Security Culture

• Common Sense Security
• Cryptoparty

Introduction

A security culture can be defined as a pattern of behaviours, beliefs, assumptions, attitudes and ways of doing things that promotes security. Culture evolves as a type of shared history as a group goes through a set of common experiences – it cannot be imposed from above. A security culture exists in every community; it may be weak, ineffective, disorganised, contradictory, unrecognised and haphazard, but it exists.

The aim of creating an intentional security culture is to create a mindset across the community that moves away from perceiving security as something that should be endured or accepted grudgingly, to individuals ‘buying-in’ to the view that effective security is essential to enabling the community to operate, and taking personal responsibility towards achieving this goal.

Communities developing an intentional security culture achieve this through a combination of mechanisms beyond awareness activities, such as rewarding and promoting good behaviour, taking action against offenders and developing moral attitudes. Creating a security culture is not an easy or quick task; but if people behave with security in mind and willingly incorporate security practices into their daily activities, then there is a much better chance of protecting community assets.

What does a Security Culture look like?

An intentional security culture requires a proactive ownership of security by all individuals across the community. Security is everybody’s responsibility. With an intentional security culture, people want to and are able to protect the entire community; people automatically think in terms of what information to share and what to protect.

Benefits of an Effective Security Culture

A culture of security is not an end in itself, but a pathway to achieve and maintain other objectives. It leads to greater internal and external trust, consistency of results, easier compliance with laws and regulations and greater value in the community as a whole. An effective security culture ensures there is an understanding of why security policies and rules were created and the underlying intent behind them, so that individuals have the context for appropriate decision making in times of ambiguity.

An effective security culture ensures that individuals apply sensible security, and do not apply levels of security that are either too high or too low, with ensuing cost or risk implications.

Improving Security Culture

There are a number of obstacles towards improving security culture, in particular:

• Security is perceived as a negative
• Security is ‘not my problem’
• Broader societal and community cultural issues
• Practical difficulties in achieving deep-lying cultural change
• Difficulty in measuring cultural change

Organisations that attempt to create an intentional culture of information security generally do so through a coordinated programme of activities, including:

• Change perception of security to be seen as a positive enabler
• Establish a number of Security ‘Champions’ to represent security
• Establish cross-functional teams, working together to advance security
• Undertake Security Awareness Training for all personnel
• Align personal Goals and Objectives with security requirements