How CISOs can build and sustain a cybersecurity culture

Cybersecurity culture is crucial for effective cybersecurity risk management.

This article presents a roadmap describing how companies can start building and lay the foundation for sustaining cybersecurity culture to enable effective cybersecurity risk management. The steps in the roadmap are based on the author’s practical experience gained from supporting organizations to build and sustain a cybersecurity culture. The roadmap includes five sequential steps:

1. Make the strategic objectives clear
2. Assess the current culture state
3. Design a culture change strategy
4. Execute a culture change strategy
5. Review and improve the culture

This article has been outlined according to these five steps. In the following, each step will be described together with examples supporting how your organization can start working with each step. The outcome of each step will also be described. The purpose with the roadmap presented in this article is to provide guidance to the Chief Information Security Officer (CISO) on the steps needed to establish a program to build and sustain a cybersecurity culture, a cybersecurity culture program. 

There are three articles related to sustain cybersecurity culture, this being the last article. The first article emphasized on the importance of why a cultural change program is essential for an effective cybersecurity program supporting an organization’s business objectives. The second article sheds light on why organizations are struggling to build and sustain a cybersecurity culture. 

1) Make the strategic objectives 

The first step is to start thinking about what the strategic objectives are with the cybersecurity culture program, i.e., what your organization wants to achieve in the future by building cybersecurity culture and what the value is for the change in culture. The target culture and the value it provides to your organization should be clearly defined in a vision statement and acknowledged by stakeholders.

This can include ensuring that your workforce adapts to a change in the threat picture, external and internal requirements and technology and thereby supporting the continuous improvement of the organization’s cybersecurity risk management. One example could therefore be:

To build and continuously improve our culture for cybersecurity to maintain cyber risks at acceptable levels and thereby support our organization to achieve its business objectives.

While the vision statement should provide a clear image of the future of the organization in terms of cybersecurity and how culture change supports this image, the program’s change goals are set as specific targets that move your organization towards the defined vision. Change goals help you and your team to stay focused and on track. The change goals should be the starting point when performing both a human risk analysis in the second step and the definition of metrics or KPIs to measure the deployment and impact of the program that are defined when designing the culture change strategy (step three). The ambition should be to utilize the metrics defined in step three   to track how well your organization is doing in fulfilling the defined change goals. To provide one example that can be used as an inspiration, three change goals are exemplified below:

Within three years, all our personnel should have sufficient:

• Understanding of the cybersecurity threat picture relevant to our organization 
• Understanding of cybersecurity requirements and responsibilities related to their role
• Level of information competence to manage their responsibilities

Output: Vision statement with clear strategic objectives and defined culture change goals

2) Assess the current culture state

During the second step, the current state of cybersecurity culture is assessed. The purpose during this step is to ensure that the right human risks will be addressed in the culture change strategy developed in the third step i.e. designing a culture change strategy. 

The employees at risk are identified and the gaps in the existing processes are identified.  To define the measurement instrument, a human risk analysis (HRA) first needs to be performed. The HRA provides working hypotheses and limitations to the measurements. This covers the top-risks that are the important to address in your organization. This can be done through one or a series of working meetings with your team and/or stakeholders from the business side and can result in 3-6 risks that need to be measured. Evidence to test the hypothesis can be collected through several means and you should decide which mean is most effective to your context in regard to time and cost.

The three pillars that forms the framework is described below together with its dimensions and how evidence can be collected for each pillar:

Organizational measures:

The organizational measures describe all measures that you and your team employ to establish cybersecurity awareness and govern proper behaviors throughout your organization. The basic hypothesis is that what you do here influences the motivation and ability of your organization’s employees to adhere to policies and requirements and thereby shaping proper cybersecurity behaviors. 

The measures include a role responsible for the culture change program (e.g., Head of organizational culture change, Chief Information Security Awareness Officer, CISAO and so on). It also includes sufficient resources (FTEs and dedicated budget), a formal culture program strategy, policies and guidelines. These guidelines govern cybersecurity behaviors, awareness raising activities and training on both minimum-security requirements for all employees and specific training for high-risk groups. Finally, it includes an established measurement process for monitoring program deployment and effects in relation to program change goals. 

Data can be collected by identifying and reviewing relevant documentation and performing interviews, workshops or focus-group interviews with stakeholders. Relevant documents to review includes organizational charts, reporting lines, role descriptions, strategy, policies and procedures. It also includes results from stakeholder analysis/target group analysis, awareness and training material, defined security requirements for different training target groups and defined metrics. Stakeholders to interview include CISO, CISAO, HR and business leaders.

Motivation and ability:

This pillar describes an individual’s motivation and ability to act in accordance to cybersecurity rules and to combat cybersecurity threats. The pillar contains dimensions such as leader communication, norms about cybersecurity, awareness about policies or rules and common threats, perceived knowledge or skills and intentions to protect an organization’s information assets.

Data can be collected through surveying employees and performing focus-group interviews with a set of employees. If the survey methodology is used, questions to measure changes in motivation and abilities among employees can be a part of an annual cybersecurity survey. Furthermore, to obtain an indication of employees’ motivation and prioritization of cybersecurity, e-learning completion rate and page views of published messages on the company’s intranet can be analyzed.

Cybersecurity behaviors:

This pillar captures an individual’s cybersecurity behavior. The pillar defines cybersecurity behaviors in two dimensions; adherence to the organization’s policies and rules and resistance to cyberattacks. 

Data can be collected by utilizing scenario-based surveys, phishing simulations, password cracking exercises, analyzing data from already installed tools etc. These four examples are shortly described below.  

• Scenario-based surveys are surveys where written hypothetical scenarios are used to measure behavioral intentions and self-reported behaviors. To attempt to capture the employee’s actual cybersecurity awareness, a “smoke-screen” approach can be used to collect survey data. That is, the true purpose with the survey, which is to collect data on cybersecurity behaviors, is masked by providing a false context to the survey, e.g. a survey on “work efficiency”. If a “smoke-screen” approach is not used, the scenarios could be a part of the annual survey of cybersecurity. Regardless of the chosen approach, the scenarios should be constructed based on the performed HRA where hypotheses of the organization’s top-risks are identified. This could result in utilizing scenarios that reflect actual threats relevant to the organization, such as phishing threat, weak password practices, unsecure handling of classified information, etc. 
• Phishing simulations can be performed to measure resistance to common cyberattacks as a single activity in the assessment phase and as part of a cybersecurity culture change program. It can be used before and after a performed training (e.g., e-learning course) to measure effects of the training. 
• A password cracking exercise is used to find weak passwords, not crack as many as possible. Password cracking can be used as a single activity to measure users’ adherence to the organization’s password practices and to measure effects of performed training and thereby measure potential changes in password behaviors.  
• Analysis of data from tools already installed in the organization involves the assessment of behaviors and actions performed by insiders accessing the company network. It is enabled by identifying datapoints and collecting data from tools, e.g., monitoring- and incident reporting tools that represent user actions or behaviors.   

Once the data collection methodology has been chosen and the data has been collected and analyzed, the results is mapped to the working hypotheses and thereby the actual top-risks, high-risk groups and gaps are identified which provide valuable input to the culture change strategy.

Output: Defined measurement framework, identified top-risks, results baseline assessment, identified high-risk groups

3) Design the culture change strategy 

In the third step, a formalized strategy for the implementation of the culture change program is designed. Here, activities to reach change goals are defined and prioritized. 

To clarify how this should be done in a structured way and to avoid encountering unexpected problems during the implementation is the main purpose in this step. The following pointers are important to adhere to:

• Defining important stakeholder to the program, including stakeholders that you need on your side for supporting the program (supporters) and stakeholders that need awareness training (target groups). 
• Defining training requirements, learning topics and learning goals per target group. For instance, the target group “all personnel” might need training on the organizations top-risks, i.e., minimum cybersecurity requirements, “developers”, “HR-personnel” and “IT-support personnel” might need add-on specific training relevant to their role. 
• Identify the most efficient means to provide training to each target group. Some examples of training are:
  • E-learning to all employees in the organization’s top risks and the requirements and responsibilities they have related to their role
  • Regular phishing simulations to provide training to all on how to detect and report the phishing threat in practice
  • Scenario or dilemma training in workshop format for specific target groups
  • Capture-the- Flag exercises (CCTFs) for IT-personnel and developers that challenge players to solve a variety of tasks to find a hidden piece of text (the flag).
  • Cyber War Games for the board or crisis management group to practice on how to manage the consequences of a cyber-attack, including investigation and communication to internal and external stakeholders
• Define metrics or KPIs based on the defined learning goals per target group to measure deployment and change impact of performed training and communication activities.
• Establish a process to measure deployment of the program and effects on learning goals. This is similar to the measurement methods defined in step 2 (Assess the current culture state).
• Plan execution of training by establishing a training and awareness plan where prioritized activities are outlined. Also, responsibilities for performing and monitoring the training are assigned.

Example of program metrics 

Metrics and KPIs are utilized to track and measure the deployment and impact the program have on change goals. Based on your defined overall change goals and learning goals for prioritized target groups; you and your team can find the metrics that fits your context and purpose. However, to provide some guidance, here are a set of example metrics. In a very simplified way metrics can pertain to three categories:

• Distribution: Measures distribution of training, e.g. launched e-learning modules, Face 2 Face (F2F) sessions (lectures, one-one induction for new hires), published awareness raising articles on internal channels and others (e.g., competitions, surveys, quizzes and phishing simulations)
• Completion: Measures completion of training, e.g., e-learning completion, survey completion and page views of published articles.
• Impact: Measure changes in cybersecurity attitudes, beliefs and behaviors, e.g., improved cybersecurity attitudes, beliefs through user survey assessment, increased reporting of phishing e-mails, decreased number of false positives in phishing reporting, increased amount of documents classified according to information classification rules, decreased amount of classified documents distributed externally, increased number of passwords complying to password requirements, etc.

Output: Defined stakeholders, including target groups, defined learning topics, defined metrics and KPIs, defined training means and communication channels and training and Awareness plan

4) Execute culture change strategy

The fourth step is about executing the culture change strategy and monitoring the deployment of the program. That is, delivering communication and training activities targeting employee’s motivation and ability to adhere the organization’s policies and combat cybersecurity threats. Communication activities will serve to increase awareness of your organizations top risks and how to manage them, and also provide knowledge of your organization’s existing policies and rules. Training activities will teach employees how to detect and report potential cyber threats in practice. 

The metrics and KPIs defined in step three (Design a culture change strategy) will be employed to measure the deployment of the program. Effects of training is evaluated in the last step. 

Output: Executed training and measurement results

5) Review and improve culture

The last step will evaluate the quality of the culture change program, i.e. review the activities performed to change awareness and behavior. An analysis of metrics collected to assess effects of training in relation to learning goals and overall change goals needs to be performed. In addition to analyzing collected metrics, the culture change strategy (including the stakeholder analysis) should also be reviewed based on potential changes in the threat picture and business environment to ensure that the strategy still covers the "right" risks. Potential new stakeholders, requirements and risks need to be addressed in the reviewed strategy. Developed learning material such as e-learning courses should also be reviewed. The adequacy of utilized metrics and KPIs need to be evaluated to ensure that the most effective metrics that generate consistent and optimum results in capturing and improving cybersecurity culture is used. In addition to these review activities, a qualitative review can also be employed to assess the program impact. For instance, you can perform a qualitive assessment against these example indicators of cybersecurity culture change:

• There's a common understanding of why cybersecurity culture is needed throughout my organization
• Our key target groups are identified
• Key cybersecurity risks relevant to the target groups are defined
• Communication and training methods to ensure ownership of these risks (and behavior change) are identified
• There's an awareness and training plan consisting of defined and repeatable steps on how key risks will be addressed throughout the organization 
• Deployment metrics and effect metrics are defined and followed up to ensure that provided training have influenced behavior and culture change

The results of the review, including areas of improvement, should be summarized in a report on reported to program stakeholders. 

Output: end-year report, areas of improvement