Our company is 100% woman-owned, adding a unique perspective to our commitment to excellence!

The Security Culture Playbook

by Wiley
Sold out
Original price $25.00; current price $25.00
Description

Mitigate human risk and bake security into your organization’s culture from top to bottom with insights from leading experts in security awareness, behavior, and culture.

The topic of security culture is mysterious and confusing to most leaders. But it doesn’t have to be. In The Security Culture Playbook, Perry Carpenter and Kai Roer, two veteran cybersecurity strategists, deliver experience-driven, actionable insights into how to transform your organization’s security culture and reduce human risk at every level. This book exposes the gaps in how organizations have traditionally approached human risk, and it gives security and business executives the information and tools they need to understand, measure, and improve every facet of security culture across the organization.

The book offers:

  • An exposé of what security culture really is and how it can be measured
  • A careful exploration of the 7 dimensions that comprise security culture
  • Practical tools for managing your security culture program, such as the Security Culture Framework and the Security Culture Maturity Model
  • Insights into building support within the executive team and Board of Directors for your culture management program

Also including several revealing interviews from security culture thought leaders in a variety of industries, The Security Culture Playbook is an essential resource for cybersecurity professionals, risk and compliance managers, executives, board members, and other business leaders seeking to proactively manage and reduce risk.

Contents

About the Authors
Acknowledgments
Introduction

Part I: Foundation

Chapter 1: You Are Here
  Why All the Buzz?
  What Is Security Culture, Anyway?
  A Problem of Definition
  A Problem of Overconfidence
  Takeaways

Chapter 2: Up-leveling the Conversation: Security Culture Is a Board-level Concern
  A View from the Top
  Telling the Human Side of the Story
  What’s the Cost of Not Getting This Right?
  Cybercriminals Are Doubling Down on Their Attacks Against Your Employees
  Your People and Security Culture Are at the Center of Everything
  The Implication
  Getting It Right
  Takeaways

Chapter 3: The Foundations of Transformation
  The Core Thesis
  The Knowledge-Intention-Behavior Gap
  Three Realities of Security Awareness
  Program Focus
  Extending the Discussion
  Introducing the Security Culture Maturity Model
  The Security Culture Maturity Model in Brief
  The S-Curves
  The Value of the Security Culture Maturity Model
  You Are Always Either Building Strength or Allowing Atrophy
  Takeaways

Part II: Exploration

Chapter 4: Just What Is Security Culture, Anyway?
  Lessons from Safety Culture
  A Jumble of Terms
  Information Security Culture
  IT Security Culture
  Cybersecurity Culture
  Security Culture in the Modern Day
  Technology Focus
  Compliance Focus
  Human-Reality Focus
  Takeaways

Chapter 5: Critical Concepts from the Social Sciences
  What’s the Real Goal—Awareness, Behavior, or Culture?
  Coming to Terms with Our Irrational Nature
  We Are Lazy
  Why Don’t We Just Give Up?
  Security Culture—A Part of Organizational Culture
  Takeaways

Chapter 6: The Components of Security Culture
  A Problem of Definition
  The Academic Perspective
  The Practitioner Perspective
  Defining Security Culture
  Security Culture as Dimensions
  The Seven Dimensions of Security Culture
  Attitudes
  Behaviors
  Cognition
  Communication
  Compliance
  Norms
  Responsibilities
  The Security Culture Survey
  Example Findings from Measuring the Seven Dimensions
  Normalized Use of Unauthorized Services
  Confidentiality and Insider Threats
  Last Thought
  Takeaways

Chapter 7: Interviews with Organizational Culture Experts and Academics
  John R. Childress, PYXIS Culture Technologies Limited
    Why Is Culture Important?
    Why Do You Find Culture Interesting?
    Is There a Specific Definition of Culture That You Find Useful?
    What Actions Can Be Taken to Direct Cultural Change?
    Is There a Success or Horror Story You’d Like to Share Related to Culture Change?
    How Does a Culture Evolve (or How Often?)
  Professor John McAlaney, Bournemouth University, UK
    Why Is Culture Important?
    Why Do You Find Culture Interesting?
    Is There a Specific Definition of Culture That You Find Useful?
    What Actions Can Be Taken to Direct Cultural Change?
    Is There a Success or Horror Story You’d Like to Share Related to Culture Change?
    How Does a Culture Evolve (or How Often?)
  Dejun “Tony” Kong, PhD, Muma College of Business, University of South Florida
    Why Is Culture Important?
    Why Do You Find Culture Interesting?
    Is There a Specific Definition of Culture That You Find Useful?
    How Do You Use Metrics to Improve Culture / Measure the Effectiveness of Cultural Change?
  Michael Leckie, Silverback Partners, LLC
    Why Is Culture Important?
    Why Do You Find Culture Interesting?
    Is There a Specific Definition of Culture That You Find Useful?
    How Do You Use Metrics to Improve Culture / Measure the Effectiveness of Cultural Change?
    What Actions Can Be Taken to Direct Cultural Change?
    Is There a Success or Horror Story You’d Like to Share Related to Culture Change?
    How Does a Culture Evolve (or How Often?)

Part III: Transformation

Chapter 8: Introducing the Security Culture Framework
  The Power of Three
  Step 1: Measure
  Know Where You Are
  Decide Where You Want to Be
  Find Your Gap
  Step 2: Involve
  Building Support
  Different Audiences
  Step 3: Engage
  Rinse and Repeat
  Benefits of Using the Security Culture Framework
  Takeaways

Chapter 9: The Secrets to Measuring Security Culture
  Connecting Awareness, Behavior, and Culture
  How Can You Measure the Unseen?
  Using Existing Data
  The Right Way to Use Data
  Methods of Measuring Culture
  Observation
  Experimentation
  Interrogation (Surveys and Interviews)
  A/B Testing
  Multiple Metrics, Single Score
  Trends
  A Note Regarding Completion Rates
  Takeaways

Chapter 10: How to Influence Culture
  Resistance to Change
  Be Proactive
  The Complexity of Culture
  Using the Seven Dimensions to Influence Your Security Culture
  Attitudes
  Behaviors
  Cognition
  Communication
  Compliance
  Norms
  Responsibilities
  How Do You Know Which Dimension to Target?
  Takeaways

Chapter 11: Culture Sticking Points
  Does Culture Change Have to Be Difficult?
  Using Norms Is a Double-Edged Sword
  Failing to Plan Is Planning to Fail
  If You Try to Work Against Human Nature, You Will Fail
  Not Seeing the Culture You Are Embedded In
  Takeaways

Chapter 12: Planning and Maturing Your Program
  Taking Stock of What We’ve Covered
  View Your Culture Through Your Employees’ Eyes
  Culture Carriers
  Building and Modeling Maturity
  Exploring the Data
  Culture Maturity Indicators
  Level 1: Basic Compliance
  Level 2: Security Awareness Foundation
  Level 3: Programmatic Security Awareness & Behavior
  Level 4: Security Behavior Management
  Level 5: Sustainable Security Culture
  There Are Stories in the Data
  A Seat at the Table
  Takeaways

Chapter 13: Quick Tips for Gaining and Maintaining Support
  You Are a Guide
  Sell by Using Stories
  Lead with Empathy, Know Your Audience
  Set Expectations
  Takeaways

Chapter 14: Interviews with Security Culture Thought Leaders
  Alexandra Panaretos, Ernst & Young
    Why Is Culture Important?
    Why Do You Find Culture Interesting?
    Is There a Success or Horror Story You’d Like to Share Related to Culture Change?
  Dr. Jessica Barker, Cygenta
    Why Is Security Culture Important?
    Why Do You Find Culture Interesting?
    What Actions Can Be Taken to Direct Cultural Change?
    What Is Your Most Interesting Experience with Culture?
  Kathryn Tyrpak, Jaguar Land Rover
    Why Is Culture Important?
    Why Do You Find Culture Interesting?
    Is There a Specific Definition of Culture That You Find Useful?
    How Do You Use Metrics to Improve Culture / Measure the Effectiveness of Cultural Change?
    What Actions Can Be Taken to Direct Cultural Change?
  Lauren Zink, Boeing
    Why Is Culture Important?
    Why Do You Find Culture Interesting?
    Is There a Specific Definition of Culture That You Find Useful?
    How Do You Use Metrics to Improve Culture / Measure the Effectiveness of Cultural Change?
  Mark Majewski, Rock Central
    Why Is Culture Important?
    Why Do You Find Culture Interesting?
    Is There a Specific Definition of Culture That You Find Useful?
    How Do You Use Metrics to Improve Culture / Measure the Effectiveness of Cultural Change?
    What Actions Can Be Taken to Direct Cultural Change?
    Is There a Success or Horror Story You’d Like to Share Related to Culture Change?
    How Does a Culture Evolve (or How Often?)
  Mo Amin, moamin.com
    Why Is Culture Important?
    Why Do You Find Culture Interesting?
    Is There a Specific Definition of Culture That You Find Useful?
    How Do You Use Metrics to Improve Culture / Measure the Effectiveness of Cultural Change?
    What Actions Can Be Taken to Direct Cultural Change?
    Is There a Success or Horror Story You’d Like to Share Related to Culture Change?
    How Does a Culture Evolve (or How Often)?

Chapter 15: Parting Thoughts
  Engage the Community
  Be a Lifelong Learner
  Be a Realistic Optimist

Conclusion
Bibliography
Index

PERRY CARPENTER, C|CISO, MSIA, is an author, podcaster, thought leader, and cybersecurity expert specializing in security awareness and the human factors of security. His research focuses on marketing, communication, behavior science, organizational culture management, sociology, and more.

KAI ROER is the author of several books on security and leadership, a keynote speaker, and a thought leader in the security culture field. In addition to his research, he is an entrepreneur and the inventor of technology and frameworks that transformed the information security industry.

An expert demonstration of weaving security into your organization’s culture

In The Security Culture Playbook, two of the world’s foremost experts in security awareness, behavior, and culture deliver actionable insights—grounded in data and their own extensive experience—into how to revamp your organization’s security culture and reduce behavioral risk at every level of your company. You’ll discover the shortcomings in how firms have traditionally approached human risk, and strategies for how to understand, measure, and improve every facet of your company’s security culture.

The authors demonstrate what security culture really means and how it can be measured, and identify the seven dimensions that make up a culture of security. You’ll find practical tools for managing your security culture program, including the celebrated Security Culture Framework and Security Culture Maturity Model. Importantly, you’ll also gain critical insights into how to build support within your executive team and Board of Directors to implement your culture management program.

Perfect for cybersecurity professionals, risk and compliance managers, executives, board members, and other business leaders, The Security Culture Playbook delivers a concrete blueprint for producing real change, reducing risk, and proactively managing your company’s exposure to cybersecurity threats. You’ll also find:

  • Revealing interviews from security culture thought leaders in a variety of industries
  • Strategies for bringing all the security culture pieces together into a coherent program
  • Actionable and modern insights from sociology and other academic disciplines
  • In-depth explanations of how to implement and shape behavioral outcomes, foster social pressures, and create positive patterns

“Perry’s exploration of security as a cultural force, created by processes and communications but separate from them, is a unique look into precisely that zone of our identity.”

—Matt Wallaert, Behavioral Scientist and author of Start At The End: How to Build Products That Create Change

“Perry has his finger on the pulse of security awareness culture and knows how to bring it to life. His real-world expert advice focuses on what is actionable and most essential for protecting your organization right now.”

—Rachel Tobac, CEO of SocialProof Security and Friendly Hacker

“I can’t think of a better guide for organizational executives trying to reduce their inherent risk via an improved internal security culture.”

—Rick Howard, CSO, Chief Analyst, and Senior Fellow at the CyberWire

“I have seen Kai Roer demonstrate his passion and sincere dedication to improving the security culture of organizations for many years … Kai providing guidance for executives to understand their role and responsibility for creating a secure business ecosystem through using The Security Culture Playbook is a brilliant idea!”

—Rebecca Herold, CEO of The Privacy Professor consultancy, and Privacy & Security Brainiacs SaaS services

“There is no one better placed to present expertise related to security culture than Kai.”

—Raj Samani, McAfee Fellow, Chief Scientist


Authors: Perry Carpenter, Kai Roer
Publisher: Wiley
ISBN-13: 9781119875239
Binding: Hardback
BISAC: Business & Economics
Language: English
