#RSAC

How Measuring Security Culture Is Different from Counting Employees

Session ID: SDS-F03

Kai Roer
Founder and CEO, CLTRe - the Yardstick of Culture - https://get.clt.re
@kairoer

The speaker: Kai Roer

CEO & Founder, CLTRe. Creator of the Security Culture Framework.

Ron Knode Service Award. Fellow at the National Cybersecurity Institute (USA).

Bestselling author. Columnist, Help Net Security. Columnist, Infosec Magazine. Expert panelist, keynote speaker, blogger and conference speaker in more than 40 countries on 4 continents. Guest lecturer, radio and TV, consulting organisations worldwide. 20+ years of experience in IT, security, leadership and communication.

Psychology at the University of Oslo. Culture builder.

Security Culture
Just another term for security awareness, right?

Security Awareness - definition

Knowing about, having knowledge of, security.

Security Culture - definition

The ideas, customs and social behaviours that influence security.
(The Security Culture Framework)

Security Culture - vs Awareness

Attitudes
Cognition
Communication
Compliance
Behaviours
Responsibilities
Norms

Measuring Culture
How long is a fish?

Culture - how people are measured

Observation (anthropology)
Discourse analysis (sociology)
Experimentation (psychology)
Surveys and interviews (sociology, psychology)

People are also measured by: numbers, kg, cm, money, success, failures, family, network, relations, education, publications…

Vanity Metrics
See! A school of fish!

Vanity metrics - looking good on the surface

Completion rates
62% completion rate
873 employees attended training
4.5 of 5 star rating of awareness content
1400 employees (not) started program

Measuring what matters
Are the fish moving?

Half full or half empty?

A standard of measurement

Measuring what matters - meaningful data

Culture dimensions
Comparable data (compare across departments and business units; benchmark against industry sectors, countries and organization size)
Relevant data (behaviours, attitudes, compliance…)
Ultimately, measure behaviours

Sources can include logs and technical controls. Supplement with cultural metrics to allow a more complete picture.

Measure what matters - benchmarking

Recent Findings
The Security Culture Report 2017: In-depth insights into the human factor

Security Culture Report 2017 - Gender

Security Culture Report 2017 - Age

Security Culture Report 2017 - Science

What now?

Next week you should:
Review how you measure security culture

In the first three months following this presentation you should:
Identify options for improving how you measure, for example by using the CLTRe Toolkit
Consider how better metrics can reduce risk and improve your security culture

Within six months you should:
Select a method / tool to measure security culture
Implement the selected method / tool

Thanks! @kairoer | https://roer.com | [email protected]