6 UNDERSTANDING CULTURE

Bruce Hallas

Culture eats strategy for breakfast!

(attributed to Peter Drucker)

This is an old adage, widely used. It’s often quoted when explaining some of the greatest failures in corporate history and international diplomacy. However, it is more often the unrecognised and therefore misunderstood root cause of many of the challenges we face, day to day, when trying to influence anyone to get behind a new or even old course of action including cybersecurity.

Mergers and acquisitions, minutely examined by analysts and advisers, management consultants, the media and vastly experienced business and organisational leaders, have repeatedly failed to deliver against expectations, at significant cost to stakeholders and society. This is because building a culture was either not thought about or was treated as an afterthought once the decision to merge had been taken; or because integrating cultures was assumed not to be a risk worth considering as part of due diligence; or because it was assumed that the challenges culture would pose would be ironed out through a change programme. These failures are usually not because the mergers and acquisitions didn’t look great on paper, but because, in reality, data and information on their own don’t make something a success. People turn the possibilities that justified the merger or acquisition on paper into long-term success, and people are both subject to, and influencers of, culture.

Now think about the investments made by governments and businesses in cybersecurity. It is estimated that in 2020 the global market for cybersecurity will amount to $173 billion. This, it is anticipated, will grow to $216 billion by 2023.51 Much of this will be spent on engaging analysts, advisers, consultants and vendors of technical controls. The objective of much of this spend is to assess and define our appetite for risk and then to find and implement and review controls to manage that risk – including risky behaviours performed by people. These controls will include defining our organisation’s expectations in terms of employee behaviour and culture. But will we learn from the mistakes made in the past when it comes to the role that culture plays in achieving success and our expectations?

Within the context of security those same forces are at work. What looks good on paper, in this case the organisational security policy, finds itself in the ring, facing off against the organisational culture. And there can only be one winner.

This chapter will explore the concept of organisational culture and some of the key factors that create and shape that culture. Organisational culture is a dynamic and ever-changing concept, driven by the people who work in an organisation, the interactions between them and the interactions between staff and the world outside the organisation. First, we’ll define culture.

WHAT DO WE MEAN BY CULTURE AND ORGANISATIONAL CULTURE?

As innocuous a question as this might seem, it opens a can of worms. Definitions of culture can be found in any dictionary but those definitions can encompass a range of meanings and usages: just ask a microbiologist and a social scientist.52 Unsurprisingly, there isn’t a clear and, importantly, approved definition of the term organisational culture.53 Without such a definition, our starting point for efforts to develop a security culture or to embed security into an organisation’s culture is on shaky foundations. Without a clear definition of the term culture, or even awareness and behaviour, you introduce uncertainty. Uncertainty drives anxiety and stress. And, as I’ll explain later, one, if not the main, purpose of culture is to reduce uncertainty and anxiety by introducing acceptable ‘norms’ and ‘values’, especially in some cultures around the world. These norms and values are an integral part of how behaviours are formed and influenced and tie closely with our decision- and judgement-making capacity as humans.

To draw an analogy, think of the potential for abuse of the risk assessment process. If such a process doesn’t document, define and approve your risk decision criteria (the norms), at what point is your risk exposure unacceptable or acceptable? Suddenly the process of calculating your risk exposure is uncertain and can become driven by short-term factors, and is definitely subject to cognitive biases and heuristics that we all have. People make decisions that suit their needs, and when it looks like there’s going to be too much work to do or the outcome doesn’t fit their personal agenda, they make the easier decision instead of what might be best for all concerned.

A definition provides clarity about the objectives. You can record the definition in the form of a sentence or paragraph or maybe even a range of bullet points. But the process of documenting this and obtaining agreement from all relevant stakeholders provides an anchor to which all decisions and actions can be tethered. Thus, a definition of culture provides clarity for the education and awareness manager who has been tasked with ‘building a security culture’ or ‘embedding security into the organisational culture’. It provides the CISO, developing their team capacity and competency, with a clear sense of the roles, responsibilities and metrics of the team tasked with security awareness, behaviour and culture. And it provides options to address the long-standing challenge of how to measure awareness, behaviour and culture in a demonstrable and meaningful way.

The process of defining culture necessitates stakeholders agreeing, through a process of research and analysis, what ‘culture’ actually means to them.

Specifically, this process and a definition will provide the cybersecurity professional with an insight into the role culture plays in both forming and delivering the organisation’s cybersecurity strategy. In my experience this process regularly highlights a fundamental flaw in how organisations tackle the challenge and leverage the opportunity of really considering culture. Is the Head of Education, Awareness and Culture responsible for creating a culture or leveraging an existing culture?54 Does the ‘security culture’ actually belong to the security function? And if it does not, how can the security function actually be responsible for this? Does this mean that when we use the term ‘responsible’ what we are really allocating responsibility for is the process or facilitation of the process of embedding within the organisation’s culture?

Most of us stumble at clearly defining the term culture. It is not uncommon, and arguably reasonable, to say that culture is intangible. This may explain why culture is often seen as an abstract concept. Its abstract nature is what, to many, makes the challenge of understanding, influencing and then measuring culture so difficult to overcome. Definitions of (organisational) culture include the following:55

… a pattern of basic assumptions invented, discovered or developed by a given group as it learns to cope with its problems of external adaptation and internal integration that has worked well enough to be considered valid, and therefore, to be taught to new members as the correct way to perceive, think, and feel in relation to those problems.

(Schein, 1985, 2016)

Even as we struggle to correctly define organisational culture, we have to contend with other factors that can influence and alter our perception and definitions of culture. We start looking at these factors by looking at the types of culture that have been identified.

TYPES OF CULTURE

Broadly speaking there are four categories of culture:

Macro-cultures

Many people, when they think of culture, consider it in the context of geographical regions such as North America, Europe, South America, the Middle and Far East, and Australia and New Zealand, or of countries within these. The culture of these regions and countries is considered to be the prevalent values that drive and reflect normal behaviour within these societies. By normal behaviours we mean those behaviours the majority of individuals within a society find acceptable. The use of the term ‘normal’ illustrates that we recognise that these behaviours are not necessarily universally performed across society. After all, every society experiences those whose behaviours fall outside the cultural norms. The evidence of this surrounds us. You can most readily see it in the records of those who have appeared before a court or who inhabit our prisons and other forms of detention, for example.

National cultures refer to beliefs, values and practices that are shared by the majority of people belonging to a nation, and enriched by national laws and governmental policies with respect to education, family life, business and other factors (Van Oudenhoven, 2001). A great deal of time and effort has been invested in ‘profiling’ national culture. Several profiling frameworks have been developed over time and the most commonly used framework is the work of Geert Hofstede and his son Gert Jan Hofstede.56 Geert Hofstede’s original research, first published in 1980, analysed surveys of IBM employees in many countries collected between 1967 and 1973, and so examined the prevalent culture within IBM. This research has gone on to form the foundation of much of our understanding of culture from both a social and an organisational perspective. It has also laid the foundation for Gert Jan Hofstede and fellow researchers, such as Michael Minkov, to further enhance this work over the past 40 or so years. In his research Hofstede listed what he called ‘Dimensions of national culture’ (see Table 6.1).

Table 6.1 Hofstede’s dimensions of national culture57

Value

Description

Power distance index

This is an index that describes to what extent members within a society are willing to accept unequal sharing or distribution of power. This value can be seen as a matter of hierarchy and the willingness of individuals to do as they are told by those in positions of authority.

Uncertainty avoidance

This describes how inclined a society is towards uncertainty or ambiguity. Uncertainty avoidance is sometimes referred to as a matter of truth. In a society with low tolerance for uncertainty there is one truth. In societies where there is a higher tolerance for uncertainty there may be more than one version of the truth.

Masculine and feminine

In masculine societies there is a willingness to both use and to be subject to the use of force: the focus is on winning at all cost and often to the detriment of others; there’s almost a cultural acceptance that only the ‘fittest survive’. In feminine societies we see polar opposites to masculinity. This value is a way of thinking and being rather than a physical gender definition. Both women and men display characteristics that do not fall within their namesakes’ value definition.

Long- and short-term orientation

This describes whether a society is focused on the short term, looking for the quick win and interested only in the present even where a given decision brings a great loss in its future (climate change might be a good example), or whether it values and places a priority on the long-term view of what is good for itself and its members.

Individualism and collectivism index

Does the society have more of a focus on what benefits the individual or on what benefits the group or, more broadly, society as a whole? When we talk about success, are we talking about what’s in it for me or what’s in it for the group or society? Are we willing to change for the greater good even if it means giving up something we value ourselves?

Indulgence and restraint index

This describes the tendency of a society to fulfil its desires. A high indulgence versus restraint score indicates that society encourages fulfilment of an individual’s emotions and drives. A low score indicates the suppression of personal gratification, strict social norms and more regulation of people’s behaviour and conduct.

According to Hofstede’s research and backed up by further research over the last 40 years, nations can display a bias towards these values. While these descriptions are broad-brush, there is ready agreement that certain Western cultures display more masculine characteristics and certain Eastern cultures are more collective. While these values provide an opportunity to profile target audiences, they also materialise, day to day, in characteristics and attributes of given national cultures, in a more nuanced and often unrecognised way.

Often we can see these national values become tangible in the planning and delivery of advertising and other forms of marketing. For example, colours have different connotations and uses in different societies. In parts of East Asia a traditional wedding dress is red and the colour white is associated with mourning and funerals. In many Western countries wedding dresses are traditionally white and funerals are closely associated with the colour black. The advertising of alcoholic drinks is not usually seen in Muslim countries, for obvious reasons.

Organisational culture

Organisational culture is often described as ‘the way things get done around here’. If culture is the way things get done ‘around here’ then the process or everyday practices by which ‘things get done’ must be the ‘organisational culture’.

Is there such a thing as organisational culture? The process of setting up an organisation and engaging people to support it in its mission will inevitably result in a culture evolving. The phrase ‘start-up culture’ is instantly recognisable. As the organisation evolves, its culture will naturally evolve with it to fit its environment. By environment I mean not just the physical or market environment but even the organisation’s own stage in its evolutionary path. Start-up entrepreneurs begin with one set of values; if they are successful, they and their organisation evolve. Their growth requires scale, which often means attracting investment. But those investors have a different set of values at the heart of their decisions, and this affects the values at the core of the organisation. In turn people are recruited with similar values, and slowly the values of the organisation change and then permeate across the organisation’s day-to-day processes. However, this evolutionary process within an organisation, and the speed with which people change both within and outside the organisation, can be outpaced by the speed of change in the business environment, in technology or in the social environment.

There may be smaller groups with specific tasks, and in turn these groups may have cultures of their own. As such the term organisation could describe any group of people all working towards a stated goal or vision. Therefore, organisational culture may be an ideal way to describe the cultural context within which decisions are made day to day within an organisation.

Sub-cultures

Professions, such as medicine, law, banking and cybersecurity, all have their own culture. Professional status is based on following a structured path of learning in which individuals accumulate knowledge shared with them through formal educational processes, but also informally through work experiences and the groups, social media and other people we readily associate with day to day. Learning and working in these groups, combined with our natural behavioural bias towards social proof, means we look to others, especially when in new surroundings, to quickly establish the norms and acceptable behaviours. We assimilate the practices and behaviours associated with our profession or career path and identity. These processes for achieving and maintaining professional status, and the environment within which we use these skills, are common and relatively consistent across the world.

Micro-cultures

Micro-cultures are typically social groupings of people around shared interests or common characteristics such as music, sport or a sporting team, hobbies and even age. They are regarded as being more short-lived than other types of culture and may evolve or change much more quickly. In certain circumstances, these micro-cultures allow and encourage the relaxation of social norms (Fox, 2014). As micro-cultures involve shared interests, they may bring together differing age and social groups, resulting in the creation of different values and norms compared with the macro-cultures we have discussed (Arkalgud and Partridge, 2020).

Micro-cultures can be found in organisations in regional or branch offices, sales teams (compare inside versus outside or business to consumer (B2C) versus business to business (B2B) teams) and in the teams working on an assembly line. How these micro-cultures interact with each other and the cultures we have discussed above can play an important role in shaping both culture and culture change initiatives.

The process of developing a culture is more evolutionary in nature than we might expect. Initially people brought together will have a purpose in mind. This could be survival at the most basic level but would eventually move towards driving and maintaining economic or social prosperity or even self-actualisation as Maslow58 would call it.

COMPONENTS OF CULTURE

Culture, within an organisation, is often considered abstract, yet many academics, and many of the practitioners who carry out culture change in organisations rather than research it (change management consultants and CISOs, for example), consider culture to have a structure. This structure is characterised by a mixture of abstract and intangible features as well as tangible ones. Edgar Schein’s model,59 sometimes termed the ‘onion’, sets out three levels in an organisational culture:

  1. Artefacts: structure and processes we can see, feel and hear. Heroes and symbols.
  2. Espoused beliefs and values: statements of the organisation’s aspirations, ideals and goals, usually made by its leadership and recorded in documentation.
  3. Underlying assumptions: unconscious assumptions made based on inherent values.

The first layer in the onion is ‘artefacts’. These can range from office design, to the language used in conversations, to the way meetings are run and even dress codes. In the context of security, artefacts may include the governance structure, organisational policy, processes and standards by which either an organisation or the security function operates. You can think of these as your target operating model, and they should include governance, risk and control frameworks as a minimum. Heroes may be people with personal brands who are associated with security. They could include anyone in your security function with an outward-facing role engaging across your organisation and even with external stakeholders. They can also include anyone from across the organisation who acts as an advocate for security but doesn’t work within the security function, such as security ambassadors, leadership and managers (or Jess’s champions from previous chapters). Heroes definitely include those who have, through their own actions, chosen a path that has resulted in what I call a positive security outcome for the organisation and its stakeholders. But heroes don’t and shouldn’t always be seen as heroes in the context of security. Heroes, whether fictional or real, don’t have to be heroes because of security. They can be heroes for any other reason so long as people look up to them or associate with them in a positive way.

The second level of Schein’s onion is ‘espoused beliefs and values’, which are the aspirations of the organisation. They are usually identified and most definitely signed off by an organisation’s senior leadership. They are commonly recorded in organisational statements that should, in theory, set out the organisation’s ‘true north’. However, anecdotally, in real life, away from the environment of the board and its senior management teams, there is often a difference or gap between what the board ‘espouses’ as being the organisation’s beliefs and values and what those values actually are in practice. The same gap can be seen in how the board views daily operations and processes against what really happens day to day.60 The existence of this gap fuels the sentiment that the board is detached from reality on the ground; it doesn’t listen; or it ignores reality when it conflicts with perception. This serves to reinforce and entrench more deeply values at an operational level, which may actually cause excessive friction or lead to resistance when rolling out a new initiative (including a security strategy) and further reduce the trust relationship between employee and employer.

Individuals, who also have an important role to play in shaping organisational culture, will have their own values and their own view of how things should be done. How closely the values of the individual match the values of the organisation is very important, as individuals tend to resist change to their values and the imposition of values and procedures that clash with theirs. While individuals can work in situations where they experience a clash of values or thought, it can lead to cognitive dissonance61 and a gap between what is said and what is done. Such gaps can damage an organisational culture and lead to the rise of sub-cultures. Individuals will also take cues from senior leaders; if a leader talks about ‘compassion’ and ‘treating people fairly’ as key values of their organisation and then fires people by text or email, then staff are just not going to believe the leader. The leader has demonstrated they don’t believe in the values they espouse.

The final layer of the onion is ‘underlying assumptions’. These are the outcomes of our unconscious or semi-conscious minds at work. Our judgement and decision-making faculty is much more based on unconscious thought than most of us would like to think or acknowledge. Advances in behavioural science have highlighted that, when it comes to making decisions, we’re routinely less thorough than we think and we are driven consistently not by logic but by emotions influenced by the underlying, inherent assumptions prevalent within us. Our own underlying assumptions are brought into an organisation and combine with those of others to form an agreed set of underlying assumptions for the group. These assumptions include agreeing what ‘truth’ means, the importance of time, the ownership of space, the intrinsic aspects of human nature and how people should relate to each other.

These assumptions are deeply embedded within each and every one of us. The process of assimilating these values started from the day we were born and continues to the day when we face a choice between complying, or not, with our organisation’s security policy. They are so well entrenched that changing them is notoriously difficult, but not impossible with sufficient and consistent investment of time and resources, as well as clear leadership from the board and across what Kotter (2012) would call a wide coalition of change stakeholders, over a prolonged period. With this in mind it is probably true to say that tactical initiatives, such as computer-based training, workshops, annual communication campaigns and induction days, on their own, are highly unlikely to bring about a change in culture. They may contribute to the journey, but on their own, much of the tactical quick fix solutions we see routinely marketed as driving cultural change tinker at the edges and don’t go to the heart of the challenge.


We talked about culture in our introduction and we discussed a different model, created by Johnson and Scholes (see Johnson et al., 2012). Recapping, their model had six factors that influenced and made up organisational culture: stories and myths, rituals and routines, symbols, organisational structure, control systems and power structures. These six factors are very similar to many of the factors discussed by Schein and highlight that irrespective of how you look at culture, there are some basic components you ignore at your peril.

So while ‘how things get done around here’ may relate to artefacts and potentially espoused beliefs and values, where there is an element of compliance, the underlying assumptions, upon which day-to-day decisions are made, are actually the values at work influencing our judgement and decision-making capacity. Sometimes these are consciously driving decisions but, often, they are at work unconsciously, influencing outcomes day to day and minute to minute.

CULTURAL AWARENESS

In their book Fish Can’t See Water (Hammerich and Lewis, 2013), the authors recognise that for almost all of us our own culture is invisible to us but that same culture can be observed by others from outside our culture. Our own awareness of our own culture is one of the first hurdles that those responsible for developing a security culture must recognise, understand and then accept if they are to effectively develop or embed an appropriate security culture into an organisation.

As a child I spent a considerable amount of time with my mother’s family in the Mediterranean. I remember long summer holidays in glorious sunshine, a slower pace of life perfectly suited to the conditions we were surrounded by. Compare this with my life back home either in the UK or any other European country where my father was posted and there were notable differences. The challenges, problems and joys were all the same, but there was something different. The social norms were different. I still remember the first time I was asked to put on a swimming cap in Germany. It was something I had never had to do in the UK or in Malta. I remember the cycle paths of Germany and Holland, which were so different from the choices of cycling on a road in the UK or cycling on the path upsetting the pedestrians. It was these simple experiences that provided me with an awareness and appreciation for the differences that exist between people, and it is awareness of our own cultural biases and the environment that is the first step in developing our cultural context. So, how can we apply our insights to develop cultural context? Well, we start by being aware of the following:

If you aren’t aware of the above then you need to start thinking about them and how you can apply them in your work. For awareness to have any meaningful effect you’ll need to understand the ‘why’, which will help you reason with the need and place a value on its importance. Understanding the cultural ‘why’ or ‘reasoning’ soon helps to potentially explain the behaviours of those we seek to influence and often calls into question our labelling them as ‘irrational’ behaviours. They are only irrational because we can’t explain them ourselves, to ourselves, and this more often than not is due to our own lack of awareness of the cultural context within which those decisions were made, as well as how people make judgements and decisions.

UNDERSTANDING THE CULTURAL FORCES AT PLAY

Having accepted the above it makes sense then to increase your own awareness of the cultural forces at play within the target audience. This invariably leads to organisational cultural surveys or the same thing by another name to try to avoid survey fatigue. Workshops are another option often used. But both have limitations. These all attempt to identify the underlying cultural attitudes towards information security, but rarely look at the overall values at work both in terms of the organisational culture and importantly the much broader and more deeply embedded national culture.

Often the design of these activities and their output is closer to a brand audit than a deep dive into the underlying culture or cultural attitudes towards security. A brand audit is important; however, it is not a complete assessment of the cultural forces at play, unless your definition of culture says it is so. There is, in many cases, a small crossover between a brand audit and cultural survey. Often the term ‘brand’ is misunderstood within the security industry. Many think of it as the ‘identity’, such as a logo associated with security. By brand we should actually mean: ‘the overall experience by a customer that distinguishes an organisation or product from its rivals in the eyes of the customer’.

If when you read this you think, ‘This sounds like marketing a product’, then you’re right, it does. That’s because the similarities between the objective of raising awareness, influencing behaviour and fostering an appropriate culture around security and developing, marketing, selling and then providing customer service to your clients are fairly strong.

Brand audits do look at attitudes towards, and maybe values associated with, a particular brand. Cybersecurity is, knowingly or unknowingly, a brand both within an organisation and across the public. More often than not the current brand has evolved organically, and the values that underpinned its success or growth to date may or may not be aligned with, and supportive of, the prevailing organisational and national cultural values deeply embedded within the workforce. Where they are not aligned, the result is a cultural clash between the values of security and those of the organisational culture; where they are aligned, the existing culture carries security along with it.

In national cultures where there is a tendency towards high uncertainty avoidance, people might be more inclined to avoid the unknown. In cultures with a high power distance index, people may be more inclined to do as they’re told, as long as they’re actually told to do something and they’re told to do it by someone whom they respect or trust. In countries that score towards the individualism end of the individualism and collectivism index we may expect the concept of ‘What’s in it for me’, which appears to be a consistent principle in the design of education and awareness initiatives from Anglo-Saxon cultures. This may not suit audiences where what benefits the group and society is generally the culturally acceptable norm. As we identified earlier (Table 6.1), there’s even an indulgence and restraint index, with some countries scoring higher than others. Now how could this knowledge help us to better design our efforts to influence behaviour and shape culture when it comes to security?

What are the cultural values that new employees or other third parties bring into any given organisation, which they’ve assimilated over many years? How can and will this affect your efforts to bring about changes in behaviour?

THE ROLE OF CULTURE IN DECISION-MAKING AND BEHAVIOUR

Outcomes are what it is all about. In some cultures those outcomes have to be measurable to have any meaning. In others they don’t have to be measurable at all in the traditional metrics sense.

The outcome we desire from education and awareness activities is to:

We record the desired normal and acceptable security behaviours within policies, processes and procedures. These are the espoused values that we mentioned earlier and if these are complied with, knowingly or unknowingly, through choice or design, they result in the day-to-day practices and norms that make up some of the observable elements of culture.

But recording them doesn’t make any difference to the behaviour of our audience unless we make them aware of these acceptable behaviours and they are also aware of them. While making someone aware, and that person being aware, may sound similar, there is a fine line between the two. One is the process for making someone aware of the acceptable norms; the other is the state of mind of the audience in terms of whether they are actually aware of what the acceptable norms are when they find themselves in a given situation, sometimes called situational awareness. In effect, do they actually consciously remember anything that you’ve made them aware of?

Memory retention is a metric I rarely see measured. The challenge of memory retention and recollection, which are again two different things, is a hurdle to be considered and overcome by those seeking to improve their chances of influencing behaviour where an organisation’s definition of culture is restricted to normal acceptable behaviour outcomes. However, there is an exception to the need for conscious memory retention and recollection and that is unconscious retention and recollection leading to unconscious decision-making and behaviour. An alternative way of looking at this might be muscle memory or habit.62

Security controls, like almost every aspect of society, are designed on the assumption that if we make people aware of their roles and responsibilities, provide them with access to information or endless options, they will rationally weigh up the value, to them, between options, such as to comply or not comply. This is not the case in reality and is the reason why we often label employees as irrational when they make choices not to comply, when they know and understand the risks to themselves and others of non-compliance: your job is at risk, you will be disciplined, this could have an impact on customers and the organisation’s bottom line. Some might think this was enough to influence or motivate employees to comply with policy. Anecdotally, most of us would recognise that such motivations do not work. And our anecdotal evidence and the gut instinct of many security professionals over the years is starting to materialise in the form of incident reporting data. For example, since the European Union General Data Protection Regulation was enacted in 2018, over 160,000 breach notifications have been reported.63 This figure, on its own, arguably highlights the scale of the problem but also the lack of transparency, in the past, around data privacy and security and the difference between what is said in the form of policy statements, and what is done, day to day, on the ground by organisations when handling our personal data.

Humans are not creatures of logic. We do not weigh up the pros and cons of information and options nearly as well as we’d like to think. The evidence seems to be that any faith in our sense of logic is flattery, if not negligent, especially in circumstances where we are ill-informed or incorrectly informed, where we have no immediate feedback or where we are under some external pressure to make a decision quickly.

Our understanding of how people make judgements and decisions has advanced rapidly over the past 30 years. These advances have challenged the assumption that humans are logical and that the brain acts as a rational, mathematical processor of information.64

In 2002 Daniel Kahneman won the Nobel Prize for Economics for his work delivering ‘integrated insights from psychological research into economic science, especially concerning human judgment and decision-making under uncertainty’. Since then Richard Thaler has also won a Nobel Prize for similar work.65 Kahneman and Thaler built their work on the shoulders of many before them, and between them they have developed academic disciplines such as behavioural science and behavioural economics.

In brief, this work, along with other research, provided data that illustrated the case that human beings have two decision-making pathways:66 a fast, intuitive and effortless pathway (System 1) and a slower, deliberative and logical pathway (System 2). We tend to use System 1 in our day-to-day lives and it is this system that uses heuristics and biases to reach a quick decision. Heuristics are the ‘rules of thumb’ or shortcuts, based on previous experience or knowledge that we apply as part of our decision-making process.

Heuristics have both evolutionary and learned aspects. For example, the affect heuristic, where we make decisions based on how we feel emotionally about them – ‘trusting your gut instinct’, for example – likely has a deep evolutionary history and is in evidence in other species (Kralik et al., 2012). But in specific contexts, such as when attempting to change your organisation’s cybersecurity culture, we may encounter individuals who have learned to apply heuristics to their particular workload. For example, take the effort heuristic, where we place higher value on things into which we have put more time and energy (Kruger et al., 2004). Perhaps this is a phenomenon that you can see within the organisations you work with, where employees love the projects they have worked hard on, but not the ones they didn’t have to put any effort into. But these heuristics – and others – can be irrelevant and bias our decisions. System 2 requires effort to use; it is the ‘thinking hard’ pathway. As such, we tend not to engage System 2 if we are under pressure, stress or we think we already know the answer.67

Remembering that culture relies on behaviours and that behaviours can be driven by our own decisions on what to do in a particular situation, we can now start to link these important ideas together. Many people in an organisation will have experienced and learned a number of acceptable or required behaviours, a number of heuristics (shortcuts) and biases from working in their team, function or group. When they are confronted with a decision to be made in the workplace, especially if they are under time or other pressure, System 1 will kick in. Processes or activities requiring ‘hard thinking’ – System 2 – will, in all likelihood, not be followed. When we think about many of the activities linked to cybersecurity, they will require the use of System 2 thinking for most non-specialists, because those non-specialists do not have the same heuristics and frames of reference as we security professionals do. So, when faced with a cybersecurity decision, most people (non-specialists) will follow the behaviours other people demonstrate (an illustration of the power of social proof68) or use a System 1 decision-making approach. Thus the culture becomes self-reinforcing; people do what they see other people doing and then it becomes part of their in-built decision-making process.

Culture as a point of vulnerability as well as strength

If culture is made of espoused values, practices and underlying assumptions common to any given group, whether national, organisational or even professional, and these have a significant impact on the choices people make, then can they be a point of vulnerability as well as a strength (see Kemp, 2004)?

A mature approach to cybersecurity includes identifying and assessing vulnerabilities within people, processes and technology and understanding what, if any, threats could exploit these, the impact should this happen and the likelihood of the threat materialising. If culture is part of our mental programming, as argued by social anthropologists, and is a powerful unconscious influence on the decisions we make, then this knowledge could arguably be used to design attacks against organisations, resulting in a compromise of data security and privacy.

This argument then forces us to consider whether we should include culture as a threat or vulnerability to our organisation and include it in our risk assessment methodology and in our risk assessments. If we as cybersecurity professionals clearly identify culture as a risk, then we will need to be able to present quantitative or qualitative measures of its impact on the business and on the controls we implement.

THE ROLE OF CULTURE IN ‘AWARENESS’

As we will go on to discuss later, cultures are formed under the influence of many stakeholders. Formal structures exist that are both part of culture and responsible for embedding culture into the members of a group, whether they are working within an organisation or living within a nation state. Education, at all levels, from nursery through to professional training, is an example of a formal structure.

Informal structures predominately focus on the day-to-day living experiences of individuals: what they see, feel and hear in the environment in which they live or work and how others within their group respond to those environments. In the work environment, individuals become aware through experience of everyday practices of how things get done, including the shortcuts taken or the failure to comply with the organisation’s policies and processes.

In the work environment, employees, especially new ones, mirror the behaviours they become aware of around them. In behavioural science it is well documented that people are subject to cognitive biases and heuristics, one of which is called social proof. People, more often than they would like to admit, are heavily influenced by other people’s behaviours on an unconscious level. This is only natural as people prefer to identify with a group. They mirror behaviours as part of a survival instinct, herding, and because they do not want to be seen to stand out. This mirroring behaviour is common especially in environments or in relation to things that the individual doesn’t know much about or where the environment is new to the individual. This is even the case where people have been made aware of the rules, have gone through formal education, have demonstrated competency around the rules and their roles and responsibilities and have witnessed or experienced the impact when things go wrong. A good example of this is cultural attitudes towards driving.

In many ways if we could crack the organisational culture, then this alone would drive levels of ongoing awareness, as the culture would demonstrate the behaviours we wish to be followed from a security perspective.

HOW ARE CULTURES LEARNED?

If your job title or role is to bring about change in an organisation’s culture, whether that’s introducing a new set of values, leveraging existing ones or looking to scale back others, then it seems natural that understanding how cultures are formed and influenced is going to be of some help.

In our enthusiasm to bring about change, do good and be seen to be making early progress, especially against our goals, it’s tempting to launch straight into tactical initiatives to bring about a security culture.

We often label these ‘quick wins’ or ‘low-hanging fruit’. These initiatives should be welcomed, so long as they contribute to the longer-term vision and don’t undermine the foundations that need to be put in place. However, their effectiveness at bringing about cultural change is arguably limited.

From the moment we’re born we start experiencing life through our senses and interpreting this using our brain. Now our senses aren’t fully operational at this point and neither has our brain developed its full capacity. However, humans have evolved so that both our senses and our brain are sufficient at the point of birth to be able to do what they need to do, which is survive.

However, a newborn can’t survive on its own. It is reliant on others to survive. Maslow’s theory provides an interesting sense of the parents’ initial role of provider of food, physical safety, warmth and so on. Initially this is the parents’ role and it is here, as this small group, where we start to experience the importance of belonging to a group and become reliant on the impact of group dynamics.

Our brains and senses are well on the way to developing the capacities we often take for granted. But some senses are more developed and effective than others. All of this combined means our experiences of life are becoming broader and richer in terms of both content and emotion. The process of learning the acceptable norms within our group continues to evolve.

As we develop, from a newborn to a toddler and then move into early education, it is generally true within many cultures that the group within which we experience and become aware of the acceptable norms tends to get bigger.

When we start our early education, away from our close and extended family as well as their friends, we enter into a formal structure for learning. That learning is both structured and informal. Meeting other children and adults introduces us to their values. Where their values are similar or the same, they reinforce our own values. It also introduces us, via the education system, to the policy and espoused values of key stakeholders beyond our family and friends, including government, for example. The increasing role of government, through education as well as several other policy areas, means the institutions whom we entrust with our children are significant players in embedding culture and cultural values into our children.

As children get older the role of formal and informal structures in their development continues. Their experience of applying cultural norms increases and their day-to-day encounters of life escalate. They branch out and pursue interests, establish groups of friends with similar interests and develop a shared experience of those interests with others within their social groups.

It’s not unusual at this stage to find children stepping out and finding their own two feet. Their relationship and reliance on the traditional family and extended family and friends’ connections will potentially change, especially in some cultures.

At this stage in life and the education system many people start to focus, whether of their own volition or because of an external factor, on a particular path for developing skills. Children are asked to think about their future profession, career or some other means of making a living and contributing to society.

Those choices appear to be discretionary. However, there are forces already at play stacking the odds in one direction or another. Family, friends, media and school all have an influence. When choices are made we commit to a particular course of action and sometimes study. Our circle of day-to-day contacts changes and we enter another period of the development of our cultural compass as we experience what it means and takes to pursue a particular career or skills set.

At a basic level many of these careers and skills are common across industries and national boundaries. Most professions have a relatively consistent structure, process, procedures and standards for achieving professional status in any country. Often these are accompanied by shared values and experiences as well as myths, rituals and stories. This applies just as much to those career and life choices that do not fall under what we traditionally think of as ‘professions’.

Then we find employment or work, within organisations or for ourselves, and join the workforce. The organisations we join in many ways are micro systems living and operating within a much greater system.

It is within these organisations we believe that we experience ‘organisational culture’ for the first time and, in many ways, the literature and industry thinking reflects this. However, there’s also a clear, undeniable argument that we have already experienced organisational culture through our participation in the education system, membership of social, sporting or other similar groups and our experience of family and life up to the date when we start working within organisations. These organisations of people don’t take the immediate form of organisations we work within, as employees, suppliers or some other form; however, they are organisations in almost every aspect.

We are exposed to organisational cultures from the moment we are born through our families, education, hobbies, friends and work. Organisational culture is not something we experience for the first time when we join the workforce.

Forming organisational culture

Is how organisational cultures are formed any different from the explanation about how national culture is formed? In many respects I don’t think so. But with two simple exceptions.

First there is the matter of choice. We have no choice in the matter when it comes to our own birth, where we are born, who our family is and the process by which we grow and develop, especially in our early years.

Second, when we are born most would argue that we turn up with a metaphorical ‘clean sheet’ as far as culture goes. As a newborn, we have not experienced cultural programming through life experiences but, as we grow, those experiences, both formal and informal, and our awareness of these, mean we start to assimilate the culture in which we grow. This might explain how, in the second and subsequent generations of migrants, original cultural values change over time. It may further explain the intergenerational gaps that are fostered as the younger generation assimilates the cultural values of a host country through their life experiences and interaction with the members of their host nation or group.

However, on a relatively simple level the similarities between how organisational and national cultures are formed are quite clear. Table 6.2 presents some examples.

Table 6.2 Common factors influencing the creation of national and organisational cultures

| Outside the workplace | Within the workplace |
| --- | --- |
| Parents | Organisation founders/leadership. |
| Family | Leaders/managers/department. |
| Informal education | Day-to-day experience, sharing and observing of ‘how things are done around here’ or the values, practices and characteristics that are recognised and rewarded or penalised. |
| Formal education | Structured learning and development within an organisation on its espoused values and artefacts or professional development around skills. Assessing knowledge and competency of all of these. |
| Friends | Work colleagues you engage with closely day to day. Peers. Almost friends within a work context, possibly people you’d actively meet outside work because you have a shared interest. |
| People you interact with | Work colleagues you interact with but strictly in a work scenario. Other people whom you may or may not see or know at work or with whom you might engage due to work, such as customers/suppliers or other external stakeholders. |
| Media including all external stakeholders who develop and distribute content | Internal communication activities. |
| Social media | Social media. |

Organisational culture: top down or bottom up?

Unsurprisingly, there is much debate about whether culture can be formed or changed from the top or the bottom of an organisation. Proponents of the ‘top down’ model make the not unreasonable assumption that if senior management (or their boss) says something is important – and changes their behaviour to match – then it is something they should follow. This calls up the idea of leaders and artefacts as mechanisms to change or influence culture.69 The same can also be said of cultures in start-ups; as these organisations are typically small, the influence and visible practices (rituals and routines) of the founder-leaders define and shape the culture going forward.70 Interestingly, the UK financial regulator (termed the Financial Conduct Authority (FCA) at the time of writing) suggested that ‘culture comes from the past’,71 as ‘mindsets are developed and reinforced over years and even decades and are passed down from one generation to the next’. We could thus state that culture is not necessarily changed from the top down but could be reinforced top down.

Another view is that organisational culture develops daily as a result of the interactions between staff, staff and customers, staff and competitor employees and so on. The sum total of these interactions drives and shapes the corporate culture and, by changing how the majority of individuals carry out their work and their behaviours, changes the culture. These changes are then perceived by senior management, who act to capture and confirm the changes they see as being of benefit.72

However, I suspect there may be a third way, just as in the setting and execution of organisational strategy: ‘middle out’. In this model, it is the decisions and judgements of middle managers who typically link lofty strategic goals to the day-to-day reality that determine the success, failure and overall implementation of the strategy. Likewise, how these individuals interpret the cultural messaging from senior management and apply that in the context of their teams, business targets and business environments will influence how the culture changes.

HOW ARE CULTURES INFLUENCED?

The answer to this question varies depending on how you interpret the term culture.

If you take a behaviouralist focus where culture and behaviour are one and the same, then your approach will be focused on influencing behaviour.

Behaviour is covered elsewhere in this book; however, it can be influenced in several ways: we can attempt to influence a single behaviour; influence multiple behaviours; use a single tool or intervention to drive change; or we can use multiple tools to drive change. But at a simple level we can design working environments that give people no option but to do it our way, using technical or process interventions. We can also design working environments where certain choices are rewarded, or promoted, or made easier than other choices, using what is termed choice architecture. Choice architecture refers to the practice of influencing choice by ‘organising the context in which people make decisions’, or ‘choice architecture can be used to help nudge people to make better choices (as judged by themselves) without forcing certain outcomes upon anyone’.73 The design, layout and functionality of workspaces, cafeteria and software can be altered or include choice architecture from the beginning to change the context in which people make decisions. We discussed earlier the impact of moving fruit and chocolate around in a shop. In the work environment we can influence behaviour by building processes that require a security step or integrate security, so that individuals have no choice but to perform a task in a secure manner,74 or we can make certain choices difficult to pursue by requiring reporting, bureaucracy and time for completion. We can attempt to influence behaviours, by making people aware of our expectations and educating them so they are competent to fulfil these expectations and choose to do so when confronted with a given situation. We can understand how behaviours are formed and influenced and the role of culture within this and then use these principles to drive whatever change initiative we put in place.

Using choice architecture is considered a more interventionist approach. Such an approach takes much of the human factor, and its associated risk, out of the equation, leaving only the choices made when identifying, approving, implementing and managing the actual architecture. The approval process for investing in such a choice architecture, if it can be traced all the way to the top, may be interpreted as demonstrating a board culture where security is valued. If we use choice architecture and design it correctly, we do not remove choice from our employees: we make the desired choice an easier choice to make. In other words, choice architecture stacks the odds in our favour of a positive security behaviour and outcome. The choice architecture doesn’t guarantee that the desired choice will be made and, therefore, you can argue that where the employee still chooses the desired course of action, they are making a positive choice.

However, interventions that remove the option for employees to make a positive security choice, such as technical controls that block actions or process designs that give you only one way to get things done, are behavioural interventions rather than choice interventions. If we deliberately curtail choice, do we actually hinder the move towards fostering an organisational culture where security is truly valued by everyone? If employees don’t have to think for themselves when it comes to security, and become ambivalent to it, are they culturally aware or contributing to the security culture in a positive manner?

Some may interpret implementing choice architecture as somewhat Machiavellian, manipulative and an erosion of trust between employer and employee. Others may see such interventions as going too far, bringing them directly into conflict with values and underlying assumptions. Examples include a technical control that enforces a policy no matter how hard you try to break it, used in an organisation where individual freedom, thought and action are part of the underlying values: the control will be seen as reducing the ‘rights’ of individuals to do things their way. Or turn gates at the office reception that only allow one person through at a time and don’t let you pass your office swipe card back to someone waiting on the other side, in an organisation where an underlying value is to help out people in trouble.

If you take a broader view that culture is about the values that drive choices, which result in observable behaviour, and which underlie the elements that make up both national and organisational culture, then your approach will probably take a wider view of the challenge than behavioural intervention and choice architecture alone. In an organisation, building a culture that aligns both organisational values and individual values75 and linking strategy to culture are seen as key determinants76 to building, strengthening and influencing culture. The penalties for ignoring culture or value alignment, or promoting poor cultural norms, are regularly exposed these days.77

Building on the observation that national and organisational cultures are formed as an output of formal and informal structures and experiences, as detailed in this chapter, then it stands to reason that they can also be influenced by them.

That means culture is both flexible and dynamic, responding to changes in the environment that both nurtures and hosts it as well as benefits from it. This should give all of us responsible for embedding values and practices associated with security into organisations and society a degree of optimism. Some of these changes, specifically any change in values, can take a long time to take shape and others can appear to materialise relatively quickly. It’s not unusual to see internal communication campaigns, which can be rolled out within a year or less, extolling the organisation’s espoused values when it comes to security. However, just because you invest in a communications campaign to share those values it doesn’t make the underlying assumptions or values change.

In this chapter we have considered culture within the context of society as a whole as well as culture within the context of an organisation. The emphasis has been on how cultures are formed at a national and an organisational level. By understanding these formal and informal influences on culture we can identify the wide range of opportunities to intervene and shape an organisation’s, or even society’s, cultural attitude towards security as shown in Table 6.3.

Table 6.3 Major factors that influence culture


The table highlights what we consider to be the major factors that influence culture. We highlight the fact that a number of the manifestations of culture listed here (heroes, behaviours) have been discussed by other authors in this book and reinforce the tight linkage between awareness, behaviour and culture.

WHY IS CULTURE OF INTEREST IN A SECURITY CONTEXT?

Other than the lack of understanding of what we mean by the term ‘culture’, there is I believe a difference of opinion about why culture is of interest. When we think about the organisations we work in, we can now see there are at least three cultures we may wish to examine: the overall organisational culture, the security culture and the culture of the security function.

So, when we say ‘security culture’ are we:

So, when we think about culture, where are we aiming? Why are we interested? Do we think that by changing ‘the culture’ we will see better security outcomes, fewer incidents and a happier, more educated workforce? Importantly, why should non-security individuals be interested?

SUMMARY

Culture is not as simple as it first seems. While we all know it when we see it, it’s much more difficult to reduce to an easy-to-grasp definition we can all agree on. In part, that’s because culture is made of tangible and intangible components; we can easily see the tangible but may struggle to identify the intangible. As the reader is aware, the intangible can often be the major force in shaping the culture we observe. Again, while we all know culture can change, it’s subject to many influences, so finding the influences with the most impact and ability to cause lasting change can also be difficult. We’ve briefly looked at differing types of culture, from the national to the team, from the organisational to the professional. It is true that many of these types of cultures display the same characteristics and influences; furthermore, each cultural type interacts with other cultural types, so we can see that culture is a rich tapestry.

Finally, we’ve discussed how we can approach culture change from a behaviouralist perspective, invoking the concept of choice architecture, and from a values perspective.

We will now use our understanding of culture as the launchpad to examine how we can change culture in the next chapter.

NEXT STEPS

Aside from reading one or more of the books we’ve quoted to gain a deeper insight into the topic, we would recommend that you take a very practical approach: