KnowBe4 defines security culture as the ideas, customs and social behaviours of an organisation that influence its security.
It lists seven dimensions as determining an organisation's security culture:
- Attitudes: The feelings and beliefs that employees have toward the security protocols and issues.
- Behaviours: The actions and activities of employees that have a direct or indirect impact on the security of the organization.
- Cognition: Employees’ understanding, knowledge and awareness of security issues and activities.
- Communication: The quality of communication channels to discuss security-related topics, promote a sense of belonging and provide support for security issues and incident reporting.
- Compliance: The knowledge of written security policies and the extent to which employees follow them.
- Norms: The knowledge of and adherence to unwritten rules of conduct in the organization.
- Responsibilities: How employees perceive their role as a critical factor in sustaining or endangering the security of the organization.
KnowBe4 Research developed what it called the security culture maturity model as part of its security culture report. The five maturity levels represent an organisation's security culture in relation to the likelihood of a breach and the cost of remediation.
The 2022 Security Culture Report noted that large organisations scored better than smaller organisations on the attitudes and behaviours dimensions of security culture, yet small organisations scored better on all other dimensions.
In Asia, security culture scores vary widely across nations. While Japan (76) is doing reasonably well, countries like Malaysia (66) and Indonesia (67) show an alarmingly low security culture index score.
It also noted that in Asia, organisational size is a smaller factor than in other regions. With the exception of medium organisations on the attitudes and behaviours dimensions, organisational size has little impact on security culture there.
“Security culture involves how people think about and approach a more secure environment and this report focuses on those key elements,” said Perry Carpenter, chief evangelist and strategy officer, KnowBe4.
He added that in the new trend data, which looked at security culture over the last two to three years, security culture has improved across regions and industries overall. This was the most promising finding from the research and emphasizes that security culture should be viewed as a critical asset used to reduce risk and improve security.
The report recommends continuous security awareness training and simulated phishing assessments, together with measurement tools, to build a stronger security culture.