In many organisations the management of cyber risk is improving, benefiting from better security tools and techniques and a more in-depth knowledge of the changing threats. However, there is increasingly a focus on the people who interact with digital technology, recognising that behind every tool and application there is a human who designs it, implements it or uses it.
It may feel more natural to focus on the ways humans can make things go wrong, but it’s worth considering the points at which humans are an essential part of the right outcome. A dramatic example would be when Captain Sully landed his plane safely on the Hudson River, mitigating the impact of double engine failure. A more common and recognisable example for businesses would be when an employee reports a phishing email and doesn’t click on a malicious link. In both cases the consequences of the ‘wrong’ action can be just as far-reaching. So what are the factors which make the ‘right’ action more likely?
Training is clearly an important factor and one which many organisations address first. But what about others? One factor the health and safety world has considered for some time is culture, and it is one which is being mentioned more and more in cyber security. Culture can be seen as difficult to define, measure and change, but simply put it’s ‘the way we do things around here’. Culture is also unique to every organisation. However, are there common elements within an organisation which mean the culture is more cyber secure? What does a good culture for cyber security look like? And what difference can a strong culture really make?
These are difficult questions to answer, particularly as there are few case studies and little evidence. However, there are parallels with safety culture, and here there is evidence. During the ‘Big Build’ for the London 2012 Olympics, culture was a key part of the focus on health and safety. The health and safety practices used to develop the strong safety culture during the project were not found to be unusual; the key difference was the embedding of the desired health and safety behaviours and attitudes through leadership and staff engagement. How can this knowledge benefit cyber security? For a start we should challenge ourselves to:
- Understand what security behaviours and attitudes are needed
- Reinforce the desired behaviours and attitudes with tailored initiatives engaging leadership and staff
- Foster trust and belief in the organisation’s commitment to the behaviours and attitudes through consistency of message over time
The outcome of the ‘Big Build’ was an accident frequency rate of less than a third of the construction industry average, and also less than the HSE ‘all industry’ average. There were also no work-related fatalities. Mean scores of culture measurements, taken from the responses to 10,000 safety climate questionnaires completed during the build, were the highest across the ‘all industry’ data set at the time, indicating a more positive safety culture.
Measuring the impact of a strong culture in cyber security may not be as easy as in health and safety, but when benefits such as reduced cyber security incidents and breaches are considered, shouldn’t we all be working on our security culture?