The three pillars that form the framework are described below, together with their dimensions and how evidence can be collected for each pillar:
Organizational measures:
The organizational measures describe all measures that you and your team employ to establish cybersecurity awareness and govern proper behaviors throughout your organization. The basic hypothesis is that what you do here influences the motivation and ability of your organization’s employees to adhere to policies and requirements, and thereby shapes proper cybersecurity behaviors.
The measures include a role responsible for the culture change program (e.g., Head of Organizational Culture Change, Chief Information Security Awareness Officer (CISAO), and so on). They also include sufficient resources (FTEs and a dedicated budget), a formal culture program strategy, and policies and guidelines. These guidelines govern cybersecurity behaviors, awareness-raising activities, and training on both minimum security requirements for all employees and specific training for high-risk groups. Finally, the measures include an established measurement process for monitoring program deployment and its effects in relation to the program’s change goals.
Data can be collected by identifying and reviewing relevant documentation and by performing interviews, workshops or focus-group interviews with stakeholders. Relevant documents to review include organizational charts, reporting lines, role descriptions, strategy, policies and procedures. They also include results from the stakeholder analysis/target group analysis, awareness and training material, defined security requirements for the different training target groups, and defined metrics. Stakeholders to interview include the CISO, CISAO, HR and business leaders.
Motivation and ability:
This pillar describes an individual’s motivation and ability to act in accordance with cybersecurity rules and to combat cybersecurity threats. The pillar contains dimensions such as leader communication, norms about cybersecurity, awareness of policies or rules and of common threats, perceived knowledge or skills, and intentions to protect the organization’s information assets.
Data can be collected through surveying employees and performing focus-group interviews with a set of employees. If the survey methodology is used, questions to measure changes in motivation and abilities among employees can be a part of an annual cybersecurity survey. Furthermore, to obtain an indication of employees’ motivation and prioritization of cybersecurity, e-learning completion rate and page views of published messages on the company’s intranet can be analyzed.
Cybersecurity behaviors:
This pillar captures an individual’s cybersecurity behavior. The pillar defines cybersecurity behaviors in two dimensions: adherence to the organization’s policies and rules, and resistance to cyberattacks.
Data can be collected by utilizing scenario-based surveys, phishing simulations, password cracking exercises, analysis of data from already installed tools, etc. These four examples are briefly described below.
- Scenario-based surveys are surveys where written hypothetical scenarios are used to measure behavioral intentions and self-reported behaviors. To attempt to capture employees’ actual cybersecurity awareness, a “smoke-screen” approach can be used to collect survey data. That is, the true purpose of the survey, which is to collect data on cybersecurity behaviors, is masked by giving the survey a different stated context, e.g. a survey on “work efficiency”. If a “smoke-screen” approach is not used, the scenarios can be a part of the annual cybersecurity survey. Regardless of the chosen approach, the scenarios should be constructed based on the performed HRA, in which hypotheses about the organization’s top risks are identified. This results in scenarios that reflect actual threats relevant to the organization, such as phishing, weak password practices, insecure handling of classified information, etc.
- Phishing simulations can be performed to measure resistance to common cyberattacks, both as a single activity in the assessment phase and as part of a cybersecurity culture change program. They can be run before and after a training activity (e.g., an e-learning course) to measure the effects of the training.
- A password cracking exercise is used to find weak passwords, not to crack as many as possible. Password cracking can be used as a single activity to measure users’ adherence to the organization’s password practices, and to measure the effects of performed training and thereby detect changes in password behaviors.
- Analysis of data from tools already installed in the organization involves assessing the behaviors and actions of insiders accessing the company network. It is enabled by identifying data points and collecting data from tools, e.g., monitoring and incident-reporting tools, that represent user actions or behaviors.
Once the data collection methodology has been chosen and the data has been collected and analyzed, the results are mapped to the working hypotheses. This identifies the actual top risks, high-risk groups and gaps, which provides valuable input to the culture change strategy.
Output: Defined measurement framework, identified top risks, results of the baseline assessment, identified high-risk groups
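As an added illustration of the mapping step described above (not part of the framework’s own material), the following Python turns two of the data sources named in this pillar, phishing-simulation results before and after training and e-learning completion figures, into per-group metrics and flags high-risk groups. The sample records, the group names, and the flagging thresholds (a 30% post-training click rate, an 80% completion rate) are constructed assumptions chosen for the example; an organization would take its thresholds from its own working hypotheses.

```python
"""Constructed example: deriving per-group behavior metrics from
phishing-simulation results and e-learning completion, then flagging
high-risk groups. All data and thresholds below are assumptions."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class PhishResult:
    group: str       # target group from the stakeholder/target-group analysis
    phase: str       # "before" or "after" the training intervention
    clicked: bool    # recipient followed the simulated link
    reported: bool   # recipient reported the mail through the official channel


def _sample(group, phase, n, clicked, reported):
    """Constructed sample: the first `clicked` recipients click, the last
    `reported` recipients report (the two sets do not overlap)."""
    return [PhishResult(group, phase, i < clicked, i >= n - reported)
            for i in range(n)]


# Constructed phishing-simulation data (not real measurements).
RESULTS = (
    _sample("finance", "before", 10, 5, 2) + _sample("finance", "after", 10, 2, 6)
    + _sample("engineering", "before", 10, 4, 3) + _sample("engineering", "after", 10, 4, 3)
    + _sample("support", "before", 10, 6, 1) + _sample("support", "after", 10, 3, 4)
)

# Constructed e-learning figures per group: (completed, assigned).
ELEARNING = {"finance": (9, 10), "engineering": (8, 10), "support": (6, 10)}


def phishing_rates(results):
    """Return {group: {phase: {"n", "click_rate", "report_rate"}}}."""
    counts = defaultdict(lambda: {"n": 0, "clicked": 0, "reported": 0})
    for r in results:
        c = counts[(r.group, r.phase)]
        c["n"] += 1
        c["clicked"] += int(r.clicked)
        c["reported"] += int(r.reported)
    rates = defaultdict(dict)
    for (group, phase), c in counts.items():
        rates[group][phase] = {
            "n": c["n"],
            "click_rate": c["clicked"] / c["n"],
            "report_rate": c["reported"] / c["n"],
        }
    return dict(rates)


def training_effect(rates, group):
    """Absolute change in click rate from before to after training.
    Negative values mean the training reduced clicking."""
    return rates[group]["after"]["click_rate"] - rates[group]["before"]["click_rate"]


def high_risk_groups(rates, elearning, click_threshold=0.30, completion_threshold=0.80):
    """Flag groups whose post-training click rate is still above the
    click threshold, or whose e-learning completion is below the
    completion threshold. Returns {group: [reasons]}."""
    flagged = {}
    for group, phases in rates.items():
        reasons = []
        after = phases.get("after")
        if after and after["click_rate"] > click_threshold:
            reasons.append(
                f"click rate after training {after['click_rate']:.0%} > {click_threshold:.0%}")
        done, assigned = elearning.get(group, (0, 0))
        completion = done / assigned if assigned else 0.0
        if completion < completion_threshold:
            reasons.append(
                f"e-learning completion {completion:.0%} < {completion_threshold:.0%}")
        if reasons:
            flagged[group] = reasons
    return flagged


if __name__ == "__main__":
    rates = phishing_rates(RESULTS)
    for group in sorted(rates):
        print(f"{group}: click before {rates[group]['before']['click_rate']:.0%}, "
              f"after {rates[group]['after']['click_rate']:.0%}, "
              f"training effect {training_effect(rates, group):+.0%}")
    for group, reasons in high_risk_groups(rates, ELEARNING).items():
        print(f"HIGH RISK {group}: " + "; ".join(reasons))
```

In the constructed data, finance improves markedly after training, engineering shows no change and stays above the click threshold, and support falls to the threshold but has low e-learning completion; the last two are therefore the groups that the mapping step would carry into the culture change strategy as high-risk groups.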
3) Design the culture change strategy
In the third step, a formalized strategy for the implementation of the culture change program is designed. Here, activities to reach change goals are defined and prioritized.