COMP.SEC.100, 3. Risk Management and Governance
3.5 On security culture (advanced)
Managing risk management (advanced)
Risk assessment and the development of mitigation measures to manage risks are likely effective only if a coordinated and well‑communicated governance policy concerning the system under management is in place. Four things affect the perception of risks:
- intuitive assessment related to probabilities and harms
- contextual factors related to perceived characteristics of the risk (e.g., familiarity) and the risk situation (e.g., personal control)
- meanings related to the risk source, people associated with the risk, and the conditions under which risk-taking occurs
- trustworthiness and credibility of the actors participating in the risk discussion
A risk management system should include a broad stakeholder perspective, because this increases acceptance of risk management measures and strengthens the organization's commitment to the chosen model. Elements of a successful risk management system include a close connection to daily operations and decision-making, and treating cyber risks as equally important as other risks (health, safety, finance, personnel, and so on). For example, when travelling abroad, employees routinely follow spending limits and the organization's travel procedures without questioning them. Cybersecurity should be viewed in the same way: as a clear set of processes that reduce harm to individuals and to the company. Everyone involved in an organization's daily operations should understand security as part of everyday organizational culture; otherwise, security cannot be effectively achieved. A cyber risk management system is a key factor in forming and adopting a security culture.
Human Factors and Risk Communication (advanced)
Human factors influence security management: people may have difficulty using security tools correctly; they may not understand how important data, software, and systems are to the organization; they may not believe they are at risk or could be targets of an attack; or they may not realize that their own behavior places the system in danger. This means that risks cannot be reduced with technology alone. If an organization believes that being attacked is unlikely, even though statistics show that cybersecurity incidents increase year by year, the problem likely lies in the organization's cybersecurity culture. Training people is essential to ensure that the principles defined in risk management and security policies are actually adopted.
People generally follow the path of least effort in performing their work, and when they fail to comply with required security behaviors, it happens for one of two reasons:
- They cannot behave as required. For instance, the required behavior is not technically possible, or the security procedures and practices are disproportionate to the situation, too difficult to understand and adopt, or unclear.
- They do not want to behave as required. For instance, they find an easier workaround for a low-risk but time-consuming security policy, or they disagree with the proposed policy.
For these reasons, it is important to define responsibilities and the consequences of violating the security policy.
Risk communication also plays an important role. It includes, for example, the following perspectives:
- Training: especially risk awareness and daily handling of risks, including the assessment and management of risks and concerns.
- Practice and encouragement for behavior change: adopting the information provided through training, and changing internal practices and processes to align with security policy.
- Building trust: concerning both the organization’s risk management and key personnel, with the goal of developing long-term trust in risk management and maintaining it through successful actions.
- Inclusion: especially in decision-making processes related to risks; stakeholders are given the opportunity to participate in assessing risks and concerns and in resolving disagreements.
Setting an example is an extremely important part of the risk communication process. Employees are likely to become irritated and careless themselves if it appears that senior management does not follow the same risk management rules and principles as employees. Visible leadership commitment is essential for a strong risk communication culture.
Security Culture (advanced)
In security matters, accountability should be tied to learning. This means, for example, that employees should feel safe reporting problems and concerns even if they believe they are at fault or have made a mistake. Accountability should be closely connected to helping the organization, without fear of stigma or punishment. Sometimes those responsible for managing security have limited understanding of how security policies can realistically be implemented in practical operational work. It should be acknowledged that not all situations have a clear right or wrong answer, and that poorly designed processes and practices, rather than intentional malicious behavior by employees, have likely been the underlying cause of security breaches.
Underlying causes should be investigated rather than engaging in a "search for the guilty." The person who made an error may also need help and support to cope with feelings of guilt. An organization could, for example, have an independent team that handles security incident reports so that employees do not have to discuss them with their direct supervisors. When employees understand how security breaches are handled and what follows from them, it reduces anxiety and leads to a more open security culture.
Implementation of Security Policy (advanced)
Effective cyber risk management systems are supported by clear and usable security policies. From the start of the risk assessment, its purpose and scope should be clear. At the same time, the objectives of the system being assessed should be identified; these objectives should be achievable and clearly related to the processes that support them. System risks must be formulated clearly so that each risk identifies the vulnerabilities, threats, and probabilities involved and the outcomes that follow (its causes and consequences). Risk management decisions aim to mitigate the threats identified for these processes. Those decisions should be tied to security policies, which must clearly express the required actions and measures together with a timeline for reducing the risks, and should also state what is expected to happen if a risk materializes.