[Written: 6th November 2019. Revised: 3rd September 2024]
Most companies invest in good functional IT security. Nevertheless, they are often not immune to security incidents. Why is that? As a rule, too little attention is given to the security aspect of "employees":
For the 'human' factor to contribute to information and cyber security, training is essential.
Our experience shows that if security is to be guaranteed, not only must people using technology be informed and trained, but the surrounding system, i.e. the corporate culture, must also promote secure behavior. We refer to this as TreeSolution Security Awareness ABC:
A) Awareness
Know why information security is important
B) Behavior
Work as an employee to maintain information security
C) Culture
Internalize information security so that it becomes a natural way of working.
Creating a culture of information security is not possible through one-off information events or circulars on technical innovations. More is needed. A cybersecurity culture must be well managed for it to succeed. In this article we will show you how to go about it.
Let's start with a quick example. Imagine how you might secure a castle - high walls, a moat and the latest and greatest access control. With your technically perfect approach to security, it is impossible to find even the smallest chink in the castle defense – at least, theoretically.
And yet, three doors remain wide open:
Clearly, attackers will have no difficulty in invading and wrecking your castle. The security plan overlooked gaps that arise naturally in the daily life of any organization. A necessary part of the daily work of employees was not fully considered, creating a vulnerability. In addition, when security policies make work more difficult or unpleasant, danger spots are created by neglecting the rules concerned. Finally, gaps often arise because the real reason for a security measure is lost in a flood of training information.
This often happens when employees are not involved in the design and, above all, the day-to-day implementation of security measures. But it also happens because employees see only the restrictive impact on their work and not the benefits.
For employees and bosses alike, this often turns into a struggle, or even a kind of game, to circumvent the security rules and, in case of doubt, to avoid shaking up established ways of working.
As you can see from the example, it is important to have a good security approach that consists not only of technical solutions, but also includes the 'human' factor.
Changing the behavior of people is a challenge. The challenge is even bigger when it is not sufficiently understood. That is why our approach to sustainable behavioral change builds on the comprehension of these issues through scientific models.
The COM-B model according to Michie et al., 2011 and the B=MAT model according to Fogg, 2009 are two scientific models for analyzing security measures in companies. They provide a basis for understanding the reasons for erroneous behavior and then selecting appropriate remedial action. We briefly described these models in our white paper "How to achieve real and sustainable behavioral change" (1).
You can bring about lasting behavioral changes in your organization if you use that understanding and build on it to select the measures that most effectively close security holes.
For the management of a security culture, we suggest the TreeSolution security culture management process to anchor behavior that is more secure. This process involves three steps that are applied one after the other in a loop.
The ongoing process, which continually starts over by building on the previous cycle, helps to internalize the correct behavior. A cycle usually lasts 1-3 years.
The Security Awareness Radar® allows you to measure the current state of information security in your company. This can be done at the beginning, if you have not yet implemented a security culture or performed security training. It can also be done if you already have a basic awareness of security. Analysis using the Security Awareness Radar® allows you to see weaknesses and problems and to tackle them purposefully. The many factors influencing the behavior of employees must be analyzed on a regular basis so that it is possible to determine the measures that are required at the departmental level and at the level of the individual employee. With the help of the Security Awareness Radar®, security can be anchored in the culture of your company and thus flow into the everyday thinking and actions of all employees, including managers.
By repeatedly questioning, analyzing and defining measures, your security culture then constantly evolves.
After measuring and analyzing the security culture, a plan must be drawn up as to which measures should be implemented in which department and how. You also define what the right behavior must be, where you are now, and how you can achieve your goal. The strategy should focus on the pillars of awareness, behavior and culture, so that all points are considered and reinforced.
With a security strategy, you can increase the security awareness and understanding of your employees. This will allow them to better understand risks and know how to behave securely and in line with security requirements.
Effective change management strategy
For employees to learn a new behavior, it is important to ensure that the changes are learnable, executable, and acceptable. In addition, it is helpful if managers are role models for the desired behavior. For example, the McKinsey Influence Model (2) shows which key factors influence the behavior and thoughts of employees when it comes to behavioral change. The ENISA Report (3) also concludes that secure behavior can only be achieved if the desired behavior is applicable and feasible in the daily work routine. Therefore, these points should be considered in the development of the security strategy. Employee engagement changes over time in terms of attention, acceptance and anchoring. This process should also be considered in the development of the strategy, as each step requires different training measures.
After the security strategy has been developed and defined, it must be implemented. A simple and efficient way to do this is e-learning. This makes it possible for employees to carry out the training flexibly in terms of time. In addition, there is no need to step away from the workplace. New e-learning with gamification approaches is more efficient than traditional e-learning as it increases user motivation through badges, rankings, and an approach based on play. Complete security campaigns that focus on different types of learners are also a great way to anchor information security in the organization. For example, campaigns can consist of posters, e-mails, stickers, e-learnings, brochures, etc., unified by an overall theme.
Training at different levels and on different topics also helps to achieve the various phases of change management. This is because each phase requires specific measures, so that the current phase can be accomplished, and the next phase can be brought about. Training provides the employees with background knowledge and explanations and helps them remember security-relevant behavior. Furthermore, it should help them become accustomed to secure behavior, as well as motivating them to implement it.
The transformation to a security culture needs to be constantly promoted, adapted and changed in order to achieve sustainable improvement while covering the continuing changes in social co-operation and the risks of information and communication technology. Thus, the management of a security culture is a continuous process of improvement and adaptation.
Leaders must also be trained to continue motivating their employees and applying the right information security principles each day. The participation of senior executives at all levels increases the effectiveness of information security.
To bring about long-term change, you need to anchor security in the culture of your business. Of course, you need to find technical solutions to make this possible. However, to ensure that change is implemented, your employees are the decisive starting point. Establishing your own security culture is advisable in order to plan, introduce, accomplish and review the technical and awareness solutions for employees.
(1) TreeSolution (2019): Whitepaper "How to achieve real and sustainable behavioural change". https://www.treesolution.com/downloads/how-to-achieve-a-real-and-sustainable-change-in-behavior
(2) McKinsey Quarterly (2016): The four building blocks of change. April 2016. https://www.mckinsey.com/business-functions/organization/our-insights/the-four-building-blocks--of-change
(3) ENISA Report (2018): Cybersecurity Culture Guidelines: Behavioural Aspects of Cybersecurity. Page 21. https://www.enisa.europa.eu/publications/cybersecurity-culture-guidelines-behavioural-aspects-of-cybersecurity