Build a Security Culture (2015)
CHAPTER 2: THE ELEMENTS OF SECURITY CULTURE
We will look at the elements that together make security culture: technology, policies/rules and people/competence, and how they work together to form culture.
Social behaviour, ideas and customs are to a large degree based upon rules. Some rules are written into laws, regulations and standards. Other rules, most of them in fact, are unwritten and come in the form of ethics, moral codes and our mutual ideas of what is acceptable behaviour in the different groups we belong to.
In this chapter I refer to all rules, laws, regulations, ethics, moral codes and so on as policies. To make it absolutely clear: policies in this context is more than just written policies in your organisation. In this context, policies comprise the written and unwritten rules that regulate our ideas, customs and social behaviours.
Technology is also a wide area. From the Mars Rover, to your phone and car, to the glasses some people use to help see - these are all technology. In this context, I will use the word technology to describe any tool - made or not - that we use in a determined way. A rock you use to crack open a coconut is considered technology by this definition. A club our forefathers used to go hunting, to protect themselves or to look cool is a tool. The bow and arrow is a tool.
Evidently, technology is a wide area, one that goes back to the origins of man. Interestingly, man is not the only one who uses tools to a means. Some birds use sticks, at least one type of octopus uses tools to get food and different kinds of apes use rocks to crack open nuts.
Technology is not only about tangible things like computers, cars, hammers and so on, but also models: mental models (patterns and schemas in our mind) as well as patterns, standards and models used as templates and starting points.
The third part of the triangle is people. It is people who use the technology, and it is people who form and inform the policies. The society you are brought up in determines your policies and your use of tools. As described in Chapter 1, social behaviour is learned behaviour. We can think of culture as competence, the knowledge and understanding of how to function properly in a social group. This competence includes how to use technology, and at least the basic rules of engagement in our society.
These three elements - People, Policies and Technology - give us perspectives to the world. The more we understand their formation and their continued interaction, the easier it is to understand how we can use them to build and maintain security culture.
Each of these elements directly impacts the other two. No matter where the change happens, the other two elements are changed too.
Imagine Thor. He lived in long-forgotten times, back when phones and cars and even horseback riding were unheard of. Thor learned from his mother that he could use a rock to crack open nuts. One day, Thor saw a small deer nearby and threw a rock at it. It was a lucky hit, and the deer fell to the ground, to the amazement of Thor’s tribe. Soon after, every member of the tribe started experimenting with throwing rocks, sticks and so on at animals.
Thor took a known technology, the rock, and repurposed it to do something new. In modern language we call this innovation. Back then, they were just happy to eat fresh meat.
This example shows us how people can use technology, and through their use, create new opportunities. It is similar to what Apple did with the iPod: MP3 players already let you store your whole collection of CDs on the device, but what did not exist was a commercially viable ecosystem for the sale and distribution of electronic music - from artists to consumer in one easy step.
Another example is the development of firewalls from its initial start as a port master, into highly advanced filtering devices capable of looking for malicious content during transit.
Let us go back to Thor.
As the use of throwing rocks grew, another tribal member threw a large rock at a fellow tribe member, killing him. The rock had changed from nut cracker, to a hunting tool, and finally a murder weapon.
At this point, the tribe had to consider the use of the rock. Some folks advocated the need to only accept the rock as a nut cracker, whereas the hunters argued strongly that the need for fresh meat meant they should be allowed to continue using the rock too. After many talks, discussion and debate, the tribe finally agreed that rocks, and any similar tools, were only allowed to be used as intended, in this case crushing nuts and hunting food, but not to kill people.
Everyone rejoiced and the party lasted for many days.
For the tribe, and for mankind, this was one of the first formal policies adopted. The policy was created based on how people used the technology: the policy was initiated by technology. Throughout history we see the same scenario: a technological innovation enables both positive (hunting for food) and negative (killing tribe members) possibilities. As we learn of the consequences, we adapt our social behaviour, customs and ideas and form policies. Some are written, and some are not.
You can of course substitute Thor’s rock with any other tool ever used by mankind. The point remains the same: the use of tools is regulated by our ideas, customs and social behaviours, which are strongly informed by policies.
Just as technology creates policies, policies can create technology. By creating standards and regulatory laws, our lawmakers not only can change how we use a particular technology but also require us to come up with new technology. One example is the environmental regulations in California, demanding a steep reduction in car emissions. Similar acts are enforced in the EU too. When these regulations were made into law, low-emission car engine technology was not available, and the global car industry was forced into creating new technology. A number of innovations were made in a relatively short period of time - from hybrid electric cars to fuel additives.
Similar examples apply to other industries. Anti-pollution regulations have been enforced in most of Europe and North America, providing a large number of innovations10.
The general consensus in the western world that the death toll from traffic accidents is way too high, has resulted in new policies about speed, safety and driving behaviour. These in turn have led to a number of security-related innovations: streetlights, physically separated driving lanes, airbags, electronic monitoring and alerts, and distance meters to name but a few. Without policies, many of these innovations may not have been around.
In security, we also see how policies spur innovation. Privacy regulations in Europe, and increasingly around the world, create new technology: assessment tools to see how “our system” compares to the regulation, forget-me tools to allow people to be forgotten by the system, information security management systems to monitor and control our implementation of privacy controls, and so on.
Just like Thor’s tribe mate who forced a policy change, technology and our use of it forces changes in our policies. The changes in the policies then change the way people use technology, and it also may change the technology itself as we have just seen.
Since culture is defined as the ideas, customs and social behaviours of a particular people or group, we now understand that our surroundings are important factors to consider when we want to work with security culture. Although changing only one part of the triangle will change culture, it makes sense to analyse just how that change will impact the other two. It also makes sense to set out to use all three elements: when implementing a new policy, make sure you teach the people in your organisation to understand the change and the reason for it, and use technology to help enforce the change.
In the next chapter I take a closer look at security awareness, and how it relates to security culture.
10 Since the introduction of modern anti-pollution regulations, for instance, we’ve seen an astonishing increase in green technologies, including more efficient solar cells, whole windfarms, more powerful electric and hybrid cars, and so on. Even traditionally non-green technologies like car engines have improved efficiency in order to compete as a ‘greener alternative’.