Developing A Cybersecurity Culture

Security products and practices usually ignore the most fundamental element of an organization: the user. A survey by Willis Towers Watson found that human actions cause over 90% of security incidents. This means that building a cybersecurity culture is just as important as deploying cybersecurity protection. Yet it can be difficult for chief security officers to determine whether or not they have a strong cybersecurity culture: because there are few tools to measure and manage cybersecurity culture today, it is nearly impossible to quantify.

Without this capability, chief security officers struggle to drive the changes needed to improve their organization's culture. Organizations that have successfully built a cybersecurity culture have seen a significantly lower risk of a major data breach. With the new normal of a distributed workforce bringing a slew of new security threats aimed at employees, it is more important than ever that businesses have access to a solution that helps them build and maintain a strong cybersecurity culture.

In order to develop a cybersecurity culture, organizations must be able to:

  1. Define security culture
  2. Understand how to build a security culture model
  3. Manage culture

What is culture?

Traditionally, culture refers to the social and behavioral norms found in human societies, often relating to knowledge, beliefs, arts, laws, customs, capabilities, and habits. A cultural norm serves as a guideline for behavior, which in turn sets the expectations within a social group.

Defining Cybersecurity Culture

When it comes to defining cybersecurity culture, many elements of the traditional definition apply in the context of cybersecurity norms and corporate expectations. In other words, an organization's cybersecurity culture is the collective cybersecurity behavior of all of its employees.

Building a Cybersecurity Cultural Model

In order to develop an effective group (cultural) cybersecurity model, organizations must start from an individual cybersecurity behavior model. An individual behavior model is best defined by Stanford scientist and New York Times bestselling author B.J. Fogg. Based on Fogg's research, the necessary components of an individual behavior model can be divided into three principal categories: motivation, ability, and nudge.

[Figure: Security culture consisting of motivational elements, ability elements, and nudge elements.]

Motivation, ability, and nudge can all be influenced by an organization to help employees change their behavior. The diagrams below explain the various factors that shape the cybersecurity behavior of an individual employee, and how the collective cybersecurity behavior of all employees strengthens an organization's cybersecurity culture.

  1. Motivational Elements:

    According to B.J. Fogg of Stanford University, the three primary human motivators are pleasure/pain, hope/fear, and acceptance/rejection. In an organizational setting, however, executive communications and executive actions set the ground rules. This contributes to the development of a like-minded community founded on core corporate values. Defining security policies is a critical step in setting the expectation for the desired behavior.

  2. Ability Elements:

    Giving employees the right awareness and tools to perform their day-to-day tasks with ease is fundamental to forming an empowered cybersecurity culture. Awareness education, development of the skills needed to deal with adversaries, and security protection technologies backed by the right policies all help employees protect the company from threats.

  3. Nudge Elements:

    Even with the motivation, ability, and skills in place, we all still require constant reminders to apply our knowledge at the right moment until the habits are formed. Communication from management, and management's own actions, not only helps to motivate but also plays a vital role in reminding employees of the corporate values and guidelines.

[Figure: Employee Cybersecurity Behavior Model]

[Figure: Organizational Security Culture = a collection of individual employee behaviors]

Managing Culture

It is not enough for an organization to simply understand the key components of a strong cybersecurity culture. It must take an active role in managing that culture by establishing clear expectations for employee behavior. This process begins with defining the organization's cybersecurity goals, followed by conducting a behavior design to facilitate behavior change, and finally measuring employee behavior against those objectives. The diagram below illustrates this process.

[Figure: Managing culture]

The following case study shows how to take the necessary steps to influence employee behavior in order to strengthen your cybersecurity culture:

Organization X is looking to increase the use of two-factor authentication (2FA) for cloud-based applications without mandating it through a security policy.

With the goal set, namely seeing people voluntarily use 2FA, they can begin the behavior design. To do this, they must ask a few questions along each of the three axes (ability, motivation, nudge). For example:

  1. Is it easy for the employee to do this task?
  2. Do they know how to do it?
  3. What motivates them to do this?
  4. Do they want to be part of the "Secure-first" initiative?
  5. Do they know that most people have already enabled it and only a few are left behind?
  6. Do they know the consequences of a breach without it?
  7. How can I notify the people who have not activated 2FA?
  8. How can I give them the right information at the moment they need it?
  9. What can I learn from the people having difficulties so I can help them better?

These questions help the organization identify the strategies required to bring about the behavior changes it wishes to see. In some cases, it may find that it is better to limit people's ability to make a mistake by controlling the security policy.

Mandating 2FA via a security policy is an option in the 2FA example above; however, mandating is not always viable. As shown in the diagram, repeat this exercise for each of your goals, and you can create your own visual and clearly see your cultural cluster.
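The last step of the process described above is measuring employee behavior against the goal, and questions 5, 7 and 9 in the case study depend on knowing who has and has not enrolled. The following added example (not code from the original article or from any vendor) shows one way to turn a user export from an identity provider into the numbers a behavior-design exercise needs: the overall adoption rate for the social-proof message, the per-department breakdown for spotting where people struggle, and the list of employees who still need a nudge. The CSV text, the column names and the 90% target are constructed assumptions for this example, not any real product's schema.

```python
"""Measure voluntary 2FA adoption against a stated goal (added example)."""
import csv
import io
from collections import defaultdict

# Constructed stand-in for an identity provider's user export.
# Column names are assumptions for this example, not a real product's schema.
SAMPLE_EXPORT = """email,department,mfa_enrolled
ana@example.com,Finance,true
ben@example.com,Finance,false
cara@example.com,Finance,true
dev@example.com,Engineering,true
erin@example.com,Engineering,true
finn@example.com,Engineering,true
gus@example.com,Sales,false
hana@example.com,Sales,true
ivan@example.com,Sales,false
jo@example.com,Sales,true
"""

# Assumed adoption target for Organization X; pick the value the goal-setting step produced.
GOAL_PCT = 90.0

TRUE_VALUES = {"true", "yes", "1", "enabled"}


def parse_export(text):
    """Parse the CSV export into a list of normalized user records."""
    users = []
    for row in csv.DictReader(io.StringIO(text)):
        users.append({
            "email": row["email"].strip().lower(),
            "department": row["department"].strip(),
            # Tolerate the spellings different exports use for a boolean flag.
            "mfa_enrolled": row["mfa_enrolled"].strip().lower() in TRUE_VALUES,
        })
    return users


def adoption_rate(users):
    """Percentage of users with 2FA enrolled, rounded to one decimal."""
    if not users:
        return 0.0
    enrolled = sum(1 for u in users if u["mfa_enrolled"])
    return round(100.0 * enrolled / len(users), 1)


def adoption_by_department(users):
    """Adoption rate per department, so lagging groups can be helped first."""
    groups = defaultdict(list)
    for u in users:
        groups[u["department"]].append(u)
    return {dept: adoption_rate(members) for dept, members in sorted(groups.items())}


def departments_below_goal(users, goal_pct=GOAL_PCT):
    """Departments whose adoption is still under the target (question 9)."""
    return [d for d, pct in adoption_by_department(users).items() if pct < goal_pct]


def nudge_list(users):
    """Employees who have not enabled 2FA and should receive a reminder (question 7)."""
    return sorted(u["email"] for u in users if not u["mfa_enrolled"])


def progress_report(users, goal_pct=GOAL_PCT):
    """Summarize where the organization stands relative to its goal."""
    overall = adoption_rate(users)
    return {
        "overall_pct": overall,
        "goal_met": overall >= goal_pct,
        "by_department": adoption_by_department(users),
        "below_goal": departments_below_goal(users, goal_pct),
        "remaining": nudge_list(users),
        # Social-proof wording for question 5: most colleagues have already done it.
        "social_proof": f"{overall:.0f}% of your colleagues have already enabled 2FA.",
    }


if __name__ == "__main__":
    report = progress_report(parse_export(SAMPLE_EXPORT))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Re-running the report after each round of communication gives the measurement the diagram calls for, and the per-department numbers show whether a group's low adoption is an ability problem (they cannot easily do it) rather than a motivation problem.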
