Build a Security Culture (2015)


In this chapter, we take a look at one of the important psychological mechanisms in humans: groups and social interaction. Learn how to use in-groups to build trust.

A key to success with building and maintaining good (security) culture is to understand that people are different, and that you need to adapt your efforts to their needs, backgrounds and knowledge. Successful security culture is built by security professionals who know their own strengths and include relevant personnel and competence from across their organisation.

One of the challenges of our human mind is how we are hardwired to relate to and interact with other individuals.[18] We are, as a species, social creatures, designed to live in groups. Research in psychology strongly suggests that our grouping behaviour is built into our basic functions. We humans cannot survive alone; we rely on our group to feed us, to teach us and to support us. You can observe this need easily in babies and small children: they would not survive without parents or other grown-ups to feed and care for them.

What is interesting from the perspective of building and maintaining security culture is that as we grow up, we rely as much, perhaps even more, on groups. These groups come in different shapes and sizes, and form inter-group relationships. All human beings belong to a number of groups: your family, your extended family, the school you attended, the sports team you support, your workplace and so on. The groups we belong to are referred to as in-groups in psychology.[19]

There is an even larger number of groups that we do not belong to. Examples include families other than your own, people in a different workplace, supporters of sports teams you do not support, political groups, as well as cities and countries around the world. Groups we do not belong to are referred to as out-groups in psychology.[20]

Based on in- and out-groups, we can look at how we interact inside our groups, and how we treat people who are not from our own groups.[21]

Think about your workplace. There are a number of people working there. The organisation where you work is an in-group for everyone who works there. All your colleagues, across the organisation, share the same in-group. The larger your organisation, the more complex it becomes, and the more likely it is that smaller groups of people form: workgroups, teams, departments, locations and so on. Each member of these subgroups shares the common in-group of the organisation, and they create new in-groups based on the new subgroup.

To use an example: you and your team, and everyone else in your organisation, form one in-group: the employer. You and your team are also members of a subgroup of that group: your department. Everyone inside your department shares this in-group with you, and no-one else in your organisation does. Your department becomes an in-group, and every other department becomes an out-group. And for all the other departments in your organisation, your department is an out-group: you are not with them, you are an outsider, possibly even an enemy.

You can continue to create subgroups inside the department, and you will see that every team, project and group of people forms and takes part in a number of different in-groups and, consequently, is considered a member of numerous out-groups.

Forming groups is a very good strategy for creating greater results than can be achieved alone, a strategy seen in many other creatures. To make groups effective, each individual is required to give up some of their own power and resources for the mutual benefit of the group. We pay our membership dues by agreeing to obey certain rules, to follow orders and so on. In return we are supported by the others, and defended from outside threats. This is sometimes referred to as a social contract.[22]

This outside threat is important. Any out-group is considered a potential threat, no matter how weak we consider the group to be. Also, no matter how weak our affiliation is with our in-group, our mind is biased when meeting and dealing with people who are not members of our in-group. It’s almost like we automatically jump into the trenches and start firing at anything they say or do.

Understanding how strong our social bonding is when it comes to our ability to connect with others will help us to change our behaviours when we meet with and try to engage people in our out-groups. It also helps us understand why some groups of people are difficult to connect and bond with. As the security professional, it is part of your job to interact with all the different groups in your organisation. Realising that some of the difficulties you encounter with other people may be due to how the human mind is wired, and not about you personally, may help you do a better job.

With the backdrop of in-groups and out-groups, you are now ready to figure out how to handle the challenges created by these social bonds. Knowing that each department forms an in-group, effectively enforcing hostility towards anyone not in that department, will help you come up with a strategy of using social contracts and group membership to build security culture.

Knowing about in-groups, and the biases we have, points towards a solution: make yourself and them members of the same group, turning on the in-group bias for all of you. The good news is that you already share one such in-group: your employer, the organisation you all work for. So, the first step towards building security culture is to create a strong company culture: a common ground for all the employees, an “us” mentality. Successful enterprises have used this knowledge for decades. Think of brands like Coca-Cola, IBM and Google. They all share one important thing: they have formed and cultivated a company-wide identity, forming an in-group of all the employees.

On the start-up scene you see the same strategy applied: by building a strong brand awareness, first internally, later externally, the employees feel a strong connection to the business. This connection creates a sense of purpose that enables the company to build a strong internal culture, an in-group that is used to tackle any challenge and struggle that comes their way.

Organisational culture is very often the responsibility of HR. Just like any other department, HR itself forms a subgroup, an in-group sharing all the properties of groups. You, the security professional, are most likely not part of their in-group. As you just learned, that means you are more likely to be met with suspicion and hostility when approaching them. Remember that this is not a deliberate attitude, it is a bias all human beings succumb to.

In organisations without a strong corporate identity, there is a likelihood of compartmentalisation: departments, and possibly teams, have formed their own strong in-group cultures, trumping that of the organisation. In such organisations, all the in-group biases are being enforced, creating a culture of suspicion, hostility and resistance to change.[23]

Working with HR is key to successfully building and maintaining security culture. Your ultimate goal should be to incorporate security culture as a part of the organisational culture: you want security culture to be a natural part of the culture in your organisation.

If you do not already have a good relationship with HR, this is the time to start. Using what you just read about groups, start bonding with HR. There are two main strategies to apply:

1. Create a strong company culture, where everybody pulls in the same direction.

2. Build a new subgroup, where you include people from the relevant groups you want to interact with.

Most of the time, you will find it easier to start with building a new subgroup, and leverage that to build organisation-wide change.

There are many tactics you can use to create new subgroups: you can appear at the coffee machine used by the group you want to influence, forming a new informal group; you can establish a new project involving people from the department(s) you want to influence, forming a formal group; you can combine these tactics in mixed-level interactions.

The Security Culture Framework impacts culture on several levels through the way it leverages in-group biases. Think of the core team as a cross-department group that forms a new in-group with a group mission to change the culture of the organisation. As the work progresses, this cross-department project builds new subgroups that create change in how things are done, effectively impacting the organisational culture. Each training that is completed by employees forms a new subgroup comprising the new competence and expected behaviour your core team set out to create.

Over time, with repeated messages across a number of channels, a new culture forms, replacing the existing one.[24]

Trying to change culture without understanding the force of group bias is very tough. You can use the power of groups to build support across departments, and to learn about particular challenges other groups face in their day-to-day jobs.

Fortunately, we are not supposed to do everything ourselves. We are social creatures, which enables us to reach out to others for help. The power of groups is profound.

As the Organisation module of the Security Culture Framework states, your core workgroup should include resources from HR and marketing in addition to security. Already, you have a new group that bridges the gap between three different departments. This group also makes it easier for you to succeed in your job, as it will likely introduce you to other security challenges these departments face.

If your resources allow for it, you can also include other people in your core group. Another way to use the group bias to build your success is to set up specific taskforces.

Imagine a department that is especially challenging with how they treat you and security. They have formed a strong, negative opinion towards the services you provide, and do their best to figure out how to avoid your involvement in their systems and policies.

You have tried to reason with them, and you have tried to apply the organisational-wide policies. This department is not paying attention, and instead they are doing what they can to sabotage your security efforts. You are quickly running out of options.

This is a common situation. Often our gut response is aggression - and so is theirs. Aggression creates rigid boundaries: the trenches form and dialogue stops. Instead of working towards a common good, we find ourselves fighting.

It is hard to change this response, which is a manifestation of group bias, yet it is our responsibility to solve these fights for the good of the organisation. Again, the best strategy to apply relies on forming new in-groups. Groups you can use to establish communication, through which you can form an understanding of their side of the story. Groups you should use to build trust.

You may have to take it slow, and accept their rejection: if the conflict has evolved into the trenches, building trust and communication may be time consuming.[25] Your first steps should be to establish a common ground, where you invite the other party to discuss their perspective. Do not object, and avoid judgement. Let them talk. Make them talk. Make them commit to one thing only: agree to meet again!

What you just did was to form a new group. A group you are a member of. A group where both parties participate and where you are all together. Use this group to form a strong group identity, an identity you can leverage later in the process.

Understanding group bias, and how we all succumb to it, will make you better at building and maintaining security culture. Your ultimate goal is to build a company-wide security culture. As you have seen in this chapter, some of that work must be done through the active use of groups and projects. Build trust and relationships on all levels throughout your organisation. Ask for help, ideas and feedback. Most people will gladly talk to you and share insights. And those bonds you make walking and talking are new groups: in-groups that give you the power to create better culture and easier change.

People who like you consider you part of one or more of their in-groups. The group bias tells us that members of our groups are more likely to help us. Reach out to them!

In the next chapter, you will learn about measuring culture and how you can see behaviour in your own systems.

The story of non-functioning awareness

John, the CISO of a large, multinational bank in Europe, had a mounting feeling that he had forgotten something. He looked through his pockets, found his keys, his smartphone, a few coins and his access card. Everything was present. He sat in his office to read the threat reports he received from the computer emergency response team every morning, and everything seemed fine. John asked his colleague Peter for an update on the progress of the rollout of the latest patch for the online banking security system.

The phone rang as Peter entered John’s office to update his boss. There was a blink of panic in John’s eyes as he suddenly remembered what he had forgotten: a sales meeting with the awareness training provider they had used the past two years. He picked up the phone, listened and said, “Yes, thanks, I will be right down.”

Peter smiled, shook his head and said, “John, you really should take some time off! You could use it!”

John smiled back and replied, “Right, you know what this job is like. When was the last time you took some time off?” before he rushed out of his office.

A few minutes later, he had installed himself and Sheila, the salesperson he loved for her easy answers and great service, in one of the meeting rooms with windows overlooking the city far below. Sheila asked if he had had the time to consider what kind of awareness focus the bank needed this year, and was not surprised when he admitted that he had not looked into that yet. She pulled out a glossy brochure, and told him all about their latest offering. John did not notice anything new since last year, except a possible change in the colours. Or perhaps it was the same ones. He could not tell.

Later that day, John was back at his desk wondering if he had made the right choice when he just reordered the same training programme from Sheila that he had used the past three years. According to Sheila, there were some additions to the training programme to reflect the recent password breaches and the new spear phishing attacks. When asked how he could measure the success of the programme, his training vendor offered a number of metrics:

• Total number of trainings distributed.

• Total number of trainings opened.

• Total number of successfully completed trainings (here, John wondered if this was just a record of everyone who had clicked through the slides).

John had the metrics from earlier years, and Sheila said they looked ok. What nagged John was that even with trainings every year, the number of breaches was on the rise. His security metrics showed a trend towards more people clicking on phishing links, and an increasing amount of malware being detected in the bank’s systems. Were the metrics the training company provided simply wrong? Did they show something else? What do the present metrics really tell me, John pondered. After some reflection, John realised he needed help.

The challenge John had is one we see with many security awareness programs - vanity metrics, a term coined by Eric Ries in his book The Lean Startup. Vanity metrics are numbers, reports and statistics that seemingly provide value, but on closer inspection don’t give us any information that we can use to analyse what we set out to understand. Vanity metrics are just nice numbers, with little or no meaning. In other words, the numbers John got from his training supplier had no meaning by themselves; they did not give him any information about the change in behaviour that the trainings were supposed to produce. To solve this challenge, John had to come up with metrics that would give him real information that was relevant and on target.

We devised a plan where John first had to define a set of target behaviours he wanted in the employees. Next, we had to translate those behaviours into something he could measure on his computer systems and networks. Finally, he had to set up a baseline metric, using the measures defined, so he could compare the results of his security awareness program.

By following this plan, John decided that he wanted to focus on one behaviour only, a wise choice if resources are limited or you are setting out to do something new. The behaviour he chose was phishing detection and avoidance. Later, he also added what he called “Safe Rescue” to his behaviours: employees whose computers had been breached would promptly turn to the information and communications technology support with their computer, to have it assessed and cleaned. He named this particular behaviour Safe Rescue because he realised how important it was for employees to feel safe and secure in the handling of a successful phishing attack.

Now that John knew what behaviour he wanted to change, he could look at how to measure that particular behaviour. Using his team and their technical knowledge, they identified existing systems and logs they could use to collect the number of incoming phishing attempts. A challenge they faced was how to measure successful phishing attacks. They decided to use the number of compromised systems, and to treat 10% of compromised computers as due to successful phishing. That definition allowed them to measure the change in compromised systems, and use the fluctuation as an indicator of successful phishing.

John and his team came to the understanding that most compromised systems were not reported by the user, and made the hypothesis that people were afraid of reporting a successful phishing attack - people were not willing to accept and report that they had clicked on a malicious link, or opened a bad attachment. This is when John added Safe Rescue to his behaviour target. He realised that he needed two things: a metric of actually compromised systems from phishing, and users who were not afraid of reporting a compromised system. The former would help him better understand his metrics and provide better reports to management. The latter would create a culture where compromised computers were quickly reported and managed, effectively increasing the overall security of the bank. He also realised that users who approached support with their compromised systems would create a metric that he could use to learn of trends in phishing as well as measure users’ behaviour.

With the target behaviours defined, John could use the metrics he had devised to create a baseline. And that is what he did.
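The measurement plan above (define the behaviour, translate it into signals you can collect, set a baseline and compare later periods against it), as an added example that is not from the book or its author: a small Python script that computes John's two behaviour metrics, phishing avoidance and Safe Rescue reporting, from constructed log lines. The log format, hostnames and period dates are assumptions; the 10% share of compromised machines attributed to phishing is the chapter's own working figure.

```python
"""Behaviour metrics for a phishing-awareness programme (added example).

Turns two target behaviours, phishing avoidance and "Safe Rescue" reporting,
into numbers computed from log lines, then compares a later period against
a baseline. The log format and hostnames below are constructed; the 10%
figure is the working assumption the chapter describes the team adopting.
"""
import re

# Share of compromised machines the team attributed to successful phishing.
PHISHING_SHARE = 0.10

# Constructed sample logs. Each line: <ISO date> <source> <event> host=<name>
# Sources: mailgw (phishing mail detected), av (host compromise detected),
# helpdesk (user brought the machine in: the "Safe Rescue" behaviour).
SAMPLE_LOG = """\
2015-01-05 mailgw phish_blocked host=ws-017
2015-01-05 mailgw phish_blocked host=ws-102
2015-01-06 av compromise host=ws-017
2015-01-07 av compromise host=ws-044
2015-01-07 helpdesk user_report host=ws-017
2015-01-08 mailgw phish_blocked host=ws-031
2015-01-09 av compromise host=ws-031
2015-03-02 mailgw phish_blocked host=ws-017
2015-03-02 mailgw phish_blocked host=ws-058
2015-03-03 av compromise host=ws-058
2015-03-03 helpdesk user_report host=ws-058
2015-03-04 av compromise host=ws-044
2015-03-04 helpdesk user_report host=ws-044
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<src>\w+) (?P<event>\w+) host=(?P<host>\S+)$"
)


def behaviour_metrics(log_text, start, end):
    """Count the behaviour signals for one period [start, end] (ISO dates)."""
    attempts = 0
    compromised, reported = set(), set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not (start <= m["date"] <= end):
            continue  # malformed line, or outside the measurement period
        if m["src"] == "mailgw" and m["event"] == "phish_blocked":
            attempts += 1
        elif m["src"] == "av" and m["event"] == "compromise":
            compromised.add(m["host"])
        elif m["src"] == "helpdesk" and m["event"] == "user_report":
            reported.add(m["host"])
    reported &= compromised  # only count reports of real compromises
    n_comp = len(compromised)
    return {
        "phishing_attempts": attempts,
        "compromised_hosts": n_comp,
        "est_phishing_compromises": round(n_comp * PHISHING_SHARE, 2),
        "safe_rescue_reports": len(reported),
        "reporting_rate": (len(reported) / n_comp) if n_comp else 0.0,
    }


def compare_to_baseline(baseline, current):
    """Per-metric change against the baseline: what the training should move."""
    return {k: round(current[k] - baseline[k], 2) for k in baseline}


if __name__ == "__main__":
    base = behaviour_metrics(SAMPLE_LOG, "2015-01-01", "2015-01-31")
    after = behaviour_metrics(SAMPLE_LOG, "2015-03-01", "2015-03-31")
    print("baseline:", base)
    print("after:   ", after)
    print("delta:   ", compare_to_baseline(base, after))
```

A rising reporting rate with a flat or falling compromise count is the signal John was after; the vendor's "trainings opened" counts say nothing about either.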

[18] Group formation has long been studied in psychology and researchers generally recognise two in-built pressures that provide the impulse to form groups: social cohesion (interpersonal attraction drawing people together) and social identity (mutual identification of some social class, such as culture, employment, hobbies, and so on).

[19] Tajfel, Billig, Bundy and Flament, “Social categorization and intergroup behaviour”, 1971.

[20] Ibid.

[21] The infamous Stanford Prison Experiment clearly demonstrates how groups can be formed rapidly and coerced into applying significant pressure against out-groups.

[22] Social contract theory extends across a number of disciplines, including psychology, philosophy, political science and sociology, and describes an implicit agreement within a group that determines the rights and responsibilities of the group and its members. Notable writers on the topic include Thomas Hobbes, John Locke and Jean-Jacques Rousseau.

[23] Neville Symington identifies this form of conflict as a type of narcissism, describing “organizations so riven by narcissistic currents that [...] little creative work was done”. (Symington, Narcissism: A New Theory, 1993.)

[24] In sociology, this constant shifting of cultures and the movement of ideas and traits between cultures inevitably results in the development of new, distinct cultures. It does not describe the origin of a culture, in the sense that no culture springs up fully-formed - all cultures are adaptations of earlier cultures, and all cultures will inevitably change and become something else. (Wendy Griswold, Cultures and Societies in a Changing World, 1994.)

[25] There are a number of valid approaches and strategies for dealing with conflicts; for a more nuanced and detailed overview, conflict management theory offers a wide range of options applicable to almost any field or industry. The International Journal of Conflict Management provides a wealth of information and analysis of conflict management, and is published quarterly.