Users’ acceptance of norms reduces risky behaviors and positively contributes to an organization’s security culture, finds a new report.
In their study In-depth insights into the human factor: The 2017 Security Culture Report, authors Kai Roer of CLTRe and Dr. Gregor Petric of the University of Ljubljana analyzed data collected from more than 10,000 employees working at 38 organizations across five countries in Norway and Sweden that use the CLTRe Toolkit. This solution collects metrics on seven dimensions of a company’s security culture: quality of communication, compliance, knowledge, secure behavior, positive attitudes, norms, and responsibilities.
For their research, Roer and Dr. Petric compared security cultures on both sides of the Norway–Sweden border. Here’s what they found:
“Our data show some interesting differences between Norway and Sweden. In Norway, there seems to be a greater frequency of risky behaviours than in Sweden. This is interesting considering that our data also shows that there is a higher level of openness and dialogue about security risks in Norway. One possible explanation is that openness and dialogue result in better understanding and recognition of risk and risky behaviors, thereby resulting in greater self-awareness and more reporting. This explanation can be backed by organizations who implement incident report systems, seeing a large increase in reported incidents in the early stages of the implementation.”
Meanwhile, the authors observed only a weak correlation between formal training, knowledge, and behaviors. They interpret these findings as evidence that people adhere to company-based and national norms in information security. As such, they suggest that organizations embrace a risk-based security culture that incorporates group rules rather than relying on awareness training alone.
The researchers also found some gender-based differences in how employees approach risk. Their report reveals that women are more likely to intervene with a co-worker who demonstrates risky behaviors and are more accepting of security controls. Men, by contrast, report a higher sense of accountability for their actions, the study found.
Roer believes organizations need to be cognizant of these differences when designing their security culture programs:
“Putting these factors together, we believe that a security culture program that aims to improve security culture should aim for gender balance. We also see a strong correlation between adherence to norms and secure behaviour. No such correlation is found between awareness and behavior, leading us to conclude that security awareness training programs are all in desperate need of modernisation. Move away from boring trainings; apply peer pressure and group dynamics instead.”
The report also examines how industry, age, and the length of an employee’s career shape the degree to which employees buy into a security culture. For insight into these factors, download the study here.