5 security culture maturity indicators every organization must know

March 30, 2022
Though frequently discussed today, security culture is often confused with 'security awareness'

Security culture is one of the hottest topics in cybersecurity these days. Researchers, security vendors, industry enthusiasts -- everyone’s talking about it. Unfortunately, most of that talk is absent of meaning. Instead, what we often see is that the term is used interchangeably with ‘security awareness’ and is often seen as a byproduct of security training exercises.

What is Security Culture and Why Is It So Important?

One of the fundamental reasons why security culture is misunderstood is because there hasn’t been a proper, universally accepted industry definition. As a result, organizations and security leaders floundered to interpret and assume its meaning. They knew it must be important…so they filled phrase ‘security awareness’ with their own assumptions of what it must be and mean.

But here’s the thing. Security culture can be and has been defined: Security culture can be defined as the set of ideas, customs and social behaviors of a group that influence its security.

Security culture is a far richer and more intricate topic than security awareness. As an example, if we collect metrics about phishing, it tells us what people are doing but doesn’t explain why people are doing it. With 85% of breaches involving human error, it’s clear that organizations need a deeper understanding of the “why” instead of the “what.” What’s more, as technological defenses mature, cybercriminals are increasingly focusing on employees as an attack vector. This is because employees hold the keys to the castle and can easily help bypass any and all forms of mature cybersecurity controls.

How Can Organizations Gauge the Maturity of Their Security Culture?

It’s no secret that data serves as the core foundation of any major organizational strategy or transformation project. So, if an organization aims to improve its security culture, they must first gain a deeper understanding of where it stands today. To do this, businesses must identify key data points that help paint an overall picture of their organization’s security maturity. Let’s explore the top five security culture maturity indicators (CMIs):

1). Security Awareness Training:

Results from security awareness training can serve as insightful data points on the cyber seriousness quotient of employees in an organization. These can include things like how frequently training programs are conducted, average attendance; the types of delivery mechanisms used (in person, online, mobile); type of content used; popularity level; common areas of strength and weakness; and determining if personalization improves participation or interest.

2). Simulated Phishing Testing:

Results from simulated phishing tests over time are also a critical piece of evidence in understanding common security behaviors and cultural practices. These can include data points from simulation exercises like the average open rate, click rate, attachment download rates, percentage of employees that failed exploit-enabled tests and macro-enable tests, percentage of employees that reply to malicious emails versus percentage that report malicious emails, accuracy of reported emails and more.

Measuring the Phish-Prone Percentage can help measure an organization’s susceptibility to phishing attacks. But don’t stop there—one of the most important phishing-related metrics you can track is how often your people are reporting suspected phishing emails. That proactive engagement by your people is so valuable. That transforms them into a critical and effective part of your organizational defense. They become a human defense layer. 

3). Behavioral Data Awareness

Behavioral data basically captures how employees interact with the systems they access. While KPIs from phishing simulations provide a piece of the puzzle, behavioral data (which can be collected from security technologies like SIEM, DLP etc.) help expand the scope of visibility. This involves categorizing employees based on their behavioral profiles and job profiles and monitoring how they change or interact in certain situations. For example, monitoring how a group of employees behave in a certain way and how it changes from device to device. Or measuring their reporting performance post the announcement of a reward or a gamification exercise.

4). Organizational Tone and Activities

Organizational tone and activities relate to things like how frequent is the organization communicating its security policies or security milestones? Is there a presence or an absence of a Security Champions Program? Are there frequent executive-led discussions around security procedures? Are there any security-centric events? Is there a reward or a contest for people that exhibit mature security behavior? Such data points indicate whether the organization themselves have mature processes in place to boost security behavior and awareness in their employees.

5). Survey Data

Security surveys are an efficient mechanism for organizations to capture real-time security maturity metrics. They can also be used to measure a variety of unobservable dimensions like attitudes (employee feelings and beliefs towards security protocols and issues), behavior (employee activities that have direct or indirect impact on organizational security), cognition (employee awareness and knowledge of security issues and activities), communication (quality of communication channels to discuss security-related issues), compliance (knowledge of written security policies and the extent that employees follow them), norms (the unwritten or unspoken rules of conduct in an organization), and responsibilities (how each employee perceives their role in sustaining or endangering the security of the organization).

While each of the above CMIs might be useful in their own right, studying them in isolation can mislead organizations into making the wrong cultural assessments. Ideally, organizations must aggregate these data sets and compare it with industry benchmarks to analyze their security maturity.

Remember, security culture is never built overnight. Organizations must invest in an evidence-based framework that is backed-up by rich data and measured over time, so that leaders can visualize their journey to security maturity and plan the actions needed to progress from one stage to the next.

About the Author:

Perry Carpenter is the author of “Transformational Security Awareness: What Neuroscientists, Storytellers, and Marketers Can Teach Us About Driving Secure Behaviors” and the host of the 8th Layer Insights podcast on The CyberWire network. He is chief evangelist and security officer for KnowBe4 [NASDAQ: KNBE], the world’s largest security awareness training and simulated phishing platform.