The topic of security culture is mysterious and confusing to most leaders. But it doesn’t have to be. In The Security Culture Playbook, Perry Carpenter and Kai Roer, two veteran cybersecurity strategists, deliver experience-driven, actionable insights into how to transform your organization’s security culture and reduce human risk at every level. This book exposes the gaps in how organizations have traditionally approached human risk and gives security and business executives the information and tools they need to understand, measure, and improve facets of security culture across the organization.
The book offers:
- An exposé of what security culture really is and how it can be measured
- A careful exploration of the 7 dimensions that comprise security culture
- Practical tools for managing your security culture program, such as the Security Culture Framework and the Security Culture Maturity Model
- Insights into building support within the executive team and Board of Directors for your culture management program
Also including several revealing interviews from security culture thought leaders in a variety of industries, The Security Culture Playbook is an essential resource for cybersecurity professionals, risk and compliance managers, executives, board members, and other business leaders seeking to proactively manage and reduce risk.
Table of Contents
About the Authors viii
Acknowledgments xii
Introduction xxv
Part I: Foundation 1
Chapter 1: You Are Here 3
Why All the Buzz? 4
What Is Security Culture, Anyway? 8
A Problem of Definition 9
A Problem of Overconfidence 11
Takeaways 12
Chapter 2: Up-leveling the Conversation: Security Culture Is a Board-level Concern 13
A View from the Top 14
Telling the Human Side of the Story 15
What’s the Cost of Not Getting This Right? 16
Cybercriminals Are Doubling Down on Their Attacks Against Your Employees 19
Your People and Security Culture Are at the Center of Everything 20
The Implication 22
Getting It Right 24
Takeaways 25
Chapter 3: The Foundations of Transformation 27
The Core Thesis 29
The Knowledge-Intention-Behavior Gap 29
Three Realities of Security Awareness 31
Program Focus 31
Extending the Discussion 33
Introducing the Security Culture Maturity Model 33
The Security Culture Maturity Model in Brief 35
The S-Curves 36
The Value of the Security Culture Maturity Model 37
You Are Always Either Building Strength or Allowing Atrophy 37
Takeaways 38
Part II: Exploration 39
Chapter 4: Just What Is Security Culture, Anyway? 41
Lessons from Safety Culture 42
A Jumble of Terms 44
Information Security Culture 45
IT Security Culture 45
Cybersecurity Culture 46
Security Culture in the Modern Day 46
Technology Focus 47
Compliance Focus 48
Human-Reality Focus 49
Takeaways 51
Chapter 5: Critical Concepts from the Social Sciences 53
What’s the Real Goal - Awareness, Behavior, or Culture? 54
Coming to Terms with Our Irrational Nature 55
We Are Lazy 56
Why Don’t We Just Give Up? 60
Security Culture - A Part of Organizational Culture 61
Takeaways 62
Chapter 6: The Components of Security Culture 63
A Problem of Definition 64
The Academic Perspective 64
The Practitioner Perspective 65
Defining Security Culture 66
Security Culture as Dimensions 67
The Seven Dimensions of Security Culture 69
Attitudes 69
Behaviors 69
Cognition 69
Communication 70
Compliance 70
Norms 70
Responsibilities 71
The Security Culture Survey 71
Example Findings from Measuring the Seven Dimensions 72
Normalized Use of Unauthorized Services 73
Confidentiality and Insider Threats 74
Last Thought 74
Takeaways 75
Chapter 7: Interviews with Organizational Culture Experts and Academics 77
John R. Childress, PYXIS Culture Technologies Limited 78
Why Is Culture Important? 78
Why Do You Find Culture Interesting? 79
Is There a Specific Definition of Culture That You Find Useful? 79
What Actions Can Be Taken to Direct Cultural Change? 80
Is There a Success or Horror Story You’d Like to Share Related to Culture Change? 81
How Does a Culture Evolve (or How Often?) 82
Professor John McAlaney, Bournemouth University, UK 82
Why Is Culture Important? 83
Why Do You Find Culture Interesting? 83
Is There a Specific Definition of Culture That You Find Useful? 83
What Actions Can Be Taken to Direct Cultural Change? 84
Is There a Success or Horror Story You’d Like to Share Related to Culture Change? 85
How Does a Culture Evolve (or How Often?) 85
Dejun “Tony” Kong, PhD, Muma College of Business, University of South Florida 86
Why Is Culture Important? 86
Why Do You Find Culture Interesting? 86
Is There a Specific Definition of Culture That You Find Useful? 87
How Do You Use Metrics to Improve Culture / Measure the Effectiveness of Cultural Change? 87
Michael Leckie, Silverback Partners, LLC 87
Why Is Culture Important? 88
Why Do You Find Culture Interesting? 89
Is There a Specific Definition of Culture That You Find Useful? 90
How Do You Use Metrics to Improve Culture / Measure the Effectiveness of Cultural Change? 90
What Actions Can Be Taken to Direct Cultural Change? 91
Is There a Success or Horror Story You’d Like to Share Related to Culture Change? 93
How Does a Culture Evolve (or How Often?) 93
Part III: Transformation 95
Chapter 8: Introducing the Security Culture Framework 97
The Power of Three 99
Step 1: Measure 100
Know Where You Are 101
Decide Where You Want to Be 102
Find Your Gap 104
Step 2: Involve 106
Building Support 106
Different Audiences 108
Step 3: Engage 109
Rinse and Repeat 111
Benefits of Using the Security Culture Framework 111
Takeaways 112
Chapter 9: The Secrets to Measuring Security Culture 113
Connecting Awareness, Behavior, and Culture 115
How Can You Measure the Unseen? 116
Using Existing Data 116
The Right Way to Use Data 119
Methods of Measuring Culture 119
Observation 120
Experimentation 121
Interrogation (Surveys and Interviews) 121
A/B Testing 122
Multiple Metrics, Single Score 124
Trends 125
A Note Regarding Completion Rates 127
Takeaways 128
Chapter 10: How to Influence Culture 129
Resistance to Change 130
Be Proactive 131
The Complexity of Culture 133
Using the Seven Dimensions to Influence Your Security Culture 134
Attitudes 134
Behaviors 136
Cognition 138
Communication 140
Compliance 141
Norms 143
Responsibilities 144
How Do You Know Which Dimension to Target? 146
Takeaways 147
Chapter 11: Culture Sticking Points 149
Does Culture Change Have to Be Difficult? 150
Using Norms Is a Double-Edged Sword 151
Failing to Plan Is Planning to Fail 152
If You Try to Work Against Human Nature, You Will Fail 153
Not Seeing the Culture You Are Embedded In 155
Takeaways 156
Chapter 12: Planning and Maturing Your Program 157
Taking Stock of What We’ve Covered 158
View Your Culture Through Your Employees’ Eyes 159
Culture Carriers 160
Building and Modeling Maturity 161
Exploring the Data 162
Culture Maturity Indicators 162
Level 1: Basic Compliance 165
Level 2: Security Awareness Foundation 165
Level 3: Programmatic Security Awareness & Behavior 166
Level 4: Security Behavior Management 167
Level 5: Sustainable Security Culture 168
There Are Stories in the Data 170
A Seat at the Table 174
Takeaways 175
Chapter 13: Quick Tips for Gaining and Maintaining Support 177
You Are a Guide 178
Sell by Using Stories 179
Lead with Empathy, Know Your Audience 180
Set Expectations 184
Takeaways 185
Chapter 14: Interviews with Security Culture Thought Leaders 187
Alexandra Panaretos, Ernst & Young 188
Why Is Culture Important? 188
Why Do You Find Culture Interesting? 189
Is There a Success or Horror Story You’d Like to Share Related to Culture Change? 190
Dr. Jessica Barker, Cygenta 193
Why Is Security Culture Important? 193
Why Do You Find Culture Interesting? 194
What Actions Can Be Taken to Direct Cultural Change? 194
What Is Your Most Interesting Experience with Culture? 195
Kathryn Tyrpak, Jaguar Land Rover 195
Why Is Culture Important? 195
Why Do You Find Culture Interesting? 196
Is There a Specific Definition of Culture That You Find Useful? 196
How Do You Use Metrics to Improve Culture / Measure the Effectiveness of Cultural Change? 196
What Actions Can Be Taken to Direct Cultural Change? 197
Lauren Zink, Boeing 197
Why Is Culture Important? 198
Why Do You Find Culture Interesting? 198
Is There a Specific Definition of Culture That You Find Useful? 199
How Do You Use Metrics to Improve Culture / Measure the Effectiveness of Cultural Change? 199
Mark Majewski, Rock Central 200
Why Is Culture Important? 200
Why Do You Find Culture Interesting? 200
Is There a Specific Definition of Culture That You Find Useful? 201
How Do You Use Metrics to Improve Culture / Measure the Effectiveness of Cultural Change? 201
What Actions Can Be Taken to Direct Cultural Change? 201
Is There a Success or Horror Story You’d Like to Share Related to Culture Change? 202
How Does a Culture Evolve (or How Often?) 202
Mo Amin, moamin.com 203
Why Is Culture Important? 203
Why Do You Find Culture Interesting? 203
Is There a Specific Definition of Culture That You Find Useful? 203
How Do You Use Metrics to Improve Culture / Measure the Effectiveness of Cultural Change? 203
What Actions Can Be Taken to Direct Cultural Change? 204
Is There a Success or Horror Story You’d Like to Share Related to Culture Change? 204
How Does a Culture Evolve (or How Often)? 205
Chapter 15: Parting Thoughts 207
Engage the Community 208
Be a Lifelong Learner 209
Be a Realistic Optimist 210
Conclusion 211
Bibliography 213
Index 217