New framework helps organizations measure cyber security culture

Published: Tuesday, 06 July 2021 08:11

Infosec, the cyber security education company, has released findings from a new research report, ‘Cybersecurity Culture - Quantified’. Designed to assess employee perceptions and sentiments towards cyber security best practices and policies, the study revealed a significant variation of security culture by industry, department, and organization size.

A strong cyber security culture, defined as an organization’s collective awareness, attitudes and behaviors toward security, is based on employees willingly embracing security best practices both professionally and personally.

ISACA and CMMI Institute research has shown that organizations with strong cyber security cultures experience increased visibility into potential threats, reduced cyber incidents, and greater post-attack resilience, among other measurable benefits.

However, cyber security culture has historically been seen as an abstract concept and difficult to quantify. To help overcome this challenge, Infosec has developed a framework and survey to classify cyber security culture and systematically measure results, allowing organizations to turn this important security variable into a data-driven element in their cyber security strategy.

“Our goal with this study was to understand the current state of security culture and uncover employee sentiments impacting security behaviors. The results show employee beliefs toward cyber security vary widely, which can have a major impact on an organization's security posture,” said Jack Koziol, CEO and founder at Infosec. “If employees aren't engaged in security training and best practices, it limits the security team's ability to effectively mitigate security threats. Understanding where your security culture is today is an essential first step to build an effective cyber security strategy.”

Quantifying the current state of security culture

To conduct the study, Infosec surveyed over 1,000 professionals across dozens of industries to measure employee attitudes and perceptions towards cyber security and the organization’s security practices among five cyber security culture domains (confidence, engagement, outcomes, responsibility, trust).

Results revealed unique cultural strengths and weaknesses based on respondents’ organization size, department, and industry. Large organizations with 50,000+ employees, IT and security departments, and law firms and legal services reported the strongest cyber security cultures, while small organizations with fewer than 100 employees, distribution departments, and agriculture reported the weakest.

Other key findings on employee attitudes and perceptions around cyber security include:

Organizations of all sizes can use the findings included in the report as a reference point for their own cyber security culture or to focus their efforts on specific departments or cyber security culture domains.

To obtain the full Cybersecurity Culture—Quantified report, click here.