Paul Wood
Problem statement
Internal and external threats to an organisation's people and assets exist which pose a risk to its current and future states. The behaviour of an organisation's own partners may increase this risk.
Issue
The lack of an effective security regime in support of an Insider Threat programme and framework is often evident in cases of insider activity. A good security culture is an essential component of a robust protective security regime and helps to mitigate against both insider threats (leaks) and external threats (including state and non-state led espionage).
The behaviour of every single partner within an organisation is essential to security and resilience. With security being based on a convergence of people, process and technology, we should consider ways of positively influencing all three areas, in an inclusive and balanced way. We should identify appropriate ways of influencing the people aspect by encouraging positive change within the attitudes and behaviours of partners, designed to increase security-mindedness and vigilance across a workforce. Over time, measurable adjustments in the predominating attitudes and behaviours that characterise an organisation will be observed, indicating the development of a positive and robust security culture.
What an effective Security Culture programme should do
Physical and information security measures can only go so far to mitigate security threats. All of an organisation's partners must behave in the right way to optimise the effectiveness of security designs. Vigilant and security-mindful partners can in themselves act as a protective measure, playing a significant role in the detection, deterrence and prevention of potential security threats.
While we may all recognise the important role that people play in a protective security system, encouraging partners to be consistently mindful and security conscious can be challenging. To help counter this, an effective Security Culture Programme should be designed to influence behaviours in a way that is appropriate to the context within which an organisation operates and within the nuanced contexts of the different global regions and business areas that it covers. A Security Culture Programme should be based upon some key principles and supported by the latest research and thinking, to help ensure that the right combination of interventions is in place to encourage partners to play their part in the protective security picture.
Before engaging with teams or locations, an organisation should aim to ensure that everyone has a clear understanding of the security behaviours it desires from its partners. This consultation phase will gather some information through asking a series of questions:
- What assets require protection?
- What security threats are we currently facing?
- What level of security risk are we exposed to?
- What is our security risk appetite?
- What level of protective security do we think is proportionate?
An effective Security Culture Programme can draw upon Protection Motivation Theory, the COM-B model of behaviour change, academic research and experience in the practical application of security behaviour programmes. The resulting framework can be applied to behaviours within both built and digital environments. It relates both to behaviours associated with activities, such as asset protection, pass wearing, locking computers and escorting visitors, and to behavioural style, such as accepting and complying with policies, or questioning and adapting security practices to something that better suits the needs of the individual. An effective Security Culture Programme can adopt the 5 E's proposed by the UK's National Protective Security Authority to improve and embed positive security behaviours: Educate, Enable, Environment, Encourage, Evaluate and Endorse.
Educate:
Partners are more likely to adopt the required behaviours when they are informed of the susceptibility to threats (both their own and an organisation's susceptibility) and the severity of the consequences.
This can be achieved by:
• Educating partners on their susceptibility to security threats given where they work, e.g.
  - What threat actors are interested in an organisation and its partners?
  - How might, or do, they target it?
  - What assets are they most interested in?
• Educating partners on why these threats matter to an organisation, e.g.
  - How do they impact on its ability to deliver core work?
  - What harmful implications are there to its people, assets and reputation?
• Educating partners on the benefits to them of demonstrating positive security behaviours, e.g.
  - What are the positive benefits in relation to their role?
  - What are the possible negative consequences or penalties for them if they do not adopt the behaviours?
  - What benefits apply outside of work, such as to their personal life or family?
An effective Security Culture Programme can provide this through:
- Providing threat updates on a security culture hub page
- Regularly posting articles on a security culture hub page
- Signposting partners to further security training and services
- Delivering interactive security events
- Management briefings
An organisation can provide this through:
- Aligning security to core business goals
- Developing appropriate role profiles or job descriptions
- Performance appraisals
Enable:
Enabling partners to demonstrate the behaviours being asked of them.
If partners aren’t provided with the appropriate information, training, advice and support they may not know what security behaviours are expected of them, how to do these, or have the necessary confidence to demonstrate them.
This can be achieved by:
• Explaining to partners what security behaviours are expected of them, e.g.
  - What does good security behaviour look like?
  - What does poor security behaviour look like?
  - What security behaviours are expected in different roles, buildings or work areas?
• Equipping partners with the knowledge and skills so they feel capable and confident in demonstrating the security behaviours, e.g.
  - What do partners need to know to be able to perform the behaviours?
  - What skills do they need to have?
  - Are all partners confident in enacting the behaviours, or does it vary by demographics, roles or business areas?
An effective Security Culture Programme can provide this through:
- Security behaviour hand-outs or booklets
- Ongoing security culture briefs and mandatory training
- Role-specific security training
- Security events
- E-learning
An organisation can provide this through:
- Knowledge checks
- Role profiles or job descriptions
- 1:1 mentoring or buddying
Environment:
Shaping the environment to enable partners to demonstrate the desired security behaviours easily.
This is about ensuring that partners have the resources they need (e.g. equipment, materials, people), the physical opportunity (e.g. space, time, access) and the social opportunity (e.g. peer pressure, leadership, support) to demonstrate the behaviours. If partners perceive that there are too many hurdles or barriers to applying the behaviours in a practical setting, they will be less likely to do so.
This can be achieved by:
• Developing a physical work environment where security behaviours are easy to do, e.g.
  - Are security processes and procedures simple to follow?
  - Is security-related information easy to find and digest?
  - Do partners have the tools and equipment needed?
  - Are the systems, processes and technology making security easy or cumbersome?
  - Is there sufficient time in the day for security?
  - Are there prompts and reminders to help?
• Developing a social environment where doing security the right way is valued, respected and seen as the norm, e.g.
  - Do managers lead by example?
  - Do peers support one another with security tasks?
  - Will partners challenge one another on poor security?
  - Do organisational processes, systems and activities promote and reinforce good security practice?
An effective Security Culture Programme can provide this through:
- Induction activities
- Training activities
- Reporting processes
- Leadership briefings
- Posters
- Reminders
- Managers leading by example
An organisation can provide this through:
- Redesigning security policies
- Redesigning IT systems
- Performance appraisals
- Workplace equipment
Encourage:
Providing feedback to partners to encourage the desired action and discourage the undesired action.
This is absolutely key to sustaining security behaviours in the workplace. If partners receive little or no feedback when trying a new behaviour, or they associate the behaviour with a negative experience, they may be less likely to perform the behaviour again. This can mean that any observed improvement in security behaviour is short lived and will subside over time.
This can be achieved by:
• Providing partners with feedback on their security behaviours, e.g.
  - Is feedback on security behaviour provided during performance appraisals and team meetings?
  - Are partners encouraged to learn from their own and others' security actions?
  - Are corporate communications used to report on and praise good security practice and address poor performance or mistakes?
• Providing tangible and/or intangible incentives, e.g.
  - Are partners thanked for reporting a security concern or incident?
  - Is recognition provided by management for positive security behaviour?
  - Are there rewards or career benefits for adhering to good security practice?
  - Are there consequences and sanctions built into systems for partners who don't comply with important security policies and practices?
  - Is poor security behaviour visibly challenged and managed?
An effective Security Culture Programme can provide this through:
- Publishing blogs and articles on positive and negative security stories
- Intranet articles and case studies on how staff behaviour is impacting on the threat
An organisation can provide this through:
- Breach policies
- Soft and hard incentive schemes or programmes
- Acknowledgement and thank you messages
- Corporate communications on an organisation's security performance
Evaluate:
Evaluating the impact that the interventions have on partners' security behaviour.
An organisation can assess the extent to which the time, resources and costs involved have had a positive effect on protective security, and whether improvements or modifications in the approach are required. Any lessons that have been learned must then result in effective action so staff can see these have been made. This will help to ensure that future behaviour change activities remain current and valid, and that any changes in contextual factors are considered.
This can be achieved by:
• Assessing the results of a security culture assessment tool. The ERG TRUSTiN assessment tool has been designed to measure changes in the levels of security-mindedness and vigilance among partners.
• Identifying return on investment (ROI) and key performance indicators (KPIs) against which to evaluate progress. These may relate to security culture programme attendance, cornerstone training attendance, unauthorised disclosures and insider events.
• Developing a range of metrics over time. This may include quantitative measures of breach records, reports of suspicious activity, observational data or survey data.
An effective Security Culture Programme can provide this through:
- Staff surveys
- Intercept surveys
- Focus groups
- Security culture assessment tool
An organisation can provide this through:
- IT monitoring
- Breach records
- Observation studies
The benefits of an effective security culture include:
- Partners are engaged with, and take responsibility for, security issues;
- Levels of compliance with protective security measures increase;
- The risk of security incidents and breaches is reduced by encouraging partners to think and act in more security-conscious ways;
- Partners are more likely to report behaviours and activities of concern.
Endorsement
The effect of the Security Culture Programme will be augmented if it is perceived by partners to be endorsed by credible sources, which can include senior partners and champions.
The personal touch can help to make the messages meaningful and impactful to partners. Leaders can endorse the programme by releasing statements of endorsement in educational materials, by attending and being visible at events, by including it in senior-level communications to staff (e.g. briefings, newsletters), and by engaging in formal and informal conversations around the behaviours.
Implementation
This article provides a framework for embedding security behaviours and creating an environment that sustains these. A security culture assessment tool, feedback tools and data generated by the Unauthorised Disclosure programmes will provide a measure of the change in partner behaviours. Support via working groups containing Executive Sponsorship and representation from across Physical Security, Information Security, commercial business departments, as well as programme support provided by business programmes & initiatives, governance, internal communications and employee engagement teams, is critical for the effective coordination of a Security Culture Programme. This is key to ensuring timely messages are communicated across an organisation as well as coordinating activities and providing clear lines of accountability. In addition, a Security Culture Programme should be supported by representatives from across an organisation, who have adopted the role of security culture champions.
The consistent adoption of the communications strategy and message, encouraging partners to "care" about each other and about an organisation's assets and reputation, will help an organisation to augment its protective security regime, which in time can support a holistic approach to improving its security and resilience posture.