Distinguishing between security culture and security awareness helps articulate the risk management value of these terms
Security culture and security awareness should be two different things.
For security geeks, I’ve started reading The Security Culture Playbook. At this point I really like the book, but it begs a question.
Perry Carpenter and Kai Roer lay out some key reasons why employees are so vulnerable to cyber attacks.
Importantly, they have also defined “security culture” as meaning: “Security is embedded into the organization”.
I agree that this should be true.
But I think there is an opportunity here to make a distinction between “security culture” and “security awareness”, in practical risk management terms.
Just as we often see “threats” defined as the product of “likelihood” and “capability”, it can be helpful to define an employee’s “intent” and “ability” as components representing their effectiveness (inversely proportional to vulnerability) in responding to a threat.
Photo by Randy Fath on Unsplash
For just $325 USD, you can run a 6 week, automated program for phishing, social engineering and working from home. (Limited time offer. Normally valued at $999 USD)
Use Promo Code: 6WEEKS
Here are a few ways I believe these terms might be related:
1) Security Culture (intent) x Security Awareness (ability) -> ? (vulnerability)
2) Security Culture (intent) x ? (ability) -> Security Awareness (vulnerability)
or… (I’m not a fan of this one)
3) ? (intent) x ? (ability) -> Security Awareness = Security Culture (vulnerability)
So, without having finished the book yet, the question I would ask is, “Should security culture be a component of security awareness”, or do you view them differently? And why?
I think there’s an answer that makes the distinction more useful.
Maybe that’s covered later; or maybe it’s in another book, which I’d love to contribute to.
Scott Wright is CEO of Click Armor, the gamified simulation platform that helps businesses avoid breaches by engaging employees to improve their proficiency in making decisions for cyber security risk and corporate compliance. He has over 20 years of cyber security coaching experience and was creator of the Honey Stick Project for Smartphones as a demonstration in measuring human vulnerabilities.