Culture is often talked about as a factor that is crucial in creating successful organisations. But do we know what we mean? When we talk about culture we probably don’t mean Neolithic pottery styles or the palace rituals of imperial China. From a social-psychological point of view we are talking about the beliefs, values, and attitudes that predominate in a given group.
So when we talk of building a more effective cyber security culture, we are talking about moulding the beliefs, values and attitudes of users towards interacting with information technology. We focus on these, because all of these factors play a huge role in determining our behaviour – and it is often the user’s behaviour we need to change in order to reduce risks, and guard against cyber attackers. Ensuring users hold useful beliefs, values and attitudes towards cyber security, then, is crucial to whether a user reports that phishing link, or invests the time necessary to ensure strong password security – without them thinking anyone is constantly checking up on them.
Attitudes are thoughts and feelings. Beliefs are attitudes about what is true and false. You may train a user or increase their awareness. But if they believe that cyber security is something for the professionals to sort out, you may not see them act on this awareness or knowledge: after all, they have a day job to get on with, don’t they? Instilling a belief such as “I am a key part of my organisation’s cyber security defences” may drastically increase motivation to actually enact what they have learned.
Values are beliefs about what is morally correct. If we can instil values in users, not only that they are a crucial line of defence but that it is morally correct to act on this understanding, then we have most likely increased our organisational protection. So when your colleague reminds you to lock your terminal when away from the desk, they aren’t being a sanctimonious pedant. They are being a good citizen safeguarding your interests.
But moulding beliefs, values and attitudes is not solely – or even mostly – about making rational arguments. It involves incisive interventions harnessing what we know about how we humans are influenced – and is related to factors as wide-ranging as individual social and professional identity, incentives and sanctions, environmental stressors, social pressure and social norms, power, alienation – and a host more.
Is cyber security culture important to you? If we want to ensure users are our greatest line of defence and not our weakest link, it should be. Social machines is expert in baselining cyber security culture, identifying where the vulnerabilities lie, and working with our clients to strengthen these.