Human Centric - Enterprise Security Culture

The profound change in technology and its rapid adoption by enterprises and individuals worldwide has challenged human behavior, demanding a serious change in how people deal with the emerging risks and safety issues that come with it. Since awareness is the key to any change, people must learn and understand those risks and the impact their own behavior has on them.


Given the recent increase in cyber-attacks and data thefts, one does not need to be an expert to understand the seriousness and impact of these attacks: they are already causing serious damage and regularly make media headlines.


Geert Hofstede, the well-known social psychologist, describes culture as the "software of the mind": the shared mental programming that allows the members of a group to align their thoughts, beliefs, and actions in order to solve specific problems.

While most organizations invest millions in security technologies as their defense, they neglect the human aspect of security, which has repeatedly proven to be the weakest link. This makes it possible for adversaries to target people directly through social engineering, phishing and other means. Recent attacks have shown the serious impact of a small mistake, such as a user clicking the wrong link or someone introducing an external storage device such as a USB memory stick into an enterprise or industrial network (the Stuxnet attack is the best-known example). These risks are not limited to organizations; many individuals also fall victim to cyber-attacks. Recent phishing scams and ransomware campaigns have caused serious financial damage to organizations and individuals alike. Business email compromise, in which attackers impersonate CEOs and CFOs to request fraudulent payments, has been a particularly effective form of phishing; together with other attacks that involve impersonated executives, it has caused more than US$2.3 billion in reported losses.


"Human behavior is complex and inconsistent, making it a rich hunting ground for would-be hackers and a significant risk to the security of your organization." - Kai Roer, Build a Security Culture

All too often, security awareness is a one-time or once-a-year effort that fails to engage employees. Educating people to be more security- and risk-aware is challenging; attaining it as a competence is a process, not something that can be delivered by a single lecture or presentation. A human-centric security culture requires a change in how people think, what they believe and, finally, how they act on it, and the starting point varies with each person's past experience and background.


Organizations of all types and sizes have to invest in and engage with employee security awareness if they are to deal successfully with modern attacks and risks. Focus on SMART goals and the right metrics to plan, implement and measure the program's effectiveness. Security awareness should combine videos, online training, board briefings and other means of engaging users, chosen according to the audience. Awareness programs are most effective when they are customized to highlight the specific risks evident in the users' business environment and keep users aware of what a security failure would mean for the business and for them as individuals.


Finally, a few important points for better security awareness:

  • Identify business-specific and technology risks
  • Establish a security awareness program
  • Establish goals and metrics
  • Identify effective delivery media for awareness content
  • Deliver in multiple languages (multilingual)
  • Understand cultural sensitivities
  • Make awareness an ongoing effort, not a one-off event
  • Monitor the program's effectiveness against the chosen metrics