Building security culture
An individual walks down the street late at night talking on his phone when he suddenly realizes that he missed his turn and that he will have to go through a scary dark alley in a bad neighborhood to get to where he is going. Having no choice, he takes off his watch, hides the gold chain hanging from his neck and puts his shiny new iPhone in his pocket. He walks fast through the dark alley trying not to call attention to himself, and in no time, he is out of the bad neighborhood and back on track to his destination.
This is a pretty common story, so what does it have to do with building security culture in an organization? The question we have to ask ourselves is this: What led this individual to take action before he walked through the alley? The answer is security culture.
We believe that one of the most effective ways of fostering a security culture is to educate people on the threat and on how their actions impact risk.
That night the individual in our story was convinced that the threat was real and that he needed to take measures to protect himself from risk. This conviction may have resulted from office gossip of situations that happened in this alley in the past, from a friend who was mugged precisely in that alley or from news reports of crime in the area, any of which was education on the threat. He was convinced the alley was dangerous and that he could be mugged. The individual voluntarily proceeded to hide his gold chain, take off his watch and put his cell phone away because he understood clearly that if he performed these specific actions, his risk of getting mugged would be reduced. He was convinced that the threat existed, and he was aware of how his actions would impact his risk (for example, “If I take my watch off, the risk is lower; if I leave it on, it is higher”).
If personnel at your organization are not convinced that a threat is real, it is likely that they will continuously expose you to the “dark alley,” and if they additionally are unaware of how their actions impact risk, you will probably find yourself late at night, showing off your shiny valuables in a dark alley somewhere.