Embedding a Security Culture
The 4Es of the process
First, we have to shape the environment that will drive and facilitate the behaviors: a physical environment (systems, procedures, activities) that will make the consolidation of the Security Culture easier. At this stage, we must also shape the social environment of change (leadership by example, peer pressure, norms).
Educate "Why"
We make employees aware of the threats and risks to the security of the organization.
We align security with key business objectives and express the importance and reasons why employees should care.
Enable "How"
We explain the vital role that employees can play in mitigating the threat through their actions and behaviors. We communicate what good security behavior looks like. We develop the relevant skills and abilities in the workforce.
Encourage the Action
We encourage the desired action through positive and negative reinforcement. We recognize and reward positive actions and behaviors, and we discourage negative actions and behaviors.
Evaluate the Impact
We assess the impact and extent of the behavior change.
We identify KPIs and success measures.
We measure the scale of change in those KPIs and success measures and adjust our program.