As I escorted him to his desk I became conscious that everyone was looking at me. I did all the usual self-checks of fly, food on face and freaky hair but came up negative on all counts. When someone had tailgated me through a secure door I had challenged them. Rather than leave them outside when they didn’t have their pass with them, I offered to walk them to their desk. I found his manager, who told me with an expression more serious than a budget facelift: ‘Yes, of course he works here – he’s hardly here for the view’. What I had encountered amongst the engineers at this small satellite office was a very different security culture from what I was used to with my head office, ivory tower view of the world. The culture that I had encountered worked on high levels of trust. They all trusted Dave so couldn’t understand why I didn’t (even though I’d never met him). I was less than a block from the head office of this organisation and yet the security culture was completely different. For me, the experience was an eye opener: effort is needed to understand not just whether people are following security policy but the extent to which policy is reflected in security culture.
I’ve been struggling with the idea of security awareness lately. Not only has the security awareness brand been tarnished by people’s bad experiences, but awareness also has a weak relationship to behaviour. There are plenty of risks that people are aware of, yet their risk-taking behaviour continues. In some ways, it makes more sense to start talking about security culture, since it encapsulates a powerful behavioural component driven by the promotion of conformity.
So what do we mean by culture? Culture is a set of shared values and habits (‘how things are done around here’) exhibited by individuals as part of their allegiance to a group. Values and habits evolve over time and tend to converge to a stable equilibrium. Culture is very much the product of an evolutionary process in which organisations experiment to find out what works and then stick with it. Some cultures evolve to be highly optimised for success, some are broadly successful and some actually hinder the goals of the organisation. Enron is a good example of a culture that became maladaptive and eventually caused catastrophe.
Cultural groups can be defined by many different factors, including geography, function or even ethnicity. It’s quite common in large organisations to have subcultures, say within Marketing, Sales or Engineering. Culture exists at three different levels and has often been described in terms of an iceberg metaphor. At the top, visible above the water, are the set of behaviours and artefacts which can be observed. Below those are the espoused values that people will give to justify their behaviour. At the very bottom, supporting and driving people’s conscious explanations and rationalisations, are a set of unconscious values. Usually they are so basic, so assumptive, that they don’t actually form part of conscious decision making. Many times a day when making decisions we automatically frame our choices by these unconscious values without realising it.
It’s very important to understand what security cultures exist in your organisation so you can identify unhealthy elements and change them. Are your users comfortable with reporting other users for suspected security breaches? Do they think that it’s ok to take work with them when they leave the organisation? Use interviews and surveys to find out what attitudes exist in your organisation. Once you have collected a large enough number of individual responses you’ll start to get a view of what security cultures exist in your organisation. How to change a security culture? That’s for next month.