Build a Security Culture

KAI ROER
Copyright Date: 2015
Published by: IT Governance Publishing
Pages: 114
https://www.jstor.org/stable/j.ctt155j4dj
    Book Description:

    Protect your organisation by building a security-minded culture

    "With this book, Kai Roer has taken his many years of cyber experience and provided those with a vested interest in cyber security a firm basis on which to build an effective cyber security training programme."

    Dr. Jane LeClair, Chief Operating Officer, National Cybersecurity Institute, Washington, D.C.

    Human nature - easy prey for hackers?

    Human behaviour is complex and inconsistent, making it a rich hunting ground for would-be hackers and a significant risk to the security of your organisation. An effective way to address this risk is to create a culture of security. Using the psychology of group behaviour and explaining how and why people follow social and cultural norms, the author highlights the underlying cause of many successful and easily preventable attacks.

    An effective framework for behavioural security

    In this book Kai Roer presents his Security Culture Framework and addresses the human and cultural factors in organisational security. The author uses clear, everyday examples and analogies to reveal the social and cultural triggers that drive human behaviour. He explains how to manage these threats by implementing an effective framework for an organisational culture, ensuring that your organisation is set up to repel malicious intrusions and threats based on common human vulnerabilities.

    Contents

      • What is security culture?
      • The elements of security culture
      • How does security culture relate to security awareness?
      • Asking for help raises your chances of success
      • The psychology of groups and how to use it to your benefit
      • Measuring culture
      • Building security culture

    About the author

    Kai Roer is a management and security consultant and trainer with extensive international experience from more than 30 countries around the world. He is a guest lecturer at several universities, and the founder of The Roer Group, a European management consulting group focusing on security culture.

    Kai has authored a number of books on leadership and cyber security, has been published extensively in print and online, has appeared on radio and television, and has featured in printed media. He is a columnist at Help Net Security and has been the Cloud Security Alliance Norway chapter president since 2012.

    Kai is a passionate public speaker who engages his audience with his entertaining style and deep knowledge of human behaviour, psychology and cyber security. He is a Fellow of the National Cybersecurity Institute and runs a blog on information security and culture (roer.com). Kai is the host of Security Culture TV, a monthly video and podcast.

    Series information

    Build a Security Culture is part of the Fundamentals Series, co-published by IT Governance Publishing and Information Security Buzz.

    eISBN: 978-1-84928-717-3
    Subjects: Technology, Sociology

Table of Contents

  1. Front Matter
    (pp. 2-4)
  2. ACKNOWLEDGEMENTS
    (pp. 5-6)
  3. ABOUT THE AUTHOR
    (pp. 7-7)
  4. FOREWORD
    (pp. 8-9)
    Jane LeClair

    “May you live in interesting times” is an old saying and one that is certainly applicable to cyber security today. As the unfolding events of the past few years have shown us, we are indeed living in interesting cyber times. The evolving cyber breaches of every sector, be it retail, government, education, financial or others, have been the main focus of the technology conversation this entire year. Big box retailers have been hacked, sensitive data at banks breached, and nation states stand ready to wage cyber warfare.

    We have developed computers and the Internet and attached many of the most...

  5. Table of Contents
    (pp. 10-10)
  6. INTRODUCTION
    (pp. 11-14)

    In this book, I look at organisational culture with information security glasses. In my years of working in the information security industry, I have come across a number of challenges: technical, compliance, and increasingly awareness and security behaviour. Through my travels and company activities, I have learned that a lot of security behaviour challenges are universal: preparing information security information in such a way that it resonates and makes sense for non-security people is a challenge no matter which country or organisation you work in.

    I have also learned that some organisations are better at creating the security behaviour they...

  7. CHAPTER 1: WHAT IS SECURITY CULTURE?
    (pp. 15-29)

    Humans are animals who live in groups; we flock. In any group of animals there exists a hierarchy, levels that every animal in the group follows. Each of these levels comes with rules to abide by, including understanding who is above you, who is below you and what your particular level allows you to do.

    Consider a wolf pack⁴. They show the hierarchy very clearly, with the Alpha couple on the top, giving them the right to rule as they please. Below them are sergeants, animals in the pack with more power than most and which police the group if...

  8. CHAPTER 2: THE ELEMENTS OF SECURITY CULTURE
    (pp. 30-35)

    Social behaviour, ideas and customs are to a large degree based upon rules. Some rules are written into laws, regulations and standards. Other rules, most of them in fact, are unwritten and come in the form of ethics, moral codes and our mutual ideas of what is acceptable behaviour in the different groups we belong to.

    In this chapter I refer to all rules, laws, regulations, ethics, moral codes and so on as policies. To make it absolutely clear: policies in this context are more than just the written policies in your organisation. In this context, policies comprise the written and...

  9. CHAPTER 3: HOW DOES SECURITY CULTURE RELATE TO SECURITY AWARENESS?
    (pp. 36-49)

    In the previous chapter I discussed how security culture is more than people and competence; culture includes the rules, laws and regulations, as well as the technology we use. Security awareness belongs in the people and competence part of the triangle.

    Security awareness is a limited area, as well as a poorly defined one. There is no commonly agreed upon definition of security awareness, which in turn means that a common understanding of what security awareness really is, is non-existent. Almost everyone I talk to has their own idea of what security awareness is, and how to create awareness.

    The...

  10. CHAPTER 4: ASKING FOR HELP RAISES YOUR CHANCES OF SUCCESS
    (pp. 50-62)

    Humans are impressive when we consider what we can learn to stay on top of our game. History is a clear tell-tale of what may happen when bright minds bring their heads together to evolve their ideas. Consider people such as Edison, Einstein, Marie Curie and Michelangelo. Look at people such as Sun Tzu, Napoleon and Churchill.

    It is easy to think of such bright minds as people who did everything by themselves. When looking at their achievements it quickly becomes clear that they were not alone – they had help. They worked with other people. In fact, they knew how...

  11. CHAPTER 5: THE PSYCHOLOGY OF GROUPS, AND HOW TO USE IT TO YOUR BENEFIT
    (pp. 63-76)

    A key to success with building and maintaining good (security) culture is to understand that people are different, and that you need to adapt your efforts to their needs, backgrounds and knowledge. Successful security culture is built by security professionals who know their own strengths and include relevant personnel and competence from across their organisation.

    One of the challenges of our human mind is how we are hardwired to relate and interact with other individuals¹⁸. We are, as a species, a social creature, designed to live in groups. Research in psychology strongly suggests that our grouping behaviour is built in in...

  12. CHAPTER 6: MEASURING CULTURE
    (pp. 77-85)

    One thing I often hear from fellow security professionals is that it is impossible to measure awareness and culture. It is an interesting point of view, and one that is usually based upon:

      • not knowing how to measure soft skills.
      • previous failures to create results from awareness activities.

    It often boils down to not realising that awareness and culture are reflected in the behaviours of employees. In most organisations today, the heavy use of computer systems enables us to closely monitor any and all use. An example:

    The argument that it is very hard to measure awareness and behaviour change...

  13. CHAPTER 7: BUILDING SECURITY CULTURE
    (pp. 86-106)

    Building and maintaining security culture is like any other process you manage: continuous, planned, controlled and audited. I am sure you are familiar with the PDCA (Plan, Do, Check, Act) flow of process management from the ISO/IEC and other standards. What you may not know is that the same pattern of planning, doing, checking the results and implementing necessary changes (act) also works great when it comes to working with people.

    After many years of listening to frustrated security professionals who felt they had failed in building security awareness, I analysed what went wrong. I also wanted to see what...

  14. CHAPTER 8: TIME IS ON YOUR SIDE
    (pp. 107-109)

    You have successfully reached the end of this book on security culture. You have learned what security culture is and how it relates to security awareness. You have tapped into social sciences with a focus on psychology, so we can better understand how people interact, behave and inform their actions. This is knowledge that is important to have when bringing about cultural change. You have also read about security culture metrics and how to use the Security Culture Framework to build and maintain security culture.

    There are a few final things I need to share with you.

    Reading this book...

  15. ITG RESOURCES
    (pp. 110-115)