Improving security culture
A guide for government security teams
When developing your organisation’s security, it isn’t enough to focus on technical solutions and policies alone; you must also improve the security culture.
All organisations have a security culture, which arises not only from the corporate ethos, policies, and infrastructure, but also from the knowledge and understanding of the employees.
Improving your organisation’s security culture is a significant undertaking. It can only be done with sustained leadership, buy-in and investment from the top of the organisation. It must be supported by specialist work from security, human resources, IT, and communications teams. This is not a one-and-done process: improvements will be iterative, and progress must be monitored throughout.
It can be difficult to describe or take an objective view of any type of culture because we exist within it, experience it differently, and often take it for granted. As it is hard to define, it is also difficult to decide how it can be changed. This paper aims to help you understand what really matters about security culture, and how to influence it for the better.
Defining security culture
This document defines security culture in the following way:
When we talk about the security culture of an organisation, we are referring to the way its members understand and behave with regards to security, as a direct consequence of the extent to which security is designed to work for people, and of the overarching organisational culture in which they work.
In an organisation with a positive, proactive security culture, people are well-supported to adopt the right security behaviours, at the right times, and for the right reasons.
Benefits of an effective security culture
Improving security culture across government is a key strategic objective in implementing the security practices defined by the 007 functional standard. The Government Cyber Security Strategy and Personnel Security Strategy both identify security culture as a critical element of successful organisational security.
Also, improvements in technical defences mean that social engineering is now one of the leading causes of network compromise and other security incidents. Defending organisations by improving security culture is therefore of vital importance.
A key part of building and maintaining an effective security culture is to understand that people are the most important asset: a workforce that is actively engaged with security is a cost effective and powerful way to get the most out of your investment in technical security measures.
Specifically, embedding an effective security culture:
- minimises exposure to, and accumulation of, risk from inadvertent ‘everyday’ incidents
- increases awareness of threats and how behaviours can affect vulnerability to them, allowing people to adapt to changes in threats
- improves workforce engagement and morale, reducing the risk of disenchanted staff becoming malign insiders
- makes it harder for malign insiders to act, and increases opportunities for early identification and resolution of potential problems
- encourages increased vigilance and awareness – willingness to challenge and report concerns reduces the risk of hostile reconnaissance occurring at sites
- has demonstrable positive effects on staff performance, morale, retention, and wider organisational efficiency
The aim is to develop a culture in which everyone in the organisation understands that they are collectively responsible for security and takes the right steps to support this. There should also be a collective understanding of risk management and responsibility, and the importance of the organisation’s reputation.
Shifting the focus
Security culture efforts often focus exclusively on changing people’s visible security behaviours, which can lead to the underlying reasons for those behaviours never being addressed. It is like treating a fever with paracetamol alone while overlooking the burst appendix that is causing it.
Organisations with a successful security culture deliver security strategies and solutions that work for their employees: they meet people where they are in order to achieve the mutual goal of being more secure. They have an agreed understanding of what kind of security culture the organisation wants, and a dynamic, positive, and business-focused security team that aims to help everyone do their job. It also requires an understanding of how people behave at work and the reasons for their behaviour, as well as how to design, deliver, and assess interventions that really make a difference. To successfully change your security culture, you will need to invest in continually developing the capability of the teams responsible for doing this work.
Security is a team sport
To improve your organisation’s security culture, your security team must continuously deliver security initiatives that support the organisation’s ability to achieve its core mission. They must engage with and educate the workforce, understand what drives behaviours, and iteratively design and improve people-centred solutions.
This is a demanding set of tasks, and to perform them successfully your security team must build good working relationships with other teams across their organisation. This will require excellent communication skills and a solid understanding of your organisation’s overall mission, and how security fits into it.
This includes the human resources and information technology teams, as they have a central role in managing how people in the organisation work, as well as being accountable for some of the associated risks. HR also has knowledge of the work culture of the organisation, and any efforts to change the security culture should align with it if they are to succeed.
Likewise, your security team should build relationships with the communications and learning & development teams. Their expertise will be needed to ensure the workforce is kept informed and trained in the skills required to be more secure.
The full support of your senior leadership team is needed in order for all of this work to be successful. Only they can provide the resourcing, governance, and direction for security initiatives to succeed.
Engaging leaders
The leaders of an organisation are key shapers of its overall culture. They must therefore actively participate in work to set the vision for their desired security culture, identify the strategic shifts that will enable them to get there, and continually support and reinforce the wider organisation’s efforts in this direction. The right sort of leadership promotes treating security as a priority, and supports staff to behave securely in practice.
This applies not only to the board-level leaders, but anyone who holds a position of authority and trust from which they can influence their colleagues. They can all help improve security culture by acting as role models, demonstrating commitment, and ensuring the required policies, processes, and supporting structures are all in place.
To successfully engage with leaders your security team must understand their organisation’s business objectives, so that they can demonstrate how improved security will help deliver them. An improved security culture will reduce risk and uncertainty, while leading to improved resilience, innovation, and adaptation to change, and leaders at all levels should be made aware of this.
Specifically, to improve security culture your organisation’s leaders must:
- contribute to getting the security vision right by representing the business needs of their areas of responsibility, and participating in discussions about the style of security culture best suited to the organisation
- understand the organisation’s overall working culture, mission, and values, and how these affect people’s security behaviour (especially, the pressure to deliver)
- champion the security vision, and understand and communicate security goals to their teams
- identify policies, processes, and other material that can help people become more secure
- identify and understand differences in security expectations and behaviours between business areas and locations – these differences should be resolved where possible, or documented and communicated if not
- lead and model positive engagement between their teams and your security team, encouraging and enabling staff involvement in security initiatives
- understand and communicate relevant threats and risks to their teams, explaining everyone’s role in protecting the organisation’s critical assets
- encourage and celebrate secure behaviours when they see them
- demonstrate secure behaviours themselves, in order to lead by example
- encourage incident reporting, by ensuring that reporting processes are communicated and understood
- handle security incidents and near-misses sensitively and use them to improve team performance and engagement, avoiding harmful shame-and-blame
Understanding behaviour
It is commonly assumed that people’s security behaviours are mainly determined by their attitudes, values, and motivations; however, initiatives that focus on changing only those things often fail. This is because they ignore the other factors that drive behaviour: for example, the physical environment, technology, policies and processes, fellow colleagues, and the need to get the job done.
It is crucial to understand intent: people do not usually behave insecurely out of wilful ignorance or malice. Security is complicated and context-sensitive, meaning the right action is not always obvious and it’s not always easy to find help. People often don’t understand the security threats that apply to them, and why they matter. For instance, a security awareness campaign may tell people that reusing passwords is bad, but if they don’t understand why it’s bad (and don’t have good alternatives to hand), they may still be tempted to do it.
Furthermore, security is often not delivered in a user-centred way. This means people frequently experience conflicts between the demands of their role (for example, to click links or open documents they are sent) and security rules (“Do not click links or open documents from uncertain sources”). People also commonly break rules in order to help a colleague, because effective teamwork is critical to doing their jobs. See the section below on goal conflicts for more information.
Disengagement, low morale, and unrealistic security expectations also give people tacit permission to disregard security, instead doing things in any way that works for them. These factors can only be solved by delivering usable security to minimise these conflicts, reduce the number of ways things can go wrong, and improve employee engagement with security. This will motivate people to go the extra mile in situations where security really does depend on them.
For example, expecting people to remember dozens of long, complex passwords will only result in higher levels of password reuse, weaker passwords, and more passwords written on Post-Its. Instead, you should focus on reducing your organisation’s reliance on passwords, and help people to create and manage the passwords they still need – by providing them with a high-quality password management tool and training them to use it, and helping them protect the passwords they write down on paper.
To make things better, therefore, your security team must focus on understanding and fixing the things that prevent secure behaviour. This means analysing incidents, gathering employee feedback, and identifying areas where user needs conflict with security needs. The team must also have an up-to-date and accurate view of relevant threats, so they can understand how behaviours affect exposure to these threats.
All this information can inform the design and delivery of security initiatives to overcome these problems. This will require skills drawn from many different professions, such as user researchers, user experience and human factor experts, learning and development professionals, and technical writers/content designers. Users should ideally also be involved at every step, to ensure any solutions will work for them.
The approach taken for all such initiatives must be iterative: security is never a one-and-done exercise. Your security team should plan the work, do it, review the results, and take the lessons learned into the next cycle of work.
Resolving goal conflicts
Goal conflicts arise when someone is faced with two conflicting priorities; in this context, these are the need to do a job securely and the need to do it quickly. Most people, when faced with this choice, will opt to work quickly, to satisfy themselves, their managers, and their customers. This behaviour is sometimes interpreted as a moral failure, when in fact it simply reflects a basic truth about work: getting the job done will always take priority, and prioritising one goal over another doesn’t mean that people don’t still value them both.
For example, a laptop security update notification is never welcome when someone is in the middle of an important task. So it is important to give users some control over scheduling such updates, while also providing timely follow-up reminders.
In a successful security culture, goal conflicts are understood as systemic, environmental issues rather than a failure in professional ethics. Security processes should enable people to work efficiently and securely by default, so that such conflicts arise as infrequently as possible. When they do arise, they should be handled pragmatically – with staff encouraged to give their point of view, confident that they will be treated fairly. Customer-facing security and IT staff are often well-placed to identify practical fixes to goal conflicts – such as process enhancements, policy tweaks and technology fixes – and to lead on resolving them.
Additionally, where people do need to prioritise security tasks, your security team – and your leaders – should give them the time and encouragement required, and recognise and reward their effort. This will help them find the right balance between behaving securely while meeting the objectives of their role.
Engaging with your workforce
The main goal of workforce security engagement is to improve people’s ability to behave securely, their belief that their behaviour makes a difference, and their willingness to contribute to building better security for all.
For engagement to succeed, you must:
- understand your audience
- put the audience at the centre of all that you do
- take a requirements-led approach
If you don’t do this, your initiatives are likely to fail. You won’t achieve your objectives, and will instead waste resources and possibly damage morale.
Even beginning the conversation with your workforce can help to improve your security culture: it sends a message that your security team appreciates other perspectives, and recognises the importance of these in building a system that works for everyone. Strong security cultures exist where everyone has a say in how security is done, rather than it being only imposed from above.
That said, people are busy, and may not have a lot of free time to spend filling in surveys or attending focus groups. They may think some security problems are so obvious that everyone must be aware of them, so why bother mentioning them – especially if they have already done so in the past, and it didn’t help. People will also have plenty of experience of work initiatives that promise wonders, but fizzle out over time. Sustained effort, regular feedback, respect for different points of view, and tangible improvements are often required to convince people that it’s worth spending their valuable time engaging with security.
Consider why your organisation is disengaged to begin with. Common reasons for this include:
- a lack of commitment to security by leadership, so the workforce does not see it as a priority
- communication channels are so saturated with security messaging that people start to tune it out
- security communications are one-way, so people feel their experiences aren’t important and their feedback isn’t acted on
- people are so busy they don’t have the mental bandwidth to engage with a security cultural change programme
- your security team promotes a culture that is at odds with your wider organisational culture
- security incidents are used to ‘blame and shame’ those involved, corroding individual and team morale, rather than as an opportunity to learn and improve
- security incidents and near misses don’t attract a visible response, or poor security behaviours go unchallenged
Understanding why the workforce is disengaged should inform your approach to re-engaging them. This will enable you to put together a prioritised plan of action, building on past activities.
The National Protective Security Authority’s (NPSA) Security Culture Survey tool is an evidence-based set of resources that can be used to help organisations to do this work in more detail. Specifically, it helps organisations assess their security maturity and the foundations required to support cultural initiatives, and provides recommended interventions and ways to measure improvement.
Surveys are an easy, cheap and popular way to gather data and opinions, but they have significant drawbacks: they often suffer low return rates and deliver poor-quality data, which does not provide a solid evidence base for further work. The NPSA Security Culture Survey tool, or your HR team, can help you design and deliver useful surveys in your workplace. If you do need to create your own, refer to the following resources for advice:
- Tips for maintaining quality when designing surveys at pace – Government Analysis Function
- Surveys That Work: A Practical Guide for Designing and Running Better Surveys – book by Caroline Jarrett
Other key activities to help you effectively engage with the workforce include:
- using existing data to identify issues and problems – if 75% of the calls to IT support are for password resets, consider updating your password policies in line with the NCSC’s guidance
- analysing engagement with your main comms channels – e.g. portals, chatbots and a security advice centre – to identify intervention opportunities
- involving your audience in designing, implementing and evaluating your security improvements
- discussing goal conflicts and other areas of friction in order to identify and risk-manage less secure ways of working until a better solution is available
- providing support where it is needed and asking for goodwill and compliance in return, even for issues where you cannot provide an ideal solution
- holding friendly open-door sessions for people to bring their security issues and concerns, which you may not otherwise get to know about
- spending time around your offices, talking to people about their opinions and experiences, and troubleshooting where possible
These activities can also support the creation of meaningful metrics, demonstrating that the work you are doing is making a difference to engagement, and to security overall; though do remember that activity doesn’t always equal impact – see the Measuring Improvement section for more information.
Creating trust and psychological safety
Successful security engagement requires trust. If you don’t know how people are cutting corners to work around security, you can’t work to fix the reasons why. You need that trust so they will share their experiences with you honestly and openly. Obviously a security team can’t promise to ignore evidence of real wrongdoing; but they should work to fair, transparent, and consistent processes, so people know what to expect and feel they are treated fairly.
Working to understand the full context of people’s security decisions or actions is a powerful way to learn from experience, build trust, and create a stronger, more effective organisation in the longer term.
You can, and should, make this commitment mutual, by also reflecting on times when your security team’s actions may themselves have caused problems in the past. Again, openly taking accountability for past mistakes and fixing things for the future helps to motivate others to do the same, and to create an environment of shared responsibility for security.
An increase in trust helps create a psychologically safe environment; one where people feel able to ask questions, share knowledge, admit mistakes, and challenge how things are done without fear of unfair blame or sanction. Psychologically safe environments demonstrate flexibility, innovation and high engagement. As well as supporting better security, these behaviours will help your organisation in general. Psychological safety must be modelled and promoted by both your security team and your organisation’s leaders if it is to gain traction.
In the context of security, it’s particularly important for leaders and security teams working to improve psychological safety to:
- encourage and celebrate the right behaviours – asking questions, seeking help, and admitting to mistakes, especially those that may have caused a security incident
- communicate carefully about security incidents, and to handle incidents correctly without shaming or blaming people for honest mistakes
- encourage people to bring their own points of view, speak up when they spot issues, proactively tackle issues within their own competence, and constructively challenge how things are done
- acknowledge their own fallibility – no one is immune from making a mistake that may have security implications
This work will help to foster a just culture, where people are more likely to take accountability for their actions, and responsibility for their own continuing learning.
Pitfalls to avoid
Security teams are often seen to be in a position of authority, and may have power to issue sanctions or even recommend dismissals for misbehaviour. It is therefore critical that the workforce trusts them to use these powers responsibly and fairly. If this trust is damaged, then efforts to engage with and educate people will be severely impacted.
For example, phishing simulations are commonly used in government. Good simulations show how phishing is a key attack vector and actively encourage people to report phishing attempts without fear of shame or sanction, even if it is a false alarm or they have already followed a suspicious link. They also recognise that nobody can always tell good emails from bad, and encourage employees to openly discuss and learn from the campaign as a team. This encourages people to do the same when they get a real or suspected phish, improving the chances that it will be correctly identified and handled.
Unfortunately, many phishing simulations are based on the false assumption that people can spot all phishing attempts if they try hard enough, and that punishment is an effective deterrent for ‘repeat offenders’. This can result in simulations that are designed to fool as many people as possible, as if maximising failure were a good way to train them. Achieving a low click rate on a phishing simulation can also cause a false sense of security, as real phishes often look very different.
Setting people up to fail will not help them identify and report future phishing attempts. Rather, it can erode trust in and foster resentment of your security team. It may also harm workforce engagement with security, which will damage the success of other security initiatives, and is ultimately a waste of scarce resources. The NCSC explains this in more detail in their phishing guidance.
Security education and awareness (SEA)
Security education and awareness (SEA) is an approach to helping organisations improve their security culture with targeted campaigns and training materials. In government, this work is led by the Security Education and Awareness Centre (SEAC).
Training materials and awareness campaigns are a powerful way for security teams to communicate directly with the workforce, so are critical to improving security culture.
It is important to set the right goals for SEA. Focusing too hard on behaviour change is often unhelpful, as SEA cannot change security behaviours unless the wider environment also supports those changes. Therefore, your SEA goals should be to:
- increase awareness of the security strategy
- increase people’s engagement with security objectives
- build trust and communication between people and your security team
- communicate secure behaviours
- strengthen people’s belief that their behaviour makes a difference
The key factors of a successful SEA approach are to:
- communicate in proven effective ways – be positive about people’s contribution and capabilities, and focus on building confidence
- prompt action and provide information at the point of need – for example, by providing a convenient Report Phish button in email applications
- motivate people to act by giving up-to-date, accurate, relevant threat information with relatable examples, avoiding sensationalism and fear tactics (which are proven to cause harm overall)
- give clear, actionable advice and the means to follow it – tell people exactly what you want them to do/not to do
- tailor the approach to the audience, making it accessible, relevant, and relatable for them – for example, by using real-life stories from your organisation to add authenticity
- celebrate positive behaviours rather than offer financial rewards, so behaviours don’t stop when the rewards stop
- schedule training logically to show that the organisation cares about security – when someone joins, when someone moves roles, and on an annual basis as a minimum
SEA initiatives must be supported by the following in order to be successful:
- intelligent investment of time and money in quality training
- policies, processes, guidance, and other supportive content that is audience-centred, regularly updated, and shared with people when and where they need it
- feedback mechanisms and other methods to gather data to inform your campaigns, training materials, and wider security approach – and prove its effectiveness
Security champion networks are more resource-intensive than some of the other suggestions above, but can be very useful in helping to spread knowledge and understanding across the workforce in different ways, to suit different local contexts and subcultures, and to gather vital information about how security is currently understood in different areas of the business to inform your future work.
Making your SEA material and the supporting policies and procedures as clear and concise as possible will minimise false-positive incidents, saving your resources and making it easier for you to spot genuine security problems.
It can be hard to get people interested in security, especially if they are jaded by exposure to dull and unsympathetic past campaigns. But you can be creative, even on a small budget, to find better ways of drawing people in. Examples include gamifying the learning experience with exercises and competitions for token prizes; building communities with shared interests; and sharing interesting and accessible security stories. All these and more can be remarkably effective.
Measuring improvement
Changes in security culture can be hard to measure and can take a long time – perhaps years – to fully manifest. However, measurement is essential to demonstrate effectiveness and return on investment, to identify areas for improvement, and to support the planning and funding of future work.
Decide what matters to you, what you want to change, and how you will know when you’re going in the right direction. To allow for other factors that affect your organisation and the threat landscape, it is better to aim for continuous improvement, taking a flexible approach while maintaining the discipline to track and demonstrate progress.
Distinguish between measuring activity (such as click rates on intranet security policies) and measuring impact (such as evidence of people following said security policies). The former is much easier, and a useful (if limited) measure if done consistently over time. Measuring impact is usually harder but much more valuable, in part because it forces you to articulate the things you really want to change and why they matter.
Examples of things you can measure to show improvements in security culture are included at the end of this document in a table for easy reference.
To keep cost and effort to a minimum you can build on existing methods of monitoring wider security improvement, especially board-level indicators of security progress and cost-effectiveness. We recommend tools such as the Cyber Assurance Framework (CAF), GovAssure, Departmental Security Health Check, and NPSA’s Security Culture Survey Tool. Whichever methods you choose, ensure you present data in ways your audience can easily understand and interpret; and remember to take an iterative approach to improvement to build success over time.
Conclusion
To meet the strategic objective of improving security culture, security must continually develop and improve, to better match how people need and want to work. This makes it easier and more natural for them to think and behave securely, to feel supported in their decisions, and to ask for help at the right times and in the right ways.
Cultural change is hard: it cannot be imposed from above by applying rules and regulations, or by any one team deciding to change how everyone else does things. It requires an understanding of how the culture arises, what things affect it, and how to intervene in ways that will lead to the required improvements. These improvements can only be delivered by a coordinated, ongoing, and iterative effort, led and supported at all levels of your organisation.
Further reading
The following are useful resources on some of the subjects we’ve covered:
- NPSA’s Security Culture survey tool
- Why good leaders make you feel safe: TED talk by Simon Sinek
- 10 Steps to Cyber Security – NCSC.GOV.UK
- Awareness is only the first step (PDF)
- The Board Toolkit – Developing a positive cyber security culture – NCSC.GOV.UK
- Sixty years of fear appeal research: Current state of the evidence
- Shame in cyber security: effective behaviour modification tool or counterproductive foil?
- Cygenta Security Culture Guide
- Building better relationships between security and business
Examples of measuring improvement activities
The following table is arranged by areas that improvement activity can focus on (rows) and the level of resources required to measure them (columns):
Focus area | Low resource | Medium resource | High resource – covers measurement and fixes |
---|---|---|---|
Incidents and near misses | Assess how often and how quickly incidents and near misses are reported. | Assess how promptly and fully incidents and near misses are dealt with once reported, and whether reporters are happy with the response they got. | Ensure that incident investigation processes correctly analyse all relevant data and identify the systemic design and usability issue that caused the incident, so it can be fixed. |
SEA | Measure staff participation in SEA and training events. Measure spikes in page hits following comms and awareness campaigns. | Gather feedback on the effectiveness of security training and engagement activities, and use this to improve future offerings. | Identify where SEA isn’t meeting its objectives, decide how these objectives might be tackled better (for example, by delivering more usable security solutions), and make those changes happen. |
Engagement | Count the number of proactive inquiries made to the security team, how quickly they were answered, and how happy people were with the response. Measure interactions with security policies, processes, and other online documentation – page hits, dwell times, and click throughs to other security content. Count the number of leadership communications that address security topics and/or support security goals. | Run a survey to discover whether people feel willing and able to do the security tasks they are asked to do, and whether they think their actions make a difference. | Run focus groups to explore people’s perceptions of security in detail, identifying priority areas to work on. Use the findings to achieve tangible improvements in the overall security approach. |
Usable security | Assess common areas of security friction; for example password quality and variety, uptake of multi-factor authentication, promptness of user-controlled device updates, time spent on password resets. | Identify the most significant gaps between what security policies and processes say, and what people really do, and understand the reasons for these. Assess whether people feel they have enough time and support to behave securely. | Hire expert user researchers, UX pros, and technical writers to analyse and improve your security policies and processes. |