#RSAC
Kai Roer
How Measuring Security Culture Is Different from Counting Employees
SDS-F03
Founder and CEO, CLTRe - the Yardstick of Culture - https://get.clt.re | @kairoer
The speaker: Kai Roer
CEO & Founder, CLTRe
Creator of the Security Culture Framework
Ron Knode Service Award, Fellow at the National Cybersecurity Institute (USA)
Bestselling author. Columnist, Help-Net Security. Columnist, Infosec Magazine. Expert panelist, keynote speaker, blogger, conference speaker in more than 40 countries on 4 continents, guest lecturer, radio and TV, consulting organisations worldwide, 20+ years of experience in IT, security, leadership and communication.
Psychology at the University of Oslo. Culture builder.
Security Culture - definition
The ideas, customs and social behaviours that influence security.
The Security Culture Framework
Security Culture - vs Awareness
Attitudes
Cognition
Communication
Compliance
Behaviours
Responsibilities
Norms
Culture - how people are measured
Observation (anthropology)
Discourse analysis (sociology)
Experimentation (psychology)
Surveys and interviews (sociology, psychology)
People are also measured by: numbers, kg, cm, money, success, failures, family, network, relations, education, publications…
Vanity metrics - looking good on the surface
Completion rates
62% completion rate
873 employees attended training
4.5 of 5 star rating of awareness content
1400 employees (not) started program
Measuring what matters - meaningful data
Culture dimensions
Comparable data (compare across departments and business units; benchmark against industry sectors, countries and organization size)
Relevant data (behaviours, attitudes, compliance…)
Ultimately, measure behaviours
Sources can include logs and technical controls. Supplement with cultural metrics to allow a more complete picture.
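As an added example (not from the talk or from CLTRe), a short Python script that contrasts a vanity completion rate with per-department behavioural rates derived from constructed phishing-simulation log records, then checks each department against an assumed external benchmark; the department names, records and benchmark value are all made up for illustration.

```python
from collections import defaultdict

# Constructed sample data (not from the talk). Each training record is
# (employee, department, completed_training); each simulation record is
# (employee, department, outcome) as a phishing-simulation control might log it.
TRAINING_LOG = [
    ("e1", "finance", True),  ("e2", "finance", True),  ("e3", "finance", False),
    ("e4", "sales", True),    ("e5", "sales", True),    ("e6", "sales", True),
    ("e7", "it", True),       ("e8", "it", False),
]
PHISHING_LOG = [
    ("e1", "finance", "reported"), ("e2", "finance", "clicked"), ("e3", "finance", "reported"),
    ("e4", "sales", "clicked"),    ("e5", "sales", "clicked"),   ("e6", "sales", "ignored"),
    ("e7", "it", "reported"),      ("e8", "it", "reported"),
]


def completion_rate(training):
    """Vanity metric: share of employees who finished the programme."""
    done = sum(1 for _, _, completed in training if completed)
    return round(done / len(training), 2)


def behaviour_by_department(simulations):
    """Behavioural metric: per-department report and click rates from control logs."""
    counts = defaultdict(lambda: {"reported": 0, "clicked": 0, "ignored": 0, "total": 0})
    for _, dept, outcome in simulations:
        counts[dept][outcome] += 1
        counts[dept]["total"] += 1
    return {
        dept: {
            "report_rate": round(c["reported"] / c["total"], 2),
            "click_rate": round(c["clicked"] / c["total"], 2),
        }
        for dept, c in counts.items()
    }


def below_benchmark(behaviour, benchmark_report_rate):
    """Departments whose report rate falls under an external benchmark (comparable data)."""
    return sorted(d for d, m in behaviour.items() if m["report_rate"] < benchmark_report_rate)


if __name__ == "__main__":
    print("completion rate:", completion_rate(TRAINING_LOG))
    behaviour = behaviour_by_department(PHISHING_LOG)
    for dept, metrics in behaviour.items():
        print(dept, metrics)
    # Assumed benchmark: half of recipients report the simulated phish.
    print("below benchmark:", below_benchmark(behaviour, 0.5))
```

In the constructed data the sales department has 100% training completion yet reports nothing, which is the gap a completion rate alone hides.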
What now?
Next week you should:
Review how you measure security culture
In the first three months following this presentation you should:
Identify options for improving how you measure, for example by using the CLTRe Toolkit
Consider how better metrics can reduce risk and improve your security culture
Within six months you should:
Select a method / tool to measure security culture
Implement the selected method / tool
Thanks! @kairoer | https://roer.com | [email protected]