Blog post

Growing positive security cultures

Created:  18 Sep 2017
Updated:  18 Sep 2017
Author:  Emma W

Security culture, and how to improve it, is a hot topic for many UK organisations.

This is a good thing, because - I think we can all agree - healthy and positive security cultures actively contribute to supporting and enabling business. Poor security cultures can undermine the efforts of otherwise diligent staff.

The subject may be high profile at the moment but the fact remains: many employees across different kinds of organisations don't seem to feel they're part of positive workplace security cultures at the moment. Why is that, and what can we do about it?

In this post I will consider the function that organisational security cultures serve, why our common conceptions of security culture can be wrong, and how we can create, maintain and - crucially - improve security culture in our own organisations.


What is security culture?

Well, there is no single definition that works for everyone, in all circumstances (and that's ok). For now, we're considering how non-security specialists - you know, Normal People - tend to think about security culture. Ask Normal People what security culture means to them, and many will say that it's about the security decisions people make at work.

Imagine a situation where people:

  • always remember the things they are supposed to do for security,
  • always do those things, at the right times and in the right circumstances, and
  • prioritise doing things in secure ways when needed.

Many people would call that a 'strong security culture'.

Conversely, when people frequently skip vital security tasks, take risks and cut corners to get the job done, we have what is often called a 'poor security culture.'


Does a strong security culture always help the business?

Good question. From the list above, you might think that the stronger your security culture is, the stronger your business is. This is true - but only up to a point.

  • If people used all their brain power remembering things they are supposed to do for security, how would they do their actual jobs?
  • If they used all their time doing security related things, when would they do their actual jobs?
  • If they always prioritised doing things in secure ways, even when that stopped them doing their jobs...well, they couldn't do their actual jobs.

In business, it's crucial to balance the tensions between doing the job securely, and doing it at all.


How do we shape security culture?

In deciding what we think security culture is, most of us don't look far below the surface. We consider our own security knowledge and skills, our attitudes and our decisions. We examine our behaviour, and our relationships with others. We look at what others say and do, and from that we try and infer their thoughts (this is fraught with peril, by the way).

When thinking about how to change organisational security cultures, it's common for many of us to focus on these same superficial factors. Mostly we seek to increase knowledge, and shape attitudes and behaviour, by applying a fairly standard set of top-level, user-facing interventions. These fall under three broad headings: Awareness, Education and Training.

This top-level focus is a mistake. It’s looking only ‘skin deep’. It's a bit like a doctor trying to cure a fever with paracetamol, but missing the patient’s gangrenous leg, the actual source of infection and fever[1].

Just like the physician in our example, if we want to create a healthy, positive security culture, we first need to take a step back. We need to look at the systemic factors underlying the things people do day-to-day.

We also need to recognise that just as the doctor doesn't expect a patient to have advanced medical knowledge, as security professionals we can't expect everyone we meet to know everything we know about security. We have to meet them on their ground, and find solutions that help them in the ways they live their everyday lives.

If we don't do these things, superficial behaviour-change initiatives cannot lead to long-lasting, positive cultural change.


How are security cultures really created?

Organisational security culture is intertwined with general organisational culture. This is shaped by messages sent out – at all levels, consciously and unconsciously - about, “How we do things here”.

This means far more than just formal communications. People's ideas of "how we do things here" are created and informed by many more things than we commonly think about. These include:

  • Physical buildings: open plan, or private offices? Brightly coloured, or shades of grey? Staid and serious or bunting, bunting everywhere?
  • How we organise: rigid hierarchies and working processes, or fluid task-based teams?
  • What tools we use: clunky and unbending, or intuitive and fitting our needs?
  • How we talk to each other: can you go and perch on the boss's desk for a chat any time you like, or must you make an appointment with her PA three weeks in advance?
  • How we learn: most of us learn far more from our immediate colleagues than we ever do from formal training programmes. Do people around us normally follow the security rules and processes, or routinely ignore them?
  • What we do when things go wrong: rush around looking for someone to blame, or pitch in and fix things?

None of these things, individually, are right or wrong. Different approaches are needed for different situations. But these are the things that inform people’s real experiences at work. Official comms may only match the organisation’s aspirations and ideals, and this isn't always the same thing!

Campaigns aimed at changing security behaviour are likely to fail if they clash with people’s underlying knowledge of “how we do things here”. This is even more so if the security rules and practices involved don’t fit people's real needs.

Another complicating factor is that large organisations don't usually have just one, single security culture (any more than they have a single business culture). There can easily be several different cultures, existing side by side, in separate parts of the business. This is natural and inevitable, but it does mean it's very hard to identify and spread correct, useful security messages that apply to everyone in the organisation, and which everyone interprets in the same way.


How to make real changes

To improve your organisation's security culture, you must first hear and understand the messages your organisation sends out about "how we do things here".  You must also listen to the messages people are sending back, and demonstrate that you are paying attention to what you are told. Only then can you start to understand what really needs fixing in your business, and build the foundations of a strong, healthy security culture.

When you act, don't confine yourself to your usual ways of doing things. Consider trying new ideas, to engage and connect with employees in a different way. Normal People tend to think they know what to expect from Security. By giving them something different you can start to involve and engage people, and bring them along with you. This in itself, is the start of changing the conversation and kicking off a fresher, more positive security culture in your organisation.

The goal is to support users so they can do the right things without feeling they need to break the rules. Here are a few examples of common problems, and some ideas on how to put them right:


1. Tough choice

Organisation says: "Security is a critical enabler for our business. Security is very important to us".

Organisation does: Have a security manual that is long and detailed but rarely referred to day-to-day. Its rules conflict with what needs to be done in practice.

People hear: “Security and business demands don't actually match up, and business always wins. Security isn’t really that important here”.

How to improve: Look at where your security policies clash with common practice. Amend or abandon policies that no longer work. Give users reasonable ways to do their jobs. Let them tell you where security doesn't meet their needs - and then do something about it!

Where security requirements clash with business need, involve the right decision-makers in resolving the problem in a way that works for your business, but meets your organisation's overall risk appetite. This might mean making pragmatic compromises, or carrying extra risk for a period until you can put a better solution in place. Either way, the organisation should take the responsibility.

Don't leave your users stuck between a rock and a hard place: having to choose whether to follow the policy, or do their jobs.


2. Password juggler

Organisation says: “Our work is very important. We expect you to work hard and focus 100%. But Security is important too!”.

Organisation does: Expect users to juggle multiple complex passwords to log on, which they are not allowed to share or write down.

People hear: “We don’t know, or don’t care that humans can’t achieve this task. We have not invested in anything to cut the time you spend on authentication, or make it more secure, or make your lives easier. Security isn’t really that important here, and neither are you”.

How to improve: Recognise that people aren't computers. Tailor your expectations to what people can reasonably achieve. Examine your password practices and introduce better authentication solutions - look at our guidance for help.

If you keep finding passwords on post-it notes around the office, it doesn't mean your users are losers - it means your password policies aren't working for them.


3. Rules are rules

Organisation says: "You must know the rules, and obey them. If you break the rules, we will punish you. This is for your own good. Security is very important here".

Organisation does: Actively look for people who are breaking the rules, and punish them without considering why they broke the rules - even if the member of staff was trying to do the right thing, but couldn't find a permitted way to do it.

People hear: “We are keener on punishing you if we catch you out, than helping you to do things right in the first place. It's in your best interest to hide your rulebreaking from Security - don't let them get in the way of the job. Security isn’t really that important here.”

How to improve: Figure out why people are breaking the rules. This might mean gathering different incident data, in more detail than you have done previously. Decide what would help people to comply: Change the system? Change the rule? Educate the user?


The bottom line

If users think Security is there to catch them out, they won't come to you with their problems. They will do their best to hide their necessary shortcuts and workarounds.

If you don't know what your staff are doing, you can't assess or mitigate the risks. The result is much more hidden risk for your organisation. Fundamentally, security that doesn't work for people, doesn't work.


But I don't know where to start!

Don't panic.

You're not alone. This issue is one that many people and organisations struggle with. We'll be bringing out new guidance in the next few months, to help you start improving your organisation's security story - developing and maintaining positive security cultures that help your business to run more efficiently and effectively, as well as more securely.

I touched on a lot of these themes in my keynote presentation from CyberUK2017 - the Director's Cut is presented below.

Emma W

People-Centred Security Lead | Sociotechnical Security Group

[1] explains why training, education and awareness are important in security, but not enough by themselves.
David F - 09 Nov 2017
Emma W, have you considered bringing this insight to Cyber Security Students...who, from my experience, focus on the 'hardware' of security and not the people or culture that must be established first. People are, as you stated, always made out to be the weakest link in security...but can a Firewall balance finances or deal with sensitive human problems affecting performance? I agree, people are the most important security 'device' in an organisation and security must work for them...not them for security.
Catherine H, NCSC Academic Engagement Lead - 18 Feb 2018
You make an interesting point. I’ll assume you mean those doing a Bachelor’s or Master’s Degree in Cyber Security or similar. Some, not all, of our NCSC-Certified degrees consider to some degree the human and cultural aspects of cyber security, but you're right, the courses' focus is usually on the technical – because that’s what the market generally wants. Our experience is that students take such courses precisely because they're interested in cyber security's technical aspects, and are likely to become the future technical specialists. That doesn’t mean they shouldn’t have an appreciation of the human, social & cultural factors, but that is often not their skill set.

Over the last year, we've started to encourage our academic colleagues to take cyber security beyond the Computer Science building. Many tell me that they regularly speak to their Psychologist colleagues; in fact, that has become pretty much the norm. But my challenge to them has been to go and talk to their colleagues in the Management/Business School, or Engineering, or (even!) Modern Languages or Fine Art and to talk about what cyber security means in those contexts, so that they can find ways to help graduates of those courses understand what cyber security might mean for them and their future employers. And of course, the track runs both ways – what can those disciplines contribute back into Cyber Security education and research?

However, there is a big language and cultural divide. We need to find common ground and spend time understanding where our touch points could be and what each discipline brings to the cyber security party (bunting optional!). It is work in progress but if you’d like to help accelerate the thinking, you might like to talk to your local university and tell them that you’d like to see a different flavour of cyber security student coming out of their university. If enough of the market speaks out, there’s a good chance universities will rise to the challenge.
Mark Richards - 13 Jan 2018
Our industry is so used to I want, I get culture, that the idea we have to design, review and audit isn't happening.

Agile Software Development in typical practice, pushes us to do things without thinking properly. We sketch out an idea and evolve it as business demands, but that is often driven by profit and not compliance and risk management.

If you work in retail, you have to count the cash and check tills (30 mins, 1-3 staff each day in places I worked).
If you work in high end retail, you have to put high value items into the safe (most staff, up to an hour in my experience).
If you work in warehouses there are often rigorous safety measures in place to protect health and safety that involve all natures of processes, reporting and levels of responsibility.
If you work as an HGV driver, you have to check your vehicle daily.

Every industry has its regular tests, reporting and risk mitigation processes. We need them. Not only partial test coverage (most places?).

In software development, we leave things without review for weeks, months, dare I say years! (Wannacry, Equifax Struts, etc). In too many places I've worked, the servers have had fewer software updates than the laptops.

As an industry, software isn't unique, we don't "need" to be agile and run before we can walk. We need to open our eyes and realise that the theme of the problems we face (complex risk, adversaries, etc) everyone else faces (health and safety, thefts, etc).

Lastly, if an online business is in a bad shape (data protection mess, security vulnerabilities, etc) then require execs to shut it down (hours, days, weeks) or face prison. We do it for pest control, do it for insecure websites (exceptions for healthcare and infrastructure). Open doors again when they've fixed the mess.
Nicola B - 19 Jan 2018
Hi Mark, thanks for your comment. There certainly are examples of ineffective or lacking security practices within teams using all kinds of software development approaches. I think we should be careful though not to conflate how long something takes with how valuable it is. The retail examples you give seem like they could be automated with the right technology, if it made business sense. Similarly, when done well, agile can also give you opportunities to automate some repetitive security tests within a build pipeline, and should encourage other kinds of review/testing to be incorporated into the process at a sustainable pace. But all security and risk management activities should be undertaken to meet the business objectives, or (if applicable) regulation, not just for the sake of it.

Being agile isn’t about running before you can walk. It’s about starting to walk in one direction and then frequently checking you are still heading in the right direction for the current circumstances. You should get to your end goal sooner, but mainly because you didn’t take so many unnecessary detours along the way.

Sociotechnical Security Group

NCSC Communications Team - 05 Sep 2018
This blog is now closed to comments.