BUILDING SECURITY CULTURE - Build a Security Culture (2015)

In this chapter we take a look at the Security Culture Framework, and explain how a methodology helps organisations develop and maintain good security culture.

Building and maintaining security culture is like any other process you manage: continuous, planned, controlled and audited. I am sure you are familiar with the PDCA (Plan, Do, Check, Act) flow of process management from the ISO/IEC and other standards. What you may not know is that the same pattern of planning, doing, checking the results and implementing necessary changes (act) also works well when it comes to working with people.

After many years of listening to frustrated security professionals who felt they had failed in building security awareness, I analysed what went wrong. I also wanted to see what successfully implemented programmes had in common. In my travels around the world, I spoke with a large number of security people in a wide variety of organisations of all sizes. Two things quickly became apparent:

1. There are more successful programmes than we realise.

2. The failures could be easily mended by changing the approach.

The first finding is important because it gives us hope, and proof, that building and maintaining security culture is possible, and may not require that much from us.

The second finding is important because it points us in the right direction: by changing the way we design and implement security awareness programmes, we too can be successful.

Next, I looked at what was being done. Again, I found fundamental differences:

• Successful programmes were designed and implemented in the organisation using resources from HR, marketing and communication in addition to the security officer (SO). They leveraged the different competences in the different fields of speciality to set up programmes that actually worked. They also had long-term perspectives, with clearly defined goals, milestones and metrics. And finally, they ran their programmes as projects within a process - following the PDCA cycle.

• Failed programmes came in two broad categories: those where the SO did everything himself, and those that focused only on checkbox compliance.

These findings made it easy to pinpoint the mistakes to avoid, and the best practices to share, and I could create the first iteration of the Security Culture Framework together with Lars Haug and Mo Amin.

The Security Culture Framework is free and open. You can find it at, and as with all free and open approaches, it gets better the more people join the discussion, sharing experiences and working on evolving the framework itself.

The Security Culture Framework consists of four parts, making a fully repeatable process. It targets large organisations, and its open and flexible structure makes it easy to adjust to any organisation and size. It is designed to help you organise your work with building and maintaining security culture, and will not replace any of your existing tools, suppliers or materials; you will still need those.

The framework was created to help set up and run your security culture programme - it is not a programme in itself.

The framework consists of four parts:

1. Metrics

2. Organisation

3. Topics

4. Planner.

Each of the parts is tied to the others, and they operate together to form a template of a security culture programme. Depending on where your organisation is today, the starting point is usually one of two: the Metrics, where you would define goals, or the Organisation, where you would set up your team. For the sake of simplicity, I run through each of the parts, and then walk you through one iteration of the programme, starting by setting up a team.

A security culture programme is the combined activities you do to build and maintain security culture in your organisation.

The Metrics part

The Metrics part of the framework helps you understand what you are setting out to do with your security culture programme.

In this part of the programme you will define your goals - long-term and short-term. You may have different kinds of goals - from specific results goals like “By the end of this year, we will have reduced the number of successful phishing attacks by 50%”, to learning goals like “By the end of this programme, the participant will demonstrate how to discover and avoid a phishing attempt.”

A question that I get from time to time is “Why do I need to set goals?” The quick answer is that a goal helps you understand where you are supposed to go.

Considering the two kinds of goals just mentioned, both focus on phishing, which helps you determine what kind of activities you should implement in your programme. The result goal tells you what you want to achieve in the metrics on your systems and reports: a 50% reduction of successful phishing attempts. A result goal used correctly will help you understand where you will find supporting data to document your progress towards your goal.

In this example, there may be a number of different sources in your current systems that can provide the metrics you need.

Another pointer that a result goal gives you is to understand your current situation. To reduce the number of successful phishing attempts by 50%, you need to know how many attempts are currently successful. You use the goal to help you understand where to find metrics that you can use to understand both your current status and your future status.

You may use this basic template to define result goals:

By …………………………………. (time/date)

we will have ……………………….………….. (reduced/eliminated/increased/created)

the ……………………………. (task/area/topic) by ……………. (#/%/days).

In the ISO/IEC 27000 series, the current state is defined as “as is”, and the future state is defined as “to be”. Since you are setting out to change the current state of your organisation, you need a clear understanding of both states. The Metrics module is your reminder to do just that.

The other kind of goal, the learning goal, is designed to help you consider what you want, or sometimes need, your participants to learn. The learning goal should be created to support your result goal, and is defined by asking yourself what participants need to know, do or understand to move from their current state into the state of your goal.

You can use the following basic template to define learning goals:

By the end of this………………………………… (training/course/programme)

the participant will …………………………......... (demonstrate/know/show/understand)

…………………………………………………… (topic/area of knowledge/skill).

Using SMART goals

When defining result goals for your security culture programme, I advise creating so-called SMART goals:

• Specific

• Measurable

• Achievable

• Realistic

• Timed.

SMART goals use a model that helps you create goals that are more likely to succeed. The model forces you to be as specific as you can, adding necessary detail and focus to your goal. By being measurable, a SMART goal helps you know when you have reached the goal. Achievable is a test to see if it is possible to do what you set out to do with the current resources available. Realistic is a quality control to remind you that we set out to do something for real; this is not a dream or a vision. Finally, a SMART goal should have a clearly defined deadline, so that you have something to help you plan towards, as well as a period in time where you can say “We did it!”

One of the challenges many security officers share is the need for more funding for their awareness programmes. Having clearly defined goals, backed by numbers that relate to the business, is a great help to communicate such needs. The Metrics part of the Security Culture Framework helps you better understand how to measure your progress, as well as document your results and needs. It also helps you pinpoint your area of focus, which in turn makes it easier to implement the right kind of activities in your programme.

The Organisation part

As just mentioned, one of the challenges faced by failed awareness programmes was the idea that “I have to do it all by myself.” This was in contrast to the successful programmes, which generally involved a larger team with a broad understanding of culture, training, communication and security.

The Organisation part of the Security Culture Framework helps you understand what kind of resources you need in the core security culture workgroup, as well as who else should be involved.

At a minimum, your core workgroup should have the following competencies on board:

• Security

• Communication

• Culture and training.

This often translates to someone from the security office, someone from marketing/communication and someone from HR. With the core competencies in place, you can start planning your programme.

In larger organisations you may want a steering committee that sponsors and governs the programme, and acts as the liaison between the programme and top-level management. In smaller organisations, you may report directly to the CEO, chief information officer (CIO) or CISO.

Depending on your chosen goals, you may also include other people in the workgroup. Competencies that often come in handy include:

• Training design/instructional design

• Graphic design

• Copywriting/editing

• Data analytics.

Some organisations have these resources internally, and others choose to buy external services.

One point to make is that the core workgroup requires security competence, but that does not mean that the SO must also be the group manager. One very efficient way to handle the workgroup is to use a project manager, or at the very least a project administrator to take the administration, meeting planning and so on off the shoulders of the SO. Remember that the SO’s primary role in the workgroup is to provide security competence and guidance, which is not the same as managing the group itself!

Another important aspect of the Organisation is the audience analysis section. People are different, with different interests and areas of focus. Departments are different - they come with different tasks, some of which attract people with special competence and different personality types. Organisations with multiple locations, including multinationals, may find that each location has its own particular subculture.

When you design, plan and implement your security culture programme you must understand the differences and similarities of these groups, so you can adapt your activities, goals and expectations to each of the target audiences.

Target audience is a term we borrow from marketing professionals for the group of people we aim our security culture activities at. Unlike what some awareness training companies may tell you, there is no such thing as “One Size Fits All” when it comes to training and communication. To reach your defined goals, you also need to understand what your audience is like, so you can adapt to their needs.

Using the phishing example from before: instead of running a generic phishing training campaign towards all the employees in your organisation, you may analyse who are the most likely targets and who are the most vulnerable targets, and come up with a list of top-level managers, key business developers, key engineers and a few others whom you consider the likelier targets for spear phishing attacks. Based on your list, you create two subgroups: Business Focus and Engineering Focus. Now you have two separate groups, with different characteristics.

The Business group consists of the top-level (and possibly key mid-level) managers plus the business developers, whereas the Engineering group consists of a selection of patent lawyers, key engineers and developers, plus perhaps their assistants.

At this point, it should become clear that although both groups are considered targets for spear phishing attacks and need training, the groups also differ in their interests, area of focus, knowledge and understanding.

Your conclusion should be to create two different campaigns, both with the same overall goal of reducing the total number of successful phishing attacks by 50%, but with different content and activities in each campaign to best communicate with the people in each group.

For the Business group, you may focus your example phishing attempts on relevant (and current) projects and business development topics. You may write the collateral in words that resonate with their area of focus. For the Engineering group, you will do the same, focusing on examples and words they can relate directly to.

You will reach your goals faster and more easily if you make learning quick and painless for your target audience. The more you know about your target audience, the easier it will be for you to adapt the message and content to their particular needs.

Knowing the area of focus and interest of all different target audiences may not be feasible. One strategy I see implemented with great success is to involve the target department or audience in the security culture workgroup for the particular goal. In the preceding example, you could invite someone from the Business target group to advise on what may or may not work in that group, and you could invite someone from the Engineering group to do the same for that target audience. By inviting your target audience into the planning of activities, you are also likely to learn about issues you did not know about, as well as building relations and bridges to people around your organisation who may become your sponsors and advocates.

The Topics part

So far, using the Security Culture Framework, we have defined one or several clear goals, we understand how to measure them, we have set up a workgroup to organise the programme and we know that we need to adapt our activities to the people we are training.

The next part of the Security Culture Framework is Topics. Building on your defined goal and your understanding of the target audience, the Topics are there to help you choose the kind of activities that ensure a successful security culture programme.

There are no limits to the kind of activities that can be used in building and maintaining culture, and this is where the marketing department may excel in creating content.

Marketing departments are usually well versed in communicating a message in a way that the target audience can relate to in a positive way. Let them go crazy with their creativity. Just a word of warning: marketing people usually know how to build great communication campaigns, but they may not understand security. You need to be in control of the overall message, and remind your creative allies what the goal is. One tip is to ask the following question: “How exactly is this activity taking us closer to the goal?” If you are happy with their answer, go with it. If not, you may want to follow up with “What can we change to align it to our goal?”

To help you get going with what can be used as activities, consider this list as a starting point:

• e-learning

• Nano-learning

• Classroom training

• Lunch & learn

• Breakfast sessions

• Demonstrations (live and recorded)

• Knowledge Pills

• Google Hangouts

• Question and answer sessions


• Gamification (done properly!)

• Posters

• Stickers

• Giveaways.

One of the challenges SOs face is to explain complex and abstract security issues in a way that people without the expertise can understand. Consider spear phishing as an example. How would you explain that to someone who doesn’t know what it is? What examples would you use? Which words, taxonomy and context would you use?

Most of us will focus on the terminology we know and use every day, without regard to the other person’s level of knowledge.

The same is true for the other areas of expertise in the world: most people will use words, concepts and context they can relate to, and they will think that you understand that without even asking. Your challenge is that you are the one who must adapt to their needs: at no point can you assume that a person who does not work in security will understand what you are talking about. Hiding behind the terminology of your industry only works against you by alienating your audience.

To help others understand your message, you can change the wording and use concepts and terminology they relate to and understand. You may also try to convey the message in an entirely different way, as Mo Amin [28] puts it:

“Awareness demonstrated is awareness achieved.”

For the preceding phishing example, you may set up a demonstration using equipment from your lab, and show in detail what is going on during an attack. Just remember to avoid the technical terms and instead focus on what is happening from a business point of view: a person clicks on the link and is taken to a hosted server that installs malware. Malware scans a computer for files of a particular type/name/date, and sends them to a different server.

This scenario is not very complicated to set up using a lab, and demonstrating the results can be done easily too: demonstrate that files of particular names/types are actually moved from the computer to the server without the person using the laptop knowing.

Just one word of warning: make sure you control the full environment, and let the person who is being taught use a lab computer, not their own.

This kind of demonstration does not require a large investment, and it can be done in a board meeting, in the hallway outside the lunchroom, in a coffee area or even virtually.

Similar demonstrations can show general malware, password strength, social media scraping and so much more. All it takes is a bit of planning.

Activities go better together. Combine a selection of three or more activities to have them support and strengthen the message you are creating. In our phishing example, you may consider presenting a series of short video lessons, an “Alert me” phone number to call if they suspect phishing, and perhaps a selection of stickers in addition to the phishing demonstrations.

It is important to remember that the activities you choose should be focused on the needs of the audience. Using your audience analysis in the Organisation module, you can determine the level of knowledge and interest of your target audience. Use that analysis to pick the kind of activities that will help your audience to understand and grow their competence.

The activities are also closely tied to your goals, as defined in the Topics module. Activities should be designed and implemented to help you reach your goals. One question you can use to assess how your chosen activity will help you reach your goal is:

“How will this activity help me reach my goal?”

Writing down your answer is important to keep control of your direction, and it also makes sense to keep that answer for later reference. The templates available at will help you to select your activities, and to ensure your selection will in fact help you reach your goals.

The Planner part

The fourth part of the Security Culture Framework is the Planner. The Planner is a selection of different ways to plan and execute your security culture programme, where three elements are vital:

1. When to run activities.

2. When to do measurements (metrics).

3. When to revise and assess your progress.

The Planner is not another planning tool like Microsoft Project. Instead, it is a description of what actions a security culture programme should consist of, and at what interval. Templates are downloadable at

One example of a security culture campaign is the Security Culture Framework 12-week campaign. The 12-week campaign is one full iteration of a security culture programme, run over the course of 12 weeks. The campaign is divided into three parts, following the Planner module:

Four weeks of metrics, followed by six weeks of activities, and then two weeks of measuring progress, analysing results and revising future actions.

A 12-week campaign may look like this:

• Set up team: get the core security culture team.

• Define main goal: set one main goal to work towards.

• Define subgoals: if desirable, define subgoals.

• Create baseline(s): using the goal metrics, collect data for the baseline (as is).

• Gap analysis: use the baseline data and the defined goal state to create a gap analysis.

• Select activities: brainstorm a selection of activities to close the gap.

• Source activities: create, develop or buy the activities chosen in the preceding step.

• Plan activities: plan when to execute each activity.

• Run activities: activities do not have to be run at the same time!

• Rerun baseline metric: do the same measure as in week 2, collecting new data.

• Analyse progress: use the gap analysis; baseline vs. new metric = progress, new metric vs. goal = new gap.

• Revise: consider your results and what you would do differently, and revise accordingly.

A note on the 12-week programme: this is a generic example, which you may have to change for your own needs. Some organisations need more time to run one iteration, and this is especially true in larger companies. You may have to adjust it to a six-month iteration, or even a 12-month cycle depending on your needs, your resources and the current culture.

The 12-week programme was designed as a bite-sized chunk. By creating a small, standardised approach, it becomes easy to set up and run security culture campaigns. This approach also helps you to keep your goals tangible, and to do small and efficient activities to build and maintain culture. Instead of a “Do it all” approach, the Security Culture Framework encourages you to take the small steps, each step building on the previous one, and steering you towards your overall goal of building and maintaining security culture.

Setting up your organisation to use the Security Culture Framework

With the basic knowledge of the Security Culture Framework, you are now ready to set up your organisation to use it to build and maintain security culture. You may use these steps to start.

• Set up your core security culture workgroup. Using the Organisation Module, set up your core team with one resource from the security office, one from HR and one from marketing or communications. If you do not have those resources internally, you may use external resources.

In addition to your core team, you should create support for your security culture programme by getting your CEO to sponsor it. One way to get top-tier sponsorship is to set up a steering committee where you involve the key players, and get their support.

• Define goals and scope. Defining a long-term goal is a good idea early on, as it will help you steer your activities in one direction. A long-term goal may be defined using the SMART method mentioned earlier, or it may be described as a vision. The purpose of a long-term, overarching goal is to remind you of the direction in which you are steering your organisation, and to help you prioritise and select milestones and subgoals. Use this long-term goal to define your scope, resource requirements and long-term strategy.

• When you have defined a long-term goal, it is time to break it into bite-sized chunks, or 12-week campaigns. Start with your first campaign, and decide on one or a few goals you want to achieve.

• Define your target audience. Considering your goal, who will benefit most in your organisation? Are there some departments, locations or groups that stand out as benefiting more than others?

• Analyse your target audience. Who are they? How do they prefer to communicate? What is their security knowledge? Use the template available at as well as the experience your marketing department has in analysing customer segments.

• Create baseline (as-is) measurement. Using your goal as a guiding light, decide how to measure your success, and create a baseline measurement to document your current status. Do a gap analysis to determine the difference between your baseline and your goal.

• Identify activities. Using your gap analysis, your defined goal(s) and your analysis of your target audience, you are ready to choose activities. Remember that learning activities come in a wide range - from classroom and e-learning sessions, to giveaways, posters and demos. Be creative, and allow yourself to try out different activities to see which gives the best results in any given setting and group. As long as you are confident that your activity is supporting your goal, you should be fine.

• Source activities. Now that you know what kinds of activities you want to use, it is time to either create them, buy them or download them. There are many suppliers of security training around, and approaching them with specific requirements of what you are looking for is a great way to help them supply you with exactly what you need. If you have in-house expertise, you may produce the content internally. If you do not have a budget, consider all the free sources of content available. For a growing list of suppliers, check out the community.

• Plan and run activities. In your planner, add the different activities, their start, duration and end times, and any comments you find relevant. Then run the activities as you planned and watch as your organisation learns.

• Measure results. After the activities have been run successfully, it is time to do your second measurement. Using the same data source and method as you used to create your baseline metrics, collect the new status. If your activities were implemented successfully, you should notice differences between the baseline and the new metric. If you don’t, there is no need to panic: there are a number of reasons why your data did not change:

  • they do not show what you are trying to measure

  • the changed behaviour you want to see takes longer to show

  • not enough data is available.

• Analyse results. Using the baseline data, your new data and your defined goals, analyse any progress you made, and try to understand why you get the results you get.

• Revise. While analysing your results, make notes of your findings. Consider what you could have done differently when it comes to activities, goals, timeframes and budgets, and put them in your report. For your next campaign, use your newfound knowledge to improve on what you did.

The first time you set up the Security Culture Framework in your organisation, it may require more time and resources. This is normal. Identifying the key resources for your core team may take some time, which you do not have to repeat every time you run a campaign - the team generally stays the same.

It is also normal that doing something new takes more focus than doing something you are familiar with. The same is true with the Security Culture Framework. As you run a few campaigns, you start to get a hold of the process, and soon you will notice how the framework is saving you and your organisation time and resources when building and maintaining security culture.

If you do find yourself in a squeeze and need help figuring out how to move forward, the community is only a browser away. You will find certified Security Culture Coaches, certified Security Culture Practitioners and a growing number of users of the Security Culture Framework at And I did mention it is free and open, right?

[28] Mo Amin is a Certified Security Culture Coach and dedicates himself to building better security culture: