Security Awareness Blog

Behaviors First, Then Culture

STH-Image-SecurityAwarenessMaturityModel-TextI'm beginning to notice a trend within the world of security awareness, different groups of people talking about changing behaviors vs. changing culture. Some people talk as if they are separate projects or even separate goals. While they are different, they are very much related.

Behaviors are the actions or manners of individuals within an environment. To learn more about behavior and changing behaviors I highly recommend the BJ Fogg Behavior Model. Culture is a bit more squishy, it is the attitudes, beliefs and behavioral norms of a group. So which one is more important, what should you be focusing on? Well ultimately both, but you want to start with behaviors first. In fact, you will notice that in the Security Awareness Maturity Model we have behaviors listed first. Why is that, why don't we just focus on culture? There are a several reasons for this.

  1. Ultimately, it is behavior that secures an organization, not culture. If you have a strong security culture people will believe in the need of security and the importance their role plays, but do they still know what behaviors they need to exhibit? They may think they should be locking the door to their car, when in reality it is the fact their mobile device has no passcode that is a far larger issue. Ultimately behaviors secure the organization, not culture. It is just much easier to create and maintain secure behaviors in a strong secure culture.
  2. You can change behavior in days, but it takes years to change culture. John Kotter explains it in his book "Leading Change" that for people to believe in change, they have to see their behaviors have a positive impact. When people see how phishing training helps them detect attacks, when they see how a passcode protects their lost phone, they start believing in security. As a result, their attitudes and beliefs change. Ultimately, to change culture you need to first start changing behaviors.

For a truly mature awareness program, you want to not only ensure you are changing behaviors but changing culture (and have a metrics framework to measure it). These goals are highly related, but to get there you have to start with behaviors first.

2 Comments

Posted May 13, 2015 at 10:54 AM | Permalink | Reply

Geordie Stewart

Ultimately, it is behavior that secures an organization, not culture"
''but, culture is what helps secure behavior to continue (or not) long after the security awareness session has finished and the security person has left the room.
Culture change can take years, but it can also happen in a short space of time if there's a sense of crisis that employees can identify with.

Posted May 13, 2015 at 11:10 AM | Permalink | Reply

lspitzner

Geordie, I could not agree more on both accounts. Ultimately a secure culture enables secure behaviors. And it is far easier to change both behaviors and culture during a crises as their is a tremendous sense of urgency throughout the organization (Step #1 ref John Kotter).