Welcome to NBlog, the NoticeBored blog

I may meander but I'm 'exploring', not lost

Sep 12, 2017

NBlog September 12 - Security Culture Framework

In preparing for our forthcoming awareness module on security culture, I've been re-reading and contemplating Kai Roer's Security Culture Framework (SCF) - a structured management approach with 4 phases.

1. Metrics: set goals and measure

Speaking as an advocate of security metrics, this sounds a good place to start - or at least it would be if SCF explored the goals in some depth first, rather than leaping directly into SMART metrics: there's not much point evaluating or designing possible metrics until you know what needs to be measured. In this context, understanding the organization's strategic objectives would be a useful setting-off point. SCF talks about 'result goals' (are there any other kind?) and 'learning outcomes' (which implies that learning is a goal - but why? What is the value or purpose of learning?): what about business objectives for safely exploiting and protecting valuable information?

SCF seems to have sidestepped more fundamental issues. What is the organization trying to achieve? How would what we are thinking of doing support or enable achievement of those organizational objectives? Security awareness, and information security as a whole, is not in itself a goal but a means to an end. I would start there: what is or are the ends? What is information security awareness meant to achieve? 

Having discussed that issue many times before, I'm not going to elaborate further here today, except to say that if the Goals are clear, the Questions arising are fairly obvious, which in turn makes it straightforward to come up with a whole bunch of possible Metrics (the GQM method). From there, SMART is not such a smart way to filter out the few metrics with a positive value to the organization, whereas the PRAGMATIC metametrics method was expressly designed for the purpose.

SCF further muddies the waters by mentioning a conventional Lewin-style approach to change management (figure out where you are, identify where you want to be, then systematically close the gap) plus Deming's Plan-Do-Check-Act approach to quality assurance. I'm not entirely convinced these are helpful in setting goals and identifying measures. I would have preferred to elaborate on the process of analyzing the organization's core business, teasing out the 'hooks' in the business strategies on which to hang information security and hence security awareness. Those are powerful drivers, not least because only a fool would seriously resist or interfere with something that explicitly supports or enables strategic business objectives - a career-limiting move, to be sure!

2. Organization: involve the right people

Involving the right people makes sense for any activity including the previous step in SCF - in other words, the right people need to be involved in defining and clarifying the organization's objectives, which means these two activities overlap. Despite the numbering, they are not entirely sequential. The right people must be actively engaged in setting goals initially, and in deciding who else needs to be involved.

Sequencing issues aside, the second module of SCF discusses ways to identify 'the right people' for two distinct purposes: (1) those who will run the 'security culture program' (whatever that is! It is undefined at this stage); and (2) the target audience for security awareness (again, part of the vague 'security culture program').  

I fully support the idea of identifying awareness audiences, which is why NoticeBored delivers three parallel streams of content aimed at workers in general, managers and professionals. While we don't subdivide those audiences, we recommend that the security awareness professionals to whom the materials are delivered do so - it's standard advice in the train-the-trainer guide in virtually every awareness module to identify who has an interest in the monthly topic, and work with them to customize, communicate, inform and persuade. In many cases that comes down to business departments or functions, and sometimes individual people (e.g. the Privacy Officer clearly needs to be actively engaged in privacy awareness, along with the Legal/Compliance function - or their equivalents since their titles, responsibilities and interests may vary). 

SCF picks out executives, HR and Marketing as obvious examples of groups you would probably want to involve, and fair enough ... although I can think of many more (such as the two mentioned above). In fact it's hard to think of any part of the organization that could safely be excluded, given that information flows throughout the entire organization like a nervous system.

SCF mentions the idea of nominating ambassadors or champions, hinting at the process we call 'socializing information risk and security'. It also mentions the need for regular communications of tailored messages - good stuff.

3. Topics: choose activities

The advice here is to "Build culture that works by choosing relevant topics and activities". I'm confused by 'culture that works' but in practice determining the security awareness and training topics is the focus of this module, and that's quite straightforward. There's sound advice here:

"One thing to note about topics is that it is highly unlikely, and usually not something you would want, to cover all topics in one year. Long-term results are created by carefully crafting a plan to build the security culture you want over the course of several years."

True, for two reasons: (1) given a broad perspective on information risk and security, there are lots of topics to cover, hence a lot of information to impart; and (2) cultural changes are inevitably slow. People need time to receive and internalize information, and change their ways. They need gentle encouragement and support, motivation and, in some cases, enforcement of the security rules.

"Some topics are relevant at different stages of an employee lifecycle. One example is introducing new employees to policies and regulations when they begin working. Another is during relocation, when it may make sense to train the employee in local security routines."

The need to include information risk and security in induction or orientation training is obvious, no problem there. Relocation, though, is not a strong example: in 'employee lifecycle' terms, what about internal moves and promotions, and eventually leaving the organization? Those are almost universal activities that do indeed have information risk and security implications that the awareness program might usefully cover. Hmmm, perhaps we should put that idea into practice with NoticeBored awareness materials. We already cover some aspects (such as periodically reviewing and adjusting workers' information access rights).

Some of the advice in SCF has become lost in translation e.g.:

"To map down topics that builds up under goal and matches an organizational map is one method to get a good overview. The easiest one is those who targets the whole organization and builds up under the overall goals in the goal hierarchy. Those who only target segments of the organization demands mostly more work."

SCF mentions a few forms or styles of awareness and training - mostly training in fact, with an emphasis on computer methods. 

4. Planner: plan and execute

SCF's advice in this area is straightforward and conventional, quite basic though helpful for someone just getting into security awareness for the first time, or at least the first time in a structured, planned way. 

Aside from defining goals, audiences and topics, and establishing metrics, there's little discussion of project or program management as a whole, including (1) risk management (what are the risks to your awareness program? What could go wrong? What should you be doing to mitigate the risks? And what about opportunities? Can you seize the opportunity and take advantage of business/organizational situations, or for that matter novel information risk and security situations such as the recent ransomware outbreaks, and forthcoming changes in privacy as a result of GDPR?); (2) resource management (e.g. recruiting, training and developing the awareness team, plus the extended team taking in those awareness ambassadors mentioned earlier); and (3) change management (it's ironic that change is noted earlier in SCF but not in the sense of managing changes to the awareness program itself - aspects such as changes to management support and perceptions, personnel changes, changes of focus and approach as old ways lose their impact and new ideas emerge, maturity, and changes prompted by the security metrics).


SCF has some good points, not least focusing attention on this important topic. The advice is fairly basic and not bad overall, although the sequencing and reference to other approaches are a bit muddled and confusing.

Of more concern are the omissions, important considerations conspicuously absent from the website's overview of SCF e.g. business value, psychology, adult education, compliance, motivation and maturity. I'm disappointed to find so little discussion of security culture per se, given the name of the framework: it mostly concerns the mechanics of planning and organizing security awareness and training activities, barely touching on the before and after stages. Perhaps Kai's training courses go further.

That said, both the Security Culture Framework website and Kai's book "Build a Security Culture" are succinct, and patently I have been sufficiently stimulated to write this critique. I prefer Rebecca Herold's "Managing an Information Security and Privacy Awareness and Training Program" but you may feel differently. There's something to be said for getting to know both of them, plus other approaches too such as David Lacey's "Managing the Human Factor in Information Security" - another excellent book.