People are the new perimeter and a prime target for attackers. Just consider research from the “2022 Data Breach Investigations Report” from Verizon, which found that 82% of data breaches involve the human element.
To reduce people-centric risk, most organizations have invested in end user education. Some even go beyond compliance or training and move toward building a cybersecurity culture that motivates and empowers users to keep their organizations safe. However, the concept of “cybersecurity culture” can be new or vague to many people.
In this blog post, we define what it means and discuss how organizations can use a thoughtful model to help strengthen their security awareness training programs and further drive behavior change.
What is cybersecurity culture, and why is it important?
Proofpoint defines cybersecurity culture as “the beliefs, values and attitudes that drive employee behaviors to protect and defend the organization from cyberattacks.” It is a strong factor in the development of positive security behaviors for two main reasons:
- It improves your organization’s overall security posture when employees feel responsible for helping prevent incidents. Security is everyone’s responsibility; when employees buy into that, it leads to higher vigilance and motivation to act appropriately.
- It helps reduce human risk. A strong cybersecurity culture drives behavior change and helps users build sustainable habits that extend protection to their personal lives. This means that users will already have the habits necessary to thwart attackers’ malicious intents when faced with threats after-hours, on personal devices or when they least expect them.
How to assess
At Proofpoint, we view cybersecurity culture as the overlapping contribution of three main factors:
- Responsibility: Do employees feel that they and their coworkers are responsible for acting to prevent cybersecurity threats?
- Importance: Do employees believe a threat could affect them personally?
- Empowerment: Do employees feel empowered to identify and report suspicious behavior?
Figure 1. The three dimensions of a security culture.
To be motivated to act (i.e., help keep the organization safe), users must believe that threats and organizational compromise are problems that could affect them personally. They must also recognize the importance of securing the organization. Additionally, they need to be empowered with the right knowledge and tools to identify threats and feel responsible for doing their part to prevent attacks from disrupting or damaging the organization.
To diagnose the likelihood that an employee has both the ability and motivation to prevent an attack against their organization, Proofpoint created a cybersecurity culture survey to evaluate each of the three dimensions outlined above. This concise survey can help security teams easily measure and quantify the current state of their organization’s security culture. It also enables them to motivate and empower people by tailoring their messaging and education.
Proofpoint followed the principles below to design the survey:
- Pragmatic: clearly interpretable results
- Short: can be completed in a reasonable amount of time
- Focused: each question only addresses a single idea
- Unambiguous: each question is straightforward and avoids jargon
- Reliable: gives the same results if tested under similar conditions
- Valid: measures what it seeks to measure
- Unbiased: minimizes response bias
When you deploy a culture assessment, make sure that it’s short and simple so that users feel compelled to respond amid competing tasks. Also decide on the frequency of administration early, so you can plan the best way to roll out your assessment, obtain regular data points and modify your program based on the results you receive.
How do culture assessments help strengthen security awareness programs?
Culture assessments are necessary to take a pulse of user sentiment and plan future initiatives that resonate with users. While knowledge assessments measure what users know and simulated threats like phishes measure what users do, culture assessments provide an effective way to measure what users believe.
Knowing what users believe can go a long way toward helping cybersecurity teams determine any changes in messaging or training assignments they should make to different user groups. Remember that a strong cybersecurity culture depends on users’ investment and motivation, which directly impacts their behavior when they face threats.
Figure 2. Culture assessments fill the gap in the components of successful security programs.
How to build a more robust cybersecurity culture today
It’s essential for organizations to have multifaceted security awareness programs that account for what users know, the actions they take in the real world and what they believe. How users feel and think about the role they play in security awareness can drive impact and help reduce risk in organizations—and culture assessment can help.
For more ideas on what to consider when strengthening your security awareness culture, view this culture assessment webinar from Dr. Bob Hausmann, learning and assessment architect at Proofpoint.