Clarity Up Front:
- Cyber security is a top concern for boards and C-Suite executives, and latest data from IBM shows the average cost of a data breach in 2024 was $4.88 million, 10% up on last year. The impacts are felt across the business, and can have long-lasting effects.
- Technology is critical in protecting from cyber-attacks, but it is not foolproof.
- Human behaviour is an essential part of effective cyber security; Forrester predicts that 90% of data breaches involve the human element.
- Security culture efforts assume that if staff know the right thing they will do the right thing; in fact, behaviour is more strongly correlated to attitude than behaviour. Training alone does not change behaviour.
- Human risk management is emerging as a new framework for thinking about security culture. It stresses targeted interventions rather than generic ones, real-time nudges at the point of behaviour, and metrics focused on behaviours changed rather than activities conducted.
- The Clarity Factory advises clients on their security culture programmes, and offers six insights: measurement matters, risk-based approaches to training, campaign with caution, elevate security champions, senior leaders are critical, and partner with corporate communications.
- If you would like to discuss how The Clarity Factory can advise on your security culture programme, get in touch.
Cyber security is a C-Suite concern
Cyber security is at the top of the agenda for most C-Suite executives. Global leaders surveyed by the World Economic Forum ranked cyber security within the top five risks over the next two years,[i] and almost three-quarters of board directors rank it as a top priority.[ii] The latest data from IBM shows that the global average cost of a data breach in 2024 was $4.88 million, a 10% increase in the past year and the highest total ever. [iii]
While multi-million-dollar ransoms capture headlines, the impacts of cyber breaches are felt more broadly across the business: business disruption, lower production, delays, reputational damage, intellectual property theft, litigation, higher insurance premiums, and regulatory actions. As a leading recruitment consultant told me about board concerns, “When you think about the things that keep them up at night, it’s cyber, because the impact can be unquantifiable. When it comes to data breaches, cyber hacks, the impact on your business can be exponential and potentially existential.” [iv]
Human behaviour is critical to effective cyber security
Technology is critical to protection from cyber-attacks, but it is not foolproof; human behaviour is vitally important. Forrester predicts that 90% of data breaches in 2024 will include the human element, such as staff clicking on phishing links, using weak passwords, mislabelling and sharing sensitive information, leaving laptops open and unattended, or allowing someone else to use their office pass.[v] A strong security culture is a central component of effective cyber security, one where staff, contractors, and third parties understand and perform their role in keeping the company safe.
Attitudes are more important than knowledge in changing behaviour
Change management efforts often focus on knowledge, in the assumption that if staff know the right thing, they will do the right thing.[vi] There is little evidence to support this; in fact, behaviour is more strongly correlated to attitude than knowledge: the extent to which staff care about security, understand why they have a role, and are motivated to follow instructions. Knowledge is non-negotiable, of course, but its impact is only unlocked if staff choose to do the right thing. Training – giving people knowledge – on its own does not change behaviour.
Human risk approaches to security culture
Human risk management is emerging as a new framework for thinking about security culture. It moves beyond knowledge and incorporates the full range of components necessary to shift the hearts, minds, and behaviours of staff across the organisation:[i]
- Attitudes: do employees care about security?
- Behaviours: what are acceptable behaviours? What do employees see others doing?
- Cognition: what do employees know? Do they understand how to use what they know?
- Communication: how is security communicated through the organisation? To what extent is the leadership involved? Is security considered a core value?
- Compliance: how well do employees adhere to policies and procedures?
- Norms: to what extent are security-related beliefs, behaviours, and values embedded in the norms and unwritten rules of the organisation?
- Responsibilities: to what extent do employees feel empowered? To what extent will they help ensure that other employees follow the rules?
So what does this mean in practice? Forrester’s human risk management framework is useful because it breaks things down into actionable insights: targeted interventions rather than generic ones, senior rather than junior-level leadership of security culture, metrics focused on behaviours changed rather than activities completed, and real-time nudges at the point of behaviour instead of annual trainings. The table below from Forrester describes the shift.[ii]
Six Clarity Factory insights for building an effective security culture
Based on our work advising clients on their security culture programmes, we offer six key insights for organisations:
# Measurement matters
- Any effective change management initiative starts and ends with metrics: Baseline: where are we now? Goal: where do we want to be? Progress: how fast do we expect to move?
- Use metrics that correspond to behaviour changed rather than activities completed.
- Make metrics accessible via a dashboard, so staff, managers and leadership can chart progress and spot areas for improvement.
# Risk-based approaches to training
- Shift from one-size-fits-all training to training that is risk-based: workers on an oil rig need different cyber training than HR staff processing payroll, a branch bank manager has a different risk profile to an investment banker, and the implications of a breach for a coder writing software are a magnitude different from a junior manager working in a call centre. Some regulated industries need to organise risk-based training alongside their regulator-mandated training.
- Incorporate real-time nudges delivered at the point an employee does something right or wrong, so the learning or praise is delivered when it has most impact.
- Respond to cyber-related news events to provide more context for employees whose interest has been piqued.
# Campaign with caution
- Security awareness campaigns (roadshows, security awareness month, posters, banners in email signatures, desktop backdrops, laptop stickers, podcasts/videos, and webinars) can reinforce security culture messages and create visibility.
- Campaigns can be time and resource intense: use metrics to measure return on investment and learn lessons about what really works.
# Elevate security champions
- Security champions can be a useful resource, creating a local point of contact for security culture across the organisation.
- Recruiting senior as well as junior staff members in this role is critical for impact.
- Ensure your security champions are well organised and resourced.
# Senior leaders are critical
- Senior buy-in is a critical component of any successful change management process.
- Identify opportunities for senior leaders to champion security culture: mentioning cyber security in end of year results, town hall meetings and other corporate gatherings; appearing in cyber week and campaign activities, including events, videos, and podcasts; and raising cyber security issues at Executive Committee meetings.
- Senior accountability for security culture is impactful; the most mature organisations tie executive performance to security culture metrics.
# Partner with corporate communications
- Support from the corporate communications team is critical to security culture maturity. The most effective security functions build strong and productive relationships with communications colleagues.
How The Clarity Factory can help you
The Clarity Factory works with security functions to drive improvements and best practice. We conduct benchmarking, generate new data, and provide consulting to multinational corporations. If you would like to discuss our work on security culture or learn more about how we can help you, get in touch.
References
[i] The Security Culture Playbook, Perry Carpenter and Kai Roer, 2022
[ii] The Future is Now: Introducing Human Risk Management, Jinan Budge, 13 February 2024
[i] The Global Risks Report, World Economic Forum, 2024
[ii] Is Your Board Prepared for New Cybersecurity Regulations? Keri Pearlson and Chris Hetner, Harvard Business Review, November 2022
[iii] Cost of a Data Breach, IBM, 2024
[iv] Effective Board Governance of Cyber Security: A source of competitive advantage, Richard Brinson and Rachel Briggs, Savanti, 2023
[v] The Future is Now: Introducing Human Risk Management, Jinan Budge, 13 February, 2024
[vi] Switch: How to change things when change is hard, Chip and Dan Heath, 2011