How do you measure security culture?

A question we get asked a lot is: How do you measure security culture effectively?

Our answer is to deploy our comprehensive, tried and tested, assessment tool called SABR (Security Awareness and Behaviour Research). This is a ground-breaking tool designed to assess, analyse, and elevate your organisation's security culture by providing qualitative data to inform your cyber security decisions.

Understanding the significance of security culture

Before delving into the specifics of measuring security culture using the SABR survey, it is crucial to grasp why security culture matters in the first place.

• Human-centric approach: While advanced cyber security technologies are vital, the human element remains the weakest link in the security chain. A strong security culture empowers employees to become proactive defenders against cyber threats.
• Compliance and risk mitigation: Regulatory requirements demand not only robust cyber security measures but also a culture that values data protection and privacy compliance. A robust security culture helps organisations meet these obligations.
• Reduced incidents: A well-established security culture reduces the likelihood of security incidents, saving organisations from financial losses, reputational damage, and operational disruptions.
• Attracting and retaining talent: In a competitive job market, a strong security culture can be a key differentiator in attracting and retaining top talent who seek assurance that their data is handled responsibly.
• Adaptability: As cyber threats evolve, a culture of security ensures that employees remain adaptable, prepared, and vigilant in the face of emerging risks, innovative technology, and new wave cyber-attacks.

Introducing our SABR Survey

Our SABR survey is a comprehensive tool that measures and evaluates your organisation's security culture across five critical dimensions. Here is how it works:

1. Security engagement: This dimension assesses the level of engagement employees have with your organisation's security policies and practices. Are they actively participating in security initiatives and demonstrating a commitment to safeguarding sensitive data? Are they actively taking part in important training or are you seeing elevated levels of passive completion?
2. Authentication: Authentication is a cornerstone of cyber security. SABR examines whether employees are adhering to authentication protocols and using secure access methods consistently, thus highlighting security gaps, weak links and areas that need added focus.
3. Data privacy and information handling: Protecting sensitive data is paramount. This dimension evaluates how well employees understand and implement data privacy measures and how they handle sensitive information, illuminating security gaps and unsafe behaviours.
4. Physical security: Cyber security is not limited to the digital realm. Physical security measures are also crucial. The SABR survey assesses employee awareness and compliance with physical security protocols like tailgating and the importance of a clear desk.
5. Organisational culture: Culture shapes behaviour. This dimension explores the overall organisational culture as it pertains to security whilst highlighting areas where cultural shifts may be necessary.

The power of quantitative data

One of the strengths of the SABR survey is its ability to provide quantitative data on your organisation's security culture and maturity. By employing 80 carefully crafted questions, the survey provides a comprehensive and objective assessment.

• Objective benchmarking: The data generated by the SABR survey allows you to benchmark your organisation's security culture against industry standards and best practices, absent of internal biases and preconceived inclinations.
• Identifying weak points: With detailed insights, you can pinpoint specific areas where your organisation may be lacking in security culture and take targeted actions to address these weaknesses. You may find individual employees that need attention or even an entire department or a specific threat that needs focus – the light shone by SABR on the security infrastructure is wide and bright.
• Measuring progress: Over time, you can use the SABR survey to measure the impact of your security awareness and training initiatives and track improvements in your organisation's security culture. It can be used as a regular assessment tool to progress and build your security culture and maturity in a long-term initiative.
• Data-driven decision making: Armed with quantitative data, decision-makers can make informed choices regarding resource allocation and strategic planning to enhance security culture. Furthermore, after helping many security leaders in their pursuit of board engagement, we understand the power of data in manager masterclasses. The data you get from SABR will allow you to contextualise awareness and technical issues and distil them into information bites that board members can ingest, understand, and take on board.

Did you know SABR is available for smaller organisations as well?

There's no reason to hesitate, because no matter your size and scope ... we have the perfect solution for you.

Conclusion

The SABR survey offers a sophisticated and data-driven approach to measuring and improving your organisation's security culture. By assessing engagement, authentication practices, data privacy, physical security, and organisational culture, the SABR survey empowers cyber security decision-makers to take targeted actions that enhance security maturity. It is more than just a survey; it is a roadmap to a stronger, safer, and more resilient organisation in the face of today's cyber security challenges.

If you would like information about how The Security Company can help you to formulate a cyber security training and awareness program for your organisation or if you would like to assess your organisation's security culture across five dimensions with SABR ... please contact our Head of Business Development and Sales,  Jenny Mandley.

The Security Company's vast library of customised and non-customised products and services are tailored for small, medium and large organisations and are available in a variety of languages. We also offer bespoke solutions for organisations that desire training and awareness materials built from the ground up.