaining security culture.

If you do find yourself in a squeeze and need help figuring out how to move forward, the community is only a browser away. You will find both certified Security Culture Coaches, certified Security Culture Practitioners and a growing number of users of the Security Culture Framework at securitycultureframework.com. And I did mention it is free and open, right?

28 Mo Amin is a Certified Security Culture Coach and dedicates himself to building better security culture: www.moamin.com.

CHAPTER 8: TIME IS ON YOUR SIDE

You have successfully reached the end of this book on security culture. You have learned what security culture is and how it relates to security awareness. You have tapped into social sciences with a focus on psychology, so we can better understand how people interact, behave and inform their actions. This is knowledge that is important to have when bringing about cultural change. You have also read about security culture metrics and how to use the Security Culture Framework to build and maintain security culture.

There are a few final things I need to share with you.

Reading this book does not make you an expert on this topic. Even writing this book, I do not consider myself the one know-it-all – there are so many different aspects of culture, people and behaviours that we still do not understand. That is one of the reasons I am back at the University of Oslo where I am reading psychology. I want to help the industry by building a body of knowledge on security culture. I am dedicating my time and resources because I believe it is important for us as an industry to understand people for real, if we want to bring about change.

However, reading this book shows that you, just like me, are interested in this topic. Hopefully that means you will bring about positive change in your organisation now and later. I also hope you find it interesting to learn more about culture, diversity, learning and communication. There is an abundance of topics related to security that are not directly to do with malware, firewalls and pentesting. These topics are not at all new. Since the dawn of human existence we have built security culture into our societies. I see no end to the need for understanding how we can become even better at this.

Changing culture takes time. Sometimes it works, other times it doesn't. Scientists disagree about the reasons and the methods. There are an unknown number of unknown factors that may or may not apply to your success. One thing is for sure, though: if you are not in charge of the culture yourself, culture will be in charge of you. Set your goals, and work towards them. Small steps do it.

My experience shows that a structured approach is more likely to yield success than any of the happy-go-lucky approaches I've seen. A programme that brings about change also plays with all elements of culture: technology, policies and people. Sometimes they succeed right away, and other times they need a number of tries.

What I see in the programmes we run is that time is an important asset. Have a long perspective. And by long, I mean 3-5 years' time. Longer if possible. Create a vision, or big goals for that period, and break it down into smaller targets you can use as milestones. Have at least one yearly target, and work to reach that one. Adjust your course as you learn more. And never settle down!

Building and maintaining culture is not something you do once and then you're done. It's an ongoing, never-ending process. Either you are in charge of it, or it controls you. Think of culture as a constant feedback loop creating a mutual change-cycle. You are part of the culture, part of that feedback loop, feeding it with your own behaviours, ideas and customs. The more of you who join forces and feed it with common behaviour, the more the culture will impact the others too. Use it to your benefit!

I welcome your insights, ideas and thoughts on the Security Culture Framework community at securitycultureframework.com. Let us join forces and build better security culture!

ITG RESOURCES

IT Governance Ltd sources, creates and delivers products and services to meet the real-world, evolving IT governance needs of today's organisations, directors, managers and practitioners.

The ITG website (www.itgovernance.co.uk) is the international one-stop-shop for corporate and IT governance information, advice, guidance, books, tools, training and consultancy.

Publishing Services

IT Governance Publishing (ITGP) is the world's leading IT-GRC publishing imprint that is wholly owned by IT Governance Ltd.

With books and tools covering all IT governance, risk and compliance frameworks, we are the publisher of choice for authors and distributors alike, producing unique and practical publications of the highest quality, in the latest formats available, which readers will find invaluable.

www.itgovernancepublishing.co.uk is the website dedicated to ITGP. Other titles published by ITGP that may be of interest include:

• Cyber War, Cyber Terror, Cyber Crime

www.itgovernance.co.uk/shop/p-511-cyberwar-cyberterror-cybercrime-and-cyberactivism-second-edition.aspx

• Governance and Internal Controls for Cutting Edge IT

www.itgovernance.co.uk/shop/p-1288-governance-and-internal-controls-for-cutting-edge-it.aspx.

• The Case for ISO27001:2013

www.itgovernance.co.uk/shop/p-1158-the-case-for-iso-27001-2013-second-edition.aspx

We also offer a range of off-the-shelf toolkits that give comprehensive, customisable documents to help users create the specific documentation they need to properly implement a management system or standard. Written by experienced practitioners and based on the latest best practice, ITGP toolkits can save months of work for organisations working towards compliance with a given standard.

To see the full range of toolkits available please see:

www.itgovernance.co.uk/shop/c-129-toolkits.aspx.

Books and tools published by IT Governance Publishing (ITGP) are available from all business booksellers and the following websites:

• www.itgovernance.eu

• www.itgovernanceusa.com

• www.itgovernance.in

• www.itgovernancesa.co.za

• www.itgovernance.asia

Training Services

Staff training is an essential component of the information security triad of people, processes and technology, and of building a security culture in an organisation. IT Governance's ISO27001 Learning Pathway provides information security courses from Foundation to Advanced level, with qualifications awarded by IBITGQ.

The ISO27001 Learning Pathway comprises the following courses:

• Foundation level

ISO27001 Certified ISMS Foundation course

ISO27001 Certified Internal Auditor course

Information Security Foundation based on ISO27002 course.

• Advanced level

ISO27001 Certified ISMS Lead Implementer Masterclass

ISO27001 Certified ISMS Lead Auditor course

ISO27005 Certified ISMS Risk Management course

ISO27001:2013 ISMS Certified Transition course.

Many courses are available in Live Online as well as classroom formats, so delegates can learn and achieve essential career progression from the comfort of their own homes and offices.

Delegates passing the exams associated with our ISO27001 Learning Pathway will gain qualifications from IBITGQ, including CISF, CISIA, CISLI, CISLA, CISRM and CIS2013UP.

IT Governance is an acknowledged leader in the world of ISO27001 and information security management training. Our practical, hands-on approach is delivered by experienced practitioners, who focus on improving your knowledge, developing your skills, and awarding relevant, industry-recognised certifications. Our fully integrated and structured learning paths accommodate delegates with various levels of knowledge, and our courses can be delivered in a variety of formats to suit all delegates.

For more information about IT Governance's ISO 27001 learning pathway, please see: www.itgovernance.co.uk/iso27001-information-security-training.aspx.

For information on any of our many other courses, including PCI DSS compliance, business continuity, IT governance, service management and professional certification courses, please see: www.itgovernance.co.uk/training.aspx.

Professional Services and Consultancy

ISO27001, the international standard for information security management, sets out the requirements of an information security management system (ISMS), a holistic approach to information security that encompasses people, process, and technology. Only by using this approach to information security can organisations hope to instil an enterprise-wide culture of security.

Implementing, maintaining and continually improving an ISMS can, however, be a daunting task. Fortunately, IT Governance's consultants offer a comprehensive range of flexible, practical support packages to help organisations of any size, sector or location to implement an ISMS and achieve certification to ISO27001.

We have already helped more than 150 organisations to implement an ISMS, and with project support provided by our consultants, you can implement ISO27001 in your organisation.

At IT Governance we understand that information security is a business issue, not just an IT one. Our consultancy services assist organisations in properly managing their information technology strategies and achieving strategic goals. The benefits of choosing an IT Governance Consultancy Service are:

• We speak business, not technology: we are technology literate business consultants.

• We are vendor neutral, technology independent and framework agnostic, and tailor our consultancy to your organisation.

• Our transparent pricing enables you to control your costs.

• We have over ten years' consultancy experience.

• We have a proven track record, working with organisations worldwide.

• We help you increase internal buy-in to your project by using your resources.

• We focus on transferring knowledge and skill to the people within your organisation.

For more information on our ISO27001 consultancy service, please see: www.itgovernance.co.uk/iso27001_consultancy.aspx.

For general information about our other consultancy services, including for ISO20000, ISO22301, Cyber Essentials, the PCI DSS, Data Protection and more, please see: www.itgovernance.co.uk/consulting.aspx.

Newsletter

IT governance is one of the hottest topics in business today, not least because it is also the fastest moving.

You can stay up to date with the latest developments across the whole spectrum of IT governance subject matter, including risk management, information security, ITIL and IT service management, project governance, compliance and so much more, by subscribing to ITG's core publications and topic alert emails.

Simply visit our subscription centre and select your preferences:

www.itgovernance.co.uk/newsletter.aspx.