The Impact of Security Culture

As the Barbados Information Systems Security Association (ISSA) chapter celebrates the 20th edition of Cybersecurity Awareness Month, we would like to acknowledge our international organization (ISSA)®.

The Information Systems Security Association (ISSA)® is a not-for-profit, international organization of information security professionals and practitioners. It provides educational forums, publications, and peer interaction opportunities that enhance the knowledge, skill, and professional growth of its members. Its core purpose is to promote a secure digital world.

We want this month to focus on the impact of security culture on cybersecurity awareness, particularly within the corporate enterprise.

If we accept that "Culture eats strategy for breakfast" (a saying commonly attributed to Peter Drucker), then building a strong Security Culture is a dependable route to better security outcomes and, through them, to organizational success and sustainable competitive advantage.

Security Culture changes how users process decisions before acting on an email, a file, or any other object in the virtual or physical world. Before executing any task, they habitually consider how their action affects themselves and the enterprise.

We have a long way to go to reach this level, and the research below shows that no industry sector has yet reached an Excellent or Good Security Culture.

(Excerpts from ‘Security Culture Report 2022 by KnowBe4 Research’ report)

The 'Security Culture Report 2022' by KnowBe4 Research, which can be downloaded from https://www.knowbe4.com/organizational-cyber-security-culture-research-report, defines security culture as "The ideas, customs and social behaviours that influence an organization's security".

It further elaborates: "This definition makes it clear that Security Culture is a combination of thought processes and knowledge, the habits that employees have adapted and the behaviours that are demonstrated when in the workplace. By workplace, we mean any such place where employees perform their work".

The report measures Security Culture across seven dimensions:

  1. Attitudes: The feelings and beliefs that employees have toward the security protocols and issues
  2. Behaviours: The actions and activities of employees that have a direct or indirect impact on the security of the organization
  3. Cognition: Employees’ understanding, knowledge, and awareness of security issues and activities
  4. Communication: The quality of communication channels to discuss security-related topics, promote a sense of belonging, and provide support for security issues and incident reporting
  5. Compliance: The knowledge of written security policies and the extent that employees follow them
  6. Norms: The knowledge of and adherence to unwritten rules of conduct in the organization
  7. Responsibilities: How employees perceive their role as a critical factor in sustaining or endangering the security of the organization

The Security Culture Index

The Security Culture Index (SCI) is the global index for rating organizations based on their security culture score. The index was created by the team of researchers at KnowBe4 Research and is calculated by analyzing the security culture of thousands of organizations around the world.

  Score        Rating
  90 to 100    Excellent
  80 to 89     Good
  70 to 79     Moderate
  60 to 69     Mediocre
  0 to 59      Poor

It should be noted that no industry sector demonstrated an Excellent or Good Security Culture in the 2022 report.

A Global Perspective on Security Culture

Measuring security culture is a global concern. Understanding the security culture of your workplace is proving increasingly important for the organization's security posture. The report adds: "As we demonstrated in the 2021 SCR, 9/10 global security leaders believe that security culture is a critical factor in their successful implementation of a security program."

A Barbadian Perspective on Security Culture

The report did not survey the Caribbean or Barbados specifically, but its Central and South America region averaged a score of 73 (Moderate).

Let's look at the Cybersecurity Observatory in Latin America and the Caribbean (https://cybersecurityobservatory.org), which is facilitated by the Inter-American Development Bank (IDB) and the Organization of American States (OAS). It holds a lot of data to unpack.

Using the Cybersecurity Capacity Maturity Model for Nations (CMM), the Observatory evaluated Latin America and the Caribbean. The Caribbean region's maturity level oscillates between levels 1 and 2.

When we look closely at the CMM data for Barbados to extrapolate how security culture affects the country, the Cyber Education, Training, and Skills (CETS) dimension is the most insightful, as shown below.

CETS covers Awareness Raising, Framework for Education, and Professional Training; our last CMM rating in this dimension averaged 1.5. This places Barbados between the Start-Up and Formative stages. The Formative stage indicates that there is evidence of initiatives, but that they are only at the initiation stage or remain ad hoc.

The CMM score for the United Kingdom in 2015 was between Stage 3 and 4 (Established and Strategic), and its Security Culture score is 73, so Barbados, at a CMM below Stage 2, probably falls below 70, into the Mediocre or Poor range, for its business entities. This is a rough extrapolation: the CMM rates national capacity, while the Security Culture Index rates organizations, so the two scales are not directly comparable.

A post-COVID-19 review of the CMM and Security Culture for the region would be enlightening, and it would be interesting to see whether our CMM rating has improved. However, the lack of a functional National Cyber Security Strategy, Incident Response capability, Critical Infrastructure Protection, Crisis Management, Cyberdefense, and Communication Redundancy continues to hold Barbados' Cyber Security Maturity below level 2.

Once Security Culture is fully integrated, the user becomes a genuine counterbalance to the attacker, the human firewall. At that point, Security Culture and Awareness are second nature: sustainable, perpetual, and ubiquitous.

Barbados Information Systems Security Association