Studies have shown that organizations with strong cybersecurity cultures experience increased visibility into potential threats, reduced cyber incidents and greater post-attack resilience among other benefits. However, cybersecurity culture has historically been seen as an abstract concept and difficult to quantify.
To help overcome this challenge, Infosec, a cybersecurity education company serving IT and security professionals, has developed a survey to classify cybersecurity culture and systematically measure results, allowing organizations to turn this important security variable into a data-driven element of their cybersecurity strategy.
The survey defines a strong cybersecurity culture as an organization’s collective awareness, attitudes and behaviors toward security, which is based on employees willingly embracing security best practices both professionally and personally.
“Few metrics offer better insight into the effectiveness of your security awareness training program than your cybersecurity culture,” Jack Koziol, Infosec CEO and founder says. However, he believes, it is also an extremely challenging metric to quantify and track over time.
The survey leverages the latest research into security culture assessment to help Infosec’s clients show the impact of training beyond measurements like phishing click rates and training completion.
The study also collects employee feedback and introduces a scalable way to analyze and measure employee attitudes and perceptions towards security practices, policies and training strategies across five cultural domains:
Confidence: how employees rate their own ability to put their cybersecurity knowledge to practical use
Responsibility: how employees perceive their role in organizational security
Engagement: how willingly employees participate in an organization’s security awareness and training program and apply available resources and support to improve security behaviors
Trust: how employees perceive the security posture and processes at their organization
Outcomes: how employees perceive the consequences of a security incident at their organization
“Traditional security awareness and training success metrics like phishing clicks are important, but the majority of our clients are driving behavior change beyond just the inbox. They are looking to shift the way employees think and feel about cybersecurity,” says Koziol.
“Interactive games can fundamentally change the way employees perceive security functions and learn how they personally contribute to keeping data secure. Cultural assessments are one way our clients can measure this perception shift over time,” he states.
According to a Forrester report authored by analysts Jinan Budge and Claire O’Malley, “Cultural change takes time and results are difficult to measure.”
One technique they recommend to CISOs is “surveying the workforce to measure motivation, ability and triggers. This will allow you to quantify the strengths and weaknesses of an existing or potential SA&T [security awareness and training] program and gain insight into the current state of security culture.”
The study further states that all organizations and cultures are unique. Recognizing security threats is only step one; organizations must also foster an environment of trust where employees feel comfortable and confident reporting suspicious activity to the IT or security team, so that breaches can be stopped before they occur.
Corporate cultures are also often driven or reinforced by senior leadership, the study shows. By treating cybersecurity as an important element of the organization’s culture (rather than a separate initiative), leadership can add an impactful, top-down layer to their organization’s human
The study also emphasizes cybersecurity training, describing it as extremely valuable. Cybersecurity training is a primary mechanism for teaching and reinforcing secure habits. By delivering engaging, role-specific training, organizations can keep cybersecurity top of mind while continuously providing value to employees both at work and at home.
There are, however, challenges to overcome: less than one-third (31%) of the respondents find their organization’s cybersecurity training only a little engaging or not engaging at all.
By failing to engage nearly one-third of employees, many security awareness and training programs may not drive the education and behavior change required to keep the organization secure. Unlike traditional, long-form training, role-based training, gamified education and micro-learning are proven to increase engagement while boosting lesson retention and encouraging behavior change.
Engagement levels can vary greatly between departments and individual employees. The best way to measure engagement and satisfaction with security communications, training and awareness activities is to simply ask employees what they think. Additionally, many respondents do not see the direct connection between cybersecurity knowledge and skills learned at work and how they can be applied at home and in their day-to-day lives.
By teaching and reinforcing cybersecurity best practices as life skills, rather than work skills, IT and security teams can make training more relevant and engaging to every employee.