
The Security Culture Playbook. An Executive Guide To Reducing Risk and Developing Your Human Defense Layer. Edition No. 1

  • Book

  • 256 Pages
  • April 2022
  • John Wiley and Sons Ltd
  • ID: 5842397
Mitigate human risk and bake security into your organization’s culture from top to bottom with insights from leading experts in security awareness, behavior, and culture.

The topic of security culture is mysterious and confusing to most leaders. But it doesn’t have to be. In The Security Culture Playbook, Perry Carpenter and Kai Roer, two veteran cybersecurity strategists, deliver experience-driven, actionable insights into how to transform your organization’s security culture and reduce human risk at every level. The book exposes the gaps in how organizations have traditionally approached human risk, and it gives security and business executives the information and tools they need to understand, measure, and improve each facet of security culture across the organization.

The book offers:

  • An exposé of what security culture really is and how it can be measured
  • A careful exploration of the seven dimensions that comprise security culture
  • Practical tools for managing your security culture program, such as the Security Culture Framework and the Security Culture Maturity Model
  • Insights into building support within the executive team and Board of Directors for your culture management program

Also including several revealing interviews with security culture thought leaders from a variety of industries, The Security Culture Playbook is an essential resource for cybersecurity professionals, risk and compliance managers, executives, board members, and other business leaders seeking to proactively manage and reduce risk.

Table of Contents

About the Authors viii

Acknowledgments xii

Introduction xxv

Part I: Foundation 1

Chapter 1: You Are Here 3

Why All the Buzz? 4

What Is Security Culture, Anyway? 8

A Problem of Definition 9

A Problem of Overconfidence 11

Takeaways 12

Chapter 2: Up-leveling the Conversation: Security Culture Is a Board-level Concern 13

A View from the Top 14

Telling the Human Side of the Story 15

What’s the Cost of Not Getting This Right? 16

Cybercriminals Are Doubling Down on Their Attacks Against Your Employees 19

Your People and Security Culture Are at the Center of Everything 20

The Implication 22

Getting It Right 24

Takeaways 25

Chapter 3: The Foundations of Transformation 27

The Core Thesis 29

The Knowledge-Intention-Behavior Gap 29

Three Realities of Security Awareness 31

Program Focus 31

Extending the Discussion 33

Introducing the Security Culture Maturity Model 33

The Security Culture Maturity Model in Brief 35

The S-Curves 36

The Value of the Security Culture Maturity Model 37

You Are Always Either Building Strength or Allowing Atrophy 37

Takeaways 38

Part II: Exploration 39

Chapter 4: Just What Is Security Culture, Anyway? 41

Lessons from Safety Culture 42

A Jumble of Terms 44

Information Security Culture 45

IT Security Culture 45

Cybersecurity Culture 46

Security Culture in the Modern Day 46

Technology Focus 47

Compliance Focus 48

Human-Reality Focus 49

Takeaways 51

Chapter 5: Critical Concepts from the Social Sciences 53

What’s the Real Goal - Awareness, Behavior, or Culture? 54

Coming to Terms with Our Irrational Nature 55

We Are Lazy 56

Why Don’t We Just Give Up? 60

Security Culture - A Part of Organizational Culture 61

Takeaways 62

Chapter 6: The Components of Security Culture 63

A Problem of Definition 64

The Academic Perspective 64

The Practitioner Perspective 65

Defining Security Culture 66

Security Culture as Dimensions 67

The Seven Dimensions of Security Culture 69

Attitudes 69

Behaviors 69

Cognition 69

Communication 70

Compliance 70

Norms 70

Responsibilities 71

The Security Culture Survey 71

Example Findings from Measuring the Seven Dimensions 72

Normalized Use of Unauthorized Services 73

Confidentiality and Insider Threats 74

Last Thought 74

Takeaways 75

Chapter 7: Interviews with Organizational Culture Experts and Academics 77

John R. Childress, PYXIS Culture Technologies Limited 78

Why Is Culture Important? 78

Why Do You Find Culture Interesting? 79

Is There a Specific Definition of Culture That You Find Useful? 79

What Actions Can Be Taken to Direct Cultural Change? 80

Is There a Success or Horror Story You’d Like to Share Related to Culture Change? 81

How Does a Culture Evolve (or How Often?) 82

Professor John McAlaney, Bournemouth University, UK 82

Why Is Culture Important? 83

Why Do You Find Culture Interesting? 83

Is There a Specific Definition of Culture That You Find Useful? 83

What Actions Can Be Taken to Direct Cultural Change? 84

Is There a Success or Horror Story You’d Like to Share Related to Culture Change? 85

How Does a Culture Evolve (or How Often?) 85

Dejun “Tony” Kong, PhD, Muma College of Business, University of South Florida 86

Why Is Culture Important? 86

Why Do You Find Culture Interesting? 86

Is There a Specific Definition of Culture That You Find Useful? 87

How Do You Use Metrics to Improve Culture / Measure the Effectiveness of Cultural Change? 87

Michael Leckie, Silverback Partners, LLC 87

Why Is Culture Important? 88

Why Do You Find Culture Interesting? 89

Is There a Specific Definition of Culture That You Find Useful? 90

How Do You Use Metrics to Improve Culture / Measure the Effectiveness of Cultural Change? 90

What Actions Can Be Taken to Direct Cultural Change? 91

Is There a Success or Horror Story You’d Like to Share Related to Culture Change? 93

How Does a Culture Evolve (or How Often?) 93

Part III: Transformation 95

Chapter 8: Introducing the Security Culture Framework 97

The Power of Three 99

Step 1: Measure 100

Know Where You Are 101

Decide Where You Want to Be 102

Find Your Gap 104

Step 2: Involve 106

Building Support 106

Different Audiences 108

Step 3: Engage 109

Rinse and Repeat 111

Benefits of Using the Security Culture Framework 111

Takeaways 112

Chapter 9: The Secrets to Measuring Security Culture 113

Connecting Awareness, Behavior, and Culture 115

How Can You Measure the Unseen? 116

Using Existing Data 116

The Right Way to Use Data 119

Methods of Measuring Culture 119

Observation 120

Experimentation 121

Interrogation (Surveys and Interviews) 121

A/B Testing 122

Multiple Metrics, Single Score 124

Trends 125

A Note Regarding Completion Rates 127

Takeaways 128

Chapter 10: How to Influence Culture 129

Resistance to Change 130

Be Proactive 131

The Complexity of Culture 133

Using the Seven Dimensions to Influence Your Security Culture 134

Attitudes 134

Behaviors 136

Cognition 138

Communication 140

Compliance 141

Norms 143

Responsibilities 144

How Do You Know Which Dimension to Target? 146

Takeaways 147

Chapter 11: Culture Sticking Points 149

Does Culture Change Have to Be Difficult? 150

Using Norms Is a Double-Edged Sword 151

Failing to Plan Is Planning to Fail 152

If You Try to Work Against Human Nature, You Will Fail 153

Not Seeing the Culture You Are Embedded In 155

Takeaways 156

Chapter 12: Planning and Maturing Your Program 157

Taking Stock of What We’ve Covered 158

View Your Culture Through Your Employees’ Eyes 159

Culture Carriers 160

Building and Modeling Maturity 161

Exploring the Data 162

Culture Maturity Indicators 162

Level 1: Basic Compliance 165

Level 2: Security Awareness Foundation 165

Level 3: Programmatic Security Awareness & Behavior 166

Level 4: Security Behavior Management 167

Level 5: Sustainable Security Culture 168

There Are Stories in the Data 170

A Seat at the Table 174

Takeaways 175

Chapter 13: Quick Tips for Gaining and Maintaining Support 177

You Are a Guide 178

Sell by Using Stories 179

Lead with Empathy, Know Your Audience 180

Set Expectations 184

Takeaways 185

Chapter 14: Interviews with Security Culture Thought Leaders 187

Alexandra Panaretos, Ernst & Young 188

Why Is Culture Important? 188

Why Do You Find Culture Interesting? 189

Is There a Success or Horror Story You’d Like to Share Related to Culture Change? 190

Dr. Jessica Barker, Cygenta 193

Why Is Security Culture Important? 193

Why Do You Find Culture Interesting? 194

What Actions Can Be Taken to Direct Cultural Change? 194

What Is Your Most Interesting Experience with Culture? 195

Kathryn Tyrpak, Jaguar Land Rover 195

Why Is Culture Important? 195

Why Do You Find Culture Interesting? 196

Is There a Specific Definition of Culture That You Find Useful? 196

How Do You Use Metrics to Improve Culture / Measure the Effectiveness of Cultural Change? 196

What Actions Can Be Taken to Direct Cultural Change? 197

Lauren Zink, Boeing 197

Why Is Culture Important? 198

Why Do You Find Culture Interesting? 198

Is There a Specific Definition of Culture That You Find Useful? 199

How Do You Use Metrics to Improve Culture / Measure the Effectiveness of Cultural Change? 199

Mark Majewski, Rock Central 200

Why Is Culture Important? 200

Why Do You Find Culture Interesting? 200

Is There a Specific Definition of Culture That You Find Useful? 201

How Do You Use Metrics to Improve Culture / Measure the Effectiveness of Cultural Change? 201

What Actions Can Be Taken to Direct Cultural Change? 201

Is There a Success or Horror Story You’d Like to Share Related to Culture Change? 202

How Does a Culture Evolve (or How Often?) 202

Mo Amin, moamin.com 203

Why Is Culture Important? 203

Why Do You Find Culture Interesting? 203

Is There a Specific Definition of Culture That You Find Useful? 203

How Do You Use Metrics to Improve Culture / Measure the Effectiveness of Cultural Change? 203

What Actions Can Be Taken to Direct Cultural Change? 204

Is There a Success or Horror Story You’d Like to Share Related to Culture Change? 204

How Does a Culture Evolve (or How Often)? 205

Chapter 15: Parting Thoughts 207

Engage the Community 208

Be a Lifelong Learner 209

Be a Realistic Optimist 210

Conclusion 211

Bibliography 213

Index 217

Authors

Perry Carpenter, Kai Roer