New report provides a peek behind the curtain on cybersecurity cultures

Aug. 20, 2020
Security attitudes, beliefs of employees in a wide range of industries revealed in new research

Cybersecurity technology has evolved by leaps and bounds in recent years, but ask any expert in the field what the key is to mitigating attacks and almost all of them will tell you it is the practices and attitudes of people within organizations. Don’t reuse login credentials across sites and applications, carefully scrutinize emails seeking confidential or financial information, and don’t download files or click on links from unknown sources: these are among the common precepts preached by cybersecurity evangelists. However, they often fall on deaf ears because security has not been instilled as a priority from the top down.

Of course, these attitudes vary across industries due to the nature of the business or institution. A new study from KnowBe4 Research, the recently launched research arm of security awareness training firm KnowBe4, sought to quantify the security cultures of organizations in 17 different industries – banking, financial services, insurance, consulting, business services, technology, healthcare and pharmaceuticals, consumer services, not-for-profit, retail and wholesale, legal, manufacturing, government, construction, energy and utilities, education, and transportation – by assigning each an aggregate culture score based on how it performed across seven dimensions: attitudes, behaviors, cognition, communication, compliance, norms, and responsibilities.

According to the 2020 “Security Culture Report,” which was based on data collected from more than 120,000 employees in over 1,100 organizations across 24 countries, the mean and median of the total security culture score across industries was 73. Security culture scores for individual organizations ranged from a minimum of 50 to a maximum of 86. The scores for industries ranged from 76 on the high end to 68 on the opposite end of the spectrum. Additionally, the research found that 92% of organizations have a moderate security culture, while only 7% have a good security culture.

Unsurprisingly, the research noted that the best performers were the industries of banking (76), financial services (76) and insurance (75), which are already well-acquainted with mitigating risk and must also adhere to various compliance regulations regarding data protection and cybersecurity. However, according to Perry Carpenter, Chief Evangelist and Strategy Officer for KnowBe4, just because firms in these industries are leading the pack does not mean their cybersecurity culture is where it needs to be.

“Even the verticals that are doing well are doing just ok,” says Carpenter, who formerly served as an analyst at Gartner and now heads the KnowBe4 Research division. “They would be in the high ‘C’ range if we were giving them an academic grade. That means that everybody has a lot of room for improvement.”

Industries that performed the worst included transportation (70), energy and utilities (71), and education (68), which Carpenter says is a real cause for concern, particularly within education, which has been hit hard by the coronavirus pandemic.

“COVID-19 has strained education to the breaking point as we try to figure out what this next school year looks like and so there is a blend of technology that is having to be used that’s never been used before and when you look at where education is in the security culture rankings, they’re dead last in everything,” he adds. “They are really in a position – this coming year with COVID – to be pushed to the breaking point from a security perspective and some really bad security incidents could potentially come out of that unless they really embrace this new space that they are being forced into. They are having to embrace technology like never before, can they embrace security and owning the culture aspect of that also like never before?”

The Seven Dimensions of Security Culture

To measure security culture, the research compared industries across seven different dimensions including:

  • Attitudes - Feelings and beliefs of employees toward security protocols and issues.
  • Behaviors - Actions and activities of employees that have direct or indirect impact on the organizational security.
  • Cognition - Employees’ understanding, knowledge, and awareness of security issues and activities.
  • Communication - Quality of communication channels to discuss security-related topics, promote a sense of belonging, and provide support for security issues and incident reporting.
  • Compliance - Knowledge of written security policies and the extent that employees follow them.
  • Norms - Knowledge of and adherence to unwritten rules of conduct in the organization.
  • Responsibilities - How employees perceive their role as a critical factor in sustaining or endangering the security of the organization.

Carpenter says he would like to see organizations improve their cultures when it comes to norms and how employees adhere to these unwritten rules.

“Norms, if you flashback in maybe a good way or traumatic way to your high school days, and you think about peer pressure and the way that peer groups modeled behavior and if you’re modeling a certain behavior you’re an insider and if you’re not modeling that behavior you’re an outsider – that’s behavioral norms within an organization, those unwritten rules and the way that people get subconsciously trained to behave in certain ways,” he explains. “Across the board I would like to see that unwritten rules side of things improve quite a bit.”

Organizations Lacking ‘Intentionality’

Carpenter says the biggest thing that many organizations are lacking today when it comes to their security culture is “intentionality.”

For example, prior to the release of the Security Culture Report, KnowBe4 commissioned a study conducted by Forrester Consulting that looked at organizations’ understanding and implementation of security culture. Although a vast majority (94%) of organizations agreed that security culture was important, security leaders could not agree on what the term means as respondents provided more than 750 unique definitions for it.

“When you cannot even define a concept reliably or come to an agreement on what the concept means, then you can’t change it,” Carpenter explains. “The Security Culture Report gives definition and these seven different dimensions that we measure against so that you can start to crystalize your understanding about what security culture is and then you can start to measure those different dimensions and see where the gaps are and build a plan to improve them. But until you measure something and understand what it actually is, you’re kind of shooting in the dark and you’re just hoping for the best.”


Joel Griffin is the Editor-in-Chief of SecurityInfoWatch.com and a veteran security journalist. You can reach him at [email protected].