Creating a Culture of Security

Creating a 

Culture of Security

Creating a Culture of of SeCurity 

ISACA ® 

With 95,000 constituents in 160 countries, ISACA (www.isaca.org) is a leading global provider 

of knowledge, certifications, community, advocacy and education on information systems (IS) 

assurance and security, enterprise governance and management of IT, and IT-related risk and 

compliance. Founded in 1969, the nonprofit, independent ISACA hosts international conferences, 

publishes the ISACA ® Journal, and develops international IS auditing and control standards, 

which help its constituents ensure trust in, and value from, information systems. It also advances 

and attests IT skills and knowledge through the globally respected Certified Information Systems 

Auditor ® (CISA ® ), Certified Information Security Manager ® (CISM ® ), Certified in the Governance 

of Enterprise IT ® (CGEIT ® ) and Certified in Risk and Information Systems Control TM (CRISC TM ) 

designations. ISACA continually updates COBIT ® , which helps IT professionals and enterprise 

leaders fulfill their IT governance and management responsibilities, particularly in the areas of 

assurance, security, risk and control, and deliver value to the business. 

Disclaimer 

ISACA has designed and created Creating a Culture of Security (the “Work”) primarily as an 

educational resource for security professionals. ISACA makes no claim that use of any of the 

Work will assure a successful outcome. The Work should not be considered inclusive of any 

proper information, procedures and tests or exclusive of other information, procedures and tests 

that are reasonably directed to obtaining the same results. In determining the propriety of any 

specific information, procedure or test, security professionals should apply their own professional 

judgment to the specific circumstances presented by the particular systems or information 

technology environment. 

Reservation of Rights 

© 2011 ISACA. All rights reserved. No part of this publication may be used, copied, reproduced, 

modified, distributed, displayed, stored in a retrieval system or transmitted in any form by any 

means (electronic, mechanical, photocopying, recording or otherwise) without the prior written 

authorization of ISACA. Reproduction and use of all or portions of this publication are permitted 

solely for academic, internal and noncommercial use and for consulting/advisory engagements and 

must include full attribution of the material’s source. No other right or permission is granted with 

respect to this work. 

ISACA 

3701 Algonquin Road, Suite 1010 

Rolling Meadows, IL 60008 USA 

Phone: +1.847.253.1545 

Fax: +1.847.253.1443 

E-mail: info@isaca.org 

Web site: www.isaca.org 

ISBN 978-1-60420-183-3 

Creating a Culture of Security 

CRISC is a trademark/service mark of ISACA. The mark has been applied for or registered in 

countries throughout the world. 

2 

© 2 0 1 1 I S A C A . A l l R I g h t S R e S e R v e d .

ISACA wishes to recognize: 

ACknowledgmentS 

aCknowledgementS 

Development Team 

Steven J. Ross, CISA, CBCP, CISSP, Risk Masters, Inc., USA, Author 

Jo Stewart-Rattray, CISA, CISM, CGEIT, CSEPS, RSM Bird Cameron, Australia, Chair 

Christos Dimitriadis, Ph.D., CISA, CISM, INTRALOT S.A., Greece 

Wendy Goucher, Idrach Ltd., UK 

Norman Kromberg, CISA, CGEIT, Alliance Data, USA 

Finn Olav Sveen, Ph.D., Gjøvik University College, Norway 

Vernon Poole, CISM, CGEIT, Sapphire, UK 

Rinki Sethi, CISA, eBay, USA 

Expert Reviewers 

Sanjay Bahl, CISM, Microsoft Corp. (India) Pvt. Ltd., India 

Garry Barnes, CISA, CISM, CGEIT, Commonwealth Bank of Australia, Australia 

Krag Brotby, CISM, CGEIT, NextStepInfoSec, USA 

Meenu Gupta, CISA, CISM, CBP, CIPP, CISSP, Mittal Technologies, USA 

Mark Lobel, CISA, CISM, CISSP, PricewaterhouseCoopers LLP, USA 

Naiden Nedelchev, CISM, CGEIT, Mobiltel EAD, Bulgaria 

Ramesan Ramani, CISM, CGEIT, Paramount Computer Systems, UAE 

Christophe Veltsos, Ph.D., CISA, CIPP, CISSP, GCFA, Minnesota State University, Mankato, USA 

ISACA Board of Directors 

Emil D’Angelo, CISA, CISM, Bank of Tokyo-Mitsubishi UFJ Ltd., USA, International President 

Christos K. Dimitriadis, Ph.D., CISA, CISM, INTRALOT S.A., Greece, Vice President 

Ria Lucas, CISA, CGEIT, Telstra Corp. Ltd., Australia, Vice President 

Hitoshi Ota, CISA, CISM, CGEIT, CIA, Mizuho Corporate Bank Ltd., Japan, Vice President 

Jose Angel Pena Ibarra, CGEIT, Alintec S.A., Mexico, Vice President 

Robert E. Stroud, CGEIT, CA Technologies, USA, Vice President 

Kenneth L. Vander Wal, CISA, CPA, Ernst & Young LLP (retired), USA, Vice President 

Rolf M. von Roessing, CISA, CISM, CGEIT, Forfa AG, Germany, Vice President 

Lynn C. Lawton, CISA, FBCS CITP, FCA, FIIA, KPMG Ltd., Russian Federation, 

Past International President 

Everett C. Johnson Jr., CPA, Deloitte & Touche LLP (retired), USA, Past International President 

Gregory T. Grocholski, CISA, The Dow Chemical Co., USA, Director 

Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, Queensland Government, 

Australia, Director 

Howard Nicholson, CISA, CGEIT, CRISC, City of Salisbury, Australia, Director 

Jeff Spivey, CPP, PSP, Security Risk Management, USA, ITGI Trustee 

Guidance and Practices Committee 

Kenneth L. Vander Wal, CISA, CPA, Ernst & Young LLP (retired), USA, Chair 

Kamal N. Dave, CISA, CISM, CGEIT, Hewlett-Packard, USA 

Urs Fischer, CISA, CRISC, CIA, CPA (Swiss), Switzerland 

Ramses Gallego, CISM, CGEIT, CISSP, Entel IT Consulting, Spain 

Phillip J. Lageschulte, CGEIT, CPA, KPMG LLP, USA 

Ravi Muthukrishnan, CISA, CISM, FCA, ISCA, Capco IT Service India Pvt. Ltd., India 

Anthony P. Noble, CISA, CCP, Viacom Inc., USA 

Salomon Rico, CISA, CISM, CGEIT, Deloitte, Mexico 

Frank Van Der Zwaag, CISA, Westpac New Zealand, New Zealand 

© 2 0 1 1 I S A C A . A l l R I g h t S R e S e R v e d . 

3

4 

Creating a Culture of SeCurity 

ACknowledgmentS (cont.) 

ISACA and IT Governance Institute ® (ITGI ® ) Affiliates and Sponsors 

American Institute of Certified Public Accountants 

ASIS International 

The Center for Internet Security 

Commonwealth Association for Corporate Governance Inc. 

FIDA Inform 

Information Security Forum 

Information Systems Security Association 

Institut de la Gouvernance des Systèmes d’Information 

Institute of Management Accountants Inc. 

ISACA chapters 

ITGI Japan 

Norwich University 

Solvay Brussels School of Economics and Management 

University of Antwerp Management School 

ASI System Integration 

Hewlett-Packard 

IBM 

SOAProjects Inc. 

Symantec Corp. 

TruArx Inc. 


ContentS 

table of ContentS 

Preface .............................................................................................................................. 9 

Endnotes ...................................................................................................................... 9 

1.0 Introduction ............................................................................................................ 11 

1.1 Hard and Soft Security ...................................................................................... 13 

1.2 Whose Culture Is It? ............................................................................................ 15 

Endnotes .................................................................................................................... 15 

2.0 A Culture of Security in Context ........................................................................ 17 

2.1 Doing vs. Believing ........................................................................................... 17 

2.1.1 Ambiguity and Inconsistency.................................................................. 18 

2.2 Culture in Context ............................................................................................. 18 

2.2.1 Societal Culture and Security ................................................................ 20 

2.2.2 Organizational Culture and Security ...................................................... 21 

2.2.3 Personal Culture and Security ................................................................. 22 

2.3 Security in the Context of Culture ................................................................... 24 

2.3.1 Security as the Basis of Trust ................................................................. 26 

2.3.2 Security in the Prevention of Fraud and Misuse of 

Information Resources ..............................................................................28 

2.3.3 Security and Risk Mitigation .................................................................. 29 

2.3.4 Security as a Strategic Driver ................................................................. 32 

2.3.5 Security in Systemic Terms .................................................................... 34 

Endnotes .................................................................................................................... 35 

3.0 The Benefits of a Culture of Security................................................................. 39 

3.1 The Benefits of Trust ........................................................................................ 40 

3.1.1 Internal Trust ............................................................................................ 42 

3.1.2 External Trust ........................................................................................... 43 

3.2 The Benefits of Consistency ............................................................................. 45 

3.2.1 Valuing Information ................................................................................ 46 

3.2.2 Exception Processes ................................................................................. 47 

3.2.3 Risk Management .................................................................................... 47 

3.2.4 Predictability ............................................................................................. 48 

3.2.5 Standardization ......................................................................................... 49 

3.3 Improved Ability to Manage Risk ................................................................... 50 

3.4 Improved Return on Security Investment ....................................................... 51 

3.5 Compliance With Laws and Regulations ........................................................ 53 

3.6 Shareholder/Citizen Value ................................................................................ 54 

Endnotes .................................................................................................................... 55 

© 2 0 1 1 I S A C A . A l l R I g h t S R e S e R v e d . 5

6 


4.0 Inhibitors to a Culture of Security ..................................................................... 57 

4.1 Societal Culture ................................................................................................. 58 

4.2 Lack of Organizational Imperatives................................................................. 59 

4.3 Unclear Requirements ....................................................................................... 60 

4.4 Insufficiency of Awareness Alone ................................................................... 61 

4.4.1 Comprehension of Risk ........................................................................... 62 

4.4.2 The Personal Experience of Security ..................................................... 62 

4.5 Systemic Shortcomings ..................................................................................... 64 

4.5.1 Inability to Detect Variances From Policy and Culture ....................... 66 

4.5.2 Inability to Monitor and Enforce Compliance With the Culture ......... 67 

4.6 Lack of Rewards ................................................................................................ 68 

4.6.1 Security Professionals .............................................................................. 69 

4.6.2 Lack of Metrics ........................................................................................ 69 

4.6.3 Failure to Measure Risk .......................................................................... 70 

4.6.4 Lack of Incidents ...................................................................................... 71 

4.6.5 No Financial Connection ......................................................................... 71 

4.7 What Is in It for Me? ......................................................................................... 72 

4.7.1 Budget ....................................................................................................... 72 

4.7.2 Influence ................................................................................................... 73 

4.7.3 Management Attention ............................................................................ 73 

4.7.4 Personal Regard........................................................................................ 73 

Endnotes .................................................................................................................... 74 

5.0 Creating an Intentional Culture of Security ..................................................... 75 

5.1 Changing Perceptions of Security .................................................................... 76 

5.1.1 Branding Security .................................................................................... 77 

5.1.2 Educating About Security ....................................................................... 80 

5.2 The People Who Make the Culture ................................................................. 81 

5.2.1 Intentionality ............................................................................................. 82 

5.2.2 Finding the Champion ............................................................................. 83 

5.2.3 Objects of a Security Culture .................................................................. 84 

5.3 Attributes of a Security Culture ....................................................................... 85 

5.3.1 Security Champions ................................................................................. 85 

5.3.2 Budget for Security .................................................................................. 86 

5.3.3 Broad Accountability ............................................................................... 87 

5.3.4 Awareness and Education ....................................................................... 88 

5.3.5 Policies, Standards and Guidelines......................................................... 88 

5.3.6 Go/No-go Decisions ................................................................................ 89 

5.3.7 Rewards ..................................................................................................... 90 

5.3.8 Rigorous Response to Breaches .............................................................. 90 

5.3.9 Satisfied Customers ................................................................................. 91 

Endnotes .................................................................................................................... 92 


table of ContentS 

6.0 Positive Reinforcement ......................................................................................... 93 

6.1 Alignment of Information Security and Business Objectives ....................... 94 

6.1.1 Security as an Obstacle ............................................................................ 94 

6.1.2 Strategic Necessity ................................................................................... 95 

6.1.3 Risk Management .................................................................................... 96 

6.1.4 Security Procedures Embedded in Daily Operations ............................ 98 

6.1.5 Management Reward Structure............................................................... 99 

6.2 Balance ............................................................................................................. 100 

6.2.1 The Burden on Security Professionals ................................................ 100 

6.2.2 The Burden on the Enterprise ............................................................... 102 

6.3 Convergence of Security Roles ...................................................................... 103 

6.4 Automated Cultural Tools .............................................................................. 104 

6.4.1 An Architecture for a Security Culture ................................................ 106 

6.5 Stakeholder Feedback ..................................................................................... 109 

Endnotes .................................................................................................................. 110 

7.0 Negative Reinforcement ...................................................................................... 113 

7.1 Perverse Incentives .......................................................................................... 114 

7.2 Vigilance .......................................................................................................... 115 

7.2.1 What to Watch ........................................................................................ 115 

7.2.2 Who Should Watch ................................................................................ 117 

7.3 Automated Detection ....................................................................................... 118 

7.4 Alerts, Alarms and Triggers ........................................................................... 119 

7.4.1 Alerts ....................................................................................................... 119 

7.4.2 Alarms ..................................................................................................... 121 

7.4.3 Triggers .................................................................................................. 122 

7.5 When All Else Fails ........................................................................................ 123 

7.5.1 Penalties .................................................................................................. 125 

7.5.2 Defiance .................................................................................................. 126 

7.5.3 Career Impact ......................................................................................... 126 

Endnotes .................................................................................................................. 127 

8.0 How Good Is Good Enough? ............................................................................. 129 

8.1 Getting There ................................................................................................... 131 

8.1.1 Establish the Need for Change ............................................................. 132 

8.1.2 Communicate the Desired Vision ......................................................... 133 

8.1.3 Achieve Initial Objectives ..................................................................... 133 

8.1.4 Strike a Balance...................................................................................... 134 

8.1.5 Institutionalize the Intentional Security Culture ................................. 134 

8.1.6 Sustain the Intentional Security Culture .............................................. 134 

8.2 Conclusion ........................................................................................................ 135 

Endnotes .................................................................................................................. 136 

ISACA Professional Guidance Publications ......................................................... 137 


8 


Page intentionally left blank 


PRefACe 

PrefaCe 

In October 2010, ISACA published The Business Model for Information Security 

(BMIS). The model takes a business oriented approach to managing information 

security, building on the foundational concepts developed by the association. It 

utilizes systems thinking to clarify complex relationships within the enterprise and, 

thus, to more effectively manage security. 1 

One of the findings of the BMIS study was that an intentional culture of security 2 

was the primary objective for the model, as applied to information security. 3 The 

intentionality of security must be emphasized. Implicit in the use of “intentional” 

is that enterprises—companies in the private sector, agencies in the public 

sector—do not, for the most part, have an effective culture of security, one 

that supports the protection of information while also supporting the broader 

aims of the enterprise. They must take active, directed steps to improve it. All 

enterprises have a culture of security. In most cases, it lacks intentionality and is 

inconsistent to the extent that it exists at all; in others, it is robust and guides the 

daily activities of employees and others who come in contact with the enterprise. 

Most important, those enterprises with a stronger culture of security may not have 

created it purposefully; the existence of meaningful security is so clearly aligned 

with the mission of the business that management did not need to apply intentional 

measures. Understanding whether the culture was created in a purposeful manner or 

by “accident” is critical to sustaining the culture in the long run. 

This volume is dedicated to all those who recognize the importance of security 

and who strive to achieve it. They may feel that their enterprises have given lip 

service to security, but do not actually have the firmness and resolution of purpose 

to receive the full value of the investments made in security. The people they work 

with say the right things, often do the right things and even pay for the right things, 

but the information with which they carry out their responsibilities is not really 

secure. They want to achieve a meaningful, intentional security culture. It is the 

purpose of this volume to suggest the way to do it. 

Endnotes 

1 ISACA, The Business Model for Information Security (BMIS), USA, 2010 

2 Throughout this volume, it is assumed, but not stated, that “security” refers to the 

security of information resources. If a differentiation is required, it is specified, 

e.g., physical, personnel or operations security. 

3 ISACA, An Introduction to the Business Model for Information Security, 2009, p. 12 



10 



1.0 IntRoduCtIon 

My management just does not “get” information security! 

1.0 introduCtion 

Our information security department keeps getting more tools, but as a 

senior executive, I do not think we are any more secure. 

Security policy is one thing. Reality is another. 

Sure, I support security, but if there is going to be a company to secure, 

departments like mine need to make money. 

I am so overwhelmed with all the passwords I have to remember; I just 

write them down and leave them next to my computer. 

I know that I am not supposed to have access to this information, but 

I was granted authorization in my old position and just kept it when I 

was transferred. 

Management has authorized acquisition of monitoring tools, but they 

did not give me any budget for people to do the monitoring. 

All the information security people do is say “no.” They should learn 

the way this business really works. 

All of these comments, and many more like them, are heard in enterprise after 

enterprise around the world. Often enough, all of these statements may be heard 

in the same enterprise, although they do seem mutually contradictory. How can 

it be that senior management funds an information security function; provides it 

with the latest, most effective tools; and backs those tools with a definitive security 

policy, but still does not feel that the enterprise’s information is secure? In fact, 

there is sufficient evidence that it is not secure. Somewhere within the workings 

of the company or government agency, something that should be happening is not 

happening. Someone—or many people—is not effectively supporting security. 

The missing element is a culture of security, defined in BMIS as a pattern of 

behaviors, beliefs, assumptions, attitudes and ways of doing things. It is emergent 

and learned, and it creates a sense of comfort. Culture evolves as a type of shared 

history as a group goes through a set of common experiences. Those similar 

experiences cause certain responses, which become a set of expected and shared 

behaviors. These behaviors become unwritten rules that, in turn, become norms 

that are shared by all people who have that common history. It is important to 



understand the culture of the enterprise because it profoundly influences what 

information is considered, how it is interpreted and what will be done with it. 1 

Note the importance of the terms used in the definition from BMIS: 

• Pattern—Not just intermittent, but continuous 

• Behaviors—The way people act and not what they say they intend to do 

• Beliefs—The core principles that people bring to the world of business 

• Assumptions—The personal and societal expectations about information and its 

protection that binds belief and behaviors 

• Attitudes—The perspectives on security that are ingrained in people based on 

previous experience 

• Ways of doing things—The security procedures embedded in day-to-day 

operations 

A culture arises whenever two or more people are engaged in a common endeavor. 

In a business setting, there is a pattern of behaviors, beliefs, assumptions, attitudes 

and ways of doing things that constitute a corporate culture. To the extent that 

information is a part of that business, there is a component that is a security 

culture. It may be weak, ineffective, disorganized, contradictory, unrecognized and 

haphazard, but it exists. A security culture exists in every enterprise. It is preferable 

that a culture of security be strong, effective, well-organized, consistent and 

supportive of the intentions of those in an enterprise who recognize that security is 

a strategic attribute and contributes to the overall health of the enterprise. That is, 

supposedly, the intention of management. 

Even in enterprises in which there are many of the components of security—staff, 

software, hardware, procedures, policies and standards—without a culture to bind 

them to the overall corporate culture, the best that can be hoped for is mechanistic 

compliance with the routine requirements of protecting information. It will be 

the minimum security that the enterprise can tolerate—meaning it is something 

that must be endured or accepted grudgingly. It will not be the degree of security 

appropriate to that enterprise, in the context of the way it does business in its 

industry or with its customers or where it is located in the world. Security without 

culture is insufficient security. 

Achievement of that level of security will not happen by itself—self-generated 

and unsystematically. It requires people of good intent to take both positive and 

punitive measures to strengthen a security culture to a desired level, the level 

that management intends it to be or should be in the opinion of organizational 

leadership. For that reason, this volume is focused on the development of an 

intentional security culture. Yes, a culture of security always exists, but an 

intentionally strong, effective and resilient security culture requires work, both to 

build and maintain it. 

12 



An enterprise that recognizes that it does not operate with an effective culture of 

security, but that wishes to create one, must establish a systemic viewpoint across 

the enterprise with regard to the protection of information. It must reconcile all the 

contradictory impulses within the enterprise that inhibit the growth of security. A 

culture cannot be effected quickly, as may the mechanics of security. There is no 

appliance to install or software to implement. It involves the creation of a mindset 

among the people who make up the enterprise and among those with whom it 

comes in contact—vendors, customers, other stakeholders and the society at large. 

That mindset, the outlook and attitudes that drive behavior, is the substance of a 

culture, one that must be implanted, nurtured and accepted gradually. It cannot be 

imposed from above, although organizational leadership can lead the way. 

Once established, an intentional culture of security tends to be forgotten—not the 

culture itself, but the intentionality of it. At that point, certain behaviors are intrinsic 

to the enterprise’s way of doing business. For example, in the private sector, there 

is no need for an intentional culture of sales; sales teams sell products because that 

is what they do. It is simply recognized that, without sales, there is no business, 

and people act accordingly. An exaggerated sales culture can be disadvantageous to 

customer service, profit or security. In extreme cases, a sales culture can overwhelm 

ethics and legality. In the same way, a culture of security that is too heavy could 

be an impediment to growth or mission achievement. A heavy security culture 

could be a business disabler if not properly aligned with the organizational mission 

and business functions. It must fit comfortably within the overall culture of the 

enterprise and become so habitual that it is barely noticed. 

1.1 Hard and Soft Security 

It is a fallacy to consider the technology and mechanics of security as being hard, 

while considering those aspects that deal with human factors such as planning, 

management, motivation and reward as the soft side of security. The word “hard” 

has several connotations: impenetrability, difficulty, firmness, factuality, realism 

and strictness. In all these senses, it is the development of a culture of security that 

is hard: 

• To be impenetrable, a culture of security must adapt to changing environments 

and contexts as businesses expand or contract, personnel come and go, 

management organizes and reorganizes, and technologies foster and inhibit 

innovation. No technology is impenetrable, precisely because all technologies are 

implemented by people. The effectiveness of any implementation is based on the 

thoroughness and consistency of those who carry it out—in other words, by the 

culture in which they do so. 

• For those without it, technical skill can be hard to come by, but it can be taught 

and it can be learned. A culture must arise and be lived. The latter is far more 

difficult than the former. 



• Technology may seem firm and unbending: A software package will always do 

as it is told and a piece of equipment will always work the same way—until they 

do not. Software and hardware are engineered artifacts, all of which have defects. 

Of course, a culture may be defective as well, but it is much more likely to bend 

and adapt than to break. 

• Similarly, technology is not always factual. Just because a machine produces a 

result does not mean that it is the right result. A sound culture must be based on 

facts: the way people actually work, the value of the information with which they 

work and their contradictory impulses that must be accommodated. 

• It is odd to think of facts as hard and opinions and emotions as soft when the 

reality is that many, if not most, people act on the stimuli of their emotions and 

opinions and not of the harsh reality before them. A culture of security can be 

used to mold opinions across an enterprise much more realistically to the risks of 

their business and the environment in which they perform. 

• A culture of security is precisely as strict as a given enterprise wants it to be. 

There are some types of enterprises, such as national intelligence agencies or 

banks, in which security is strictly observed. This did not occur haphazardly, but 

was a natural consequence of business drivers that include profit and customer 

service, to be sure, but also managed risk, achievement of organizational mission 

and ethics. 

There are other meanings of security for which a culture must be established to 

counter. Security should not be oppressive, unrelenting, resentful or troublesome. 

Security must not be allowed to be considered adverse to mission achievement; 

where that is so, there is clear evidence that security is a weak part of the overall 

corporate culture. It has allowed security to be seen as prohibition rather than 

enablement. Among the rationales for a culture of security is the alignment of 

security with the business as a whole. The negativity often associated with 

security—locks, barricades, punishment, etc.—undermine its effectiveness. A 

culture of security is necessary to overcome obstacles of those sorts. 

A culture of security may be seen as soft because it is less tangible, but fuzziness 

should not be confused with inaccuracy. Culture deals with perceptions, estimations, 

preponderances and directions and not with the orderly array of numbers that is 

found, for example, in accounting or finance. However, perceptions and directions 

are often the indicators of reality, more so than the seemingly hard numbers that on 

closer inspection—or revelation—may be seen as a smokescreen designed to obscure 

reality. A culture determines what an enterprise actually does about security (or any 

other objective, for that matter) and not what it says that it intends to do. 

14 


1.2 Whose Culture Is It? 


A culture of security does not belong to an information security department any 

more than an ethical culture belongs to a legal department. A culture is generalized 

across an enterprise—among executive management and a board of directors; 

management and staff; revenue producers and their back office; and salespeople, 

computer operators, cleaning staff, etc. It is the organizational zeitgeist, the spirit of 

the times in which an enterprise operates. It is capable of change, and it is affected 

by the composition of the enterprise itself. 

Certain functions—such as information security, internal audit, risk management 

and corporate security, to name a few—may well have a more leading role in 

crafting the culture. These functions exist and are rewarded for being aware of the 

need for security and generally being favorable to stronger controls. There is a 

trap in perceiving these functions as the owners of a culture of security, as though 

excusing other personnel from having to pay attention to it. To the extent that some 

are more committed to security than others, a balance must be achieved. However, 

all who would wish to be part of an enterprise must adapt to its culture and no one 

can afford to stand apart and still thrive. A culture of security is and must be a 

joint endeavor. 

Endnotes 

1 Ibid., p. 16 



16 



2.0 a Culture of SeCurity in Context 

2.0 A CultuRe of SeCuRIty In Context 

A culture of security is a pattern of behaviors, beliefs, assumptions, attitudes and 

ways of doing things that promotes security. As enterprises operate across nations, 

they observe that there are multiple levels of culture—national culture, industry 

culture, organizational culture, functional and departmental culture, professional 

culture, and cliques and factions culture. What, then, is secure behavior? What does 

it mean to believe in security? What assumptions and attitudes lead to security, 

and which need to be suppressed if security is to be achieved? Is there a single, 

ordained way of doing things that promotes security, with all others undermining 

security to some greater or lesser degree? 

The answer to these and many more questions that are raised in this volume is 

context. A culture of security fits within a much broader context of how a society 

interacts; how an enterprise works; and the moral, ethical, political and economic 

belief systems of the individual who is a part of that culture. No one set of behaviors 

can be extracted from its context and shown to be secure, or insecure, for that 

matter. Even more bedeviling, certain patterns of behavior may be secure in routine 

circumstances, but become less so in times of crisis. For example, a help desk may 

usually respond to callers on a first-come, first-served basis, but needs to react 

aggressively without respect to the order of calls when a network is under attack. 

2.1 Doing vs. Believing 

Does a person have to believe in security to act securely? What, in fact, does it 

mean to believe in security? Security is not a religion, so where does belief enter the 

discussion? It may be fair to ask for two lists, one of secure practices and another of 

dangerous ones. If everyone followed the first and eschewed the second, would that 

not create security? Indeed, there is a place for those lists: They are called policy, 

standards, guidelines and procedures, which relate the way an enterprise is to go 

about its mission. Rules have exceptions, and the people who follow them are not 

robots. Judgment; comprehension; and, yes, beliefs enter into the way things actually 

work, as opposed to how they are supposed to work. 

It is insufficient simply to do what is required because those crafting the requirements 

are unable to foresee all of the situations in which they are to be applied and there 

are exceptions to the rules best left to those who apply them. There needs to be an 

understanding on the part of those acting on the policies as to why they were written, 

for whom they were intended and what the intent of the writers was at the time they 

were written. It is to be expected that those who issue the policies would be more 

conscious of and diligent in adhering to the policies than those who receive them. 

For the few to achieve their objectives through the efforts of many, they need to 

convey the rationale behind the policies to their constituencies. In short, they must 



communicate a systematic viewpoint that drives the policies and that, in turn, is so 

conditioned by the way the policy writers have internalized the need for security that 

it may accurately be described as a pattern of beliefs. 

2.1.1 Ambiguity and Inconsistency 

A simple, prescriptive model for developing a secure enterprise also breaks down 

in the face of the many ambiguities and inconsistencies inherent in the word 

“security.” Everyone wants to be secure, but not always at the cost of comfort, 

flexibility, efficiency or timeliness. Security is a desired state, but not at any 

price. It does not come risk-free. In fact, true security implies the acceptance of 

a reasonable level of risk, which only raises the importance of who determines 

the reasonability of any set of decisions or actions. No set of policies, standards, 

guidelines or procedures can foresee all the circumstances in which they are to be 

interpreted. At that point, it is the interpreter who is making the rules, and if that 

person is not grounded in a culture of security, the likelihood of acting in the proper 

manner is problematic. 

Moreover, there are inherent internal contradictions in the definition of “security” 

that defy easy interpretation. For example, access control and privacy are two 

aspects of security. Access control demands that the attributes and actions of 

each user be known, while privacy demands that these be obscured. 1 The balance 

between these conflicting imperatives is an essential part of a security culture. 

Frustrating as it may be, there will always be ambiguity in any culture, including 

one of security. It must deal with the contradictions, shortcomings and just plain 

silliness that are a part of the human condition. In attempting to overcome this 

ambiguity, many turn to automation. If security is needed, at least in part, to control 

technology, what better tool than technology to achieve the objective? Sadly, this is 

circular reasoning; philosophers and mathematicians have shown that no system can 

be validated within itself. 2 In other words, technology will always reach a point at 

which it cannot secure itself. 

Thus, a culture of security does not guarantee an absence of breaches nor freedom 

from error. It is not the cause of security, but rather a necessary context in which 

security can be fostered and accepted. It is foundational to the achievement of 

security without any preceding understanding of what security is or demands. The 

culture does not create security, but true security cannot be created in the absence 

of a supportive culture. 

2.2 Culture in Context 

Enterprises are organic. That is, all enterprises, beyond the most rudimentary, are 

a systematic coordination of many discrete and interacting parts. For example, in a 

commercial business, there are those who create a product, those who sell it, those 

18 



who record and administer the money made, those who control the process, and 

those who manage the enterprise as a whole. Each is driven by its own dynamics; 

all are working together toward a common goal—or at least should be doing so. 

The values, assumptions and attitudes that underlie those goals are referred to as the 

“corporate culture” that forms a unifying whole for the enterprise and provides the 

context within which events are viewed and understood. 

Unfortunately, each part of an enterprise sometimes becomes so captivated by its 

own imperatives, direction, rewards and penalties that the enterprise’s common, 

unitary culture becomes submerged beneath the siloed cultures of departments, 

locations, functions or professions. In some cases, the competing cultures create 

tensions that pull on each individual within the enterprise. Some functions may 

have a sales culture in which anything done to make a sale is rewarded. Others may 

be profit-oriented, with drivers to both high-margin sales and reduced costs. Still 

others may participate in a culture of customer service, ethics or growth. Some may 

live in a culture of security. 

All of these cultures have a place in any enterprise; they need not be contradictory 

to one another. They need to be balanced. Selling is good, but not at all costs. 

Customer service is good, but not to the exclusion of profit. Growth is good, but 

not if existing customers are dissatisfied and take their business elsewhere. Recent 

news has shown that when a company allows one aspect of its culture to become so 

dominant that others are crowded out, bad results follow. Unbalanced companies 

face devastated morale among employees; poor financial results; mass exodus of 

staff; and, ultimately, the extinction of a company. 

The culture of security is the focus of this volume not because it should be 

dominant, but because it appears that, in many enterprises, it is unnecessarily 

overlooked. Many enterprises today have a function that oversees security. In 

fact, they have many such functions, each one focused on the security of physical 

assets; personnel; operational processes; personal information; data; or, indeed, 

information in all its forms. Collectively, they may foster a culture of security, but 

without active, deliberate, intentional management support, that culture can be so 

fractionalized that it is ineffective in the broader enterprise. These functions may 

not even recognize that their competing perspectives on security are undermining 

the very culture of which they would want to be a part. This, in turn, makes it 

difficult for those supportive of security to balance it with competing cultures. 

There are some enterprises in which security, in one form or another, is of 

paramount concern and in which a culture of security is dominant. Among these 

are national intelligence agencies; the military; and, in a different manner, prisons 

and gold repositories. For most other enterprises, it would be distortive if security 

were the dominant culture. The intent within BMIS is not for security to dominate, 



but for it to be integrated into a unifying whole within the corporate culture. An 

intentional culture of security does not create values, but heightens them among the 

tensions that act on each individual who lives within it. 

2.2.1 Societal Culture and Security 

It is questionable whether any culture—or, for that matter, any concept of 

security—is applicable to all enterprises in all corners of the world, without 

consideration of national and regional differences. 3 Are the perceptions and the 

realities of security the same in urban, industrialized societies and those in rural, 

agricultural ones? Are they the same in countries thoroughly embedded in global 

commercial processes and those with struggling, self-sufficient economies or for 

those at war and those enjoying the blessings of peace? It is not that there are 

national attributes that would affect security in any nation. Characterizing people 

from certain places as unethical, sly or lazy is reprehensible, but clearly, there are 

differences of custom, law, communications, politics and history that make the 

realization of a Platonic ideal 4 of information security unachievable. 

There are international standards for security. Most notably, the 27000 series from the 

International Organization for Standardization (ISO) 5 is the DNA, style guide, metric 

system and scoreboard of security 6 and is generally accepted to be definitive about its 

management. Even in this case, there is a caveat to universality: “within the context 

of the organization’s overall business risks.” 7 What, then, of the context of societal 

norms and expectations that differ from nation to nation and region to region? For 

example, the primary control statement for Data protection and privacy of personal 

information is “Data protection and privacy shall be ensured as required in relevant 

legislation, regulations, and, if applicable, contractual clauses.” 8 Thus, explicitly, 

there is no universal meaning for privacy—and, by extension, for confidentiality and 

the rest of security—but rather reliance on necessarily local laws, regulations and 

contracts. The comparison is very clear, for example, across the Atlantic. In the US, 

privacy is limited to industry verticals, primarily financial services 9 and health care. 10 

In most of Europe, privacy is a clearly stated fundamental right across society. 11 

Multinational companies and those enterprises that do business internationally 

cannot presume that dictates for the security of information resources will be 

perceived or interpreted in the same way in all locations in which they have 

interests. The burden is on the management of those enterprises to create their 

own cultures of security, while respecting the differences of milieu in which 

they will operate. A Londoner (UK) and a New Yorker (USA) may work for 

the same company and adhere to the same corporate goals, but when confronted 

with a matter that affects or is affected by considerations of security, they very 

well may not understand the same words the same way. How much higher would 

these societal barriers be in countries that do not share the same language, history 

20 



and heritage? A culture of security cannot be imposed; it must be created on the 

substrate of the culture of the societies within which it is. Given differences in law, 

regulation and national outlook, it is possible that there may be several subcultures 

of security within one enterprise. 

2.2.2 Organizational Culture and Security 

Just as culture differs across geographic locations, so a culture of security is 

profoundly affected by the industry or industries in which an enterprise operates. 

Within industries, there are differences in corporate (and often divisional) cultures. 

In a positive sense, differentiating security along organizational lines is a strength 

of a security culture. It indicates a balance that reflects the differing needs of each 

enterprise’s business. A stronger organizational security culture arises when there 

is a common security purpose tied to shared beliefs, values and assumptions. For 

example, all pharmaceutical companies have concern for the security of their 

formulas and their clinical research data. Some of this is driven by the commercial 

need to protect the companies’ intellectual property and, to a different degree, 

by the ethical consideration of the health and privacy of test subjects. Most 

drug manufacturers are less focused on security than are, for example, mining 

companies, in which the major focus of security is on the safety of personnel, not 

information. How much less powerful is a culture of security for a manufacturer of 

commodity products? 

Every enterprise has a culture of security. The security needs of commodity 

manufacturing pale beside those of developing a cancer therapy, and those of large 

corporations are greater than those of a start-up business. In both cases, though, 

there is a culture at work. It may be more robust and accepted in one enterprise 

than another, without regard to size or the nature of the work. An effective security 

culture is simply adapted to the circumstances in which an enterprise finds itself. 

In no case is the security culture totally absent; no business accepts an open-door 

policy toward its information resources. However, some may not protect the door 

very well or even perceive that the door needs to be locked. 

This is, again, the concept of a culture of security in context. If there are no 

universals in security, who is to say that one culture is superior to another, or is it 

true that there are no universals at all? At some elemental level, there are things 

that must be achieved or there is no security: access to resources restricted to 

authorized people, breaches detected and repaired, data backed up, and people 

held accountable for their actions with regard to information. The thoroughness 

with which these are accomplished rests, in part, within an enterprise’s culture of 

security, but not entirely so. Even the best intentioned and motivated employees 

may make mistakes, and these, on occasion, have disastrous security consequences. 



An organizational culture sets the limits of acceptable behavior within that entity. 

It may be said that policy, not culture, is the driving force for establishing those 

boundaries, but conceptually and legally, what an enterprise does is its policy, 

not what its management claims that the company does. Policy is a reflection of 

aspirational goals; in the case of security, it describes security as management 

wants security to be. The way with which people actually work and protect 

information (i.e., the culture of security) is reality, and absent any explicit moves 

by management to provide disincentives (i.e., punishment) for policy breaches, the 

culture of security is, in actuality, policy as well. 

In some industries, there are regulatory requirements for security that, in a broad 

manner, set the context of a culture of security. That does not mean that all banks, 

insurers, brokerages or hospitals have internalized security in the same way or to the 

same extent. To much the same degree as unregulated companies, the extent and impact 

of a culture of security is dependent on management’s perception of the risk to the 

enterprise’s information resources and its willingness (or ability) to fund initiatives that 

would strengthen either the culture or specific security measures—or both. 

It is possible to achieve a level of security appropriate for a given enterprise without 

explicit measures to create a culture of security because that culture is already there. 

In many enterprises, such as in financial institutions, intelligence services and the 

military, security is so embedded in management’s perception of business risk that 

the intentionality of the culture is self-evident. It has provided the context in which 

an enterprise makes decisions and allocates budgets. The same cannot be said in 

reverse. The level of security cannot exceed the degree to which an enterprise 

embeds security into its culture. In that case, rules will be broken and unenforced, 

tools will not be applied, and management will not take action against those who 

undermine security. 

2.2.3 Personal Culture and Security 

Ultimately, all enterprises are made up of people. Many, but not by any means 

all, of the people are employees. Perhaps there was a time when a company or 

government agency was solely comprised of those on the payroll, but if so, that 

time is past. Too many enterprises use contractors, outsourcers, service providers 

and temporary staff to accept that only personnel are the people who constitute its 

human resources. When discussing the security of information, there is a tendency 

to think in terms of the number of servers, terabytes of data or breadth of the 

network. All of those are under the control of people, and it is people who are the 

carriers of the “behaviors, beliefs, assumptions, attitudes and ways of doing things” 

that are the corporate culture. 

People are not tabulae rasae (blank slates). As they enter an enterprise and become 

a part of its culture, they bring their own set of cultural expectations derived from 

22 



their parents, siblings, schools and houses of worship, friends and relations, and 

companies for which they worked previously. It is fair to say that some are affected 

with a deep respect for security and that others are not. The reason for this is a 

subject for sociologists, psychologists and anthropologists; for most others, it is 

sufficient to accept and recognize differences of outlook and to find the ways to 

incorporate them all under the cultural tent. 

People can and do change their cultural perceptions, even if they do not realize it 

or even realize that they have cultural perceptions. The accepted norms of behavior 

are transmitted by many means, and not all of them are intentional. Rules of 

confidentiality, for instance, may be documented, but a disapproving glance when 

a customer’s name is mentioned can communicate more effectively than an entire 

volume of policies. It is less clear how a weak culture affects a person whose mores 

are more supportive of security than those of the enterprise. Does someone who is 

inclined to respect access rights become unconcerned simply because others do not 

share that outlook? 

If culture cannot be imposed organizationally, neither can it be achieved by 

dictating to individuals against their beliefs. Fortunately, it is the rare soul who is 

outright opposed to security. Most of the principles of security are derived from 

precepts that are shared across religions and belief systems around the world: Do 

unto others as you would have them do unto you; above all, do no harm; mind 

your own business; and do not run with scissors. Deep down, everyone (perhaps 

excluding the pathologically dishonest) brings these principles to the business. If 

they are not always adhered to in the workplace, as they are not always followed in 

the world at large, it is because they come into contention with other core concepts: 

Get your work done, a penny saved is a penny earned, or let nothing stand in your 

way. Somehow, these latter values seem less virtuous, but virtue, too, is a mindset, 

an artifact of a culture. 

If no one is opposed to security, it is equally true that there are many who are not 

vocal in its support. A culture of security needs its evangelists and champions, those 

who are eager to speak up and set examples for others. True, there are always going 

to be those whose moral outlook is clouded by pride, avarice and sloth, to say nothing 

of stupidity. However, if people are rational actors, they will do the right thing—or at 

least the most utilitarian thing—most of the time. People hold their beliefs privately, 

whether they concern religion, morals or politics. When individuals encounter what 

they see (or think they see) as a majority holding different viewpoints, they descend 

into a “spiral of silence,” becoming less and less likely to speak up for their beliefs 

and, thus, reinforcing their minority status and giving credence to the majority. This 

is how culture is formed. 12 Only those willing to break out of the spiral are able 

to change culture; only those committed to secure behavior are able to drive the 

transformation toward a culture of security. 



2.3 Security in the Context of Culture 

The meaning of a “culture of security” is not intuitively obvious. Perhaps “culture” 

is a hazy concept, but surely “security,” here understood to be “information 

security,” is a hard and fast, well-understood term, or perhaps, in the so-called 

“information age,” the terms “information” and “security” are so widely used 

that a consensus has arisen regarding the connotations of these words, separately 

and together. In fact, there is lively discussion in both technical and management 

circles about the meanings of the words and about their application in diverse 

environments, such as the military, civilian government agencies and private 

companies, and in everyday usage by ordinary citizens. It is clear that the terms do 

not mean the same things in all contexts. 

For example, the international standards on information security define “security” 

and “information” very broadly. 13 Evidently, the very resource to be secured is 

thought to be so well understood as not to need a more thorough definition, and 

yet, the dictionary offers shadings of meaning. “Information” is facts; in this sense, 

information is made up of things that are known. It is also whatever is conveyed 

by a particular sequence of symbols, impulses, etc. 14 Thus, information is made 

up of words, bits and bytes. Information is also the communication of knowledge, 

which incorporates documents, conversations and networks. Additionally, it is the 

sequence of bits that produce specific effects, in other words, the programs that 

manipulate data. 15 So, information can be both signifier and signified, subject and 

object, and data and the people who and machines that manipulate them. 

Information may be represented in “digital form (e.g., data files stored on electronic 

or optical media), material form (e.g., on paper) and “unrepresented” in the form of 

employee knowledge. Information may be transmitted by various means including: 

courier, electronic or verbal communication. “Whatever form information takes, 

or the means by which the information is transmitted, it always needs appropriate 

protection” (emphasis added). 16 The quote makes a broad statement that all 

information always needs protection, albeit at an appropriate level. Security, in 

the context of culture, cannot be so dogmatic. It is fair to question, first, whether 

all information requires protection and, second, how appropriateness is to be 

determined. In practice, security is whatever level of protection the culture will 

allow with cognizance of differences in approach dependent on the risk related to 

different forms, representations, communications, storage and disposal of varying 

sorts of information. 

Security may be (and often is) defined solely as confidentiality, integrity and 

availability (CIA). Without diminishing these characteristics, security may also be 

understood to include privacy (different than confidentiality), authenticity, accuracy, 

completeness, recoverability (different than availability) and currency. Yet, this is 

24 



not the view of security in the popular imagination. When (or if) the public at large 

thinks of security, it is in terms of preventing computer hacking and viruses. From 

War Games in 1983 to The Taking of Pelham 123 in 2009, it is always the bad guys 

hacking the system who are stopped, always at the last moment, by the student; 

simple, but honest worker; or old codger relying on the tried–and-true methods. 

These popular entertainments are not important in themselves, but they mightily 

affect the perception of those who make up the populations of enterprises. The less 

these people understand the reality of either computers or security, the higher the 

barrier to achieving a culture of security. In short, the culture of security is affected 

by the overall culture. 

Prevention of malicious attacks and malware are indeed a part, but only a part, of 

security, and much, but not all, information is stored and manipulated on computer 

systems. For the purposes of creating a culture of security, information must be 

addressed in all its forms and secured against all its risks, in context. Inherent in 

such a culture is the recognition of value in the information. It is value that is the 

limiting factor for the appropriate level of protection. The cost of security cannot 

exceed the value of the information to be protected; do not build a $20 fence for a 

$10 horse. 

However, it is precisely the looseness of the definition of information that makes it so 

difficult to assign value to it. A database may be evaluated as the cost of recreating 

the data contained within it, which is the general means of valuation for insurance 

purposes. However, that does not account for the value inherent in the use of the 

information nor the costs incurred if the data are not secure. Does information lose 

value as it is transformed from electronic bits to printed records, and what is the value 

of a conversation or an image? 

There may be good operational reasons, or even organizational benefits, for treating 

some data as of a higher value than is apparent. For example, sometimes the 

economies of scale, especially from a medium-size business that deals with data 

with a range of security classifications, can be found best by treating the security 

of all of it in the same way—either all high or all low, but without any particular 

thought given to the matter. 

These questions of valuation do not need to be answered with precision, and 

culture is too blunt of a tool to be precise. However, a culture can encapsulate 

what “everybody” knows. One’s values do impact one’s conception of value. 

Unless and until information is understood to have value that can be eroded by 

disclosure, unauthorized change, destruction or error, a culture of security cannot 

arise, nor, for that matter, can security be applied to information consistent with the 

repercussions of inadequate security. Unprotected information will not suddenly 

lose confidentiality, integrity, availability or the other attributes of security until 



and unless it is confronted with an unintentional or malicious threat. Even unlikely 

breaches have a definable probability. Probability is the number of events over 

time and recognizes that the time of attack may be well in the future … or today. 

Allowing probability into the determination of the appropriate level of security 

distorts the decision. In most cases, it should not factor into the level of security 

unless extremely unlikely (such as a comet strike) if there is no practical approach 

to addressing a risk or the cost is too high. It is invalid to reduce security because 

a negative event is unlikely; the value of a resource and of the cost of harm to that 

resource have to be the decisive factors. 

Thus, the value of information is driven by its use, not by threats that may afflict 

it. The same information encapsulated in bits on magnetic storage may require 

more security than that same information printed on a piece of paper because 

the electronic form is used in more processes than the written. Contrarily, the 

printed report may be more valuable if it is used for strategic decisions, not routine 

transactions. It is the people who are using the information, holding it in custody 

or acting as its owner who must make the decisions about its value and, thus, its 

security, and those people both make up and are affected by a culture of security. 

2.3.1 Security as the Basis of Trust 

ISACA’s motto is “Trust in, and value from, information systems.” It is not 

coincidental that the terms “trust,” “value” and “information” appear in the same 

phrase. The value of information can only be established and retained if the 

information is trusted, and trust is established by security and control. The broad 

topic of a system of internal control is beyond the scope of this volume, but security 

is at its heart. 

Trust is necessary in a functional workplace, but for the most part, it is something 

that develops slowly. Its necessity is best illustrated by an environment in which 

trust is absent: a prison. In a prison, no one trusts anyone, so there are locked 

cells within locked cell blocks within locked subsections within locked prison 

doors. There are armed guards and rigorously enforced procedures to restrict freedom 

of movement. No business could work effectively in that manner. The 

heavy-handedness of prison security must be transformed to a structure in which trust 

is rewarded. Security is the catalyst of reliability. It evolves over time from repeated 

displays of consistency between words (e.g., policies, standards, management 

pronouncements) and behavior (e.g., access privileges, rewards, punishments). It 

also comes about when all the participants in an enterprise who share resources, 

such as information, have an accurate perception of one another’s interests. One 

hopes that all those interests align to the benefit of the enterprise as a whole. 17 

26 



US President Ronald Reagan was noted for saying, “Trust, but verify.” Trust alone 

is insufficient; it must be accompanied by controls, among which is verification, 

the underpinning of security. A security system should provide the means to verify 

the authenticity of information so that all parties using it can assume that it has 

not been modified, destroyed or disclosed except by those with the authorization 

to do so. It removes the burden of validating each item of information by placing 

reliance—that is to say, trust—on the security system that protects it. That reliance is 

not necessary only because dishonest people may try to steal, manipulate or destroy 

information. No matter what processes are established, what values are instilled, 

or how open and transparent management practices are, people will make mistakes 

and do things that are not right. 18 Security is just as necessary to protect information 

against people who are well intentioned, but overzealous, lazy, sloppy or just plain 

stupid as from those who are dishonest. 

There is more to trust and security than the exchange of information within an 

enterprise. Enterprises and government agencies need security to establish trust with 

their customers and citizens. Good security is perceived by many enterprises as a 

prerequisite for doing business. They must ensure service availability, protection 

of customer information and the secure operation of systems that manage customer 

information. Without the basic ingredient of trust, founded on security, customers 

would simply turn to competitors. Those enterprises that provide goods and 

services on the World Wide Web have perhaps the purest vision of the relationship 

between trust and security. If the information on a site or the processes by which it 

got there is not trusted, the enterprise will probably lose more than a sale—it will 

lose a customer. Where trust is strategic, as in these online companies (or in any 

business), security becomes a strategic necessity as well. 

Security may be seen as a competitive advantage if the enterprise has a high degree 

of trust in its information systems. It would drive customer acquisition and retention 

and the preservation of the value in a brand. However, enterprises are, in the main, 

loath to trumpet their security because they do not want to publicize their protective 

measures, they do not want their reputations to be hostage to criminals or they have 

not been able to sufficiently verify the integrity of their security systems to publicly 

base customer trust on them. 

Among the elements leading to trust between enterprises and their customers 

is effective management communication of security goals and objectives. 

Management must make customers aware that, within its enterprise, there are 

incentives for awareness and reporting of security incidents, a broad understanding 

that identification of security problems will be dealt with openly and without 

retribution, and personal recognition for those who act supportively of security. 



Trust is not an absolute; it changes and grows (or diminishes) over time. 

Unfortunately, trust can be destroyed far more quickly than it can be established 

or repaired. As enterprises themselves grow and change, the basis for trust must 

be restated and proven anew. Every security incident that attracts public notice 

undermines trust, but if management is shown to be nimble, sensitive, compassionate, 

honest and courageous, it can often manage to overcome the negative impact caused 

by a seemingly random event. 19 Of course, the requirement of honesty calls for 

immediate acceptance of a security-related problem and its rapid repair. 

There is another facet of trust based on security that is between enterprises that 

do business jointly. Each is a separate entity with its own proprietary information 

and information systems. In some cases, they are even competitors (so-called 

“coopetition”). They need to share some information for their joint ventures, but 

more important, they need to protect most information from their partners. They 

cannot do business together without trust, and they can only base that trust on 

security and, to a great extent, on mutual respect for ethical behavior. Of course, 

ethics is a part of security as well. 

Trust is a shared cultural experience. To the extent that enterprises are able to create 

a culture of security, they will be able to enjoy the benefits of trust with their staff 

and customers and with other enterprises. Those benefits mostly accrue in the form 

of smooth working relationships, respect and a certain naiveté that allows managers 

to proceed with their business without constantly having to check and recheck the 

validity of the information with which they work. These “soft” benefits manifest 

themselves, over time, in reduced costs and increased profits. 

2.3.2 Security in the Prevention of Fraud and Misuse of Information Resources 

In the earliest times that information security was applied to business computer 

systems (approximately the 1970s), the focus was on the prevention of fraud. 

Business computing was exclusively performed on large (for that day), centralized 

mainframe computers with little or no online activity. The Internet was unknown. 

The role of information systems was primarily for recording and reporting 

transactions that had taken place externally from the systems, but not for the active 

execution of transactions themselves. The ledger books and paper forms were fast 

disappearing into electronic files, and entire systems of internal control based on 

the movement of paper no longer had any validity. Computers were the province 

of a small coterie of specialists who seemed divorced from the business as a whole. 

Many managers realized that, if records could be manipulated, it was possible 

for people (in almost all cases insiders) to take money and cover their tracks. 

Most security, such as it was, was performed within applications. After-the-fact 

assessment and rather rudimentary control of computer use were the substance of 

the customary practice of data security. 

28 



The focus was subsequently enlarged to the prevention of misuse of data resources, 

which includes fraud, but also includes a variety of other concerns such as the 

disclosure of secret information (a major concern of governments), unauthorized 

manipulation of data (more of a commercial concern) 20 and destruction of 

computing capacity. As noted, confidentiality, integrity and availability (CIA) 

has become, for many, the basic definition of security itself. The purpose of 

such elemental features of security as encryption and access control was to 

prevent unauthorized and, therefore, potentially malign use of information. 21 Both 

encryption and access controls were the development of methods of information 

protection that had preexisted computer systems. As such, when computers began 

to emerge in the business world, these concepts were not unknown and, therefore, 

were more readily accepted. 

Fraud prevention is still an element of security, at least in environments in which 

information has intrinsic monetary value. More broadly, security will always be the 

bulwark against misuse of information, but today, it is widely recognized that the 

importance of security lies in the preservation of the value of information and the 

utility of information as a strategic asset. Nonetheless, for many people, the purpose 

of security is only to stop bad things from happening or at least to meet regulatory 

requirements. Thus, security is seen by some as essentially negative and reactive. 

This perspective, seeing security as a policeman or enforcer rather than as a positive 

force for enablement of organizational initiatives, has been one of the major 

inhibiting factors against creating a culture of security. 

Fraud and misuse of information are indicators of the shortcomings of security. It 

is very difficult to establish a positive image of security when the best that can be 

said is that there have been no failures (recently). A culture of security must rest on 

an understanding of the contributions that security makes to an enterprise’s strategic 

objectives. If the only interaction people have with police is when a crime occurs or 

when they are caught speeding, they will have little appreciation for the necessity of 

the rule of law for an ordered and prosperous society. Similarly, if the only encounter 

people have with information security within their enterprises and society at large 

comes when a rule is broken, they will view security as an impediment rather than a 

support to their daily activities. 

Security will always have fraud and misuse as parts of its domain. Until and unless 

that domain is seen as having greater application and value, a culture of security 

will be difficult to create. 

2.3.3 Security and Risk Mitigation 

The current, more enlightened view of security is that it is part of the organizational 

imperative to manage risk. This is made explicit in ISO 27001, in which it is stated 

that the general requirements for an information security management system call 



for the establishment, implementation, operation, monitoring, review, maintenance 

and improvement of security “within the context of the enterprise’s overall 

business activities and the risks it faces.” 22 Moreover, in 2008, ISO published ISO 

27005, Information technology—Security techniques—Information security risk 

management, which highlights that: 

30 

A systematic approach to information security risk management is 

necessary to identify organizational needs regarding information 

security requirements and to create an effective information security 

management system (ISMS). 23 

What are the risks that security is able to manage, and for that matter, what is 

“risk”? While one definition of “risk” is that it is the “potential that a given threat 

will exploit vulnerabilities of an asset or group of assets and thereby cause harm to 

the organization,” 24 others define it as the “uncertainty of harm to an asset or group 

of assets.” 25 The common element is that there is an asset that is subject to harm. 

Implicitly, the asset must have value or it would not be an asset. Thus, the harm in 

question is the loss of value. The risk is often stated in terms of the causes of the 

harm, but this only states threats, not risks. There are indeed threats to information 

such as disclosure, manipulation and destruction. The risks arise from the business 

of which that information is a part. 

Confidentiality Risks 

It is true that computerization has changed the nature of information. Information is 

hidden from view, and it is in a form that is unintelligible to human beings without 

the aid of technical devices. To that extent, it is a great deal easier to prevent the 

dissemination of information to unauthorized recipients. At the same time, it is so 

compact that vast amounts of information can be stored in very small spaces. It is 

easily copied and transmitted, and the copies are very difficult to control. When 

information was primarily in printed or written form and stored in bulky containers, 

it was relatively easy for someone to gain access to a small amount of information 

and, for example, photograph or steal a few sheets of paper. Now, access is 

invisible and entire files can be falsely obtained. Hence, the scale of unauthorized 

disclosure has been enlarged exponentially. 

In some cases, the results for an enterprise whose information was disclosed or 

stolen have been quite onerous. For example, a US pharmaceutical manufacturer 

sent an e-mail to all participants in an online service for users of certain drugs, 

inadvertently disclosing all the names of the people using the service. As a result, 

regulatory authorities forced the company to incur the costs for establishing and 

maintaining a security program for the protection of its collected personally 

identifiable information (PII). The company was further required to perform an 

annual third-party audit of its program and have external oversight of the relevant 



record keeping. 26 In another case, a US-based retailer was hacked and the credit 

card information of more than 45.7 million individuals was stolen. As a result, the 

retailer paid credit card companies tens of millions of dollars to cover the cost of 

the fraud and faced extensive expense to improve its security systems. 27 

Availability Risks 

The same factors that make it easier to steal information also raise the risk of 

destruction of information. In electronic form, information does not need to 

be destroyed to be made unavailable. The fact that electronic equipment and 

information systems are required to read the information means that any failure 

of those devices or systems renders information as useless as if it were physically 

destroyed. For enterprises dependent on information to function (perhaps a 

majority of businesses in the world today), the absence of current information is 

tantamount to a cessation of operations. It is no longer possible to go back to the 

older, nonautomated way of doing things; the information in file cabinets no longer 

exists—indeed, neither do the file cabinets. 

Hence, plans and preparations for conducting affairs in the absence of current 

information are a necessary part of security. It is a broader question as to whether 

interruptions to business caused by factors other than information unavailability are 

equally a part of information security. The important point is that an enterprise’s 

tolerance for information loss must be gauged and preparations put in place either 

to recover the data in a predetermined length of time or to replicate the data at 

regular (perhaps instantaneous) intervals so that they will never be lost at all. 

Integrity Risks 

One of the more significant risks inherent in information is that decisions may be 

made on the basis of erroneous information. There are numerous causes and effects. 

If someone changes information so that actions will be taken to that person’s 

benefit, it is termed fraud. If the same thing happens because of inadvertent or 

foolish mistakes, then it is error, but in either case, the value of the information in 

question has been diminished. That is the harm; that is the risk. 

Data do not need to be manipulated to be false or erroneous. Information may be 

out of date, even if only by seconds. Information may come from the wrong source 

and be inauthentic. Information may be incomplete. It may be inaccurate. It may 

even be meaningless. In every case, the information in question is supposed to have 

a certain value that it does not have. The value comes not from the information 

itself, but from the lost utility of that information. 

Risks to Information Not in Electronic Form 

There is a tendency to think of all information as electronic, in part, because such 

information is so internalized in society. People in many places are paid with 



electronic information, buy products and services with electronic information, 

communicate, and are entertained electronically. However, there is still cash in 

society, more widely used in some places than others. People still talk with one 

another. They still write things down and print reports. While the nature of the risk 

differs depending on the medium—a conversation cannot be stolen or destroyed, 

but it can be overheard or based on false assumptions—the effect is the same. The 

information in question loses value if it is haphazardly communicated, erroneously 

stated or simply misplaced. 

It is important to remember that risk is unpredictable. To a certain degree, with a 

given amount of information and a given number of people who have access to 

it, it may be possible to extrapolate how much of it will be misused or lost. It is 

equatable to the concept of “shrinkage” in warehousing and retail. The risk is that 

the consequential harm caused by misuse or loss cannot be stated with the same 

precision. There are no computers powerful enough or algorithms subtle enough to 

untangle all the files, records, fields, users, applications and uses of information to 

know, in advance, what the harm will be or how much value will be lost. 

The risk management decisions that must be made can be reduced to assuming the 

worst case, the most likely case or differential cases based on the perceived value of 

the information. Assuming the worse case leads to the application of the highest level 

of security to all information, which is extremely secure, but difficult to cost justify. 

Either of the other two approaches opens the door to an unpredictable level of harm, 

the very definition of risk. Information thought to be of low value may be extremely 

important in the wrong hands or when combined with other, seemingly unimportant 

information. The event thought to be unlikely may just happen. Security “within the 

context of the enterprise’s overall business activities” is the answer to risk, but the 

context also establishes the fact that some harm will occur. Intolerance for harm that 

is greater than expected is a foundation of a culture of security. 

2.3.4 Security as a Strategic Driver 

The way in which security is perceived is a determinant of the effectiveness 

of security within an enterprise. In some cases, security is seen as a roadblock 

to valuable, or at least convenient, activities by personnel. In such instances, 

a culture arises that is characterized by efforts to bypass security or to wink at 

circumvention. (Again, there is always a culture of security, but sometimes, it is not 

a good one.) More commonly, security is seen as a necessary tactical supplement 

to the primary activities of an enterprise. A company that makes widgets sees all 

of the processes involved in widget manufacturing, delivery and sales as its core 

mission, and everything else is understood to be secondary and supportive to the 

primary functions of the company. In this case, security is not ignored; it is simply 

downplayed. The result is a culture in which security is set at the minimum level 

consistent with prudence. 

32 



It is important to realize that the creation of a culture of security does not imply 

that security must be a primary concern for an enterprise. Rather, the objective of 

a culture of security is to ensure that security is set at an appropriate level in the 

context of an enterprise’s overall operations. In some cases, the minimum level 

may be both prudent and appropriate. It is certainly appropriate if organizational 

management, in possession of all the relevant facts, makes a conscious decision that 

no more than the minimum is required. However, for many industries and for the 

information-intensive activities of all, the minimum is insufficient. 

Levels of Security 

Figure 1 illustrates varying levels of security that may be encountered in an enterprise. 

Low Minimum High Extreme 

Figure 1—Examples of Enterprise Security Levels 

People Process Technology Organization 

Deep background 

checks are 

conducted for 

all personnel. 

Security checks 

are conducted for 

all personnel. 

Security checks 

are conducted for 

critical personnel. 

There is no 

personnel checking 

or security 

oversight. 

The security 

policy is central to 

the organizational 

mission. 

Security policies 

and standards 

are enforced. 

Security policies 

exist, but are 

not enforced. 

No security 

policies or 

procedures exist. 

There is advanced 

screening and tight 

supervision of 

information use. 

Passwords, virus 

protection, 

firewalls, data 

leakage prevention, 

intrusion detection, 

identity 

management, etc., 

are utilized. 

Passwords, 

virus protection 

and firewalls are 

utilized. 

There is minimal 

or no security 

technology. 

Security is a 

senior 

management 

role. 

Security is a 

part of many 

functions. 

A security 

function exists. 

No security 

function exists. 

It is important to understand that figure 1 is illustrative and not necessarily definitive 

of the levels of security that may be found in all enterprises. The terms “low,” 

“minimum,” “appropriate” and “extreme” are meaningful only in the context of a 

specific enterprise. For example, what is considered extreme for a manufacturer may 

be barely the minimum requirements for an intelligence agency. 

An enterprise should be conscious of its own strategic requirements, and then, the 

appropriate level of security should be incorporated in them. To the degree that 

the confidentiality, integrity and trustworthiness of information are necessities 

for the success of an enterprise, the enterprise will find that security is a strategic 



requirement. This is particularly evident for enterprises that trade in information, 

such as an aforementioned intelligence agency, but also for news sources, online 

vendors and movie studios. What is video piracy, after all, but theft of information? 

If the information purveyed by such an enterprise is not felt to be correct, authentic 

or complete, that enterprise will soon not be in business. Thus, secure information 

can be more than the basis for an enterprise’s reliability, but also of the quality of 

its goods and services. 

To be sure, some enterprises have lower security requirements than others. One 

whose products are material goods needs to focus on production and sale, but even 

within these enterprises, there are functions that require secure information. If 

financial information is not secure, there may be compliance violations. If formulas 

are not kept secret, competitive advantage may be lost. If orders are changed or 

manipulated, profits may be undermined. If senior management does not receive 

accurate information, initiatives may be stunted. Thought of in these terms, security 

may be considered as much of a strategic driver for a manufacturer as for an 

online service. 

Security may be one of many strategic drivers, but only rarely the primary one. 

The achievement of the others may be enabled by the effective implementation of 

security. It allows management and staff to focus on the business without constant 

concern for the possibility of negative events and security incidents. Such a state 

must come from intentional acts by management, but once established, security can 

be transparent and implicit. 

2.3.5 Security in Systemic Terms 

BMIS emphasizes that security must be established systemically. The system of 

security must be viewed holistically, as a complete, functioning unit in which one 

part of the system enables understanding of other parts of the system. 

34 

“Systems thinking” is now a widely recognized term that refers to the 

examination of how systems interact, how complex systems work and 

why “the whole is more than the sum of its parts.” 28 

In practical terms, this implies a balance within security in parallel with the balance 

of security among other strategic drivers. An enterprise cannot feel secure simply 

because it enforces so-called “hard” passwords, has a security policy manual or 

filters viruses. All the pieces of an information security management system need 

to be addressed—if not equally, at least to the extent that no link is so weak as to 



invalidate the integrity of the chain, i.e., the security program. This requires not 

only that security be a system, but that the approach to security be thought 

of systemically: 

[I]t is important to note that the Business Model for Information 

Security, which is based on systems theory, should be treated as part 

of the strategic plan for the information security program, not as a 

quick-fix solution for a broken program. Systems thinking should be 

seen as a long-term exercise that will ultimately aid the enterprise in 

achieving business goals. In fact, it may help to think of it as a key 

to organizational maturity. The maturity of the information security 

program is often related to the maturity of the enterprise, which is 

linked to the degree systemic thinking is used in the enterprise. Systemic 

thinking paves the way for systemic processes. 29 

As noted, enterprises are organic wholes that are the amalgamation of interacting 

systems and are, thus, supersystems in themselves. It would be erroneous and 

fruitless to think of security in isolation from other aspects of an enterprise’s 

systems, just as it would be fallacious to think of each individual characteristic of 

security without reference to the others. In the absence of a holistic understanding 

of security, enterprises see either the absence or duplication of security efforts, the 

emergence of silos of responsibility for security, and difficulty in restraining costs. 

It leads to deviations from accepted practice and, ultimately, to breaches of security. 

For example, some enterprises invest disproportionally in incident response and not 

enough in policy or prevention. Thus, they invite the very penetrations they would 

presumably prefer not to encounter. 

In many cases, breaches of security occur not when management perceived 

weakness, but when it thought, erroneously in the event, that security was 

sufficient or when management was aware of weakness, but prioritized in such 

a way that it “bet” the wrong way. The inability to see security systemically 

introduces the possibility, perhaps the likelihood, that one or another aspect of 

security will be downplayed because reliance will be placed on others. The concept 

of compensating controls in security would pertain to only parts of security 

requirements. Security measures are either effective or not. Recognizing the need 

for a totality of security is a prerequisite for the creation of a culture of security. 

Indeed, this systemic viewpoint is one of the characteristics of such a culture. 

Endnotes 

1 “The Security—Privacy Paradox: Issues, Misconceptions, and Strategies; A Joint 

Report by The Information and Privacy Commissioner/Ontario and Deloitte & 

Touche,” Canada, August 2003, p. 7 



2 This is an evocation of Goedel’s Second Incompleteness Theorem, which has 

been summarized as “in any consistent axiomatizable theory (“axiomatizable” 

means the axioms can be computably generated), which can encode sequences 

of numbers (and, thus, the syntactic notions of “formula,” “sentence” and 

“proof ”), the consistency of the system is not provable in the system,” 

www.math.hawaii.edu/~dale/godel/godel.html#SecondIncompleteness. See also 

Hofstader, Douglas F.; Escher Godel; Bach: An Eternal Golden Braid, Basic 

Books, USA, 1979 

3 Much in this section is derived from Ross, Steven; “Information Security Matters: 

Boston, Berlin, Baghdad and Bora Bora,” ISACA Journal, vol. 4, USA, 2010. 

4 The Greek philosopher Plato described a dual reality, that of the material world and 

the transcendent realm of forms. Thus, for the purposes of information security, 

there is security as we find it in the world we perceive and an ultimate, universal 

expression of security. This duality has been argued through the centuries. The 

philosophic issue is whether a universally applicable concept of information 

security can be separated from the world as we experience it. 

5 International Organization for Standardization (ISO), ISO/International 

Electrotechnical Commission (IEC) 27000:2009 through (currently) 

ISO/IEC 27005:2008, Switzerland 

6 Ross, Steven; “IS Security Matters: Frameworkers of the World, Unite,” 

Information Systems Control Journal, vol. 6, USA, 2004 

7 ISO, ISO/IEC 27001, Switzerland, p. 1 

8 ISO, ISO/IEC 27002:2005 Information technology—Security techniques— 

Information security management systems—Requirements, Switzerland, p. 102 

9 US Financial Services Modernization Act of 1999, better known as the 

Gramm-Leach-Bliley Act (GLBA) 

10 US Health Insurance Portability and Accountability Act (HIPAA) of 1996 

11 Directive 95/46/EC of the European Parliament and of the Council, 1995, better 

known as the European Privacy Directive 

12 Watts, Duncan J.; Six Degrees: The Science of a Connected Age, Norton, USA, 

2003, p. 213 

13 See ISO/IEC 27000:2009, in which “information asset” is defined as “knowledge or 

data that has value to the organization.” 

14 Ibid. 

15 Merriam-Webster Online, www.merriam-webster.com/dictionary/information 

16 ISO, ISO/IEC 27000:2009, Switzerland, p. 7 

17 Thompson, L.; R. Hastie; Judgement Tasks and Biases in Negotiation, 1990. 

Sheppard, B.H.; M.H. Bazerman; R.J. Lewicki (eds), Research in Negotiation in 

Oganisations. See also Goucher, Wendy; “The Reality of Trust,” Computer Fraud 

& Security, vol. 2009, issue 3, The Netherlands, March 2009, p. 14-15. 

18 IBM Corp., “Culture of Trust,” Corporate Trust and Compliance, 

www.ibm.com/ibm/responsibility/trust.shtml, 2008 

36 



19 Knight, Rory; Deborah Pretty; “Protecting Value in the Face of Mass Fatality 

Events,” Oxford Metrica, Oxford, UK, 2005. This document is a bit off-topic, 

but a mass-fatality event is the ultimate security crisis and Knight and Pretty’s 

observations have broader applicability. 

20 In the US, the Department of Defense published a series of papers with covers 

of various colors that became known, subsequently, as the Rainbow Series. The 

first, Trusted Computer Security Evaluation Criteria (CSC-STD-001-83, 1983) 

placed the emphasis of security squarely on confidentiality. In 1989, David Clark 

of Ernst & Whinney (now Ernst & Young) and David Wilson of the Massachusetts 

Institute of Technology (US) published “A Comparison of Commercial and 

Military Computer Security Policies” (http://groups.csail.mit.edu/ana/Publications/ 

PubPDFs/A%20Comparison%20of%20Commercial%20and%20Military%20 

Computer%20Security%20Policies.pdf), subsequently known as the Clark-Wilson 

Model, which placed the emphasis in the commercial sphere of data integrity. 

21 Ross, Steven J.; “IS Security Matters?,” ISACA Journal, vol. 2, USA, 2010, p. 4 

22 ISO, ISO/IEC 27001:2005, op.cit., p. 3 

23 ISO, ISO/IEC 27005, op.cit., p. 3. There is considerable debate about the 

importance or even the relevance of the ISO 27000 standards. It is even more 

debatable whether what ISO describes as an Information Security Management 

System (ISMS) is equivalent to a culture of information security. Nonetheless, the 

standards do represent a framework and a lexicon for security that are accepted 

internationally and must be respected if not always observed. 

24 Ibid., p. 1 

25 Ross, Steven J.; “Four Little Words,” ISACA Journal, vol. 1, 2009. See also Taleb, 

Nassim Nicholas; The Black Swan, Random House, USA, 2007, p. xvii-xviv, passim. 

26 Eisenhauer, Margaret P.; The Privacy Case Book: A Global Survey of Privacy 

and Security Enforcement Actions with Recommendations for Reducing Risks, 

PrivacyStudio.com, www.privacystudio.com/Links%20posted%20to%20web/ 

Casebook%20Ch%202.pdf, p. 28-30 

27 Abelson, Jenn; “Hackers Stole 45.7 million Credit Card Numbers from TJX,” 

New York Times, USA, 29 March 2007, and “Swiped, Stolen and Sold,” 

New York Times (online edition), USA, 6 August 2008, 

http://topics.blogs.nytimes.com/2008/08/06/swiped-stolen-and-sold/ 

28 ISACA, An Introduction to BMIS, op. cit., p. 10 

29 Ibid., p. 11 



38 



3.0 the benefitS of a Culture of SeCurity 

3.0 the BenefItS of A CultuRe of SeCuRIty 

One of the differentiating factors of BMIS “is the importance it places on 

organizational culture. Creating an intentional security culture is a primary 

objective for the model, as applied to information security” (emphasis added). 1 The 

intentionality of the culture reflects the notion that cultures are not self-generating. 

They require active steps by people in positions of influence, if not authority, to adapt 

certain norms of behavior and to encourage others to do so as well. The people in 

question may well be the senior executives of an enterprise (the so-called “tone at 

the top”), but they may also be further down in the hierarchy if they are committed 

enough to champion the cause of the values that culture supports. For that reason, 

they are often called “champions,” a word with a pleasant dual connotation. 

If a culture of security does not, by itself, create greater security, then why should 

anyone champion it? The answer is that a culture is a necessary precondition in 

which to establish an appropriate level of security. By analogy, good soil and 

climate, the terroir, do not make great wine, but without a fine terroir, the best 

grape clones, skilled winemakers and the latest equipment will, at best, result in 

mediocre wine. In the same way, without a culture of security, the most advanced 

techniques, dedicated security professionals and the finest technology will lead 

to a middling level of security, at best. Some security practices may exist, 

perhaps supported by technology, but “weaknesses that result from inappropriate 

governance, inadequate management, a dysfunctional culture or unready staff 

cannot be fixed with technology.” 2 

Thus, a culture of security is not an end in itself, but a pathway to achieve and 

maintain other objectives. In one sense, the primary objective is assurance that 

information will not be misused. This assumes that there is consensus on the 

appropriate use of information, with everything else being misuse. This sort of 

consensus is hard to come by and is the reason why the implementation of security 

can be contentious. A culture of security will not eliminate discord, but it will 

establish a basis on which accord can be reached. 

There can be security in the absence of a robust culture supporting it. It may even 

be appropriate to the needs of the enterprise and a rational understanding of the 

information in question, if only by happenstance. However, security without culture 

cannot be sustained over time. All of the other organizational dynamics will distort 

security to the point that it is unrecognizable. Tough economic times will lead to 

crippling budget cuts. Competitive pressures will dissipate access controls and 

separation of duties. Otherwise benign motivations to serve customers will become 

the pretext to lower barriers, and as the enterprise morphs and changes, security 

will fall to the wayside. In the same manner, a security culture itself needs to be 

sustained over time. Creating it is one thing, strengthening it another, and keeping 



it going and growing is definitely a third. Cultures, too, morph as the people who 

constitute them come and go. There need to be self-sustaining elements to a culture 

or the same security battles will be fought over and over again. 

The greatest benefit of a culture of security is the effect it has on other dynamic 

interconnections within an enterprise. It leads to greater internal and external trust, 

consistency of results, easier compliance with laws and regulations and greater 

value in the enterprise as whole. In short, a secure enterprise—one that is as secure 

as it needs to be—is a better enterprise. The payoff comes from all the areas 

in an enterprise where reliability, open communication and cooperation among 

individuals and departments work smoothly together to achieve overall goals. 

All that is required is a common commitment to values and behaviors that enable 

mutual trust. (See section 6.1.) 

As is often the case, the presence of an intentional security culture is harder to discern 

than is its absence. The most common indicators of a weak culture of security are an 

information security function (if one exists) that is underfunded, demoralized and 

so far down the chain of command that it is unlikely to have any influence on 

organizational decision making. At the same time, it is common for security 

professionals, in their zeal to protect everything as much as possible, to feel that 

they never have a large enough budget, are never fully appreciated and are always 

overruled on important business decisions. The fact that an information security 

function exists does not, in itself, indicate a robust, effective security culture. 

It is said that if something cannot be measured, it cannot be managed. So, if a 

culture of security is difficult even to discern, it is extremely difficult to manage. 

However, it is also not clear that a culture needs managing or whether it can be 

managed at all. It is the collective perception among many people, best driven by its 

champions. A culture has no direct metrics. Its benefits are best perceived through 

the accomplishment of other objectives. In the case of security, these would be an 

enterprisewide consensus that the risks to information are well understood, that 

information resources are adequately protected, that security enables rather than 

inhibits the attainment of business objectives and that the investment in security is 

well spent. Note that these are fuzzy and indirect metrics, but they are metrics 

nonetheless. Systems of belief are real even though they cannot be seen. When groups 

of people within an enterprise behave in a consistent and constructive manner, it is 

certain that there is a culture at work. When they accept and promote an appropriate 

level of protection for information resources, there is a culture of security. 

3.1 The Benefits of Trust 

Security is the basis for trust, as stated previously. At the same time, there is the 

sign often encountered in American diners: “In God we trust. All others pay cash.” 

40 



If one of the benefits of a culture of security is trust, then what is so beneficial 

about trust? Put another way, if trust is beneficial, what is it about a culture of 

security that creates it? 

First, in a business context, trust, is an ingrained assuredness that a person/thing 

is what he/she/it purports to be. In many cases, the initial encounter a person has 

with an enterprise is an exchange of information: a résumé, a letter of introduction, 

a phone call, etc. One of the tenets of security is that a person’s bona fides are to 

be validated. The level and thoroughness of verification depends on the business 

requirements of the position, the classification of the information to be accessed and 

the perceived risks. 3 Once this is done, those working with a new employee have 

an expectation that the person is capable of performing the assigned tasks, but this 

is not security. What is relevant is that, based on prior experience, coworkers can 

expect the new hire to use information honestly and as authorized. This expectation 

persists throughout and beyond the early period of employment, growing over time 

as experience buttresses initial anticipation. 

Absent security, there is little or no way to know whether a person has manipulated, 

disclosed or destroyed information without authorization to do so. Thus, security 

fosters trust by providing assurance that information is being used as allowed or 

else that misuse would be noted. Security does not engender trust of others. It 

only allows each person to have confidence in the information being used. The 

degree of trust should not be overstated; one of the parties may use the information 

to undermine a colleague, spread rumors or make silly mistakes. However, the 

information that is used to do so can be trusted. 

There is a chain of causation here: A culture fosters security, which, in turn, leads 

to trust. In turn, trust leads to reliable expectations in the decisions and actions 

made on the basis of the information in question. Ultimately, reliability is a benefit 

that a culture of security provides. This is true in the workplace, but also in the 

home. Spouses must trust the word of spouses and children that of parents. Readers 

must trust their press or the advantages of an informed citizenry are lost. Citizens 

must be able to trust the information provided to them by their governments or 

there is chaos, despotism or both. There is an appropriate, wonderful feedback loop: 

Where security fosters trust, it also increases the strength of the culture. Forced 

security, as in a prison, may protect resources, but it will not create trust. 

Perhaps the benefits of trust as engendered by a culture of security are best 

understood by its opposite. Where there is no culture of security, information will, 

over time, be shown to be less than reliable. Poor decisions will be made on the 

basis of incorrect, incomplete or fallacious information. These decisions will lead 

to loss of money; reputation; market share; confidence; credit; and, if taken to 

extremes, the viability of an enterprise. All others pay cash, indeed. 



3.1.1 Internal Trust 

Trust is the lubricant that makes enterprises run smoothly. In a large, widely 

dispersed enterprise, a culture of security is essential for individuals, who may 

not know or see one another, to pass information between each other and act on 

it in the expectation that it has not been manipulated. In enterprises of this sort, 

security must be assumed or nothing can be accomplished. This is an effective 

security culture only to the extent that this assumption is based on reality. 

Information systems exist to manage the content and flow of information among 

people within departments that are part of the divisions that make up the enterprise 

as a whole. Events will conspire to reveal failures of security that, in time, will 

manifest themselves in a lack of trust in the information systems and, ultimately, 

the information itself. Where people do not trust information, they create parallel 

systems that they do trust—hence, the card file in the desk drawer and the 

spreadsheet on the hard drive and, hence, the breakdown of any semblance of 

managed processes within the enterprise. 

How, then, does trust manifest itself in a supportive culture? It shows up in speed. 

Where the recipient or user of information trusts it, there is no need for repetitive 

checking and verification. Thus, transactions move through a system quickly and 

decisions can be made rapidly (or even be automated based on a reliable set of 

rules). In physics, motion is a function of velocity and time. The forward motion 

of an enterprise is a recurring function of speed and time—in other words, of 

organizational nimbleness. 

Nimbleness is the ability to adapt speedily and easily to changing conditions and 

continue to perform at a high level. It is characterized by, among other things, quick 

and effective decision making, a marked degree of autonomy among the employees 

and managers, high-performing teams, and an ability to work through ambiguity 

quickly and correctly. 4 All of these are enabled by trusted information or, viewed 

the other way round, are impossible without trusted information. 

There are varying levels of trust within an enterprise. Departments may share 

information freely without a need for independent validation until certain decision 

points are reached. For example, all the information needed to construct a purchase 

order (PO) can be gained from a variety of sources, such as a vendor database, 

contracts and procurement policies. However, at the point that a PO is to be issued, 

it is prudent to have someone, usually the department head who will have to pay for 

it, review and validate all the information. 

In another sense of varying levels of trust, the confidence that can be applied to 

information in normal conditions is sharply different than that needed in periods of 

change, disruption or chaos. As information moves through an enterprise, there are 

systems—information systems—that preserve its integrity as it moves from process 

42 



to process. Thus, an order becomes an inventory selection that becomes a sale that 

becomes a delivery that becomes a payment. The information must stay unchanged, 

except through authorized modification procedures, throughout the journey. 

However, in challenging times, there is a need to recognize and react to the 

possibility of less reliable information. For example, if there is evidence of an 

active penetration attempt, information might have been changed. A disaster in a 

datacenter can wipe out enormous amounts of information in a very short amount 

of time. It is at points such as these that the quality of trust takes on new meaning. 

Can security technology be trusted to identify penetration attempts and to isolate 

possibly affected records and databases? Can disaster recovery plans be executed 

in such a way that the recovered information is current and accurate, at least within 

preestablished parameters for currency and accuracy? The answer is yes, if: 

• Security has been tested under circumstances similar to that of the event 

in question. 

• Mechanisms are in place while executing security and recovery measures to 

validate the resulting information. 

• Leadership exhibits confidence in security as it uses the information in question. 

These attributes may be stated in terms of organizational variables such as context, 

supportiveness and leadership. These can only be established on the basis of 

practices and behaviors put in place long before a crisis. They are the product of 

deliberate effort and unremitting hard labor. Leadership, in context, is a hallmark 

of a culture; leadership’s trust in information in a crisis is a hallmark of a culture 

of security. There is a need for balance among the variables. Maximizing any one 

component of a system pressures the whole. Strong leadership is essential, but 

disregarding context and culture can lead to over-reliance on leaders in routine 

times 5 that disappears in crises. 

3.1.2 External Trust 

The need for trusted information does not stop at an enterprise’s front door. Trust 

is essential among business partners, contractors, vendors and customers. The 

concept of security’s being erected at the perimeter of an enterprise’s information 

systems has long been outmoded. 6 Thus, the internal-external distinction has, to a 

large extent, become blurred, but it is meaningful nonetheless. There is a basis for 

trusting those who work together for a common purpose, with jointly held values 

and attitudes about the security of information resources (i.e., a culture of security) 

and those who may share some of the same incentives, but whose motivations 

ultimately diverge. 

While customers and suppliers have a mutuality of interest, there is an inherent 

adversarial relationship with regard to information. In many enterprises, there 

are entire departments checking invoices against POs to make sure that there 



are no overcharges. However, an excessive bill is not indicative of a problem 

with security. The good faith in an enterprise’s security is most tested where one 

enterprise holds information regarding another (or of individuals). The issue is most 

starkly presented where the privacy of PII is concerned, but it is just as valid where 

the relationship is a business-to-business one. For example, a company would not 

want its buying patterns revealed lest its business strategy be made public as well, 

which necessitates that purchasing information must be kept secure, and sellers do 

not want to have any tampering with customer orders. Thus, the trust necessary 

to enlarge business relationships rests on good products and services, to be sure, 

but also on contracts, nondisclosure agreements and a general understanding that 

information will be secured diligently by both parties. 

The Banking Example 

To an extent, a culture of security also accommodates reduced levels of security if 

the reduction is attuned to risk and value. A classic example is a bank’s approach 

to verifying customer identity with regard to checks. By custom as well as law, a 

signature is sufficient authorization to make a payment based on a draft against an 

account. At one time, banks would match customers’ signatures on checks against 

those on cards filed at the time an account was opened. Over time, banks realized 

that the vast majority of checks were not counterfeit or forged, so they stopped the 

practice of verification. The cost of risk acceptance was shown to be far less than 

the cost of increased security. Thus, the banking culture, always attuned to security, 

adapted to a more appropriate level of integrity checking. 

The exceptions in check payment are as instructive as the reduced level of 

checking. In some countries, banks still verify each signature. In section 2.2.1, 

Societal Culture and Security, it was shown that different societies have varying 

levels of expectation of trust and honesty, based on economics, language, history 

and heritage. Thus, in some nations, the level of confidence in the authenticity of 

checks and customer signatures does not permit the same practices as in banks 

where validation is not required. (It also limits the number of potential customers.) 

Prudence wins out over cost reduction. 

Moreover, even banks that do not routinely verify signatures do so when the value 

of a check passes a certain threshold. Viewed systemically, the level of security 

required increases in a direct relationship with the value of the information. The 

heritage of banking is such that trust of customers is only slowly gained; a long 

history of timely payments and large deposits has been the basis of lending in the 

past. With the vast expansion of banking activity following World War II, it was 

necessary for financial institutions to broaden their “know your customer” policies 

and introduce automation of the information in banking transactions, notably 

including checks. Interestingly, in 1998, “know your customer” rules were proposed 

44 



as addenda to bank regulations in the US, but they were withdrawn because of 

privacy concerns—yet another example of level setting within the broader culture 

of security affecting businesses. 

Trust Defined or Earned 

As noted previously, a very low level of trust was assumed between enterprises 

and their customers in the past. This proved to be a brake on business growth, and 

information systems were introduced to speed and standardize the processes of 

managing customer information. In parallel (or, in fact, slightly lagging), security 

systems arose to protect the information. The reliance within an enterprise on its 

security systems allowed business expansion to deal with customers the enterprise 

did not know and may never have met. The current state of electronic commerce 

(e-commerce), in which customers are geographically dispersed and anonymous, is 

the logical extension of that trend. 7 Where once trust needed to be earned over time, 

it is now more routine to assume that a customer can be trusted until demonstrated 

otherwise. The movement from “know before trusting” to “trust, but verify” is a 

significant cultural shift across many societies, abetted by cultures of security being 

established in enterprise after enterprise. 

As information, especially in electronic form, becomes increasingly pervasive in 

all aspects of culture, both the scale and inherent value of such information drives 

a need for a more pronounced culture of security. The culture must take into 

account many contending internal and external forces, but in the context of current 

business conditions, the result must include at least a reasonable level of trust. 

Setting the bar of reasonableness requires an understanding of the relevant risks, the 

effectiveness of security measures and management’s tolerance for losses. In other 

words, reasonability is a part of a culture of security and a culture of security is 

established in the context of reasonability. This may be viewed as circular logic or, 

preferably, as a virtuous cycle that refines a culture over time. 

3.2 The Benefits of Consistency 

Security should be boring. House keys are boring. Smoke detectors are boring. 

When security is working, it is unobtrusive, functional and pervasive. Security is 

noticeable only when it is not there when needed. It becomes quite exciting when 

there is a security breach: People scramble to find every copy of a report; computer 

emergency response teams (CERTs) mobilize to restore systems and networks; 

datacenter staff travel to distant recovery sites; etc. Good security is virtually 

invisible. Poor security is very evident indeed. 

The essence of boredom is repetitiveness and continuity. The same key unlocks 

the same door every time. A smoke detector sits in place, with a small light always 

glowing. When information is secure, only authorized people have access to 



it—always. It is always encrypted in storage, always kept in locked file cabinets, 

never spoken of in public places and never left behind after a meeting. Security 

is continually, constantly in place; working as expected; and clearly understood, 

controlled, monitored and observed. 

At least, that is the goal. 

Security is derived from a combination of policy, technical and procedural 

measures. Consistent security is a result of a culture that applies the same measures 

in the same way all the time to all assets of similar value. Implicitly, the culture 

must also support clear, well-communicated methods for determining the value of 

information and for allowing exceptions to security processes on a controlled 

basis. In this way, security can be well understood by all those who encounter 

information. Moreover, organizational management can have a rational basis for 

relying on the security measures in place and for recognizing the extent to which 

security cannot be depended. 

3.2.1 Valuing Information 

Not all information is of equal value, nor is a given item of information of the 

same value all the time. For example, some information is of little or no value at 

all to an enterprise (e.g., the bowling league scores). Other information may have 

great short-term value, such as the price of a commodity or a stock, that diminishes 

rapidly as it is made public. Some is transactional, with minor individual worth, but 

great value in the aggregate. Some is strategic, with substantial impact if it were to 

be lost, disclosed or manipulated. The test is to determine the: 

46 

Potential impact on an enterprise should certain events occur which 

jeopardize the information and information systems needed by the 

enterprise to accomplish its assigned mission, protect its assets, 

fulfill its legal responsibilities, maintain its day-to-day functions, 

and protect individuals. 8 

The potential impact of a lack of security is determined through a risk assessment 

process, based on the classification or categorization of the information in question. 

The means of classifying information, i.e., setting its value, are a part of a culture of 

security. There is considerable debate as to the gradations of value, the metrics for 

classification, the frequency and rigor with which information should be categorized, 

who should perform the classification, etc. In terms of a culture of security, the 

determination of these matters is unimportant as long as information is valued the 

same way at all times by all those involved. This consistency reduces the chances of 

introducing a security gap if the same information is felt to have different value by 

different analysts. If consistently applied, it provides a realistic basis for management 

to gauge the investment necessary for the appropriate level of security. 



3.2.2 Exception Processes 

Security can be undermined if it is too rigid. Standards may be set to govern a broad 

range of uses of information, specifying what is and is not permissible for certain 

categories and uses. It is impossible to foresee all conditions in which every sort 

of information will be used. Inevitably, there are circumstances in which a valid 

business case can be made for less (or more) security. If the rules are seen to be blind 

to the context in which information is to be used, people will find a way around the 

prescribed security measures. In such a case, the culture is typified not by what the 

enterprise may expect it to be, but by the craftiness of those who would circumvent it. 

The culture of a successful enterprise must recognize that there are exceptions to 

every rule. If there is a standard procedure for adjudicating differences between 

those responsible for security and those with a legitimate business need to deviate 

from prescribed measure, that enterprise’s culture of security is typified by 

flexibility and reasonableness. It may seem paradoxical, but consistent application 

of exception processes actually creates a more effective culture of security than one 

that is authoritarian and unbending. 

Of course, it is possible to have too many exceptions, thereby invalidating the rules. 

In such a case, the security culture becomes one typified by a “whatever you can 

get away with” outlook. This is one instance in which there are metrics for security. 

If a given enterprise’s security is based on all exceptions and no application of 

standards, then the exception is the rule. 

3.2.3 Risk Management 

One of the logical outcomes of an exception process is the decision to determine 

that a risk is not credible and, thus, to accept it. Some security specialists find it 

difficult to acknowledge that, at some point, it is more prudent not to secure an 

asset than to do so. That may be because the asset in question is not considered 

sufficiently valuable or because the cost of protecting it is seen as being too 

high. Security professionals can enter into this decision, but their bias in favor 

of protection, perhaps at all costs, renders them unable to be the final arbiter. 

Sometimes, enterprises can justifiably accept a risk of misuse of some information. 

Again, the determinant in terms of a culture of security is consistency. It is 

unacceptable to simply take a risk without an agreed-on process to make and 

validate risk acceptance decisions. There are three aspects, or domains, of risk as 

the term applies to information: governance, evaluation and response. A 

standardized governance of risk (i.e., of deciding whether to mitigate, transfer 

or accept risks) is a distinct part of a culture of security. If a culture allows any 

manager to blindly evaluate and accept the risk of information misuse, then it is one 

of permissiveness—not of protection and certainly not of prudence. Moreover, once 

a determination has been made concerning the appropriate response, an enterprise 



with a viable security culture is more likely to see the necessary actions followed 

through. The benefit of consistency in risk management is that all participants can 

respect the decisions made, even if they disagree with them. 9 

Risk management is not a democratic process. Some stakeholders weigh in more 

heavily than others in making risk-related decisions. However, if the methods are 

consistent and the information on which the decisions are made is trustworthy, then 

the integrity of a culture of security is preserved. 

3.2.4 Predictability 

One of the byproducts of consistency is a reasonable expectation that the same 

process, tool or procedure will render the same results, time after time. This may 

be particularly important for security purposes. If security is operative today, 

all involved have a right to anticipate that it will work the same way tomorrow, 

i.e., that permissible access will be allowed, with all others denied. Information 

systems need to be built in the expectation of a certain level of overall security 

so that developers can accurately gauge on what their systems can rely outside 

an application and what they must build into it. Without predictability, each new 

application development would require revisiting security from the top. 

An advantage of a predictable security culture is that it is measurable, albeit 

indirectly. A computer program can be tested to ensure that it works as specified. 

Except for the simplest programs, it is not possible to test all possible logical 

permutations to prove that a program is correct. Likewise, information security 

cannot be proven to work all of the time, that is, predictably, 10 but to the degree 

that security does operate as expected, it is an indicator of the vitality of a culture. 

Security incidents may be indicators of weakness in a culture of security. However, 

if an enterprise responds promptly and effectively to an incident and, in particular, 

uses it to strengthen protection, it may also be indicative that a culture of security 

exists and is functioning well. 

There is another aspect of predictability that bears on a culture of security: the 

ability of an enterprise to foresee the risks it will face and to implement measures 

proactively to deter them. In numerous instances in recent years, from terrorist 

attacks to financial failures to hurricanes, there is a reaction by those who should 

have known better that “no one could have anticipated this.” Often, there was 

willful ignorance of the potential for harm and preventive or responsive measures 

could have been put in place. Foresight is an essential cultural artifact of a 

predictable culture attuned to risks and their reduction. 

48 



3.2.5 Standardization 

If consistency requires security to do the same things time and again, then it ought 

to do them the same way. To that end, enterprises settle on standard operating 

procedures (SOPs); standard tools; and, well, standards. An important benefit of 

standardization is that doing anything in a standardized manner leads not only 

to effectiveness, but also efficiency. People within an enterprise do not have to 

reinvent methods and practices, but can simply apply those that have worked in the 

past to future endeavors. (There is a risk that should not be overlooked, of standards 

becoming hidebound and restricting progress.) 

There are two types of standards that contribute to a culture of security. Some are 

internal to an enterprise, and others are generalized across an industry (e.g., the PCI 

Data Security Standards [PCI DSS]), a nation (e.g., those of the American National 

Standards Institute [ANSI] or British Standards Institute [BSI]) or the globe (e.g., 

the ISO standards referred to previously). The benefit of external standards is that 

they lend themselves to certification, as is the case with ISO 27001 11 for security 

generally or British Standard (BS) 25999 12 for business continuity management 

(BCM). Certification itself has two benefits: It promotes a culture of security 

and builds internal support for it. Within an enterprise, who would want to be the 

cause of it losing its certification? Moreover, certification inspires trust among 

business partners. If unable to look deeply into one another’s security practices, 

they can place reliance on an independent third-party’s assurance that, at minimum, 

a publicly described standard of security has been attained. Certification is a 

benchmark of trustworthiness that may be a part of the glue that holds an extended 

enterprise together. By the same token, certification is not an unbounded assurance 

of security or recoverability. Any individual or enterprise wishing to place reliance 

on an associated business’s certificate must understand exactly what is certified. 13 

Internal organizational standards are the codification of an intentional culture of 

security. It is important to remember that standards are prescriptive and aspirational. 

They state what management in a given enterprise believes security should be (as 

opposed to external standards, which capture generally accepted best practices). 

Yet another metric of a culture of security is the comparison of internal and 

external standards to see how close management’s intentions are to best practices. 

The adherence of an enterprise to its own standards is then subject to audit. The 

links—strong, weak or broken—among actual practice, management’s expectations 

and globally stated norms are accurate indicators of how entrenched a culture of 

security is within an enterprise. 



3.3 Improved Ability to Manage Risk 

There is risk in every enterprise. Some of it is evident and is addressed through a 

risk management process. In some enterprises, risk management is robust and 

deals thoroughly with all aspects of strategic, compliance, financial and operational 

risk. 14 There is a widespread understanding that risk management requires a central 

coordinator or champion. Within certain industries, the position of the chief risk 

officer (CRO) fulfills this role. The CRO is given the task of coordinating and 

overseeing the enterprise’s risk at an enterprise level and reports to a high level 

of management. 15 

In other enterprises, the risk management function is little more than buying 

insurance. It is true that risk transfer is one acceptable response to risk; nonetheless, 

where risk management is thought of as purely insurance, it fails in its overall 

responsibility to the enterprise also to mitigate, control or formally accept risk. 

Risk management and security are—or should be—partners in mitigating and 

controlling risk within an enterprise. This is very apparent in information-intensive 

businesses whose stock in trade is not tangible goods, but data. These would 

include financial services 16 and many enterprises that sell information, such as 

photographs or music, over the Internet. It is unclear whether a culture of security 

leads to formal recognition of the importance of risk management or vice versa. 

It really is not important. What is clear is that a culture of security creates an 

environment that is receptive to understanding and dealing with risk in all forms, 

not least those related to information. 

Some of these risks are stated in standards and textbooks. Focusing on those risks 

results in standard, textbook responses. Risk management has the greatest benefit 

in dealing with evident, but unexpected, possibilities, so-called “black swans.” 

Both the term and the concept were popularized by Nasim Nicholas Taleb, 17 and 

these sorts of risks are very much in the consciousness of many risk managers 

today. Black swans are credible risks that are so far out of common experience 

that they are not given the credence they deserve. Recently, the new term “white 

swans” has arisen and means, in general, the ability to see and respond to risks 

that are before everyone’s eyes and to take action against them with a view beyond 

short-term financial interests. The economy of an enterprise whose business is 

based on a sound understanding of the value of its resources will be significantly 

healthier than the economy of an enterprise whose business lacks a strong, 

value-based approach. 18 A value-based approach to risk is more than a white swan; 

in the context of information, it is a distinct part of a culture of security. 

A culture of security does not, in itself, result in lower risk, although it should 

contribute to lowering it. Where such a culture exists, personnel will be more 

50 



attuned to risk, better able to see the risks in the way that information is managed 

and more likely to use information securely because they comprehend the risks to 

themselves and to the enterprise if they do not. 

3.4 Improved Return on Security Investment 

Perhaps one of the reasons that a culture of security is thought of as the “soft” side 

of security is that there is nothing to go out and buy. A pattern of behaviors, beliefs, 

assumptions, attitudes and ways of doing things does not show up in a box, but that 

does not mean that such a culture is free. It costs money to instill attitudes, change 

behaviors and operating procedures, and instill a sense within an enterprise that 

security adds value to an enterprise that supports it. 

Of course, the software and hardware needed to implement much of security, 

especially over electronic information, do come in a box and also cost money. 

There are many questions confronting management in many enterprises regarding 

how much security is required, what the ratio is between the money spent and the 

security obtained, what the long-term total cost of security is, and how the return on 

investment (ROI) can be measured and justified. The answers to these questions are 

generally encompassed in the term “return on security investment” (ROSI). ISACA 

has long understood the importance of ROSI: 

Clearly defining ROSI is critical for enterprises to attain business 

objectives. To obtain a reasonably accurate estimation of ROSI, 

the enterprise needs to determine its security requirements and the 

most appropriate measure of ROSI, and establish metrics to collect 

information to measure ROSI. Business operations today recognise the 

significance of security measures as well as the risks and consequences 

involved in ignoring the impact of security to business operations. 

Decision makers are required to quantify, review and modify security 

metrics periodically to ensure effectiveness of the security measure. 19 

This subject is too dense and too well explored to be expanded on further here. The 

relevant matter is whether a culture of security affects ROSI and whether the impact 

is positive or negative. On the surface, it would seem that an enterprise with a more 

pronounced culture of security would invest more in security than one without such 

a culture. It would buy more security products, hire more security professionals, 

and have more complex procedures for implementing and maintaining security. 

However, that only looks at one side of the ledger. It does not factor in the expected 

returns from the expenditures, the net present value of information resources 

over time, annual loss expectations or the cost of recovery if security is breached. 

Indeed, there are many ways of calculating ROSI, each with inherent biases in 

favor of maximizing security or minimizing the effect of breaches. 20 These are 



not necessarily the opposite sides of the same coin, inasmuch as the reputational, 

social, moral and professional value of security cannot always be stated in purely 

monetary terms. There is no way to balance the recognized cost of prevention with 

the unrecognizable savings from events that do not happen because the preventive 

measures are in place. 

Implicitly, then, an enterprise with a culture of security places a value on the frauds 

that do not occur, the audit reports that do not need responses, the remediation and 

recovery costs that do not have to be incurred, or the disaster that did not disrupt 

business operations. The question is whether the ROSI attributable to a culture 

of security is an article of faith or whether it can be demonstrated. There are 

calculations intended to optimize the investment in security, 21 but it remains to be 

seen whether they can be tied to a cultural impetus. 

One of the difficulties in linking ROSI and culture is that there are many 

investments in security that are nondiscretionary. They are mandated by laws 

and regulations, so even the most risk-tolerant, security-averse management must 

implement some level of security. For example, privacy is required across the board 

in some areas of the world and is specified by law in certain industries in other 

nations. Additionally, there is a level of prudence that leads to expenditures that no 

sensible manager would dispute. For example, who today would operate without 

virus filters or firewalls? 

The intersection of a culture of security and the investment in protection is in how 

much and how well the security will be applied. For instance, a law may call for a 

chief security officer (CSO), but it does not say how much the person ought to be 

paid, how large a staff there must be or with which software tools the function must 

be equipped. There is an implied rule of reason, 22 a context that is an essential part 

of a culture. It is not so much that a culture of security increases or decreases ROSI, 

but that it contributes to reaching the appropriate balance. 

The ROSI benefit of a culture of security is that it creates an environment in 

which an enterprise can determine the right mix of investments: security products, 

insurance and acceptance of the costs of security-related incidents. With explicit 

and consistently applied processes for evaluating risk, enterprises are more likely 

to fund the most effective means of securing their information. If pure operating 

expenses were the only determinant of ROSI, then enterprises should implement 

only the minimum amount of security and obtain insurance to recoup the cost of 

the inevitable incidents. As stated, this does not take into account the many impacts 

on an enterprise that are not measured monetarily or, at least, the cases in which 

financial impact is felt only over time and indirectly by diminished reputation and 

lost market share. It must also be remembered that incidents still occur, no matter 

how great the expenditure on security. 

52 



A culture of security comes into play in the middle ground between required security 

and clearly excessive spending. These categories are not clearly defined, but fuzzy sets 

of values lend themselves to conveying a large amount of information with a very few 

words. They make it possible for people to manage uncertainty as characterized by 

structures that lack sharp, well-defined boundaries. To that extent, a culture of security 

is rightly “soft” in the sense of a soft focus, one that provides a fuzzy, nondiscrete, 

poorly defined view of the requirements for security. It is better to be approximately 

right than to be wrong with mathematical precision. Numbers, after all, are as subject to 

(mis)interpretation as are behaviors. Those looking for “hard” facts and figures would 

do well to look elsewhere than into the culture of an enterprise, but they would fail to 

take advantage of real forces that guide, steer and push enterprises to the right decisions. 

3.5 Compliance With Laws and Regulations 

It is fair to say that regulations encapsulate good practice—various measures 

that enterprises should be implementing anyway. To the degree that this is so, a 

supportive culture makes compliance easier, if not easy. No one can say that a 

culture of security enables compliance with a particular law or regulation. Rather, a 

culture of security makes an enterprise more amenable to complying with laws and 

regulations generally and makes compliance a routine part of operations. A defining 

characteristic of a security culture may be that an enterprise always seeks to be in 

compliance with the laws and regulations of the area in which it operates. Doing 

otherwise could possibly endanger its survival, as has happened to several failed 

companies in recent years. 

There are three competing views of regulation. Regulation is: 

• An unnecessary intrusion into management’s discretion in running its business 

• A necessary contributor to an orderly society. Some countries exercise regulation 

lightly while others are more authoritarian and dictatorial. 

• The basis for competitive advantage 23 

Whichever the view, enterprises comply unless they deliberately court penalties 

with disobedience. Some do so grudgingly, to the least extent possible, while 

others embrace the framework that regulations imply. It is not necessary to say 

that enterprises with strong security cultures are compliant to recognize that those 

without such a culture are more likely to find regulations burdensome. 

Those seeking to build a culture of security can use laws and regulations to their 

advantage. Where security is legally mandated, external rules can be used to force 

internal action. However, imposing a culture in the name of compliance may 

change behaviors, but it also hardens negative attitudes about security. Moreover, 

those enterprises that operate globally must meet so many regulations that all 

investments in security may seem arduous. 



A more beneficial approach is to use required security as a baseline for 

discretionary measures. The security measures needed to comply with regulations 

have a price. Those may prove sufficient to meet the security needs of an enterprise, 

with or without regulatory pressure. If additional security is felt to be necessary, 

given the risks an enterprise faces, the cost for additional measures is easier to 

justify. (If the cost of compliance is x, then, for just a relatively marginal amount, 

even better security can be achieved.) However, using regulation as a basis for a 

security program is merely a diversion from the basic requirement to observe legal 

and regulatory requirements. 

The benefit of a culture of security is that it fosters proactivity, which enables an 

enterprise to position itself in front of externalities and base its security profile 

on its own needs rather than those imposed by laws and regulations. In the long 

run, there are savings to be achieved by anticipating problems rather than reacting 

to them when they arrive. In many, if not most, cases, the steps taken to meet 

perceived organizational security needs may be sufficient to satisfy regulatory 

bodies as well, and when they are not, the cost of compliance may be subsumed 

into that of security itself. The price will be paid regardless, but where there is 

a culture of security, the price may be seen not as an additional burden on the 

enterprise, but as a part of the investment in overall organizational growth. 

3.6 Shareholder/Citizen Value 

The greatest benefit of a culture of security is that those enterprises that have 

one are simply better enterprises than those that do not. Private companies with a 

culture of security create greater value for their shareholders. Government agencies 

deliver greater value to their citizens. Real value is derived from profits and mission 

accomplishment in the short term. The ability to continue to create value is based in 

an enterprise’s culture. 

It is perhaps easier to see that a culture of service pleases customers, a culture of 

growth pleases investors and a culture of productivity pleases employees. However, 

who derives pleasure from security? As long as security is viewed as a negative, 

restrictive factor within an enterprise, it is hard to see who gains benefit from it. 

Security professionals are often heard to say that security is an enabler, 24 not an 

inhibitor. This means that secure information is a baseline requirement for any 

enterprise to prosper. If the information that flows through an enterprise cannot be 

trusted, then that enterprise will be unable to compete effectively. 

As noted previously, this is all the more the case for those enterprises whose 

business is the provision of information. For these businesses, service, growth and 

productivity—to say nothing of profitability—are directly linked to the quality 

of the information provided, and security is an attribute of quality. A culture 

54 



of security allows all stakeholders, from the lowest-paid employee to the chief 

executive officer (CEO) to the investors, to see the alignment of business and 

security objectives. 

Even in enterprises whose products are tangible goods, there is valuable information 

behind the products. Recipes, formulas, production processes, research, etc., are all 

information that leads to the items such companies sell. They cannot take or satisfy 

an order, find a product in a warehouse, or track delivery and payment without 

information. Again, the quality of the information is a major contributing factor in 

the success of the products. 

A culture of security in concert with other aspects of a corporate culture is the 

foundation of organizational continuity. To the extent that an enterprise experiences 

the shocks of catastrophic events, its disaster recovery planning is certainly the 

basis for ongoing success. A culture that values information and supports the 

measures to preserve it and use it correctly is also more likely to be a continuing 

institution than one that does not. A culture of security permits management to see 

the benefits of security and not just the costs. More important, it leads an enterprise 

to the appropriate level of security given the context of its business. 

The words “context,” “appropriate,” “alignment” and “value” recur frequently in a 

discussion of any culture. Where a culture is, is a question of security. Sadly, there 

is an obstacle of ingrained negativity to be overcome in establishing what should 

be a natural extension of any enterprise’s foundational principals: Do not betray 

confidences, always live with integrity, prepare for the worst while expecting the 

best, etc. In other words, integrity, confidentiality and availability are not addenda 

to a corporate culture. They are always there. 

Endnotes 

1 Ibid., p. 12 

2 Ibid., p. 8 

3 ISO, ISO/IEC 27002, op.cit. p. 23 

4 Powers, Burke; “Strategic Nimbleness as a Business Culture,” 2 August 2005, 

http://strategicchange.blogspot.com/2005/08/strategic-nimbleness-as-business.html 

5 Connor, Darryl R.; How to Create the Nimble Organization, John Wiley & Sons, 

USA, 1998, p. 68-69. Note that Connor is referring to a culture of nimbleness, not 

security. The point here is that one cannot exist without the other. 

6 Ross, Steven J.; “The Vanished Perimeter,” Information Systems Control Journal, 

vol. 5, USA, 2003. See also van Wyk, Kenneth; “How to Protect a Vanishing 

Perimeter,” eSecurity Planet, 4 April 2005, www.esecurityplanet.com/views/ 

article.php/3494991/How-to-Protect-a-Vanishing-Perimeter.htm. 



7 ISACA, e-Commerce Security: A Global Status Report, USA, 2000, p. 59-62, passim. 

8 US National Institute for Standards and Technology (NIST), Standards for 

Security Categorization of Federal Information and Information Systems, 

(FIPS 199), USA, February 2004 

9 ISACA, The Risk IT Framework, USA, 2009, passim. 

10 The unprovability of programs is a concept associated with Edgar Dijkstra and is 

also known as formal verification. There have been a number of academic studies of 

formal verification as applied to security. For example, see Taha, Ahmed H.; “Formal 

Verification of IEEE 802.16 Security Sublayer Using Scyther Tool,” Concordia 

University, USA, 2009, http://hvg.ece.concordia.ca/Publications/Confrences/ 

N2S09.pdf. See also University of Birmingham, USA, www.cs.bham.ac.uk/research/ 

groupings/formal_verification_and_security/, and Research Center for Information 

Security (Japan), www.rcis.aist.go.jp/project/softverification-en.html. 

11 Op. cit, ISO, ISO/IEC 27001 

12 British Standards Institute (BSI), “Business Continuity Management—Part 2: 

Specification,” UK, 2007 

13 Ross, Steven J.; “Certification and the Disappearing Perimeter,” Information 

Systems Control Journal, vol. 6, USA, 2008 

14 Institute of Risk Management, et al., “A Risk Management Standard,” UK, 2002, p. 2 

15 Conference Board of Canada, et al., “A Composite Sketch of a Chief Risk Officer,” 

Canada, 2001, p. 1 

16 Ibid., p. 2. In this report, 45 percent of the respondents were in financial services. 

Therefore, notably, 55 percent were in other industries. 

17 Taleb, op. cit. 

18 Featherby, James; “The White Swan Formula,” London Institute for 

Contemporary Christianity, UK, 2009, p. 6 

19 ISACA, “IT Audit and Assurance Guideline G4, Return on Security Investment 

(ROSI),” USA, 2010, p. 2 

20 Ibid., p. 4-6, passim 

21 Ibid., p. 6-7 

22 Ross, Steven J.; “ROSI Scenarios,” Information Systems Control Journal, vol. 3, 

USA, 2002 

23 Sethuraman, Sekar; “Turning a Security Compliance Program Into a Competitive 

Business Advantage,” Information Systems Control Journal, vol. 5, USA, 2007 

24 Just two of many applicable references are: Bardin, Jeff; “Security as an 

Enabler,” 2007, http://blogs.csoonline.com/security_as_an_enabler, and 

Thompson, David (chief information officer [CIO] of Symantec); “Security as an 

Enabler” (podcast), http://blogs.csoonline.com/security_as_an_enabler. 

56 


4.0 inhibitorS to a Culture of SeCurity 

4.0 InhIBItoRS to A CultuRe of SeCuRIty 

If a culture of security is as beneficial as described in the previous chapter, why do 

enterprises not have the culture they need relative to the context of their operations? 

The answer lies at the heart of security, which is intended to prevent negative 

events from occurring. Does that make security itself an inhibitor of other gainful 

activities within an enterprise or their enabler? The fact that there is discussion at 

all of creating a culture of security is indicative that there is a widespread view of 

security in the former light and a belief that steps can—and should—be taken to 

move the viewpoint toward the latter. 

In some societies, little children are taught that the police officer is their friend. 1 

Why is that message even necessary? Is it globally true? The message perhaps 

unintentionally transmitted is that there is a reason to consider the police officer not 

to be a friend. At best, the police officer is a crime fighter—at worst, someone who 

is menacing to average citizens. If the imagery of policing is dominant in portraying 

security of any sort, no less information security, it brings out the thought processes 

imparted directly and indirectly from a very young age. The police officer is your 

friend … and so is the information security officer. 

The negativity toward security manifests itself in a number of ways. Rarely is 

anyone opposed to security; who could favor insecurity? The antithetical viewpoints 

arise over the extent, cost, reach, enforcement and application of security. There is 

a legitimate point of view that security should be no more than the minimum 

consistent with due diligence, that anything more creates an imposition on an 

enterprise. This may be true enough, but it invites discussion and dissension on 

what is the minimum; what is prudent; and, not the least of which, who is going to 

pay for it. 

To overcome the inhibitors to a culture of security, they must be understood and, 

if they cannot be eradicated, at least neutralized. It is insufficient to simply insist 

on security as a directive imposed from above. That approach may or may not 

lead to security, but it certainly dampens any enthusiasm for a culture of security. 

Successful creation of such a culture depends on all or at least most stakeholders 

accepting and promoting security as something of benefit to themselves. It 

necessitates creating an image of security to compete with the police officer, locked 

safe, chains, etc. Security must be seen as an essential contributor to business and 

not a necessary, but unwelcome, burden for an enterprise to carry. 



4.1 Societal Culture 

As noted in section 2.2.1, a culture of security is conditional to the culture within 

the enterprise and even more so by the cultural assumptions of the broader 

society within which an enterprise exists. The term “secure” may evoke different 

images around the world, including the assurance that comes from believing that 

no harm will come to individuals, homes, families and populations. With only a 

little thought given to the matter, it is clear that those assumptions are not always 

supported: Bad things do happen, all the time and in the least expected ways. 

Where there is a long history of peace, prosperity and comfort, the expectation of 

security, while unfounded, is, in actuality, supported by experience. Lives are led 

securely because negative events of a serious magnitude happen rarely enough that 

sanity allows people to live in blithesome ignorance of the threats around them. 

The security of information within an enterprise is similarly conditioned by the 

sense that its information is not under attack. Information resources are used 

routinely by many people without incident. Much of the information would 

seemingly be of little interest to anyone outside the enterprise. Sadly, many people 

have had brushes with insecurity. Their personal computers acquired a virus, they 

left a report on the bus, their networks were brought down by denial of service 

(DoS) attacks, documents were taken from their desks, etc. At that point, their 

happy illusions of security were shattered and they became aware of the need for 

more exacting measures to protect their information. The seeds of a culture of 

security may have been planted, but once the particular event was past, it was easy 

to slip back into comfortable complacency. 

Complacent forgetfulness leaves an opening for thought patterns that are perhaps 

the most destructive to a culture of security, one that is, to a degree, prevalent 

in many societies: Information wants to be free. 2 People in many societies have 

become used to having the greatest compendium of information ever assembled 

available to them only a few keystrokes away. That expectation may be extended 

in their mind to all information on the Internet and everywhere. Of course, all 

societies keep a great deal of information secret and inaccessible. In dictatorial 

nations, much political and economic content is censored and constrained. Even 

in more liberal countries, information needed for national security is kept closely 

guarded. If every country has the government it deserves, 3 then those governments 

impose security on the information they do not want their people and enemies to see. 

If the government’s or the corporation’s leadership is understood to be repressive, 

there is a powerful incentive to bypass any protection and controls that seem to get 

in the way of whatever people want to do with the information they seek. 

58 



Where security is seen as the instrument of repression, there will indeed be a culture 

of security, but that culture will be seen as a malignant one. Security in a society that 

values freedom is not the enemy, but where the institutions of society are perceived 

as existing for the purpose of limiting freedom, it is very difficult to build the trust 

that a culture of security is supposed to nurture. The values of a society may propel 

or inhibit the development of a culture of security as a positive contributor to an 

enterprise’s success. Where security is viewed with suspicion in everyday life, it may 

well be contrary to self-interest to assume that security is beneficial. 

4.2 Lack of Organizational Imperatives 

Just as the values of a society affect its culture of security, so do the values of an 

enterprise influence its perspective on security. Commercial companies succeed 

in the marketplace based on one or several strategies, such as better products, 

lower price, greater customer service or higher fashionableness. Organizational 

imperatives follow from these strategies: Make it better, cut costs, be more nimble 

or get ahead of the curve. There have been numerous cases reported in recent years 

in which “make it safer” has been an imperative, often after a product has been 

shown to be unsafe. 

When an enterprise’s product is information, security is understood to be a 

strategic attribute of success, but it is difficult to obtain a consensus on the 

relative importance of various aspects of security. Is it more important to 

protect information resources from misuse or unavailability, from disclosure or 

manipulation, or from privacy breaches or regulatory criticism? It is insufficient to 

say “all the above” because security budgets are not infinite nor can all threats be 

treated as equally credible. 

For companies whose primary products are tangible and personally delivered 

services, not information itself, the arguments for security become more tenuous. 

Every investment in the security of information is one not made in new production 

facilities, training or personnel. Even if information is intrinsic to making money, 

it is often difficult to see how securing information is connected to the money 

that is made. Where that connection is unclear, there is unlikely to be any clear 

organizational priority for the security of information. In part, the purpose of a 

culture of security is to make the identification of security with success more 

evident. With perfect circular reasoning, there can be no culture of security where 

security’s relationship with organizational success cannot be readily demonstrated 

and understood, while the demonstrability and understanding of the link depends on 

there being a culture of security. 

Cutting through this dilemma necessitates clear imperatives for security. In 

regulated industries, those obligations are externally imposed, although regulated 



companies may differ on how far their requirements must take them. In all 

enterprises—regulated or not, public or private, or profit-making or charitable— 

there must be an executive commitment that necessitates the protection of 

information by everyone if there is to be a culture of security. 

It is easy to demonstrate the dedication to security in a negative sense. If someone 

misuses information, there are penalties that may result in termination or 

prosecution. However, it is harder to show in a positive fashion that acting securely, 

much less believing in security, is personally beneficial to the individual. It is hard 

to connect secure behavior to raises and promotions. Acting securely is a basic 

assumption of employment, or so it may be believed. It is no more necessary to 

emphasize keeping information secure than it is to prohibit breaking the furniture, 

but it is evident when furniture is broken. There are metrics for sales, profitability 

and service that are not available for security. 

Therefore, the need for security is left unspoken in many instances. Silence is not 

motivational. A culture would make explicit what is often assumed, but in the 

absence of a vocal, compelling imperative for security from the top, it is difficult to 

mobilize the enthusiasm and support of people throughout an enterprise. A culture 

of security cannot grow in quiet darkness. 

4.3 Unclear Requirements 

Even if the overall imperative for security were distinctly understood within an 

enterprise, the specific requirements to fulfill the implied obligations are often 

unclear, at least to those who must articulate them, to say nothing of those who must 

carry them out. In part, this is because the only clear “owner” of security is the head 

of the information security department, often called the chief information security 

officer (CISO). This individual may be responsible for the security of all information 

in whatever form it may be, but in practice, the CISO focuses on information only in 

electronic form. In most instances, the CISO reports within the business group of the 

chief information officer (CIO) and is often oriented toward protective mechanisms 

such as firewalls and virus filters, identity management software, encryption, and 

access control. These are unquestionably important tools for data security, but 

paradoxically, they may stand in the way of a culture of security. 

The role of the CISO and all the measures put in place by the CISO to protect 

information on computer systems and networks create the impression, in some 

quarters, that security is the domain of the CISO and that no others need concern 

themselves about it. The focus on the CISO security role is so intense that others 

have no clarity about their participation and contributions to it. The users of 

information look to the CISO to protect their information, as do executives, 

operators, clerks, staff personnel, salespeople and the janitor. Security becomes 

60 



invisible because someone else, i.e., the CISO, is taking care of it. In the immortal 

words of Douglas Adams, the way to make something disappear is to declare it to 

be someone else’s problem (SEP). “An SEP is something we can’t see, or don’t see, 

or our brain doesn’t let us see, because we think that it’s somebody else’s problem. ... 

The brain just edits it out, it’s like a blind spot.” 4 This, specifically, is a major 

inhibitor to a culture of security. 

Rarely will an executive make clear what is required of all parties within an 

enterprise to protect its information. At best, there may be a broad goal, often stated 

as “security is everyone’s job.” If it is everyone’s job, it is no one’s in particular. 

Worse, “everyone” has no tasks assigned, no product to deliver and no metrics to 

achieve. General business users of information may comprehend their roles and 

keep their passwords secret, desks clean and lips shut, but most people simply 

trust their fellow workers to use information responsibly. As previously stated, a 

culture of security fosters trust, but trust, in the absence of a culture that would 

produce adequate security, is simply blind faith. Faith has its place in the world, but 

information security is not that place. 

In an ideal culture of security, all personnel in an enterprise would understand the 

value of the information they use and make their contribution to security to the 

fullest extent required. Alas, such perfection is beyond mere mortals, but it is an 

approachable, if not attainable, goal. This is an important point: A culture of security 

is unlikely to produce perfection. Nothing can do that. However, a thorough culture 

can make security as good as it can be—and, one hopes, as good as it should be. 

4.4 Insufficiency of Awareness Alone 

Much of the literature regarding a culture of security spotlights awareness as a 

vital component of the culture. It is undoubtedly true that ignorance of security 

will impede a security culture, but being conscious of security, by itself, is hardly 

sufficient to propel such a culture. In fact, security awareness is actually more 

nuanced. The term is generally used to mean an understanding of the: 

• Fact that risk exists 

• Threats that contribute to that risk 

• Available countermeasures 

• Individual’s role in exercising those countermeasures 

Finally, and perhaps most important for the development of a culture, security 

awareness implies a political argument: that security is actually a good thing for 

the individual, an enterprise and society as a whole. For those already attuned to 

security, it may be difficult not to see the validity of all these points. The challenge 

in developing a culture of security is to communicate all of the concepts raised here 

to people who actually do not comprehend any or all of them. 



4.4.1 Comprehension of Risk 

Most people who live in cities are aware that they face certain urban risks, and so, 

at a minimum, they lock their doors. They believe that if they were to leave their 

doors open, someone may steal their possessions (or worse). A door lock may not be 

sufficient to stop a determined thief, but it is a prudent security measure. Therefore, 

locking their doors becomes a routine part of going out and coming in. These people 

know that keeping their possessions is good for them and have internalized at least 

this simple measure of security. 

There are places in the world where people do not lock their doors—they may not 

even have locks—and only in exceptional circumstances do they feel unsafe. Outside 

of the exceptions, they are right. They are not unaware of security; they feel secure 

in the context of their own environments. Heightening their awareness of potential 

threats—far away—would do little or nothing to alter their beliefs or behaviors. 

Many enterprises feel like small villages to those who work there—where everyone 

knows everyone; desks are left unlocked with papers strewn atop them; and no one 

looks at other people’s computer screens, much less impersonate others by using 

their passwords. Management encourages a sense of common purpose, togetherness 

and trust. The cafeteria, company basketball team and holiday party all conspire to 

make business feel like high school. It is not that people are unaware of threats to 

the security of information; it is just that they cannot internalize a belief that they 

themselves are at risk. A culture of security will not arise by raising their security 

awareness. Their everyday experience will tell them that the person trying to do so 

is a mad “Cassandra” (even if Cassandra was right). 5 

Security awareness does have a place within a culture of security, but reliance 

on awareness to create such a culture is misplaced. It may be that an appropriate 

security culture can be maintained by a good awareness program, but to change 

a culture, all existing cultural measures must be reengineered. 6 Thus, reliance on 

security alone to create a culture of security results in inhibiting the very culture 

desired. To return to the village where people do not lock their doors, the likeliest 

reaction to a threat that affects the community would be to seize pitchforks and 

torches and hunt the monster down. Once that particular threat is taken care of, the 

villagers can return to their peaceful, trusting lives. 

4.4.2 The Personal Experience of Security 

In the context of information security, there have been repeated waves of just the 

sort of reaction as exhibited by the previously mentioned villagers. Computer 

viruses were seen as a deadly threat to information systems. Then, antivirus filters 

were made available and people trusted these to protect them. Hackers were going 

to bring enterprises to their knees, but intrusion detection systems and firewalls 

reduced the sense of menace and again trust reigned. Over and over, awareness of a 

62 



particular hazard overwhelmed the general understanding that information resources 

are perpetually at risk. Awareness of a threat may initiate action against it, but does 

not, by itself, change the culture. 

On the other hand, where there is a culture of security, appropriate action will 

generally be taken against the most relevant risks, not just specific threats at a 

particular moment. That is because the people who are the vessels for the culture 

take risk seriously and internalize it into a system of behavior, not just a reaction to 

individual perceived threats. There is no conscious decision on the city-dweller’s 

part as to whether to lock the door. It is an ingrained action because the possibility 

of harm is (or so it seems) self-evident. The countryside is not crime-free nor is 

every building in every city under siege, but the rural and urban cultures form 

attitudes and behaviors that, over time, prove themselves. People who live in rural 

areas are often shocked when crime occurs; urban folk may live without crimes 

affecting their own lives for years. Neither unexpected crime nor unanticipated 

safety change attitudes and cultures, at least not in the short term. 

There may be misuse of information resources occurring all around, but it is 

invisible. No one takes information off a desktop, discloses private data or hacks a 

web site in front of an audience. One of the great dilemmas of information security 

is that, unlike tangible possessions, information can be stolen and not be gone. Only 

when information that should have been kept confidential or private is known to 

have been disclosed are people aware that it has been misused. Data may have been 

leaking for months, but the victim recognizes the loss all at once. An internalized 

understanding of the ongoing risk may lead to a change of culture; short-term 

awareness of an event perceived as a singularity will not. 

Even where a threat is well documented and apparent to all—such as with computer 

viruses—awareness, by itself, does not lead to routine action. Antivirus filters 

must be continually enhanced to recognize and erase new variants, but experience 

has shown that people do not regularly download updates by themselves. They 

know that they should back up their files in case a virus does strike, but that, too, 

occurs only irregularly. They are not acculturated to the risk, even if they are aware 

of it. Thus, modern antivirus filters update themselves automatically, and many 

enterprises choose to employ systems to back up hard drives whenever users log on 

to their central networks, without the intervention of the information owner or user. 

The inhibition that awareness places on the creation of a culture is often caused 

by the way in which the need for security is communicated. If the insecurity of 

information is seen as harming the enterprise, then it would seem sensible that 

members of the enterprise should take responsibility for it. However, when security 

becomes the domain of the IT function and the CISO (SEP), others feel absolved 

of responsibility. Security is not seen as something that should be addressed by 



the individuals because they are not the ones who will suffer the harm, or so 

individuals can come to believe. In fact, each staff member faces the possibility 

of considerable personal damage, ranging from the disdain of colleagues through 

career limitation to loss of employment (or worse). The punishment would be 

justified, it may be thought, if the misuse of information were intentional, but errors 

and omissions—“I lost my laptop” or “I left the disk on the plane”—while scary, 

are not seen as necessitating the same drastic responses. A culture of security has 

been created when people say “I need to protect the information I have” instead of 

“IT needs to protect the information I use.” 

To get to that point, people must see the personal benefit of security, that security 

has a personal payback. Unfortunately, many people’s experience with security, 

in the broader sense, may lead them to believe that security is not good for them. 

If people’s only interaction with security is having someone on the CISO’s staff 

tell them that they cannot do something they want to do, they start to see security 

as a problem for them to overcome. If the process for gaining access privileges is 

cumbersome and bureaucratic, they will look for ways to circumvent the system. 

In short, if the interactions people have with the CISO and the information security 

function is, in general, a negative one, then it is doubtful that they will accept an 

awareness program from that same source. They will not participate in a culture 

that imposes the burden for security on themselves rather than on the security staff 

that is paid to build security. 

It is important to reemphasize that all the foregoing does not mean that there is no 

place for awareness of security in a culture of security; in fact, it is an attribute of 

such a culture. However, mere awareness is not the same as a culture, and reliance 

on it alone will simply stand in the way of creating one. It is necessary to bridge the 

gap between perception of the problem of security and acceptance that the problem 

is a personal one that requires personal action and involvement in the solutions. 

4.5 Systemic Shortcomings 

One of the great inhibitors to a culture of security is the nature of information 

systems themselves. In the broadest sense, such a system is the means and methods 

for acquiring and using information. In actual practice, for many people, it is the 

combination of computer hardware, storage and communications that are used 

to gather, process, store, disseminate and share information. Emphasis should be 

placed on the sharing of information. The great advantage of information kept on 

electronic systems is precisely that it can be obtained and stored one time, but used 

many times by many people. Systems of physical assets do not work the same way; 

if one person uses a tangible object, then another cannot do so at the same time. 

Thus, if one wishes to retain sole usage of an asset, it must be protected for private 

64 



use. In information systems, security consists of safely allowing, not preventing, 

many people and processes to use the same asset simultaneously. The paradigms of 

security are completely reversed. 

Of course, the security of the information comes from preventing those unauthorized 

to see it or change it from doing so. However, a system is incapable of distinguishing 

who is authorized to see and use what items of information. A system is established 

as a means of carrying out specific operations according to specified rules. A 

system does not have the capacity to know the value of the information or the 

authority of a would-be user to access it. The system only “knows” that there is 

data within it that can be transformed into other data in different forms by means of 

prescribed processes. To people, the data may be transformed into information; the 

transformative processes are transactions and programs. A system may be the means 

of imposing security over the information by equating users with identifiers and the 

ability to use information with access control lists. 

It is people, though, who create the lists, and the lists are (or should be) consistent 

with rules as to how the system works. A system is a mindless, mechanical 

vehicle to store and transport information until and unless people are involved. 

People are a part of information systems, whether they recognize and accept this 

fact or not. To the extent that people conceive of themselves as distinct from an 

information system, they will not be able to see themselves as a part of securing it. 

In short, there must be an equation among users, usages and resources used for an 

information system to have coherence. 

Unfortunately, enterprises do not foster such comprehensive systems. Instead, 

enterprises are divided in many ways: by their functions (divisions and departments), 

financial relationships (profit and cost centers), hierarchy (management and staff) 

and relationship with technology (technicians and users). These separations creep 

into the very essence of information systems and into the definitions of “information 

ownership,” “access privileges” and “information security.” 

The semiotics of identity take on a generally unexpected reality. Public and private 

sector institutions implement identity management as a way to bridge the gaps 

among the users and the resources used. It is a way of controlling the interests of 

the enterprise above those of the individual who may be trusted most of the time, 

but not always, to use the information as intended. The seemingly dispassionate 

granting or denying access to an information resource underscores the authority of 

someone—who?—to make the decision. Where identity management is thus 

pursued within a security matrix of controlled process and property, essentially, it is 

even identical to access control. 7 The control remains with the enterprises, and the 

individual remains detached from the system. A culture of security cannot grow out 

of such detachment. 



4.5.1 Inability to Detect Variances From Policy and Culture 

The enterprise asserting its ability to control access does so through the means of 

policy. As stated in section 2.2.2, the rules may be formally documented, but the 

actual behavior of an enterprise is its real policy. Once again, there is a gap that 

is filled one way or another. The narrower the gap between the desired and actual 

states of security-related policy, the likelier it is that a culture of security may arise. 

Conversely, “do as I say, not as I do” is, in fact, a policy, but it is a destructive one 

that leads to a culture of cynicism and disdain for security rules. There is always a 

culture of security, but not always a good one. 

The prescriptions of policy are easily seen. They are printed in manuals, displayed 

on login screens and reinforced by management briefings. The gap between aspired 

security and reality is less easily observed. Those who bypass the rules (that is, 

those who violate stated policy) are, in fact, expressing their disaffection with the 

authority of an enterprise to serve their interests. It does not seem to matter 

whether the disparity of interests is factually supported; the tension occurs from 

complexity, i.e., a lack of transparency. In defiance, some individuals “solve” 

this by taking control of their personal identifier(s) and the identification of 

what they “own” themselves. However much an enterprise wishes to state its 

ownership of information and the importance of securing it, it is nonetheless stating 

a relationship: The enterprise not only owns the information, but owns those 

who would use it. The one-sidedness of rule making, i.e., an enterprise’s formal 

domination of the relationship with correspondingly biased rules for identification 

and access, undermines a healthy culture of security. 8 

In these circumstances, people would be foolhardy to make their enterprises aware 

of the rules they are bypassing. Everyday behavior becomes so routine that it is 

increasingly difficult to detect that policy is not being observed. In theory, the 

disparity between policy and reality should be detectable by third parties such as 

auditors and security professionals. However, there are no totally independent 

observers; the mere fact that they are called on to examine the security of an 

information system makes them a part of the system. In a social application of the 

Heisenberg Uncertainty Principal, 9 the act of observation changes whatever it is that 

is being observed. This is not to fault auditors, but to recognize the nature of the 

system itself. 

If an enterprise’s culture is forgiving of policy violations, very bad results can 

occur. Every business scandal is a reflection that formal posturing has separated 

from reality. If the policy violations that pass unnoticed relate to security, then it is 

highly likely that security incidents will occur over time. Everyone will point to the 

policy and express shock that such a thing could have occurred, but it should have 

been predictable. 

66 



The failure to detect policy variances is insidious to a culture of security. It allows 

misappropriation of resources to become the norm within an enterprise. The 

resources may be inappropriately, but benignly, used for a time, but experience has 

shown that, inevitably, someone with more nefarious purposes will slip into the gap 

and do something harmful. This is also part of a culture; one of the objectives of a 

culture of security is to bring practice into alignment with proclamations. 

4.5.2 Inability to Monitor and Enforce Compliance With the Culture 

There is a more subtle variant on the problems of detecting failure to comply with 

policy. There are rules of behavior in a culture that are rarely, if ever, written down 

and are often not even recognized as being there. In a way, they are the same as 

the culture of a social club. Members of a club are supposed to be cordial with one 

another, respect one another’s property, not eavesdrop on private conversations and 

dress well. In other words, the club culture is one of well-dressed mutual respect (if 

not trust). Information learned at the club is intended to stay at the club. Members 

should not take business advantage of information and relationships gained there. 

Rarely are these rules documented, but they are real nonetheless, or at least real 

in theory. In many cases, some members do not get along with others, use one 

another’s golf balls and join the club only to further business relationships. 

The club culture is, to a degree, self-enforcing. Even though the culture is not always 

observed, there is tolerance for unacceptable behavior if it is discrete. Those who are 

blatant in breaking the unspoken code can be frozen out of social circles or asked to 

leave the club. Business enterprises are similar in that if people truly do not fit into a 

culture, they may be fired or more likely encouraged to quit beforehand. 

Where the culture in question is one of security, it is very clear that people can 

suffer penalties for flagrant disregard if a security incident causing harm to an 

enterprise can be traced to them. Is that really a culture of security, though? Surely, 

actively harmful activities lead to explicit sanctions. Can the same be said for 

giving insufficient consideration to security when the emphasis is placed on sales, 

profit or growth instead? 

An inhibitor to a culture of security is the lack of effective means to enforce 

compliance with it, short of the drastic measures applied after a breach. It is nearly 

impossible to tell if a person is committed to security, especially if that person 

avows the importance of it. Being security-conscious is a habit of mind, and it is 

very difficult to determine what is in another person’s mind. The subtle penalties for 

violating the culture of a club do not apply. Whispered conversations and averted 

glances are unlikely results from falling short of a culture of security. There are no 

metrics for the amount of attention that should be given to security, especially in 

comparison with other drivers. It is possible to show that someone is practicing 

insecure behavior, but nearly impossible to prove the reverse. 



Thus, in the absence of truly blatant failings, a culture of security is unenforceable. 

It is obvious when sales, profit or growth have not been achieved, but not if security 

is weak, unless there is a breach. It is a great deal more difficult to demonstrate 

that a culture of security is in place and functioning well because it is so difficult to 

show the reverse. 

A culture cannot be enforced in the same way that a policy is enforced. Culture is 

not a law, but a shared way of behaving based on assumptions, expectations, 

attitudes and beliefs. Therefore, it must be self-enforcing. If one does not behave as 

expected, it will be clear that that person is not part of the group. The individual’s 

thinking and behavior will be seen as different from what is expected by the group. 

Enforcement of a security culture is dependent on how important that aspect of the 

culture is. If a culture says to do what has to be done to close deals and also says to 

follow security rules, sales may win out because it is perceived to be more strongly 

valued within the culture. All elements of culture are not weighed the same. 

The value of powerful champions for security (other than the security professionals) 

is that they provide the background for enforcement of a culture. There need not 

be a valid, intellectualized rationale for heightened security if one can say, “Do it 

because the boss wants it this way.” However, the personal perspective of a senior 

manager is a weak method for enforcing a culture, especially if the champion does 

not have the support of peers or leaves an enterprise. 

4.6 Lack of Rewards 

One of the aspects of a culture of security is informed risk acceptance. On the other 

hand, uninformed risk acceptance—in actuality, intentional ignorance of risk—can be 

used to justify any security shortcoming in advance of a loss. Worse for the culture, 

it is impossible to prove that risk was imprudently accepted when a security breach 

occurs. Thus, those who favor a strong security posture must justify investments in 

countermeasures by demonstrating risk avoidance. Those who blindly and 

thoughtlessly accept risk rarely have to justify their decision—after all, they have 

accepted not only, risk but accountability—and they do not incur any costs. Their 

bottom lines look better (until an incident occurs, which may be years later). The 

security-conscious take all the personal risk up front. A culture of security is difficult 

to build when people perceive that they can lose, but cannot win. 

It is clear that those who bring in more sales or greater profit can be rewarded in 

higher pay and bonuses, but what accolades and benefits come to the person whose 

actions prevent an otherwise undetected security flaw from turning into a breach? It 

can be shown that certain heroic efforts repelled an explicit attack, but not that regular 

vigilance prevented that attack from occurring in the first place. 10 

68 



The rewards of security for an enterprise can be more readily demonstrated in 

reduced operating costs, elimination of redundant risk management activities and 

resources freed up for more strategic initiatives, 11 but what rewards come to the 

individual who lives within a culture of security and whose attitudes, beliefs and 

working methods are supportive of security? Perhaps more than any other factor, 

the lack of a rewards structure for behaving securely inhibits the growth of a culture 

of security. 

There are a number of related reasons why it is so difficult to compensate people 

for security. Each of them would be a significant impediment to building a culture 

of security. Together, they constitute a barrier that must be overcome for such a 

culture to flourish. 

4.6.1 Security Professionals 

It is not quite true that no one is rewarded for security. As previously noted in 

section 4.3, many enterprises have CISOs and their staff who are dedicated to 

security. Others have areas that perform some specific security functions such as 

personnel screening, facilities management, compliance or investigations. They are 

paid for doing their jobs and receive bonuses and promotions for doing them well. 

(It should be noted that these professionals also have difficulty in demonstrating 

the value of their contributions to their enterprises, but these problems are common 

to all staff functions.) It is indicative that a certain level of functional security does 

exist in these enterprises that such departments have been staffed and are relatively 

protected. Security activities are rarely eliminated, but they may be curtailed in 

adverse economic times. It is also significant that dedicated security professionals 

are rarely promoted to the ranks of executive management; advancement in security 

is not limitless. 

To the degree that security professionals receive the credit for an enterprise’s 

overall security posture, there is less incentive available for others who are focused 

on operations, sales, production, distribution, etc., to act in a secure manner. To be 

sure, there are penalties for insecure behavior, but the best that most personnel can 

expect is that they break even with security. 

4.6.2 Lack of Metrics 

In large measure, the lack of obvious metrics for security deters a rewards structure. 

“If it cannot be measured, it cannot be managed,” so without a solid way to 

measure a culture of security, it is difficult to manage one into existence. This is 

actually a second-order problem: It is difficult enough to measure the effectiveness 

of security measures themselves and even more so to evaluate the underlying 

culture. However, that does not mean that cultures cannot be measured. 



Determining the key indicators of success, what to measure, how to measure it 

and when certain levels of progress will be noted is a crucial part changing any 

organizational culture, not least a culture of security. The inhibiting factor is 

the neglect of hard measures of achievement and progress, which require the 

identification of indicators of success in culture change and interim progress 

indicators. “A data gathering system needs to be designed as does a time frame for 

assessing the results. What gets measured gets attention, so the key initiatives and 

outcomes must have metrics and measuring processes associated with them.” 12 

One solid example of a means of measuring a culture is the Organizational Culture 

Assessment Instrument (OCAI). 13 It offers a useful framework and a common 

vocabulary that can be used as a starting point for discussions about organizational 

cultures. For example, the OCAI examines attitudes concerning strategic emphases, 

criteria for success and the “organizational glue.” 14 These are not well adapted as 

metrics for a security culture, but provide evidence that such an instrument could be 

developed. 

4.6.3 Failure to Measure Risk 

The difficulty in applying metrics to the risks an enterprise faces is another aspect 

of the measurement issue that inhibits a culture of security. It is intuitive that 

security decreases risk, but it is far less clear by how much or what the actual level 

of risk was in the beginning. Again, those who would advocate for security are left 

without the tools to justify investments in security. It is fair to say that a culture of 

security is measured by for what an enterprise is willing to pay and that without 

metrics for the impact of investment on risk (ROSI), it is difficult to propel the 

culture forward. 

70 

Unfortunately, the most common approaches to measuring continuity 

risk are vague, subjective and difficult to use for guiding management 

in budgeting for controls and countermeasures. Almost all are based on 

the classic but simplistic formula: 

Risk = Impact x Probability 

… [which] is meaningful for those disruptions for which likelihood and 

effects are known, or at least are predictable. As Taleb demonstrates, 

it is specifically the rare, unforeseeable incidents that cause the 

most damage. 15 

In effect, the most widely accepted method for measuring risk multiplies the 

unknown (probability) times the unknowable (impact). Why multiplication and 

not, say, exponentiation? Why omit other factors, such as credibility, resources, 

scale, duration, mean time to repair or mean time to recurrence? In short, current 



techniques for risk measurement strain credulity, which, in turn, undermines a 

culture of security built on reduction of risk. Those who would support such a 

culture have no demonstrable way of being rewarded for doing so, either. 

4.6.4 Lack of Incidents 

The one widely accepted indicator of a successful culture of security, or at least 

of security controls, is a lack of incidents. This negative metric is ultimately 

self-defeating because it lays the burden of proof on the miscreants of the world. 

There are too many people in the world—hackers, crackers, virus writers, fraudsters 

and script kiddies—who are trying to undermine the security of any enterprise 

that lowers its barriers sufficiently to let the bad guys in. With modern tools and 

perpetual vigilance, many, but not all, attacks can be successfully repelled. 

If, over a period of time, there are no penetrations of an enterprise’s security 

barriers, then its security professionals must have been doing a good job, or so it 

would seem. However, if one attempt gets through, does that mean that they were 

not doing a good job? A lack of incidents does not equate with the presence of 

security, so it is a very poor way to justify security and a weak foundation on which 

to base a culture. 

If an enterprise accepts some degree of risk, then it is implicitly accepting that 

the risk in question will in time be actualized. This may be combined with the 

understanding that no security is foolproof and that there is a point of diminishing 

returns in investing in security. As a result, depending on being rewarded for a lack 

of incidents is a very poor wager indeed. What constitutes success: 1,000 repelled 

attacks before one get through, or is it 10,000 or a million? 

4.6.5 No Financial Connection 

The converse of the number and associated cost of incidents that will occur is the 

number and demonstrated savings of those that do not. It would be quite a trick to 

show how much money an enterprise did not spend last year because of things that 

did not occur. Salespeople can be compensated for their contributions to the bottom 

line, but there is no basis for paying anyone for being secure. The lack of financial 

incentive is a distinct inhibitor to creating a culture of security, even more so when 

people seek positive rewards for negative achievements. 

This is the metrics issue in another guise, but it does raise a specific dilemma. 

Security can be justified not only on pure cost avoidance, but on the basis of 

prudence and due diligence. However, prudence and diligence are baseline 

objectives, the bare minimum of security. A culture of security is, in great measure, 

an unwillingness to settle for just the minimum, but, instead, the appropriate level 

of security. The baseline may not need justification, but everything beyond it does. 

Marketing personnel can conduct studies to show that an increase in price will not 



significantly reduce sales and, therefore, that the increase will go to the bottom line. 

The champions of security cannot demonstrate that an investment of x will bring y 

security, much less that spending 2x will bring 3y security. 

4.7 What Is in It for Me? 

The foregoing section dealt with the rewards to the individuals who may support 

a culture of security, with the focus on monetary compensation. There are other 

sorts of rewards that an enterprise can bestow that are important to the creation 

of a security culture. These do not directly involve money that goes to the 

individual, but rather organizational advancement in the form of budget, influence, 

management attention and the regard of one’s fellow staff members. Some people 

are motivated solely by their remuneration, but others also find incentive in these 

other sorts of rewards. When someone asks of a champion of security, “What is in 

it for me?” (WIFM), that individual asks a core cultural question that may entail 

seeking monetary compensation, but may also may be much more. 

4.7.1 Budget 

In many enterprises, security is an unfunded mandate. It is simply assumed that all 

personnel will conduct themselves and their business activities in a secure manner. 

Where the work performed or the resources used are considered sensitive or at risk, 

the workplace may be specially protected (as in a datacenter or a vault). Managers 

may have offices and file cabinets so that they can conduct their activities literally 

behind closed doors. However, many people who come in routine contact with 

information resources work in open areas or cubicles or do not work in a business 

environment at all. 

There is a cost for the tools and techniques to allow them all to work securely, such 

as virtual private networks (VPNs), remote access devices, encrypted hard drives, 

privacy screens and content filters. Generally, these tools are purchased centrally 

and distributed to all relevant personnel. The costs are often charged back. Even if 

they are absorbed as a corporate expense, line management has little involvement in 

the selection of products or their applicability to each manager’s business function. 

If one size does not fit all, managers must either use the tools selected for them or 

find budget to obtain better tools. 

It is not unusual for a manager to ask WIFM when budget for security must be 

balanced with money for salaries, business equipment or travel. The manager’s 

department must bear the additional cost without seeing the direct benefit to the 

department’s function. 

72 



4.7.2 Influence 

The most important characteristic of cultural champions is their ability to influence 

the decisions of their enterprises. Implicitly, the cause that they advocate for is one 

that they believe is not appropriately valued. They put their political capital behind 

something—in this case, security—to achieve an objective that they consider worth 

backing. They do so in an environment in which many people may be championing 

many causes, such as new products, higher pay, environmental protection or social 

consciousness, all of which have merit. 

Potential champions of security may well ask WIFM if the effort to build a culture 

of security entails a cost that would reduce their influence on other matters. There 

is a payback in prestige both within and outside enterprises for those who promote 

good causes, which can expand a person’s influence. The proponents of security 

rarely get hearty congratulations for a security breach that does not occur. No 

matter how important security may be, it requires an investment in personal clout. 

4.7.3 Management Attention 

It is often said that security is a thankless task. That means that those who consider 

security highly rarely hear their managers say “thank you” for it. To an extent not 

frequently mentioned, gratitude from one’s peers and superiors is a major motivator 

in the workplace. In many instances, secure behavior and attitudes are looked on as 

evidence that a person does not “get it.” If an enterprise sees itself as a go-go, 

make-the-sale culture, the person who counsels restraint and protectiveness is likely to 

appear out of step and may receive attention from management, but not of the positive 

sort. That person has reason to ask WIFM and not be vocal in support of security. 

It takes a degree of political courage to try to alter the flow of an enterprise’s 

culture, if not to stem the tide altogether. It is easy to wait for someone in a more 

senior position to be the champion for security, but it is more challenging to be the 

champion oneself. 

4.7.4 Personal Regard 

A person’s self-esteem is drawn from many psychological sources, one of which 

is the respect of others. The regard of others surely flows to the people who are 

good at their job, but may also stem from personality, helpfulness or even minor 

achievements like hitting the winning home run in the company softball game. 

Those who adopt a culture of security are rarely congratulated by their peers for 

doing so. There may be an inner glow that one gets from doing the right thing, but 

that may be all. 

Worse, they may see the accolades bestowed on someone who achieved a short-term 

goal by circumventing security. At that moment, WIFM is a very human attitude. 



Endnotes 

1 http://politedissent.com/images/jul08/policeman.html 

2 Attributed originally to Stewart Brand. See Clark, Roger; “Information 

Wants to Be Free…,” 24 February 2000, www.rogerclarke.com/II/IWtbF.html. 

The complete quote attributed to Brand is more nuanced: “On the one hand 

information wants to be expensive, because it’s so valuable. The right information 

in the right place just changes your life. On the other hand, information wants to 

be free, because the cost of getting it out is getting lower and lower all the time. 

So you have these two fighting against each other.” Recognizing the value of 

information and using “free” as “without cost” rather than as “liberated” is quite 

different from the context in which the expression is usually used. 

3 Joseph Marie de Maistre (French diplomat, writer, philosopher and politician, 

1753-1821) 

4 Adams, Douglas; Life, the Universe and Everything, UK, 1982, p. 29 

5 A prophet in Greek mythology who was cursed so that her prophecies, though 

true, were never to be believed 

6 Schlienger, Thomas; Stephanie Teufel; “Information Security Culture— 

From Analysis to Change,” International Institute of Management in 

Telecommunications, University of Fribourg, Germany, 2003 

7 Wiesse, Pieter; “Semiotics of Identity Management,” Sprouts Working Papers on 

Information Systems, http://sprouts.aisnet.org/81/1/2006-02.pdf. , 2006, p. 4 

8 Ibid., p. 33 

9 The uncertainty principle in quantum mechanics, formulated by Heisenberg, that 

the accurate measurement of one of two related, observable quantities, as position 

and momentum or energy and time, produce uncertainties in the measurement of 

the other, such that the product of the uncertainties of both quantities is equal or 

greater than h/2∏, where h equals Planck’s constant. 

10 See Taleb, op. cit., p. xxii – xxiv 

11 Peacock, Marissa; “GRC Roll-up: The Mistakes and Rewards of IT Security 

Compliance,” CMS Wire, 10 February 2010, www.cmswire.com/cms/enterprisecms/grc-rollup-the-mistakes-and-rewards-of-it-security-compliance-006652.php 

12 Cameron, Kim; “A Process for Changing Organizational Culture,” 

University of Michigan, USA, 2004, p. 9 

13 www.hpcnet.org/cgi-bin/global/a_bus_card.cgi?SiteID=410037#x 

14 Ibid. 

15 Ross, Steven; “Effective Techniques for Risk Measurement,” SearchCompliance. 

com, 22 July 2009, http://searchcompliance.techtarget.com/tip/0,289483,sid195_ 

gci1362498_mem1,00.html 

74 


5.0 Creating an intentional Culture of SeCurity 

5.0 CReAtIng An IntentIonAl 

CultuRe of SeCuRIty 

In a very real sense, a culture cannot be created; it just is. Although it cannot be 

created, it can be intentionally shaped and directed. This existentialist statement 

summons Sartre’s observation that “existence precedes essence.” 1 Wherever people 

gather in a common enterprise, there is a culture. Two people working together 

toward a mutual objective necessarily have a culture between them of cooperation, 

if not trust. They may cooperate poorly, indicating that their small culture is not a 

good one, but the bond between them exists as a function of them “pulling on the 

same rope,” so to speak. Their cooperative enterprise creates a “pattern of 

behaviors, beliefs, assumptions, attitudes and ways of doing things” at least for the 

interaction between the two of them. 

Of course, a large enterprise that comprises many people in some sort of hierarchy 

has a much more complex, nuanced culture than one between two individuals. 

They do not create the culture in which they operate; it exists as a function of them 

coming together with a shared (or overlapping) purpose. The existence of a culture 

precedes a determination of whether it is strong or weak, beneficial or malign, or 

good or bad. Therefore, a culture of security exists. The objective of those who 

support it is not to create it, but to strengthen it within the broader confines of an 

enterprise’s corporate culture. 

Developing a strong culture is not a project. There is no distinct beginning, middle or 

end. Indeed it is a never-ending process as various cultures clank and collide within 

an enterprise. Nonetheless, there are discrete activities that can be carried out by those 

who would enhance the security culture within their enterprises. The first is a 

clear-eyed assessment of the current state of a security culture in parallel with gaining 

an understanding of the intentions of management with regard to security. On this 

basis, the gaps between expectation and reality can be observed, analyzed and 

repaired. Of course, the reality may not lie in the words of management, but in their 

actions when faced with security-related decisions. “Security is a strategic necessity 

for the enterprise …” is an important statement, but less important than the “… but” 

that follows it. By understanding where an enterprise’s leadership is willing to cut 

back on security, one will find the path to improving a security culture. 

It must be emphasized constantly that the decision not to make a resource— 

information in this case—more secure is not of itself an indication of a weak 

culture. The objective of a culture is not to maximize security, but to optimize it; 

there are valid reasons to draw the line at a certain level of security, in keeping with 

an enterprise’s needs, the sensitivity of its information and the size of its budget. 

There are reasons to question where that line is drawn, and moving it upward is a 



probable result—perhaps the benefit—of a culture of security. It is acceptable to 

tie an enterprise’s security to its leadership’s appetite for risk, but not when that 

appetite ventures into voraciousness. 

The question remains as to how, once the deficiencies of a culture are known, to change 

it in a positive direction. This not so much a matter of piling on more safeguards as of 

changing minds, outlooks, attitudes and beliefs. Influencing decision making is one 

thing; altering the framework of the decisions is quite another. The creation, if that is the 

word, of a culture of security is to accomplish the latter. 

5.1 Changing Perceptions of Security 

The first and perhaps most important step in strengthening a culture of security is to 

erase the negativism often associated with the subject. Security is often thought of, 

at best, as the prevention of the occurrence of bad things such as fraud, disclosure 

of private information or viruses. The imagery is of a police officer, a guard or a 

locked door. Unfortunately, in many societies police officers, guards and locked 

doors are emblems of repression and not very likely to inspire support for a culture 

enshrining these images. Even in freer societies, the only contact most people 

have with the police is when a crime occurs or when they are pulled over for 

speeding. Guards and locked doors may keep valuable things safe, but they also are 

impediments to free access. Most people do not enjoy being told what they cannot 

do, even if they know they should not do some things. 

To a degree, the proponents of security have brought this negativism on 

themselves. 2 When challenged as to the value of security, all too often, the specter 

of evil hackers and determined fraudsters is brought out to frighten the questioner 

into submission. The problem, of course, is that, after a while, scare tactics lose 

effect. The incidence of security threats is not as prevalent as some security 

professionals would like others to believe. In some part, the invocation of terrible 

outcomes is a way of justifying a security person’s job. To a greater extent, the 

possibility of security breaches becomes so real to some that it overcomes their 

improbability. It is true that some very bad things could happen to information if 

it were even briefly interrupted; that is why firewalls and virus filters are always 

on. However, most people only rarely, or never, experience a security breach and 

the endless repetition of what could happen, what did happen or what happened to 

someone else wears thin. 

Success in creating a security culture begins with altering the perception that 

security is about negative events and, instead, associating it with the benefits to 

people of moving freely, having access to everything they should have and knowing 

(or having the ability to know) all that they would have a right to know. Security is 

a positive attribute to those living without it. Security of information is also quite 

76 



positive for its owners; they care about who sees it and what is done with it. The 

boundary between positive and negative is the decisions on who should and should 

not do what. In information terms, those decisions are termed “access control,” 

living by the rules of what information one can see or use. 

Part of the difficulty with the perception of security, of living by the rules, is that the 

rule breaker is often romanticized as a rebel, a pirate or even as an outlaw. These may 

seem like dashing figures on the silver screen, but people are not nearly so impressed 

by rebels, pirates and outlaws when they actually encounter them. The challenge is 

to marshal the positive reality of security in support of a culture that values it. When 

security is framed as trust, consistency, reliability, predictability and productivity, it 

becomes easier to enlist others in a culture-strengthening exercise. 

5.1.1 Branding Security 

In many ways, altering the perception of security is a public relations campaign 

and nothing is so valuable in such a campaign as a brand. It is a way of creating 

an identity and establishing expectations as to the value of a product or service. 

Brands and the way that they are portrayed have become so routine in 21 st century 

existence that they are hardly noticed. Their invisibility adds to their power; if 

they are not consciously seen, it means that the message has become embedded 

in people’s minds. Merely to mention a brand summons images: Coca-Cola ® , 

Mercedes-Benz, Apple ® , Sony ® , Microsoft ® , Rolls-Royce, Louis Vuitton and 

many other companies have been successful in creating names that are instantly 

recognizable and trademarks that are a part of the popular culture not only in their 

own lands, but around the world. They have meaning, and they make a promise to 

the buyers of the products these companies make. Woe to the company that fails to 

honor those promises. 

As stated, security has established a very negative brand, which is not effective in 

developing a positive identity for security. However, here have been successful 

efforts to rebrand security as a friendly if ever-vigilant force for good. In the US, 

the National Crime Prevention Council has adopted a hound dog dressed up like a 

detective as their logo. His name is McGruff the Crime Dog ® , famous for his advice 

on how to stop crime before it happens and for his great sense of humor, as his 

web site 3 proclaims. The marketing of crime prevention is intentionally made 

people-friendly to take the harshness away from this form of security. 

The McGruff public education campaign is an example of what can be 

accomplished with positive branding. It involves more than a cuddly logo. The 

choice of words, the explicit and implicit promises made, and the value proposition 

all contribute to security’s brand. So, in strengthening a culture of security, it is 

advisable to take the steps involved in a branding campaign. 



Determine the Message to Be Conveyed 

It is critical that the message be well defined at the outset. The precise nature of the 

message differs from industry to industry and enterprise to enterprise. Some general 

guidelines can be applied universally—security: 

• Adds value 

• Enables activities 

• Benefits both the enterprise and the individual 

• Will help when things go wrong, but will not interfere when everyone is doing 

what they are supposed to do 

• Is fair to all 

What should be avoided is any communication of the consequences of not 

having security. That has been tried for years and has so dulled the senses of 

those who have heard it that it is no longer useful, but, in fact, is deleterious to a 

security culture. 

Understand the Audience and Tailor Messages to Each Market Segment 

There are different ways to communicate with senior management than with staff 

or customers. It is important to differentiate to whom a brand must have meaning 

and how that meaning is to be conveyed. For example, security should be portrayed 

as supportive of organizational strategic goals for one group and as an aid to 

getting work done effectively to another. In general, the guidelines shown in 

figure 2 are applicable. 

Audience 

Figure 2—Message Format by Audience 

Security Message Format 

Senior management Brief, to-the-point, strategic, graphic supported by some explanation 

IT staff Thorough, tactical, showing benefits to a project or application 

End users Graphic, personal, needing little explanation 

New hires Welcoming, explanatory, sufficiently verbal to be clear 

Create an Image for the Message 

The image of security should portray a concept and definitely should not be 

associated with the mission of a department or function, which would put distance 

between that department and all others who may participate in a culture of security. 

It should also express the meaning, value and sentiment of a message of assistance 

and benefit. Again, there is no single image that is right for all circumstances, but 

figure 3 provides some examples of positive and negative images. 

78 



Figure 3—Security Message Images 

Positive Images to Consider Negative Images to Avoid 

Keys, especially house or car keys Locks, safes 

Hound dog, collie Bulldog, German shepherd 

School crossing guard Police officer 

Emergency worker Soldier 

Shield Weapons 

Clear, sunny weather Clouds, storms 

Construction Destruction 

Money gained Money lost 

Flowers, fruit Creeping ivy, vegetables 

Establish a Vocabulary for the Message 

The terminology of security should be closely observed. When speaking of security, 

it is far preferable to accentuate the positive aspects, minimizing if not eliminating 

the negative. Certain terms should be avoided because they create a set of 

assumptions that cannot always be satisfied. If security cannot be all-encompassing, 

then it is foolish to promise, ensure or guarantee anything. Figure 4 details terms to 

be used and avoided. 

Figure 4—Security Message Terms 

Terms to Use Terms to Avoid 

Enable Forbid 

Protect, protection Prohibit, prohibition 

Allow, grant Deny, revoke, disallow 

Value, value added Cost, costly 

Access, accessible Prevent, prevention 

Benefit Risk 

Effective, efficient Permitted 

Entitled Authorized 

Capability, capable Limitation, limited 

Advisory Warning 

Open Risky, dangerous 

Vigilance Monitoring 



Invoke the Brand Repeatedly 

Once the message has been crafted and the terminology refined, it should be 

reinforced as regularly as possible, until it enters the corporate culture. It can be 

distributed on correspondence, screen savers, posters, e-mails and conversation. 

Security should be omnipresent, protective, safe and friendly. 

5.1.2 Educating About Security 

There is more to changing perceptions about security than creating a positive brand. 

Personnel, particularly in management positions, need to understand security, not 

just feel secure. Awareness programs have their place, but as stated in section 4.4, 

they are insufficient by themselves. Many security awareness programs begin by 

emphasizing threats and risks and then show how effective security can overcome 

them. As stated previously, starting with the negative and moving toward the 

positive works at the outset, but then becomes dulled over time. As an example of 

emphasizing the negative, one well-known company has published guidance and a 

tool kit for developing a security awareness program. Early in a sample presentation 

offered, there is a slide that highlights crime statistics, thus starting off on the 

wrong foot. 

People need to be educated about security and their role in it, which is a great deal 

more than being aware. However, education does not come simply in a classroom. 

In fact, classroom training is useful for transferring skills, but not attitudes. People 

may be educated in meetings, especially one-on-one, face-to-face meetings. It is 

clearly infeasible to have personal meetings with every employee of a large 

enterprise; what is necessary is to have such educational sessions with those who 

show evidence of being potential champions and those whose positions should 

require them to champion security. 

One reason to educate people about security, rather than simply make them aware 

of it, is that security awareness programs are unprovable. It cannot be shown 

that awareness reduces the incidence of security breaches or lowers the cost of 

countermeasures. So, when the inevitable attack does occur, some may feel that 

the promise of security was not kept, which undermines security’s brand. It may be 

expected that, after people have been educated (with regular reinforcement), they 

should know about security, what its objectives and tools are, and what should be 

their own responsibilities. 

Those who would improve an enterprise’s culture of security should choose a 

limited number of people to educate and then do so wisely and with many 

overlapping techniques, including holding formal sessions; talking informally; 

sending news items, articles and informal correspondence; and generally working 

with them to improve the security culture. The latter technique is particularly 

important. It has been shown that adults learn differently from children. Adults 

80 



must be motivated. In an organizational setting, they must be comfortable that the 

learning experience will be a positive one for them. Thus, it is important to teach 

the would-be champions about security because they are already felt to be well 

dispposed to it. They must see the information they receive about security to have 

value to them in their personal and professional lives and feel that they have control 

over the learning experience—that it was their idea to seek out training rather 

than having it imposed on them. In sum, they must see value in the education. 4 If 

security is portrayed positively, showing the value in the subject, it is easier to teach 

people about their roles. 

5.2 The People Who Make the Culture 

The people in an enterprise make the culture, and hence, there is a need for strong 

human resource practices and management. Enterprises should be able to attract 

and train the right people, develop them, engage them and help them perform, 

inspire them, and ensure that they are committed. As stated in the beginning of 

this volume, a culture, in general, has been defined to include shared attitudes 

and beliefs and a way of doing things that is common within an enterprise. In 

particular, a culture of security is shown in BMIS to be transformational, a shift 

from functional security (what people do) to intentional security (how people think 

and behave). The transformation has four primary areas of application: technology, 

process, people and enterprise. In one case study, the movement toward an 

intentional security culture was shown in figure 5. 



82 

Figure 5—Shifting From a Functional to an Intentional Security Culture 5 

From Functional To Intentional 

• Level of security provided by the technology 

unclear 

• Security-related technology seen as disruptive 

and cumbersome to use 

• Security brought in when there is a suspected 

breach 

• Security maintaining expert knowledge 

• Security seen as an entity that enforces 

compliance 

• Security seen as a functional expert 

• Limited visibility or awareness of security 

issues 

• Security structure focusing on technical 

expertise 

Technology 

Process 

• Technology used based on an assessment of 

the risk 

• New security technology seen as a means to 

enhance the sales process 

• Security involvement in the earliest planning 

phases of campaigns 

• Security sharing its knowledge and expertise, 

developing broader security awareness across 

the enterprise 

People 

• Security seen as a partner that creates 

awareness and commitment 

• Security seen as a partner that transfers 

security knowledge and expertise to its sales 

customers 

Organization 

• Regular updates about potential risk 

• Security structure supporting customer 

processes 

5.2.1 Intentionality 

The defining factor in the transformation is that it is intentional. The term raises 

the question whether the holder of the intent is the subject or the object. In the 

first connotation, the intent is on the part of those who would create or strengthen 

a security culture. In the other, it implies that the result will be to turn individuals 

into the participants in the culture. The distinction may seem to be unimportant and 

unnecessary in that both are required not only to create a culture of security, but to 

see it take root. However, it does point the way as to who should champion an 

intentional security culture and who should be involved in the transformation to it. 

The problem with the first sense of intentionality is that it implies an actor, 

someone who has an intention and acts on it. The act and the consequences are 

closely tied. Something occurs because someone made it so. However, what 

someone intends to do may not always work out as planned; a program to make 

security more comprehensive may become so structured and bureaucratic that it 

frustrates the original objective. On the other hand, it is impossible for the result of 

an action to be intentional without the initial cause being intentional as well. Pulled 



together, as was first seen by the British philosopher Jeremy Bentham, 6 the intent 

must be to produce something utilitarian—in this case, an enterprise that is and 

behaves securely in a self-sustaining manner. 

5.2.2 Finding the Champion 

Someone must be intent on security if a security culture is to be strengthened, if 

not created from whole cloth. In a typical enterprise, who shall the champion be? 

There are a number of candidates including auditors, risk managers and security 

professionals. Each has strengths and limitations as the prime mover for a culture 

of security: 

• Auditors (usually internal auditors, but not necessarily so) have a mandate to assess 

a system of internal control. Managed access to resources, protection of information, 

accountability and continuity are certainly features of internal control, so auditors 

usually issue opinions urging improvements in security. However concerned they 

may be, auditors are bound by independence from being active participants in the 

development and operation of controls, but is a security culture, in itself, a control? 

Put another way, is a culture something that can be audited? No matter how 

supportive of a security culture, auditors are in ambiguous positions. 

• Risk managers are attuned to the potential harm that a lack of security may 

cause their enterprises. Some are primarily insurance buyers and seek only to 

transfer risk, but more advanced risk managers look for a complete package of 

risk transfer, acceptance and control. The controls in question for them, as for 

auditors, include security. In fact, security may rank higher for risk managers than 

auditors because risk managers focus on the sorts of high-impact, low-frequency 

events that are typified by disasters or breaches of security. 

In some enterprises, risk managers are among the foremost champions of a 

security culture. However, some risk managers have difficulty seeing how 

investments in appropriate security (as opposed to a minimum level) can reduce 

the long-term cost to an enterprise. They think primarily of insurance premiums 

and the cost that an enterprise incurs whether there is a security breach or not. 

It seems self-evident that security breaches can cause significant financial 

harm, but it is not proven that the cost of an incident is greater than years of 

premiums without compensating claims. Again, contemporary risk managers see 

the issue more broadly to include reputational harm and customer or employee 

dissatisfaction, which they consider just as important as pure financial losses. 

• Security professionals, especially CISOs, seem like the natural champions for a 

culture of security. However, as discussed in section 4.3, the very effectiveness 

of an information security department may be an inhibitor to the desired culture. 

Moreover, the natural inclination of professionals to focus on the subject of their 

discipline renders them somewhat partial in the eyes of those who may participate 

in a culture of security. Surely, security professionals have a role to play, but it 

is more likely to be in effecting changes in security processes to fit an emerging 

security culture than leading the effort to strengthen one. 



Thus, while these three candidates may have supporting roles in developing a 

culture, they need others at a senior level to be the focal point. There is no one 

position that is able to claim the mantle of security champion apart from those 

mentioned previously. Much depends on the personality, seniority, political skill 

and professional concern among those in the executive suite. Depending on the 

enterprise, the champion may be the chief operating officer (COO), chief financial 

officer (CFO), CIO, general counsel, or even the head of human resources (HR). Of 

course, if several of these are already vying to drive their enterprise into a culture of 

security, then much progress has been made already. 

5.2.3 Objects of a Security Culture 

As stated in BMIS, security is often seen as functional. Who then needs to see 

it as an intentional aspect of a corporate culture? As stated previously, those 

who are already involved in security and control have the intent, but evidently 

not the ability, to cause a transformative shift of attitudes and behavior or else 

the shift would have already taken place. At the same time, they do not need 

to be convinced, either. The emphasis may be on senior management, middle 

management or on all those staff members who routinely come in contact with 

sensitive and critical information: 

• Senior management may seem the obvious group whose attitudes toward security 

call for change. They are the ones who set the tone at the top because they are the 

top. It is the rare senior executive who would deny the need for security, but these 

people also drive their enterprises toward sales, growth and profits. The objective 

is to get enough mind share for security in the executive suite so that security has 

a chance to hold its own against other imperatives. 

Many executives only have time for security matters when there is a regularly 

scheduled update or if there is a serious security breach. They are well attuned to 

the need for security of the information in their own hands; by the time it gets to 

their level, it is either so concentrated or so sensitive that the need for security is 

self-evident. There is very little for them to do as a group, apart from having one 

of their members champion security. As individuals, they need only think about 

security a little more, consider how it affects them and what they could do more 

securely. They do not need to be persuaded that security is a positive value to 

their enterprises; they need to be convinced to convince others. 

• Middle management is often the greatest stumbling block to a security culture. 

Again, it is not because middle managers are opposed to it, but because they are 

the ones who must formulate budgets and meet senior management’s demands. 

They hear clearly, “Sell more, grow bigger and make more profits.” “Be secure” 

often gets drowned out. Moreover, it is they who transmit their understanding 

of what their management wants to their own staffs. If they feel the heat for 

objectives other than security, they transfer it downward. 

84 



Do middle managers encourage their people to circumvent security? Probably not, 

as blatant contradiction of policy would be insubordinate, but generally, they have 

very little incentive to discourage circumvention, either. The tone may be set at 

the top, but the music is played by those much further down the organizational 

ladder, with middle managers conducting. 

• Staff-level personnel must be the primary recipients of an intentional culture, if 

only because there are so many of them. They are the ones who distribute the 

mail, generate the reports, enter the orders, file the personnel records and carry 

around vast amounts of information on their laptops. They touch information, 

as a group, more than anyone. CISOs may build security, auditors may enforce 

it and managers may expound it, but the staff needs to live it. The attitudes and 

behaviors of the staff are the content of a security culture. If they do not buy in, 

there is no sale. 

Looking at the hierarchy in this manner, it becomes evident that, even if senior 

managers believe in a culture of security, the message will not reach the staff if the 

middle managers are not similarly supportive. The staff must be led to believe that 

management champions are as sincere when they urge security as they are when 

they urge sales. If the staff carries the substance of a culture, middle managers are 

the catalysts who make the substance react. 

5.3 Attributes of a Security Culture 

How can an enterprise determine whether it has a robust, functioning culture 

of security? In other words, how does it complete this sentence: “The culture 

of security is strong if…”? It seems self-evident that such a culture exists if 

the corporate culture includes respect for security, but this is a circular line of 

reasoning. It is preferable to consider the attributes of a security culture and the 

means toward obtaining or strengthening one. 

5.3.1 Security Champions 

The need for a champion has been discussed previously, but what do champions 

actually do? First and foremost, they speak up, including in the board room with top 

executives. When a new initiative is being discussed, the security champion simply 

has to ask, “Is the information secure?” and half the battle is won. It is precisely the 

act of laying security on the table among all the other determinants involved in a 

decision—the more strategic the decision, the better—that makes a security culture 

spring to life. Of course, no one is likely to say, “We do not need the information to 

be secure.” Attitudes, assumptions and beliefs begin to move by putting security on 

an equal footing with other considerations, and as they move, they also nudge along 

behavior and ways of doing things. 



As stated, asking the question is half the battle, which leaves another half to be 

won. It is quite important that the same question be asked repeatedly, initiative 

after initiative, project after project, until it no longer needs to be asked. Everyone 

involved will think about security without being asked. In this way, a culture of 

security goes from being intentional to being unintentional—so natural that it is no 

longer thought about, but just done. It is even better if more than just the original 

champion asks the question. That would indicate that the culture of security is 

catching on at the highest levels. 

Of course, asking the question is insufficient; it must also be answered. If the 

consensus response is, “No, the information is not secure, but we do not care and 

are going to do what we want anyway,” then the security culture dies before it 

begins. Fortunately, few would be so foolhardy as to take that position, publicly 

or privately. If, however, the reply is, “How secure does it have to be?,” then the 

champion must be resolute. Security must be good enough to meet the enterprise’s 

needs, explicitly tying security to overall organizational objectives. Finally, if 

the initiative in question is reshaped in accord with organizational business 

requirements, there is evidence that a security culture is taking root. 

All of this conversation occurs at the highest levels, but champions must also 

communicate it downward. They can invigorate those in their line of authority, but 

the message must also be conveyed down the chains of the champions’ peers, some 

of whom are not yet involved in a culture of security. As noted previously, senior 

management proposes, but middle management disposes. 

5.3.2 Budget for Security 

Unless security is appropriately funded, there is no security. Where security does 

not exist, neither does a meaningful security culture. Simply put, a culture of 

security can be measured by what an enterprise is willing to spend for it. This 

does not mean that an enterprise that has a security budget of US $1 million has 

a security culture twice as strong as one that allocates US $500,000. No two 

corporations or government agencies are exactly alike, and so, their financial 

investments in security will differ based on their industries and relative sizes. As 

was emphasized in section 2.1, a security culture can be viewed realistically only 

within the context of an enterprise and the risks it faces. 

There are more nuanced views of the correlation of budget and culture. For one 

thing, the issue is not so much the money allocated for security, but how well it is 

spent. If one enterprise’s security objectives can be met with less funding, then its 

culture may, in fact, be superior to another that simply throws money at problems. 7 

It is also a matter of when the money is spent. When an enterprise first becomes 

aware that its security is insufficient, at the onset of a demonstrable security 

culture, it needs to spend more just to correct prior shortfalls. Since security is not 

86 



achieved overnight, an enterprise may spend more, but, at the time, be less secure. 

The culture of security is more evident in the trajectory of improvement than in the 

current state. 

There is also the factor of how budgets are calculated and aggregated. One way, of 

course, is to measure the money specifically allocated to an information security 

function. This is meaningful, but incomplete. If security is pervasive within an 

enterprise, there will be a security component to HR, facilities, operations, finance 

and many other functions. It is true to say that an indicator of the strength of 

a security culture is how widely an enterprise spreads its security investments. 

Paradoxically, the stronger the culture, the harder it is to trace the money spent on 

it. Measuring the total cost of security in an enterprise is a fascinating subject for 

future research. 

5.3.3 Broad Accountability 

Beyond budgets, another attribute of a security culture is a broad base of participation 

in securing an enterprise’s information resources. If “security is everyone’s job,” then 

everyone must be accountable for security. In an enterprise where a security culture 

has taken hold, roles and responsibilities for security are spelled out and individual 

managers are answerable for their part of the total protection of information. Figure 6 

suggests a possible distribution of accountability. 

Figure 6—Possible Distribution of Accountability 

Aspect of Security Accountable Function 

Risk assessment Risk management 

Security policy and standards Information security 

Asset management Information security, physical security 

Employee screening HR 

Physical security or information Physical security, datacenter operations 

Network data security Telecommunications 

Spoken security Corporate communications, telecommunications 

Data retention Datacenter operations, facilities 

Monitoring and enforcement Internal audit 

Access control Information security 

Encryption Information security 

Information acquisition, storage and disposal General counsel, privacy, facilities 

Incident response Information security, physical security 

Recovery and resilience BCM 

Compliance Compliance 



As shown in figure 6, many functions have a role to play. The overall 

organizational culture of security is weak when more aspects of security are 

concentrated in an information security department and when other functions have 

less accountability. 

5.3.4 Awareness and Education 

It is in the context of broad accountability that awareness enters into the culture 

of security. As stated previously in section 4.4, security awareness alone is not 

enough. There is a significant difference between making people aware that there 

is a need for security and that they have a specific role to play in achieving it. The 

former is a half-formed wish. The latter is an attribute of a culture of security. 

Making people aware of the parts that they are to play in securing an enterprise’s 

information resources and holding them accountable for their roles are essential 

for an intentional security culture. There is a positive decision to be made in 

assigning responsibility to a particular function. Awareness occurs on multiple 

levels. Someone in a position of relatively high authority must conclude that a 

given function has a set of responsibilities. This person may be the aforementioned 

champion or someone influenced by the champion. Managers of the functions that 

receive the mandate must accept that they bear the designated responsibility, and 

staff members should also be consulted on their roles. The gap between grudging 

and wholehearted acceptance is filled by a security culture. It is the culture that 

creates awareness and not the other way around. 

Of course, just because someone has a responsibility does not mean that the 

individual knows how to fulfill it; therefore, the person must be educated. This may 

be achieved in a number of ways, including formal training, professional literature, 

coaching, the use of consultants or delegation to specialists in the assigned roles. Most 

likely, the educational process will incorporate all of these learning alternatives. 

5.3.5 Policies, Standards and Guidelines 

Staff needs a good understanding of the policies, standards and guidelines that the 

enterprise has adopted with regard to security. This, of course, presupposes that the 

policies, standards and guidelines exist; as previously stated, it is the province of the 

information security function to make sure that they do. Even more so, they must 

ensure that the policies, standards and guidelines are comprehensible, actionable and 

enforceable. It would help if they were straightforward and simple, also. Standards 

need to be intelligible to be followed. If a culture permits information security to 

write them, it also requires that the people who receive them understand them. 

(While it is difficult for CISOs to be the champions of a security culture, that is not 

to say that they have no role in its strengthening. As stated previously, the function 

88 



is an instrumental force behind asset management, access control, encryption and 

incident response and the development of policies, standards and guidelines. The 

CISO’s role in the culture is to give substance to security.) 

For example, a standard such as “symmetric encryption systems that utilize shared 

secret keys for authentication and encryption must change these keys on at least 

an annual basis” cannot be issued without explanation and education. What is 

a symmetric encryption system? Is there an asymmetric system, and how does 

it differ? What is an encryption system? What are shared secret keys (are there 

unshared ones?), and why must they be changed? 

The standard helps build security; the education in its meaning and use builds a 

culture of security. The challenge is not whether the information security function 

has the ability to draft policies, standards and guidelines, but whether it has the 

communications skill to sell them. 

5.3.6 Go/No-go Decisions 

The crossroads of a security culture is whether anyone has the power to stop an 

initiative from occurring on the grounds that it is not sufficiently secure. That 

person may be the security champion or the CISO. It would be best if it were the 

CEO, indicating that a culture of security had percolated to the very top of an 

enterprise. If someone can halt an effort on the basis of security, then a security 

culture can truly be said to exist. 

This is not a power to be used lightly, and as with so much of a culture of security, 

it must be applied in context. It is insufficient for a CISO to state by fiat, “This 

shall not pass.” There must be a broadly accepted framework within which that 

power may be exercised. Fortunately, that context is provided by the policies, 

standards and guidelines that had been agreed on previous to the decision in 

question. If a product or project does not live up to them, it should not be allowed. 

Policies should be the least malleable; there should be little, if any, cause to go 

forward if policies are violated. Standards usually contain waiver mechanisms that 

apply to cases in which the business or a technology cannot support a requirement. 

Guidelines, by their nature, are most open to interpretation. Thus, the mechanisms 

are there for security to be the deciding factor for or against an initiative. Senior 

leaders, if well informed, have the right to make decisions contrary to security 

interests, but they also inherently accept accountability if overruling security 

concerns backfires. Attitudes, not platitudes, are the stuff of a security culture, 

and those attitudes manifest themselves when tough decisions need to be made. 

From a cultural perspective, it is sufficient that security be grounds for not doing 

something, with the blessing of management. 



5.3.7 Rewards 

If management must take the blame for poor decisions, it must also be rewarded for 

good ones. As noted in section 4.6, the absence of rewards is an inhibitor of a security 

culture. It is difficult, as noted, to equate the compensation for sales, growth or profits 

with those of security. They cannot be measured on the same scale. 

However, with the contemporary attention to risk management 8 in finance, 

government, extractive industries and power generation (to name a few affected 

industries), it is easier to reward someone for good risk-related decision making. 

(It is easier, but still not easy.) The role of senior executives is to make decisions, 

so if a security culture induces these men and women to consider safety and 

prudence as a part of their jobs, they should get something for it, in remuneration, 

influence and respect. 

The challenge is to translate the consideration of security downward. Many, if not 

most, initiatives in an enterprise start from below and work their way up to senior 

management for approval and budget. Those at the top should note where insecure 

recommendations come from (and come from regularly)—not so much to punish 

the malefactors, but as a basis for comparison with those who do not. If middle 

managers see that poor recommendations are rejected, but that security ones are 

accepted and funded, the message will be conveyed and the culture strengthened. 

5.3.8 Rigorous Response to Breaches 

It is important to remember that no matter how good the standards and the backing 

to implement them, security-related incidents may still occur. When they do, an 

enterprise must be swift and resolute in responding to and learning from them. Any 

enterprise will respond when attacked, including the least secure and those with the 

weakest security culture. It is not the response that defines the culture, but the vigor 

and visibility with which it does so. The importance is not only doing the right 

thing, but to be seen doing it. 

Security breaches come in many forms. If one is the result of external forces (e.g., 

hacks or DoS service attacks), it pays to be very public in taking action against them. 9 

If nothing else, it would demonstrate to customers and staff alike that a company is 

serious about security if it makes strategic or tactical changes to its business model 

in the face of attacks. Equally important is to be visible in responding to internal 

violations of security. When these are criminal matters, an enterprise should seek 

prosecution. If they are breaches of trust or propriety, they should not be swept under 

the corporate carpet. If security is seen as a part of an enterprise’s business, then it 

needs to show that it means business when it comes to security. 

90 



5.3.9 Satisfied Customers 

Nothing is as good for business as satisfied customers. Increasingly, enterprises 

are demanding security and reliability from their suppliers. Some of this is driven 

by laws defining business accountability, such as the US Sarbanes-Oxley Act or 

Japan’s Financial Instruments and Exchange Law, known as J-SOX. These laws 

induce companies to ensure that not only are they secure, but that the companies 

with whom they do business are also. 

There is little doubt that laws and regulations have helped enterprises improve their 

systems of internal control and, in turn, their security cultures. However, an equally 

important factor has been the interaction of companies in what has been termed an 

“extended enterprise.” 10 If there is to be an active collaboration among business 

partners, each must be satisfied that the other has achieved at least a comparable 

level of security as its own. Mutual interdependence breeds a joint concern for 

security. If any party to a transaction feels that it is exposed, there is little chance of 

success. Thus, each seeks assurance from the other so that together they may reap a 

“variety of business benefits (e.g., enhanced customer loyalty, increased revenues, 

reduced inventory, reduced time to market for new products, more effective 

business processes, reduced costs, and/or increased profits).” 11 

Note the reference to customers in the preceding quotation. When entrusted with 

people’s (or enterprise’s) information, customers do not demand security, but simply 

expect it. It is, or should be, a routine matter that those who hold information need 

to protect it. This may be backed up by law and regulation (e.g., the European Data 

Protection Directive of 1995), but it is a manifestation of a culture of security among 

customers that they ask for security and among vendors that they supply it. After all, 

vendors are also somebody’s customers. It is quite clear that customers dissatisfied with 

security will bring action (and strengthen a security culture). When there are satisfied 

customers, the tie between security and revenues and profits is more demonstrable, and 

thus, it is easier to tie rewards to security. 

Each of the attributes of a culture of security, as described previously, seems 

simple to implement. They almost seem self-evident. If that is the case, why is 

strengthening a security culture an issue at all? Why is a strong culture of security 

not present in all enterprises? The answer is that, while the individual attributes 

may be easy to achieve, one by one, they all must be present for there to be a strong 

culture. Enterprises cannot pick and choose. They cannot decide to have policies 

without education, champions without budget or satisfied customers without 

rewards to those who satisfy them. If it were that easy, every enterprise would have 

a culture of security (and this volume would be unnecessary). The fact that many 

enterprises have not accomplished all of the attributes indicates that there is a long 

way to go to instill a cultural regard for security across societies. The situation 

seems better than it was in many enterprises, but there is still quite a way to go. 



Endnotes 

1 Sartre, Jean-Paul; Existentialism and Human Emotions, Citadel Press, USA, 

1957, p. 15 

2 For example, the volume 2, 2010 issue of the ISACA Journal, dedicated to 

security, has on its cover a stylized personal computer looking like a vault door, 

with two combination locks and a large vault bolt. 

3 www.mcgruff.org 

4 Knowles, Malcolm S.; Elwood F. Holton III; Richard A. Swanson; How Adults 

Learn, Elsevier, UK, 2005 


6 Bentham, Jeremy; An Introduction to the Principles of Morals and Legislation, 

UK, 1780, p. 82-83 

7 Boesen, Thomas; “New Tools for a Corporate Culture,” Balanced Scorecard 

Report, Harvard Business School Publishing, USA, November-December 2000 

8 Discussions of risk management in society at large are too numerous to cite. One 

that is indicative of the public consciousness of risk management may be found in 

Brooks, David; “Drilling for Certainty,” New York Times, USA, 28 May 2010 

9 For example, Google received much positive publicity about its decision to 

change its business plans in the face of perceived security attacks. (See “Google, 

Inc.,” New York Times, USA, 20 April 2010, http://topics.nytimes.com/top/news/ 

business/companies/google_inc/index.html?scp=15&sq=Google+security&st= 

cse.) Less discussed was the effect of the decision on morale within the company. 

10 See David, Edward Wilson; Robert E. Spekman; Extended Enterprise: Gaining 

Competitive Advantage Through Collaborative Supply Chains, FT Press, UK, 2004 

11 Ibid., p. 132-133 

92 


6.0 PoSitive reinforCement 

6.0 PoSItIve ReInfoRCement 

Creating a culture is one thing (if, indeed, it can be done). Strengthening a culture 

is something else, and keeping it going and growing is a third. Management 

influences behavior, if not attitudes, through measures designed to provide positive 

reinforcement for desired conduct and negative reinforcement for that which it 

wishes to suppress. Negative reinforcement, unfortunately, is a necessary part of a 

culture, but one that raises, once again, the image of security that is best left out of 

sight until needed. It is addressed in the next section. 

The ultimate positive reinforcement, as stated previously, is the rewards that come 

to the individual for treating information securely. There is an important distinction 

here: Remuneration, advancement and influence come to people for what they 

do to protect information resources and there can be no culture of security where 

security is ignored. However, reinforcing a culture is different. It necessitates 

actions to inculcate attitudes and beliefs, an organizational vision of how security 

fits into its behavior, and a way of doing things. 

The objective is to fuse the interests of the enterprise, the individual and security 

into one organic whole. The enterprise may face circumstances in which security 

seemingly runs counter to short-term goals, such as speed or flexibility in 

responding to customer demands. An executive may think, “Who will know or care 

if the rules are bent—not broken, to be sure—just a little?” An individual may see 

security as an impediment, slowing things down and generating more bureaucracy. 

A security culture reinforces itself by getting all within an enterprise to see that 

security makes things better. This is the heartbeat that must be felt throughout an 

enterprise: Secure is better. 

Why is it better? If “secure is better” is the heartbeat of a security culture, then the 

reasons it is better are a culture’s lifeblood. Secure is better because an enterprise’s 

business depends on it. It is better because customers expect reliability. It is better 

because it lives within tolerable risks. It is better because secure resources will not 

be misused and will be there when needed. It is better because a secure anything is 

better than an insecure anything. 

The challenge for management is to build security into the way it thinks about and 

runs an enterprise and by reinforcing all the positive attributes of a security culture 

listed previously. It would be enough to make all personnel behave in a secure 

manner, but the real goal of a culture is to convince them to think about what 

they do for the business in a certain way, placing security, if not first, at least not 

last. Thought patterns are best directed by emphasizing organizational goodness, 

not the punishments that will be meted out for bad behavior. It calls for a liberal 

application of honey with a dose of vinegar in reserve to spice it up. 



6.1 Alignment of Information Security and Business Objectives 

Unfortunately, many people do not see that a secure enterprise is a better enterprise. 

That is because they see their own business requirements going in one direction and 

security’s going in another, if not blocking their business objectives altogether. It is 

insufficient to point out the risks these people are taking. They have accommodated 

risk in their own minds. Whether they are rationalizing their ambitions or not, they 

believe that there is something they want to do, generally to make more money for 

a private-sector enterprise or improve service in the public sector, that they would 

and could do except for the “silly” demands of security. For them, security is an 

obstruction to overcome. By the time security becomes a consideration, it is already 

too late. The information security function may prevail in stopping an insecure 

initiative, but that will only deepen these employees’ suspicion of security and the 

professionals who expound it. 

It is curious that security is so often singled out as an obstructive element within 

an enterprise. The accounting department is not considered an obstacle to progress 

because it enforces standard ways of showing revenue and profit. The legal 

department is not viewed as an impediment because it points out what is prohibited. 

Risk management is not seen as a barrier because it says that someone’s project 

or product is uninsurable. To be fair, many people do grumble about accounting, 

legal or risk management departments, but there is greater recognition that these 

functions are imposing restrictions set by external forces such as accounting boards, 

legislatures or insurers and not creating difficulties themselves. 

6.1.1 Security as an Obstacle 

Rules and laws are both external and in the past tense. They are limitations that 

come from outside an enterprise; no matter how much people may rail against 

government or insurance companies, they recognize that the laws must be obeyed 

and that insurance policies do not cover everything. However, they also expect 

accountants, lawyers and risk managers to help them to accomplish what they want 

to do. The American financier J. P. Morgan was reputed to have said, “I don’t want 

a lawyer to tell me what I cannot do. I hire him to tell me how to do what I want to 

do.” 1 Why, then, do people not feel the same about security professionals? 

It is largely because security does not deal in hard, documented facts such as laws 

or insurance policies. Security looks to the future: what may happen, but has not 

happened yet. Sometimes, security does deal with incidents, but once these have 

been repaired, the next incident still lies in the future. Everyone has to accept 

laws, standards and regulations that have already been issued, but people can hold 

different opinions 2 about what may happen in the future. Where a CISO may see 

only the prospect of harm, a salesperson may see profit and discount the possibility 

of an incident as so remote as to be dismissible. 

94 



When other staff functions manage alignment of a business with things that have 

happened in the past, information security must manage the future. In reality, all 

management should be oriented toward the future: the sales to be made, bonuses to 

be paid and mistakes not to be made. In the same way that lawyers help their clients 

to do what they want to do legally, security professionals can help their colleagues 

to do what they want to do securely. The challenge to these professionals and the 

secret of creating a security culture is to transform themselves from naysayers to 

problem-solvers. They can demonstrate their alignment with the overall business by 

assisting their colleagues to meet their own business objectives. 

In fact, security professionals rarely see themselves as negative and do feel 

that their role is to help their enterprises. They understand security so well and 

so deeply that it puzzles them that others do not. They try to help others avoid 

mistakes. Security people live within a security culture by predisposition, profession 

and choice. However, they are cynical about what people in and outside of their 

enterprises would do if security were not present and, so, put themselves on the 

front line in the war against misuse and destruction of information. That is heroism. 

What is needed for a culture is not heroism, but leadership to bring others along 

with them instead of fighting the lonely fight. 

6.1.2 Strategic Necessity 

Security professionals may engage others by demonstrating that security is a 

strategic imperative, the realm of senior management decision making. At a 

strategic level, a security professional must be aware of the business of the 

enterprise. Security is stronger at banks, for example, than at manufacturing 

companies because, as Willie Sutton 3 said, that is where the money is found. So, 

security is acculturated in banks more so than other enterprises. 

The CISOs of various industries cannot all achieve the same level of security; once 

again, context enters the discussion. Security professionals can measure themselves 

against others in their own industries. Using conferences, literature and personal 

networks, they can learn what others are accomplishing in security and raise the 

levels within their own enterprises. (A special challenge comes for those who lead the 

pack in their own industries, but do not feel they have done enough. Perhaps they are 

reaching for too much.) The interesting question that should be posed and answered is 

whether the different appetites for risk, company to company, justify different degrees 

of security. If so, security professionals must adjust their sights accordingly to remain 

in alignment with their own enterprise’s goals. Not to do so is to oppose security to 

the corporate culture, which is hardly conducive to reinforcing a security culture. 

Security professionals in the private sector need to understand how their enterprises 

make money and focus their attention there. Clearly, this entails security for the 

systems that take orders, manage inventory and ship products. There are other 



types of information such as formulas, trade secrets and new product developments 

that are money makers also. A culture of security most frequently exists around 

this latter sort of information. People accept that secret recipes and information 

about the latest models needs to be secure. They have bought into a culture of 

security, at least that far. That culture can be reinforced by extending it to other 

types of information. 

It is important that security professionals help their enterprises to recognize the real 

extent of the risks they face. Simply put, some are targets for misuse of information 

more than others. For example, information in the military and intelligence agencies 

is more likely to be sought and misused than in civilian agencies. As mentioned, the 

information in banks and other financial institutions is constantly under attack because 

it has monetary value. A culture of security suffuses these types of enterprises 

because the threats are clear. No one at the US Central Intelligence Agency (CIA); 

UK Military Intelligence, Section 5 (MI5); or the Russian military intelligence 

agency Glavnoye Razvedyvatel’noye Upravleniye (GRU) thinks for a moment that 

security is a nonissue. In enterprises in which threats are not so evident, it may be 

hard to see why anyone would misuse information about the seemingly uninteresting 

products they make. However, if enterprises make revenue on their products and the 

information about them supports profits, there will be someone who is interested in 

stealing, revealing, modifying or destroying that information. The culture must rise to 

the level of the threat for the safeguards to be appropriate. 

Of course, there is a cost side to the risk equation. The best investments in security 

are those that cost little and protect a lot. The best contribution of a security culture 

to overall business objectives is the understanding that the right level of security, 

in context, is a parallel objective of the business. Security devices and software can 

be costly and protect against only a limited range of threats. A culture that leads to 

understanding those threats costs very little and can be applied against the full array 

of risks an enterprise faces. 

6.1.3 Risk Management 

Understanding risks is a necessary, but insufficient, precursor to an appropriate 

level of security. A security culture is also a requirement so that security is 

right-sized against real risks. Not all risks can be eliminated, nor should they be; a 

tolerable amount is necessary for business to proceed. Culturally, this is generally 

accepted. No enterprise tolerates stupid risks, at least not for long. All profitable 

enterprises make money by taking smart risks. A security culture is not reinforced 

by insisting on eliminating all risk, but by eliminating the stupid ones and providing 

a fallback position if the tolerated ones turn out not to be so smart after all. 

96 



The essence of risk management—as opposed to risk mitigation, reduction or 

elimination—is in the grey area between clearly foolish and clearly acceptable 

risk. Human nature being what it is, there will always be people who propose to do 

something that makes no sense and can only lead to sorrow. Management should be 

adept enough to see this and stop them before they move forward. Unfortunately, 

it is not so easy to see which risks are so acceptable that it would be foolish not to 

take them. If the possibility of harm to information is never realized, then the risk 

was a smart one—or was it? Was it just a matter of luck so that, if the same risk 

were taken over and over, it would turn sour eventually? 

Bad things that may happen do not always occur. The frequency of occurrence 

(not the probability) is the measure of risk acceptability. Something that goes 

wrong once in 10 times is surely unacceptable. Something that goes wrong once in 

a million times may be acceptable, except for enterprises that perform millions of 

risk-bearing transactions every year. Even for those who do not face risk as often, it 

must be accepted that the one-in-a-million occurrence could happen today. 

There is a virtual cycle between risk management and a security culture: the more 

people in an enterprise who appreciate the nature of the risks they face, the more 

likely they are to incorporate security in their attitudes concerning their business 

and the more acculturated they are toward security, the more they will appreciate 

the appropriate amount of risk they can take. In short, risk management reinforces a 

culture of security. Nonetheless, in many enterprises, risk management is no stronger 

than its security culture, so they both need to be elevated. In fact, it may be axiomatic 

that where a security culture is strong, risk management is also strong. 

In recent years, so many seemingly “smart” risks have proved to be foolish that 

there is greater acceptance of risk management in enterprises around the world. 

For the most part, the areas of risk that have caused the most harm do not concern 

information. However, gross miscalculations in such diverse fields as warfare, 

finance, petroleum and construction have heightened overall awareness of risk, 

which can be leveraged for security’s sake. It is notable that the term “information 

risk management” (IRM) is gaining currency. Some CISOs style themselves—or 

report to—information risk managers. Much of the literature on the subject of IRM 

addresses the same points as have been made about a security culture: alignment 

with organizational goals, senior management support, visibility for security and 

incentives for secure behavior. One study even states that the risk mindset—much 

the same as a culture—must change for “information risk [to be] part of every 

business discussion.” 4 In these terms, it is easy to see the symbiosis between a 

security culture and risk management. 



6.1.4 Security Procedures Embedded in Daily Operations 

In its definition of a security culture, BMIS strikes a balance between what people 

think (beliefs, assumptions and attitudes) and what they do (a pattern of behaviors, 

ways of doing things). An appreciation of risk and respect for security are all well and 

good, but mean little if people do not act on what they believe. Even more, a culture 

of security may be considered entrenched in an enterprise if people act securely 

without thinking about doing so. People do not awaken and think, “I will be secure 

today.” Rather, they follow routine procedures that become so engrained that they do 

not even realize that they are following them—or that they are being secure. 

For example, in the financial services industry, one group of people consists of 

traders and another performs all the posttrade activities to execute the trades. The 

functions are incompatible. Were a trader to carry out the posttrade activities, there 

would be a significant breakdown in separation of duties. No one would cross 

that line without realizing that, to do so, a fraud would be committed a fraud. 5 

The information that the two groups use is the same, but they use it at different 

stages of a trading life cycle. Security is enforced by an access control system 

that permits traders and operations personnel to see and act on the information 

only at the required stages. Also, the access control system may be backed up by 

an identity management system that recognizes all the people in a group called 

“Traders” and another called “Trade Executors.” The point of this little treatise 

on trade processing is that no one in a financial institution gives a second thought 

about whether to carry out activities securely. This is simply the way in which the 

job is done. Despite the occasional fraudster who finds a way around the system, 

thousands (perhaps millions) of people are involved in trading every day, with 

attitudes and behaviors enveloped in security without their even thinking about it. 

An interesting question is how people become acculturated to following secure 

procedures and acting securely when they are new to a function. Does someone say, 

“This is how we keep this function secure,” or are people simply instructed on how 

to do their jobs, with security already built in? If the latter, then someone at some 

time must have considered security in devising those procedures. Was that person (or 

people) part of a security culture, or were the risks so evident that anyone would have 

built security into the procedures? 

There have been trading activities going on since the dawn of humanity that were 

formalized during the Renaissance and passed down to the present day. A notable 

turning point occurred when trading systems were automated in the second half of 

the 20 th century. At that time, security had to be built into a series of programs and 

user operating procedures. Not all security decisions were as simple as the separation 

of duties described previously. Limits, approvals, reporting, correction, controls 

and many other aspects of business life have to be encapsulated in programs and 

procedures. Even in an activity such as trading in which the need for security is so 

98 



evident, decisions can and have been made that strengthen or weaken overall security. 

The manner in which those decisions are made is indicative of the strength of a 

security culture. Including security professionals as advisors or even as designers 

reinforces a culture of security. The same may be said of auditors, although they 

would rarely design controls they may have to audit, and of risk managers, who may 

be called upon for their insights into the risks in a business function. 

6.1.5 Management Reward Structure 

Much has been said in this volume about rewards as a means of strengthening 

a culture of security and of the metrics for determining whether rewards are 

warranted. There is a vital aspect of rewarding people as a means toward solidifying 

a security culture: People, especially middle managers, need to know that secure 

behavior will be rewarded. That, in turn, means that senior managers must make 

their intentions clear. Senior management must encourage the implementation of 

security safeguards with all the budgetary support that it implies and must also 

promote the attitudes that constitute a culture of security. 

In other words, to be rewarded in pay, promotion, respect and clout, managers must 

not only do the right things with regard to security, but also be seen to be doing so 

willingly, supportively and intentionally. They must be proactive in considering 

security as a part of their jobs, insisting on secure solutions to day-to-day problems. 

They should find themselves in accord with security professionals on most matters 

and should not be constantly negotiating for less security in each new project and 

system. Senior management should be aware of the attitudes and approaches taken 

by middle managers and reward them accordingly. 

If a business manager and a CISO disagree on the extent of security needed, should 

the CISO always be considered to be correct, and how does a senior manager know 

whether a middle manager is being obstructive to security or standing firm for the 

appropriate level of security? To the first question, it is clear that CISOs are not 

always right and that they sometimes are more extreme in their drive for the most 

secure operations possible, losing sight of the business context in which security 

is to be implemented. It is as incumbent on CISOs to learn to think like business 

managers as it is on business managers to think like CISOs. That said, most CISOs 

are not overly extreme all of the time (or else they will not be in their positions for 

very long). A particular disagreement between the two means little, especially if the 

difference of opinion is conducted in a collegial manner, but a pattern of conflict 

is another matter entirely. Senior managers should be attuned to such behavior and 

reward or reprimand accordingly. 

One of the roles of senior managers is the resolution of disputes among their 

subordinates. They can tell who is involved the most often and how often those 

people are supported or denied in their arguments over security. (To be sure, 



a senior manager may also act outside a security culture, but if the culture is 

to be built around security in context, it is senior management that bears the 

responsibility of establishing that context.) Senior managers do not need to rely 

solely on their own judgment in determining who is and is not supportive of a 

security culture. They know who is criticized in audits on a regular basis, who is 

out of tune with colleagues and who is running the greatest risks. 

Establishing the reward structure for a culture of security does not need to take the 

form of a written set of metrics. In fact, to define a culture solely on the basis of a list 

of dos and don’ts would unnecessarily constrain it. A quiet word in the corridor, a 

note on an annual review or a supportive e-mail may do quite as well. The important 

thing is for everyone to know that someone above is aware of the cultural temperature 

of an enterprise and will take active measures to reward those trying to raise it. 

6.2 Balance 

Tightrope walkers have many skills and attributes: style, courage, determination, 

showmanship and a little bit of magic. They definitely have a culture of security 

that consists of balancing poles, nets and years of practice. What they have most 

of all is balance. If building a security culture is not quite so treacherous as 

tightrope walking, it calls just as much for balance. It requires some organizational 

acrobatics, the ability to change direction and overcome inertia, and a solid central 

position that does not shift when conditions do. 

6.2.1 The Burden on Security Professionals 

Perhaps the most important part of balancing, in cultural terms, is just getting 

along well with others. Those who support a security culture must convince others 

and transform their thoughts and actions. This is rarely achieved by pounding the 

boardroom table. Persuasion is a gentle art that calls for the proponent to demonstrate 

(more so than explain) that security is beneficial to others who are not quite so 

certain. As much as anything, it requires the supporters of a culture of security to 

have a firm, internal comprehension of what makes information secure and why the 

information should be secure in the first place. The demonstration of the value of 

security must be given in terms to which each recipient will understand and relate. 

Balance is needed because some position, action or initiative is so weighted to 

one, insecure side that a counterweight needs to be applied. Therefore, it requires 

the proponent of security to be able to recognize the other person’s goals and 

objectives and apply just the right amount of countering force. The focus must 

be as much on the recognition as the force. Imposing security over the objections 

of a salesperson, an accountant, an operations manager or an administrator may 

build greater security, but may just as easily undermine a culture of security. It 

is not a question of winning or losing, but of understanding the greater long-term 

100 



goals of an enterprise. Security professionals, empowered as they are to keep an 

enterprise’s information safe from misuse, must, at the same time, visualize how 

that information is and can be put to profitable use. 

This ability to see the matters from another person’s viewpoint is a difficult skill to 

master. It is the essence of organizational balance, especially for those who are entrusted 

with the responsibility to keep information safe. In the information security functions of 

many enterprises, there is a history of battles won, but mostly lost, and of slow progress 

to push the front forward to overcome the forces that would sacrifice safety for meager 

gains. The use of military terms in the previous sentence is intentional, and for those 

security professionals who think in those terms, it is destructive of a security culture. 

Security of business information is not a war, and implementing security is not a matter 

of wins and losses. Those who think back on the introduction of a new application or 

technology and are still upset because management did not support a particular security 

initiative have to put all that behind them. 

Each issue has to stand on its own merits in context and with balance. The imagery 

of battle is counterproductive precisely because, even if security is not a war, one’s 

fellow employees are allies in the fight. Security professionals need to ask themselves 

what would be a “win” for the others in their enterprise who have its welfare at heart 

just as much as they do. Security can be achieved by forcing a particular safeguard or 

restriction to be put in place, but the imposition of organizational force undermines a 


Security professionals must learn to think like salespeople, accountants, operations 

managers or administrators and to understand what drives and compensates them. 

They should seek to achieve the objectives of both a business unit and a security 

department. True organizational balance will be achieved when a CISO can be 

promoted to a revenue-generating role and a business unit leader can be promoted 

to CISO. In many, perhaps the vast majority, of enterprises, this balance is a long 

way off in the future. 

To some extent, the problem lies with security professionals’ lack of understanding 

(and some would say, of interest) in how a business actually works and how a 

private enterprise makes money. This is, in most cases, overstated; most security 

professionals have a very good comprehension of the workings of their enterprises, 

gained through business impact analyses and risk assessments. What many lack is, 

in the words of the poet, the ability to see themselves as others see them. 6 In too 

many enterprises, the information security function is not well liked, even where it 

is respected. As explained in section 4.0, security professionals are sometimes seen 

as organizational cops and not friendly. They still have the obligation to do the right 

things for the security of an enterprise’s information; they must learn to put things 

their way, but nicely. 



6.2.2 The Burden on the Enterprise 

Security professionals cannot forego their responsibilities for the sake of nicety, 

though. They are as likely to fall from the tightrope by giving away too much as 

giving too little. Throughout every enterprise, people must realize—and many 

do—that business has undergone and is still undergoing profound change in only a 

generation. Information is available in ways never before encountered: in greater 

quantities, at less cost, in less time and anywhere in the world. Protecting it is a 

tireless job in a battle—here the imagery is appropriate—against unknown, unseen 

forces, some of whom may appear to be friends. 

In short, information truly is at risk and enterprises are at risk of not controlling 

their precious information. This recognition needs to be engrained in every 

company, government agency and charitable institution today. Technology has 

altered the balance of security everywhere. The sheer amount of data is growing at 

incredible rates, more than 50 percent year over year. 7 In previous years, data were 

measured in megabytes, then gigabytes and then terabytes. Industry analysts now 

talk in terms of petabytes—that is thousands of trillions of bytes of information. 

The information flows quickly as well. It is routine for large enterprises to have 

communications lines of megabits per second. Even home users of the Internet are 

seeing speeds of many megabits per second. 

Information does not just fly, it walks as well. In many enterprises, there is a 

growing understanding of the vast amount of data that move through society on 

laptop computers; compact disks-read only memory (CD-ROMs); Universal Serial 

Bus (USB) drives; backup tapes; and, yes, paper. In many cases, data do not 

leave the protected perimeter of an enterprise’s data processing systems through a 

security breach, in which someone accesses data without authorization, but, rather, 

through transportation of data accessed in an authorized manner. This is not a new 

concern, but the increased ubiquity and capacity of readily transportable media 

have magnified the problem. 8 Enterprises must be cognizant of the change in the 

dynamic of securing all that information. 

This also raises the urgency for strengthening a culture of security. Business leaders 

cannot sit idly by, waiting for the CISO in their enterprise—if there is one—to 

save the day. Enough has been said already about the need for champions who 

are aware of the problem of securing so much information. The CISO’s task is 

to communicate the magnitude of the problem and to present solutions that the 

business can accommodate, and it is up to the leadership of each enterprise to heed 

the warning. 

In other words, if the balance point for security has changed, so, too, has the center 

of gravity of a security culture. There are issues on which security professionals 

can bend and others in which any bending will lead to rupture. Although there is 

102 



room for accommodation in some matters, the center must still hold. It is up to 

security professionals everywhere to identify the breaking point for the information 

in their enterprises. A security culture, too, is a fabric that can bend in some 

places, but must be stiffened so as not to tear. For example, there is much room for 

compromise as to which roles need access to which information to perform at an 

optimum level, but there is no space for a breakdown in separation of duties. Some 

latitude may be given to system administrators to have privileged access to many 

servers and operating systems, but the ability to bypass supervision and control with 

regard to programs and data is not negotiable. Information owners can deliberate 

on how critical their information is to their business and, therefore, how quickly it 

needs to be restored after a disruption. They cannot scrimp on cost by foregoing 

recoverability altogether. Also, once they have decided on the sensitivity, criticality 

and risk of their information, they cannot quarrel with the cost of the necessary 

safeguards and controls to protect it to the level they have determined. 

In many enterprises, it is felt that information owners are all in favor of security, 

recoverability and control—until they hear the price of achieving it. If there is to be 

a culture of security in an enterprise, it must be based on openness and cooperation 

in finding the balance between the need and the cost of security. Security 

professionals generally strive to provide decision makers with accurate and relevant 

information of risk and costs, and information owners must not adjust their 

risk-related decisions based purely on cost. That is not to say that affordability 

should be taken out of the assessment of the appropriate level of security; cost is a 

factor of appropriateness. However, the risk does not change whether the price of 

safety is high. By analogy, many people buy the maximum amount of insurance 

they can afford and accept the fact that, if the insured event occurs, they may not 

be fully recompensed. Enterprises with a serious security culture make the right 

choices, not always the ones that provide the highest level of security. 

6.3 Convergence of Security Roles 

The distinction between security professionals and business leaders is, of course, a 

false one. Those in the information security function are part of the business, and 

many parts of an enterprise participate in security. As BMIS notes: 

To maximize [ROI], all security functions (information security, 

physical security, etc.) should be aligned with and support each other. 

Nonaligned security functions are wasteful and hinder the identification 

and mitigation of cross-functional risk. 9 



However, there are many others who play a part in information security, whether 

they have a security title or not. (See section 5.3.) Each participant must be in 

close contact with the others to build, in ISO’s terms, an information security 

management system—not an information security department. Risk management, 

HR, physical security, datacenter operations, corporate communications, 

telecommunications, general counsel, internal audit, compliance, privacy and BCM 

all have a part to play in securing information. It would be easy to think that all 

these different organizational functions taken together would form the nucleus of a 


They would, if they recognized one another for their different roles in security. 

Unfortunately, in all too many cases, they do not. A notable example in many 

enterprises is the divergence between what should be closely entwined functions: 

information security and BCM. Continuity and security are simply two points on 

a spectrum of risk management. If the risk involved to information is one or more 

events or conditions that create losses (financial, surely, but data losses as well), all 

sources of those events or conditions should be understood as being the same, or at 

least closely related. “Business continuity” is generally used for a loss caused by 

a physical event (e.g., a disaster), and “information security” is generally used for 

a loss caused by a logical event (e.g., a virus). As long as confidentiality, integrity 

and availability are used as a definition of security, then business continuity must 

be included. There is a definite convergence of interest between the two. Moreover, 

the risk to availability stems from more than the possibility of disasters, which 

occur rarely, but with enormous impact. Losses are caused by fires and earthquakes, 

but they are also caused by downtime of any sort. 10 

Why do these two functions not work more seamlessly together? Why, for that 

matter, are the different components of security not more closely aligned? The 

problem is politics; the solution is a culture of security, which would, as BMIS puts 

it, allow “for the convergence of security strategies,” 11 operations, supervision and 

reporting. The most useful contribution senior management can make to a security 

culture, aside from intentionally championing its existence, is to ensure that all 

those with converging security responsibilities reinforce one another rather than 

needlessly, heedlessly fighting for their own “turf” at the expense of one another 

and the detriment of the security cultures in their enterprises. 

6.4 Automated Cultural Tools 

There is a place for automation in the establishment of a security culture. This 

seems surprising because culture seems to ride above technology, not encompass 

it. However, in an era with mobile phones, personal digital assistants (PDAs), 

laptop computers, e-mail, social networking, instant messaging and e-books, it is 

104 



hard to recognize a contemporary culture that is not heavily influenced by technical 

tools, methods and assumptions. Much of the business world has come to expect 

information to be available instantly, in every degree of detail, anywhere and 

anytime. The security of all that information and the role technology may play 

in it should be obvious. 

There is a process that enterprises can follow that will allow them to approach 

complete absorption of security into a corporate culture even if they never 

completely get there. It implies that the cultural environment is not static; at 

the same time as requirements are issued (or become obsolete), systems are 

being introduced, upgraded or discarded. The process calls for vigilance and 

responsiveness. When an enterprise needs to respond to an internal or external 

stimulus (e.g., a reorganization, an acquisition, or a new law or regulation), it needs 

to instigate action regarding security. The first step is to analyze the requirement, 

which can rarely be done by security professionals alone. It necessitates 

involvement by those who own or use the information in question; often by legal 

counsel; and, in some instances, by senior management. 

The culture then needs to adapt to fit the requirement to the enterprise. Depending 

on what it is, the CISO may lead the way or perhaps someone in an enterprise 

closer to the impact of the change. Analysis must be performed to determine 

whether an enterprise is already doing what is required everywhere and without 

exception. At this point, the change is subject to automated tools for project 

management, reporting, budgetary impact and role management. None of these are 

automation of the culture as such, but together, they influence what the culture of 

security is and what it is to become. 

As simple of a requirement as the regulation to “assign a unique name and/or 

number for identifying and tracking user identity” 12 can have significant cultural 

impact. It implies that every user of every system is individually known and 

identifiable, that everyone’s activity with regard to information is known, and that 

people are accountable for what they do with the information they encounter. This 

has huge cultural implications, and honoring the regulatory requirement involves a 

certain set of assumptions and attitudes about who uses what information for which 

functions. The automation that enables this manifestation of a security culture is, 

in this case, identity management software. The technology involved contains a 

number of elements, as shown figure 7. 13 



Business Events/Triggers 

106 

Authoritative 

Source 

Employee 

Customer 

Business 

Partner 

Figure 7—Identity Management Elements 

Identity 

Repository User 

Attributes 

Attributes 

Attributes 

Enterprise Identity Role Architecture 

Protection 

Provisioning 

Access 

Management 

The identity repository is, essentially, a directory of everyone known to the 

enterprise who may have access to information, a cultural artifact if ever there 

was one. Provisioning associates people with resources, and access management 

enforces those entitlements (and restrictions) at the time of access. However, the 

most important element, from a cultural perspective, is the authoritative source. 

It is metadata, information about information, that states who should have access 

to what. A management structure is implicit when it has the authority to make 

those determinations and, by extension, to exclude everyone everywhere who is 

not included. 

The point of the previous example is that there are technologies that have cultural 

impact on security. In implementing technical tools, enterprises come face to face 

with the fact that they need to tailor their cultures, security being not the least 

aspect, to work effectively with their technologies. At the same time, technical tools 

become instruments for the development of a security culture. 

6.4.1 An Architecture for a Security Culture 

It is possible to use automation to support a security culture through the use of tools 

that enable management to understand and control the interaction among people, 

processes and technology that constitute a corporate culture. 14 The tools (or more 

properly, a tool kit) have a logical architecture with three major layers: 

• Repository—Serves as the system of record 

• Business logic—Manages the execution of the processes and analytics 

• Presentation—Provides the views, dashboards and interfaces to management 


Applications and Data


Repository Layer 

The repository is more than just a data warehouse of laws and regulations. It 

consists of components that interact in such a way as to provide the raw data that 

need to be acted on by the business logic to make a culture comprehensible. Tools 

that make up the repository include: 

• Databases of relevant information about the enterprise, including the management 

structure, identity management, infrastructure and applications, location and use 

of information, and networks 

• A compliance requirements database that contains the complete range of laws, 

regulations, policies, standards, guidelines and directives to which an enterprise 

is subject. There must be a normalizing structure to enable users to learn about all 

the requirements for access control, identification, recoverability, etc. 

• A database of cultural documents, closely linked (perhaps the same as) the 

compliance requirements database, containing the actual language (translated 

as necessary) of the policies, standards, guidelines, management dictates, laws, 

regulations, etc. 

• A policy interface that harmonizes naming standards, control processes, metadata, 

technology elements, etc. This interface is needed to apply all the other information 

in the repository to a given matter at hand: making all the pieces and parts of an 

enterprise and its technology fit together in a manner that supports a security culture. 

Business Logic Layer 

Where the components of the repository are data stores, those of business logic are, 

naturally enough, application programs. These constitute the engine that figures out 

what a security culture is and, instance by instance, determines whether it has been 

achieved. They include: 

• A workflow management tool that organizes the sequence of cultural actions. 

It directs and escalates the activities that occur from the time a requirement is 

recognized until it is either satisfied or a decision is taken not to accede to it. It is 

also the mechanism for tracking notifications, alerts and incomplete work items. 

• A self-assessment tool that provides an interface that enables management 

to input parameters and receive back a report of the state of the culture. The 

tool should be able to evaluate individual aspects of a culture (e.g., security 

accountability, rewards, budgets) or the strength of security within an entire 

corporate culture. It has to be driven by a rules-based engine and applied against 

all the data in the repository. 



Presentation Layer 

As it may be deduced from what has been said previously, it is no easy task to put 

together all these components in a way that can be readily used by people. The data 

generated by the business logic have to be interpreted and digested to a level that 

makes appropriate actions clear and measures whether those actions have been or 

are being taken in a timely fashion. The presentation layer has two components: 

• A portal to enable users to navigate through all the data, services and reports 

offered by the foregoing components. This portal should also have connections 

to related systems such as configuration management, access control and identity 

management. 

• A dashboard that will enable managers at all levels to monitor the security culture. 

It should facilitate ad hoc queries and reporting. 

The cultural tool kit described does not stand alone. It needs to fit within the 

process, enterprise and governance addressed previously. The set of tools that 

is needed in one industry is not necessarily the same as those for others. 

Manufacturing companies, for example, may be more concerned with personnel 

safety than would be banks, which, in turn, may be more focused on uninterrupted 

availability of IT systems. Just as surely as there is a body of law and regulation in 

each industry around these issues, there is a broader set of attributes (see section 

5.3) that should be the lens through which management views its security culture. 

As with any set of tools, the quality of use is more important than the quality of the 

tools themselves. The uses of automated tools are limited only by the imagination 

of the user, but these can be categorized in such a way as to lead to effective growth 

of a security culture: 

• Managing a culture begins with recognizing that a culture exists. This requires 

identification and documentation in the repository of all the attributes of a security 

culture. It also implicitly requires that missing elements be identified and filled 

in over time. This requires local personnel to recognize new and altered attributes 

and requirements and enter them into the repository. Logging the entry should 

initiate a workflow of evaluation, prioritization and assignment of responsibility. 

• A cultural tool kit consists of more than programs and databases that labor to fix 

things that no one recognizes as broken. When done correctly, the tool kit can 

be used to reinforce the assimilation of the culture of the enterprise through the 

details of security in system development, configuration management, datacenter 

operations, vital records management and other aspects of using information. 

This programmatic aspect of a culture of security is a reflection of enterprise and 

governance as recognized through the evidence it leaves behind. 

• Finally, a security culture is not an objective unto itself, but the inclusion of attitudes 

and behaviors into the full array of day-to-day activities that make up a business. 

The tool kit makes it possible to scan, monitor, anticipate, respond and learn over 

time. It should be obvious that a cultural tool kit can be used to make an enterprise 

more in tune with its internal and external obligations, but not all at once. 

108 



This is a generic description of software that is often labeled as governance, risk and 

compliance (GRC). GRC itself is not a security culture, but it is impossible to have 

a functioning culture of security if GRC is not managed. As a general statement, the 

vendors of commercial GRC software products do not emphasize the cultural aspects 

of what they are selling. However, their products cannot be implemented without 

considering their cultural implications and an enterprise’s security culture can be 

ratcheted up by using such tools. 

6.5 Stakeholder Feedback 

Former New York (USA) mayor Ed Koch was famous for asking “How am I 

doing?” of every citizen he encountered. As an elected official, responsible to the 

people of the city, it was appropriate for him to ask such a question. So, too, this 

question may be asked of those who would support a security culture. Interestingly, 

it is not clear who should ask and who should answer. There are cultural and 

political ramifications in both the query and the response. 

In every enterprise, as previously stated, a security culture exists whether or not 

it is an intentional one. However weak or strong it may be, it does not belong to 

anyone. The champions may drive it, the CISO may define it and the auditor may 

enforce it, but it is not theirs. It “belongs”—if that is the right word—to everyone 

in the enterprise who participates in it. Thus, to ask, “How am I doing?” is to 

inherently admit that a culture exists, that the questioner feels a part of it and that 

reinforcement is being sought about what is being done. 

The question demands an answer. Internal auditors and, to a lesser extent, security 

professionals are empowered to answer, but the best that they can do with regard 

to culture is observe and comment on patterns of behavior. Unless they are mind 

readers, they have no ability to determine the beliefs, assumptions and attitudes of 

others. Yet, a state of mind can be read through what people say, how they say it, to 

whom they say it, under what circumstances they say it, and at what potential cost 

in influence and respect it is said. In short, if a person wants an answer to “How am 

I doing?” with regard to a security culture, that person should not only act securely, 

but speak up about it. 

“How am I doing?” is a very different question from “How are we doing?” The latter 

is a question that should be asked foremost by boards of directors, which have a 

fiduciary interest in the security of the enterprises they serve. They should, and often 

do, inquire about the state of security, but less often about how security is viewed, 

spoken of and acculturated. In one industry in one country, the responsibility is 

clearly stated: “Information security should be supported throughout the institution, 

including the board of directors, senior management, information security officers, 

employees, auditors, service providers and contractors.” 15 All of these people should 



have a firm grasp of what the stakeholders are doing with regard to security and 

should attempt to impute intent from actions. 

Stakeholder feedback should be sought out, but in a culture in which all are 

participants, who is not a stakeholder? Reactions should be sought from the 

ultimate stakeholders, the customers (or the citizenry, in the case of a public sector 

enterprise). There is some information that is purely proprietary to an enterprise, 

such as strategic plans, financial reports and product evaluations, but a great deal of 

information in every business is actually someone else’s orders, records, personal 

data, medical history, literary preferences, travel plans, etc. The people in question 

have a very real stake in the security of their information and the way in which it is 

used by the people in enterprises that have been provided that information. Today, 

many enterprises are seeking assurance on security and recoverability from their 

vendors, and the nature of their questions should, in part, inform their own security 

culture and those of the respondents. However, senior managers, especially those 

who elect to be champions of a security culture, should be asking their business 

partners, “How are we doing?” Security should be a part of the question. 

Endnotes 

1 “Business: Concerning Morgan,” Time Magazine, USA, 21 March 1927, 

www.time.com/time/magazine/article/0,9171,730161,00.html 

2 The American sociologist and senator Daniel Patrick Moynihan said, “Everyone is 

entitled to his own opinion but not his own facts.” 

3 Willie “The Actor” Sutton was a small-time American bank robber. He was not 

very good at his trade and kept getting caught. When he was asked why he kept 

robbing banks, he replied “Because that’s where the money is.” See US Federal 

Bureau of Investigation, www.fbi.gov/libref/historic/famcases/sutton/sutton.htm. 

4 Johnson, M. Eric; Eric Goetz; Shari Lawrence Pfleeger; “Security Through 

Information Risk Management,” Dartmouth College, USA, http://mba.tuck. 

dartmouth.edu/digital/Research/ResearchProjects/JohnsonRiskManagement_ 

Finald.pdf 

5 This was precisely what occurred in the massive fraud that brought down the 

Barings banking firm in 1995. (See “Bank of England Cites Fraud in Barings 

Collapse,” New York Times, USA, 19 July 1995). The same thing is alleged in the 

case at Societé Generale in 2008. 

6 Burns, Robert; “To a Louse,” Scotland, 1786, the actual line is “Oh would some 

power the giftie gie us, to see ourselves as others see us.” 

7 “Disk Storage Systems Market Rebounds to Double-Digit Growth Across All 

Segments in First Quarter, According to IDC,” Press release, 4 June 2010, 

www.idc.com/about/viewpressrelease.jsp?containerId=prUS22368310&sectionId= 

null&elementId=null&pageType=SYNOPSIS 

8 Ross, Steven; “Data Plumbing,” ISACA Journal, vol. 6, USA, 2009 

110 



9 ISACA, An Introduction to BMIS, op.cit., p. 13 

10 Ross, Steven; “Converging Need, Diverging Response,” Information Systems 

Control Journal, vol. 2, USA, 2006 

11 ISACA, An Introduction to BMIS, op.cit., p. 13 

12 Health Insurance Portability and Accountability Act (US), § 164.312(a) (2) (i) 

13 Ross, Steven; “Identity Architecture,” Information Systems Control Journal, 

vol. 3, USA, 2004 

14 Much of the material in this section is adapted from Ross, Steven; “Automating 

Compliance,” Information Systems Control Journal, vol. 5, USA, 2007. 

15 US Federal Financial Information Examination Council (FFIEC), “Information 

Security,” USA, July 2006, www.ffiec.gov/ffiecinfobase/booklets/information_ 

security/01_security_process.htm 



112 



7.0 negative reinforCement 

7.0 negAtIve ReInfoRCement 

The fact that information seems secure does not necessarily indicate that there 

is a functioning culture of security, but it is clear that where security is lacking, 

the security culture is lax, ineffective and counterproductive. If people within 

an enterprise (and outside, for that matter) have access to information that they 

have no business using, leave the office with proprietary data, routinely disclose 

personal information and commit other information sins, then the security culture 

is a negative, harmful one. It is a clear indication that no one in the enterprise’s 

leadership has any intention of strengthening the culture, either. In this sort of 

enterprise, a champion must arise to recognize the risks and to take active measures 

to reverse course. (See section 5.) 

Known shortcomings in security, at the level of either specific safeguards or 

the program as a whole, must be remediated. If there is evidence of intentional 

disregard of security provisions, management must take action. Where there is 

malicious intent (e.g., fraud, sabotage) almost all enterprises will terminate the 

individual involved and will (or should) instigate criminal prosecution. This goes 

well beyond what may be described as negative reinforcement of a security culture; 

they are matters of prudence and common sense. 

From the cultural perspective, there is a need to eliminate attitudes and behaviors 

that are harmful to security. It is easier to manage actions than thoughts, and if all 

people always acted in a secure manner, no matter what they thought, the issue 

of the culture would be moot. However, that is not human nature; the thought 

instigates the deed. Both need to be addressed, and a security culture must be 

advanced by counteracting insecurity in both word and action. At some point, 

negative reinforcement involves discipline, but that cannot be the only basis of 

an effective security culture. This simply reinforces the perception of security as 

a negative force. Rather, just as positive reinforcement consists of management 

practices to promote desired attitudes and ways of doing things, negative 

reinforcement entails prevention of unwanted behaviors and thinking. 

It is significant to remember the distinction between policy and culture. What 

management intends an enterprise to do is stated in policy; what it actually does is 

its culture. The objective of management reinforcement, both positive and negative, 

is to bring the two into alignment. All those involved in fostering a culture of 

security, from senior management to the most concerned staff member, should 

take part in both accentuating the positive and eliminating the negative. It must be 

recognized that positive reinforcement is easier. Most managers would prefer to 

commend secure behavior rather than reprimand the opposite, but they know that 

both praise and punishment are parts of the job. 



It is important to note that all managers need to be involved, not just a CISO. It is 

tempting to use security professionals to frighten people into surly submission to 

security requirements. In the long run, though, it undermines a security culture, as 

noted previously, and no security professional should accept that role. Culturally, 

it is quite different to say that people should behave securely so as not to run 

afoul of the information security department as opposed to doing so because it is 

management’s expectation—a part of their jobs. This is the difference between 

functional and intentional security, as described in section 5.2. 

7.1 Perverse Incentives 

Perverse incentives are “measures that have unintended and undesirable effects which 

go against the interest of the incentive makers. They become counterproductive in the 

end.” 1 It is not unusual to read about, or even experience, this sort of conundrum, but 

in security, as in many other endeavors, the possibility of an action having an equal 

and opposite—but very much undesired—reaction is an ever-present possibility. 

Humans being human, these things will occur; it is up to those who manage within a 

security culture to be sensitive to the occurrence of such incentives and to stamp them 

out when they occur. 

The most common example of a perverse security incentive deals with passwords. 

In many instances, enterprises attempt to make passwords “tougher” by making 

them longer. It is not unusual to see a system-enforced requirement for passwords 

to be eight characters long. 2 So-called “hard” passwords also may call for 

capitalized letters, special characters and numerals. However, research has shown 

that such conglomerations of digits, letters and symbols are very difficult to 

remember, so people write the passwords down and sometimes post them near their 

workspaces so that they will not be locked out and have to call a help desk, which 

incurs both lost productivity and a cost for a password reset. 3 The very purpose 

of passwords, to authenticate user identities, is, thus, completely undermined by 

attempts to enhance them. 

This has the destructive cultural effect of encouraging people to act in a manner that 

is clearly beneficial to themselves (i.e., higher productivity), directly at the expense 

of security. Saying one thing while doing another does create a way of doing things, 

but that pattern is the exact opposite of what the basis for a security culture may be. 

Most parents know the “do as I say, not as I do” trap. This makes it especially 

important that management at all levels in an enterprise avoids the temptation to 

bypass security measures for its own convenience. In many, if not all, enterprises, 

there is already a cultural divide between management and staff. Demonstrating that 

security is for the “little people” while the leadership can ignore it without penalty 

114 



sends a defeatist message about that enterprise’s culture of security. The necessary 

negative reinforcement is to hold executives to the highest standards of compliance. 

In particular, security professionals should never bypass security. 4 

Bruce Schneier, the noted information security specialist, has addressed the topic of 

perverse incentives: 

I regularly see security decisions that … seem to make absolutely no 

sense. However, in every case, the decisions actually make perfect sense 

once you understand the underlying incentives driving the decision. 

All security decisions are trade-offs, but the motivations behind 

them are not always obvious: They’re often subjective, and driven 

by external incentives. And often security trade-offs are made for 

nonsecurity reasons. 5 

To avoid creating perverse incentives, managers should look at security demands 

in a broad context. If, using the previous example, an enterprise wishes to 

strengthen its passwords, it should consider the balance between seemingly better 

authenticators and the potential for misusing them. When, in practice, passwords 

are written down and left visible, the initial objective is proved faulty and should 

be revised. In some cases, notably in Italian law, 6 strong passwords of eight diverse 

characters are an external requirement. Where that is the case, special care must 

be taken to recognize the force of law, but also to counsel all personnel on the 

importance of keeping their passwords safe. 

7.2 Vigilance 

US president and revolutionary patriot Thomas Jefferson said, “The price of freedom 

is eternal vigilance.” Although an enterprise’s security culture is important, it cannot 

be compared with the concept of freedom, but vigilance is the price of both. Not 

only do enterprises need to watch for shortcomings in security itself, but they must 

also constantly observe themselves and look for signs of reversion in the culture. 

As difficult as it is to strengthen a security culture, it is all too easy to backslide and 

return to old, bad habits for all the reasons expressed in section 4 and more. 

7.2.1 What to Watch 

For what should enterprises look, and who should do the looking? At one level, 

they must monitor security-related activities such as identification, authentication, 

attempted virus attacks, data leakage and the like, but they must also be on the 

lookout for any diminution in the culture. There is no such thing as a “perfect” 

security culture; conditions change, personnel change, and there are always 

strengths and weaknesses. Each weakness has the potential to undermine security as 



a whole while, at the same time, being an opportunity for improved management. 

Unfortunately, cultural weaknesses are rarely self-correcting. It is impossible 

to break out of a downward slide without deliberate management attention. An 

enterprise with an intentional security culture must constantly manage it. 7 

The first things for which to look are those that an enterprise does not have: 

a dedicated information security function, security policies and standards, 

enforcement mechanisms, automated security safeguards, or tight access controls. 

(Of course, if these do not exist, it is difficult to substantiate the claim that an 

intentional security culture exists at all.) Assuming that these are present, a leading 

indicator of cultural weakness is the number of disputes concerning security that 

must be resolved by senior management. If each new initiative, system or product 

causes a confrontation between security professionals and business leaders, there is 

clearly something amiss. 

The matter of balance comes into play. CISOs are not always right, but they are 

not always wrong, either. If the majority of disagreements are settled in favor of 

greater security, it signifies that greater awareness and training are required in 

certain business areas. Training should not be seen as negative reinforcement, but 

when it is remedial training, it clearly has a negative impact. However, if senior 

management regularly overrides security, then perhaps the security professionals 

have lost sight of the overall business objectives, are out of step with management’s 

directions, or have simply lost balance and underestimated the enterprise’s risk 

appetite. Here the negative reinforcement is much more direct; always being 

overruled generally leads away from compensation; promotion; influence; and, 

ultimately, employment. 

A security culture may be weak if there are constant disagreements between 

information security and the business. Perversely, there may be a problem if there are 

no disagreements, either. If nothing reaches the ears of senior management, it is likely 

that the information security function is getting along by going along. There is little 

value to a guard dog who sleeps through break-ins, and there is little purpose to a 

security function that permits every requested deviation from security requirements. 

Much more difficult to deal with, but perhaps more insidious, are casual 

conversations that downplay the importance of security. If people discuss 

information concerning a customer, client or patient in a public space, they are not 

only violating implicit policy, but they are undermining the enterprise’s security 

culture. If they carry home sensitive information on a CD-ROM or thumb drive, 

they are not only leaking data, but diminishing the culture of security. When 

someone shares a password, the security culture suffers. As bad as these sorts 

of activities are, from a cultural perspective, it is even worse when someone— 

especially a manager—approves such behavior. 

116 



This sabotage of a security culture can be stopped, but only if managers and 

colleagues are vigilant about doing so. It may seem difficult for an enterprise to 

stop such attitudes and actions, but in recent years, it has been done with regard to 

differences in race, gender and sexual orientation. Through training; admonition; 

and, above all else, negative reinforcement, cultures around the world have 

changed. If unacceptable behavior and speech have not been eliminated, they have 

been reduced. If enterprise cultures have been transformed with regard to long-held 

prejudices, changing minds about security should be even easier. 

7.2.2 Who Should Watch 

Internal auditors can and should be among the first line of vigilance with regard 

to a culture of security. They are, after all, paid and trained observers. Their 

focus is generally on the enterprise system of internal control. While, in the 

accounting literature, culture is not defined as a part of that system, BMIS does 

tie an intentional security culture to business “objectives, operating and regulatory 

environment, potential threats, risk impacts, operational flexibility, and resilience.” 8 

It can hardly be argued that regulations, threats, risks and resilience are not a part of 

a system of internal controls, so it follows that auditors should be paying attention 

to the enterprise security culture. 

It would be extremely difficult to conduct an audit of a culture, but it is not as 

hard to “take the temperature” of the culture using the audits of an enterprise’s 

departments and information systems. Auditors may question the considerations 

of security in business processes and systems. They may examine the quality 

of security safeguards. They may even ask the information security department 

about its experience with the department or system. Most important, they should 

determine the actions management has taken when security-related problems have 

been noted. These should not include only major security matters such as frauds; 

management already knows about the reaction to those. What is indicative of a 

security culture is how departmental management reacts to taking data home, 

leaving information on desktops and sharing passwords and to the myriad “little” 

security breaches. The auditor’s overall impressions, certainly supported by factual 

evidence, should be reported to senior management. Many see audit comments as 

a form of negative reinforcement. If so, negative reinforcement of this sort should 

help strengthen a security culture. 

At a different level, it is up to every manager to be watchful about a culture of 

security. Idle talk of theft, fraud or discrimination should not be tolerated, and 

hallway conversations that demean management’s insistence on security should not 

go unchallenged. Colleagues should have the same attitude. In this case, security 

(culture) really is everyone’s job. 



What should people do if local management is openly unsupportive of security, or 

worse, if they are asked by management to do something in violation of security 

policy? It is easy, in the abstract, to say that anyone in that situation should refuse, 

report the manager upward and blow the whistle. Negative reinforcement may 

come down very quickly; unfortunately, it may come down on the person who says 

refuses. That person also has a form of reinforcement. Being put in such a situation 

is grounds for considering alternate employment. 

7.3 Automated Detection 

If poor security is indicative of a poor security culture, then security failures are 

leading indicators. These would not be outright security breaches, but all the little 

(and some not so little) deficiencies in security that, if left uncorrected, may result 

in a true breach over time. For example, an incorrectly entered password means 

nothing by itself, but with a culture defined, in part, as a pattern of behavior, then 

a pattern of incorrectly entered passwords may mean that a culture of security has 

failed to reach into some part of an enterprise. The same may be said of standards 

violations, unapplied patches, sensitive papers left on desktops and ill-considered 

conversations in public places. At the very least, these show that someone was not 

paying attention at the awareness sessions. At worst, such patterns may indicate a 

deliberate ignorance of security requirements. 

Automated monitoring tools can be employed to monitor the health of a security 

culture and to take corrective action where required. Of course, these software 

products only monitor the use of electronic information, but that covers a lot. Access 

control and intrusion detection systems, for instance, generally provide reports on 

failed access attempts, privileged user access, access attempts outside normal business 

hours, attempted rule violations and other indicators of security-related activity. 

In some cases, these reports and shorter-term alarms signify an attempted external 

attack. While important, they are not necessarily relevant to a security culture, but in 

other instances, they may show that there are certain organizational units that have a 

disproportionally large percentage of the identified problems. 

In monitoring the reports, it is possible to apply the “systems thinking” approach as 

described in BMIS to detect areas in which deficiencies in management oversight, 

training, staffing or communications are leading to cultural weakness. At the very 

least, concentrations of security-related problems should call for further investigation. 

If one looks solely at the safety of the information involved, monitoring reports can 

be misleading; after all, if invalid access attempts failed, then the information in 

question is unharmed. However, these may also demonstrate causes and inclinations 

that are tied more to weaknesses in a culture than in a set of safeguards. 

118 



If the root cause proves to be ineffective training, then the security education 

program can be enhanced. If certain individuals are ignoring or bypassing 

security, they should be shown the possible repercussions of their actions and be 

reprimanded. If it is management that is at fault, then deliberate reinforcement 

of the tenets of security should be made. Moreover, managers must be shown 

the correlation between the so-called “silly” requirements of security and an 

enterprise’s overall risk profile. 

7.4 Alerts, Alarms and Triggers 

While automated tools can assist in the vigilance required to maintain an effective 

security culture, there is more to it than reviewing computer-generated reports. 

Management 9 at all levels must be attuned to the possibilities for weakening the 

culture and be prepared to take appropriate action. To do so, managers need to be 

aware of the indicators of backsliding. Some should raise concern, others should 

instigate corrective action and still others should be a routine part of assuring that a 

culture of security remains strong. 

At a certain level, a security culture is a system (a management system, to be sure) 

that processes inputs and maintains itself. (See section 2.2.5.) Thus, the system 

itself should contain mechanisms to alert management if there are problems, signal 

the need for immediate action and provide maintenance routines. Viewed in this 

manner, a culture of security may be thought of as self-sustaining. This would be 

erroneous: A culture may be a system, but it is not a machine. It requires constant 

attention from its participants—senior managers, champions, middle management 

and staff. 

7.4.1 Alerts 

Audit comments on a security culture are an effective means to keep management’s 

level of awareness of the culture high, but audits are periodic affairs and occur only 

after the fact. There should be indicators produced within a culture that can show 

management where trouble spots may be arising and what to do about them before 

they become troublesome. One means of doing so would be a “dashboard” related 

to a security culture. (See section 6.4.1). The concept of a dashboard relates to that 

of key performance indicators (KPIs). These are quantifiable measurements that can 

be traced over time to show progress or regression. 

When key performance indicators are properly developed and 

implemented, they should provide employees specific roles and 

responsibilities, clear goals and objectives, and outline how they 

contribute to the overall success of the company. Key performance 

indicators can strengthen the organizational culture [emphasis added] 

of a business through common goals and shared values. 10 



What, then, are those goals and values that can be measured quantitatively? 

The simplest is an enumeration of the major projects and initiatives occurring in 

an enterprise that highlight the involvement of the information security function 

in them. (In fairness, the information security function may not be the only one 

whose participation should be measured. The time and effort of functions such 

as risk management and internal audit should be tracked as well, but information 

security’s functions are the surest to be security-related.) It is not necessary that 

there be a quota for security professional involvement. The important measurements 

are whether that participation occurs at all and whether it is sufficient to provide 

more than token input. One does not need a quota to recognize that just a few 

hours of information security’s time on a multimillion dollar, euro, yen, ruble, etc., 

information system development is insufficient. Also important is the timing of that 

involvement; as a general rule, it may be said that earlier is better. 

In figure 8, management should be able to discern that there is insufficient 

contribution by information security in projects 2 and 5, regardless of the nature 

of the projects. In project 2, there seems to be consideration of security only at the 

end of the project, when it would be very difficult to effect changes, if required. 

In project 5, there has been no information security participation at all, nor is any 

planned. The consideration given to security, as evidenced by the involvement of 

security professionals, is clearly greater in the other projects, but out of context, 

it cannot be discerned whether this is appropriate. If, for example, project 6 is the 

establishment of an encryption scheme, then information security should be even 

more involved than it is. With a dashboard such as this, management can be alerted 

to the necessity of possible corrective action. The very existence of such cultural 

reporting is negative reinforcement of a security culture. 

Other dashboards may show the incidence of security-related incidents in production 

systems, the number of guest accesses to areas with highly sensitive information (e.g., 

patient records, contract files), and revisions to disaster recovery plans following 

tests and actual incidents. While any one report may alert management to a potential 

problem, as in the previous example, it is the accumulation of information over time 

that is the most enlightening in terms of maintaining a security culture. Analysis of 

these dashboards will show trends and identify potential trouble spots in terms of 

certain departments or types of projects or information. (Note: The implication is 

that dashboards should be graphic in nature. This is not necessarily true, and in some 

cases, information on a culture of security may be better conveyed in a table or in 

words. However, graphic representations are generally the most powerful.) 

120 


Project 1 

Project 2 

Project 3 

Project 4 

Project 5 

Project 6 

7.0 Negative ReiNfoRcemeNt 

Figure 8—Sample Information Security Involvement Dashboard 

January 

June December 

Percent of Project complete Percent of Project incomplete 

Information security involvement Planned information security involvement 

7.4.2 Alarms 

In some cases, action must be taken at once to correct a growing problem. The 

clearest case is the existence of actual security violations. These should be tracked 

and reported to determine whether there is a pattern to the attacks and inappropriate 

actions. Combating actual security weakness is the objective of an information 

security function, but by itself, is not a cultural KPI. A measure of a security 

culture would be the budget in terms of staff time and capital outlay to eliminate 

a weakness once it is exposed and the time taken between an alarm and the 

corresponding response. 

Another sort of alarm that is a KPI of a security culture is the disputed requirements 

for security that are elevated to a senior level (see section 7.2), in which cases, 

management must actually make security-related decisions. A dispute in and of 

itself means little, but there are several matters to be aware of: how often these 

disputes occur, from where they stem and how difficult it is to resolve them. If 

nearly every project results in management intervention, then it is indicative of 

problems, not only with the process for resolution, but in the culture itself. A 

different story is told if disagreements arise routinely in certain sectors and not 

in others or if disagreements regularly occur with the same type of information 

(research, financials, personnel records, etc.). These should be alarms for 

management to take a closer look at certain policies and people regarding those 

sorts of information. 



Disputes should be difficult to resolve. The fact of disagreement means that 

honorable people have looked at the same facts and come to different conclusions, 

necessitating senior-level resolution. If problems are cleared quickly and easily, 

it indicates stubborn resistance on one part or another. If it is always the same 

person or function exhibiting that obstinacy, it is a clear signal to management that 

something must be done, not only to prevent recurrence, but to shore up its culture 

of security. 

7.4.3 Triggers 

There are planned and unplanned cultural triggers that necessitate management 

action. The former are generally associated with the passage of time. For example, 

management should consider an assessment of an enterprise’s security culture on 

a regular basis, perhaps every few years (more or less dependent on the overall 

corporate culture and the sensitivity of the information involved). This implies that 

management is aware of a culture of security, recognizes its importance and supports 

maintaining it at a high level. Where that is not the case, some party (i.e., information 

security, the security champion, internal audit) may perform such an assessment 

on its own, presenting the results to management and, one would hope, triggering 

both further analysis and, ultimately, decisive action. A formal assessment is not a 

necessity for creating an intentional culture of security (see section 5), but depending 

on its findings, it may provide a badly needed “wake-up call.” 

It may be more valuable to initiate a security culture assessment on more than a 

regularly scheduled basis if it appears that a culture is slipping. There is a 

dangerous period between management’s support for a security culture and the time 

it becomes ingrained in an enterprise. Performing a study to see how well a culture 

of security is taking root may trigger corrective action by management if it is not 

moving smoothly or rapidly enough. 

The most important unplanned trigger is a pattern of weakness in a culture of 

security that management sees, but does not understand. Individually, the 

weaknesses may be anomalies, but if the same problems keep recurring, always 

stem from the same sources or result in unacceptable losses, there is usually some 

underlying cause leading to those problems. Further analysis may be required. As 

a general term, this is referred to as “root cause analysis.” The cause of a cultural 

weakness may be a lack of training, management oversight, communication, or staff 

energy. On the other hand, the cause may be systemic or technological, the end 

result of what are actually a deep-rooted series of problems that come to light only 

when an end result is observed. 

Not every issue is a momentous problem; many are simply the result of one-time 

human error. These are easily corrected. The first step is to determine which 

anomalies are triggers for root cause analysis. The frequency that constitutes a 

122 



trigger is a determination heavily influenced by industry, geography, risk profile 

and other factors. 

Typically, a root cause analysis will not result in an explanation that “A occurred 

because of B.” Often, B was caused by C, which was caused by D, etc. For that 

matter, it is not always the case that an event has a single cause. Therefore, it is 

important to clarify the chain of causation leading to a defect. It is always necessary 

to validate whether the negative KPIs in question are accurate; it may be that the 

problem is in the measurement, not the process itself. The responsible person or 

people should be interviewed to gain an understanding of the reason for the 

cultural shortcoming. 

The causes of a cultural weakness may not be clear, especially if it requires working 

backward from effects to causes. Essentially, this necessitates asking, “If A had not 

occurred, would B have happened?” in an iterative fashion. The causal chain should 

be examined at each step to see whether the action suspected of causing the ultimate 

cultural weakness did, in fact, contribute. At the end of the root cause analysis 

process, it is necessary to reach conclusions as to the underlying causes of cultural 

weaknesses. While it is important not to allow root cause analysis to become a search 

for someone to blame, it is equally important to find and fix existential problems. 

Affixing blame is self-defeating; it leads to the conclusion that the problem is caused 

by ineffective people rather than dysfunctional processes or technology. 

It is important to note that identification of a root cause provides the opportunity for 

leverage. The resolution of a problem at its source may have wider ramifications 

further down the line, but there are times when the cause really is individuals acting 

in ways that are counter to an intentional security culture. In those cases, negative 

reinforcement is called for, rather than simply blame. 

7.5 When All Else Fails 

If a security culture is to have any meaning, there are times when it is necessary to 

take decisive and punitive action against those who determinedly defy everything 

for which the culture stands. Notwithstanding all that has been said before in this 

volume, security cannot always be positive, upbeat, supportive and reassuring. 

Those who run counter to the culture must be warned of the consequences of their 

actions and receive those consequences if behavior does not change. Behavioral 

modification is sufficient; it is unrealistic to enforce changes in attitude. However, 

generally, when people act differently, their hearts and minds do follow. 

There are two analogous cultural changes in the business world that can be used 

as examples of the effective use of negative reinforcement: smoking and sexual 

harassment. It is true that these have not developed in the same way and at the 



same speed in all parts of the world. There are still nations where people routinely 

smoke in the office, and the treatment of coworkers is not the same everywhere. 

Nonetheless, in many countries, management has made a commitment to the 

health of employees and banned smoking in the workplace. Those who were told 

to change their actions were, in the most literal sense, addicted to a behavior that 

was harmful to themselves and those around them. There was resistance at first, 

but change has been accomplished. In Spain, where there is a higher percentage of 

smokers than in the rest of Europe, the smoking ban has been effective as applied 

to public buildings and workplaces. Nonsmokers have no problems in government 

buildings, airports, offices and so on. 11 In Germany, some still smoke at work, 

but only behind closed doors in their private offices. 12 In China, progress against 

smoking has been slower, “but even there, the smoking ban is mostly targeting 

offices and public working areas.” 13 The same may be said of all corners of the 

globe. Culture can be changed if it is enforced. 

As a cultural issue in the workplace, sexual harassment is both different and the 

same as that of security—different in that: 

124 

Even within a single culture, the definition of sexual harassment is 

often misunderstood and is the subject of considerable debate in legal, 

psychological and human resource management literature, both [in the 

US] and abroad. 14 

However defined, harassment, like misuse of information, is morally 

indefensible and, in many cases, is criminal. Nonetheless, it was a fixture in 

many societies and continues as such in some even today, but it is changing 

due to stern and deliberate management action. 

The point is that cultural attitudes and behaviors were forced to change by 

public mores, to be sure, but also through certain managers saying that this is 

unacceptable. Despite the cultural differences as to what constitutes permissible 

behavior, a consensus has arisen that: 

[A] work environment should not be offensive, uncomfortable 

or embarrassing, even to the culturally based sensibilities of an 

employee (to the point of impairing his/her work) would not violate 

the boundaries established by majority values and traditions; it would 

certainly not undermine the order and stability of the society. 15 

This understanding did not simply occur haphazardly in businesses and government 

agencies. The spirit of the times did change, but managers made it happen in 

their enterprises by making it clear that certain behaviors and attitudes were 

impermissible and taking forceful action to stop them. 



If cultural change can be made to happen through decisive responses to such 

ingrained habits as smoking or harassment, it can work in defending a culture of 

security. People did not stop smoking in the office simply because management 

made them aware of the dangers nor did people stop mistreating their colleagues 

because management said it was not nice. Change occurred because external and 

internal forces brought management to the realization that these behaviors had to 

cease and that policies to that effect had to be enforced. 

7.5.1 Penalties 

In some cases, it is not enough to reward good conduct. There are times when 

penalties must be exacted for bad behavior. As applied to security, those penalties 

range from reprimands to prosecution. The latter, of course, is reserved for very 

bad behavior indeed: fraud, espionage, sabotage or theft. While criminal cases 

are necessary when there are crimes, this actually does little to improve a security 

culture. It is, in the minds of many, the exception that proves the rule. They do not 

see themselves as criminals, and for the most part, they are not. To base security 

on extreme cases leads to complacency for those in the middle. One of the tests of 

criminality is intent, and most people who do not participate in a culture of security 

intend no harm—they just cannot be bothered. 

When management, through the auspices of a CISO, promulgates security policy, 

there is an implicit commitment to enforcement, which, in turn, means that those 

who flout the policies must face the consequences. If there are no consequences, 

there is no policy and, by extension, no security culture. The repercussions do not 

need to be severe, or at least not for first (and minor) offenses. A stern word from 

a superior is often quite enough to make people mend their ways. If the superior is 

not in synch with a security culture, then that individual should receive the rebuke 

and so on, up the line. The closer the line gets to senior management, the greater 

the role of the security champion to stiffen spines. 

If a warning is insufficient, then more drastic action needs to be taken. People who 

violate security policy by sharing passwords, disclosing sensitive information, 

reading prohibited records or bypassing access restrictions should be told bluntly 

that these actions are impermissible and that a memorandum will be added to 

their personnel file or some such permanent record. Such a statement indicates 

that the acts were noticed; that the offenders were rebuked; and, most important, 

that the acts will have effect over time. The time in question may be when raises, 

bonuses and promotions are given out. If people believe that they will be penalized 

in material ways in the future, behavior (and maybe even attitudes) will change. 

Regardless of what caused the violation, unless fired, the offenders need to be 

reeducated in security policy and its importance. 

Therefore, it is necessary that threats be realized, or at least be seen as being 

realized. If, for example, a salesperson has been reprimanded about use of 



information, but has had an excellent body of sales, it is not necessary to dock 

commissions or bonuses. A statement at a regular review that the bonus would 

have been greater were it not for security-related problems will go a long way 

to bringing that salesperson into a culture of security. If there are still repeated 

instances of insecure behavior, then there can be actual monetary penalties. 

7.5.2 Defiance 

What of the people who deliberately refuse to follow security policy or to act in a 

secure manner? There is no point in reminding them of the potential harm in failing 

to secure information resources. They have indicated that they do not care. They, 

too, are a part of an intentional culture of security; one that is dismissive, disdainful, 

disobedient and defiant. These are not the people who violate security requirements 

inadvertently. They see themselves apart from an enterprise’s expressed intent to 

promote security, believing that it only interferes with some “higher purpose.” 

These people are the most destructive of a security culture. If management fails to 

counter their defiance, then management implicitly buys into their higher purpose. It 

avails nothing to appeal to the organizational commitment of those who defy security 

requirements; they have placed their own goals in front of the enterprise’s. The issue 

is no longer security, but insubordination. That is exactly how smoking bans and 

antiharassment policies have taken effect. Management no longer debates the relative 

merits of a policy; it simply says that this is the policy and it must be observed. 

This tough line is not drawn all at once. There should be a period of time in which 

people learn how to behave under the security policies. As with nonsmoking 

policies, the level of top management support is directly correlated with the speed 

at which the enterprise becomes compliant. Where senior management strongly 

supports security (or smoking or harassment prohibition) policies, they move ahead 

without resistance. Once compliance with security policies is considered the norm, 16 

an intentional, positive security culture has been achieved. Those who refuse to 

conform to normative behavior have to be removed from an enterprise. 

The real proof of a security culture comes when otherwise valuable employees are 

let go for refusing to protect the information with which they come in contact. This 

is not a routine occurrence; many security cultures do need strengthening. However, 

termination for cause does exist, and in the military and intelligence fields, it is 

understood that compliance is mandatory. This attitude is also spreading to the 

fields of education, health care and financial services. 17 

7.5.3 Career Impact 

The message of negative reinforcement is that insecure actions are not only bad in 

and of themselves, but they are bad for careers. There really is no positive way of 

conveying that message. People will adapt to a security culture when they see that 

doing otherwise will cost them money, advancement and opportunities. Negative 

126 



reinforcement does not need to be as draconian as termination or loss of income. 

Within a corporate culture, the regard of one’s peers is a mighty incentive. (See 

section 4.7.) Just as obtaining the respect of others is a response to WIFM, losing 

that respect can be motivational as well. 

Being the person who causes a security problem should result in more than snide 

comments at the water cooler. For example, reports of security and privacy 

breaches due to loss of physical media (one aspect of data leakage) are so numerous 

that they barely make the news. 18 When they do happen, the people responsible 

receive unwanted attention from their superiors. They also become participants in 

an intentional culture of security, but only too late. 

Endnotes 

1 “Metrics—Perverse Incentives,” Test Side Story, 23 June 2010, 

http://testsidestory.wordpress.com/2010/06/23/metrics-perverse-incentives/ 

2 European University Institute, “Strong Password Policy,” Italy, 20 July 2009, 

www.eui.eu/ServicesAndAdmin/ComputingService/Documentation/ 

PolicyDocuments/StrongPasswordPolicy.aspx#One 

3 Smith, Richard E.; “Password Expiration Considered Harmful”, Cryptosmith, 

USA, 15 June 2002, www.cryptosmith.com/sanity/expharmful.html 

4 As with every rule, there is an exception. Security professionals may actively 

override safeguards, with management approval, when not to do so would cause 

more harm than good. 

5 Schneier, Bruce; “How Perverse Incentives Drive Bad Security Decisions,” Wired, 

Condé Nast, 26 February 2009, www.wired.com/politics/security/commentary/ 

securitymatters/2009/02/securitymatters_0226 

6 Personal Data Protection Code, Legislative Decree no. 196 of 30 June 

2003, p. 168, in English translation at www.garanteprivacy.it/garante/ 

document?ID=311066 

7 Bettinger, Cass; “Managing Your Corporate Culture for High Performance,” Cass 

Bettinger & Assoc., 2008, p.2, www.cassbettinger.com/Articles/Managing_CC_ 

for_High-Performance.pdf 


9 The term “management” is used in this section without specificity. It does not 

necessarily mean senior management; it could be a CISO, a risk manager or a 

department head. Implicitly, it is the appropriate level of management in a given 

organization, based on the context of its risks and operations. 

10 Thornton, Shane; “Definition of Key Performance Indicators”, eHow, 

www.ehow.com/about_5142698_definition-key-performance-indicators.html 

11 “Smoking Spain—A Really Tough Smoking Ban in Spain, or Not,” Culture 

Spain, 23 July 2010, www.culturespain.com/living-in-spain/smoking-spain- 

%E2%80%93-a-really-tough-smoking-ban-in-spain-or-not 



12 Tracie Marquardt; “Smoking Ban in Germany,” Bella Online, 2010, 

www.bellaonline.com/articles/art16340.asp 

13 “Future of China’s Smoking Ban Looks Hazy,” Wall Street Journal, USA, 26 July 

2010, http://blogs.wsj.com/chinarealtime/2010/05/14/future-of-china% 

E2%80%99s-smoking-ban-looks-hazy/ 

14 Zembroff, Jennifer; “Cultural Differences in Perceptions of and Responses to Sexual 

Harassment,” 2005, www.thefreelibrary.com/Cultural+differences+in+ 

perceptions+of+and+responses+ to+sexual...-a0166350028 

15 Ibid. 

16 Harris, Jeffrey S.; “Clearing the Air—Enforcing No Smoking Policies in the 

Workplace,” HR Magazine, February 1993, http://findarticles.com/p/articles/ 

mi_m3495/is_n2_v38/ai_14152258/pg_3/?tag=content;col1 

17 See examples, including Wright State University, USA, “Security Violations,” Feb. 

1993, www.wright.edu/rsp/Security/S3stndrd/Adjudica.htm#Security Violations; 

Ivinson Memorial Hospital, “Sanctions for privacy and Information Security 

Violations,” www.ivinsonhospital.org/docs/HP015_Security_Violations.pdf, USA, 

2007; FIA Card Services, “Terms of Use,” http://disclosures.fiacardservices.com/ 

terms/index.html#terms, USA, 2008. 

The Wright State document is notable for describing the particulars of just the sort 

of defiant behavior discussed here: 

• Leaving a classified file or security container unlocked and unattended either 

during or after normal working hours 

• Keeping classified material in a desk or unauthorized cabinet, container, or area 

• Leaving classified material unsecured or unattended on desks, tables, cabinets or 

elsewhere in an unsecured area, either during or after normal working hours 

• Reproducing or transmitting classified material without proper authorization 

• Losing your security badge 

• Removing classified material from the work area in order to work on it at home 

• Granting a visitor, contractor, employee or any other person access to classified 

information without verifying both the individual’s clearance level and need-to-know 

• Discussing classified information over the telephone, other than a phone 

approved for classified discussion 

• Discussing classified information in lobbies, cafeterias, corridors or any other 

public area where the discussion might be overheard 

• Carrying safe combinations or computer passwords (identifiable as such) on 

one’s person, writing them on calendar pads, keeping them in desk drawers, or 

otherwise failing to protect the security of a safe or computer 

• Failing to mark classified documents properly 

• Failing to follow appropriate procedures for destruction of classified material 

18 A few recent cases have. See Wilson, Tim; “Two Major Breaches Caused 

By Loss Of Physical Media,” Security Dark Reading, 14 July 2010, 

www.darkreading.com/security/privacy/showArticle.jhtml?articleID=225800186 

128 


8.0 how good iS good enough? 

8.0 how good IS good enough? 

A culture of security is made up of many elements, including champions, 

management, staff, policy, rewards and penalties. All of them are needed to effect the 

transition from an unintentional or negative culture to one that is simply functional 

and, finally, to one that is intentionally strong and supportive of overall business 

goals. As has been emphasized repeatedly in this volume, the culture must align with 

the context of an enterprise’s business and be balanced between too great and too 

little of an emphasis on security. Consideration of context and balance means that no 

two enterprises have precisely the same intentional security culture. With different 

business models, people, processes and information resources, there is no reason to 

think that they could or should be identical. 

If management wishes to develop an intentional culture of security, it follows 

that management’s intentions should be well thought out from the beginning. 

Unfortunately, cultures do not evolve that way. If an appropriate security culture 

could be ordered on demand, there would be no need for any champions or policies. 

It could simply be obtained, not developed. At some point, a culture reaches a 

desired point and then the emphasis shifts from creation to maintenance. It is often 

hard to tell whether one is at the crest of a hill until one has gotten there. 

Management has the more difficult task of having to understand just how secure its 

information needs to be to establish a culture at the right level. Clearly, information 

in an intelligence agency calls for more security (and a tighter culture to protect it) 

than in a bank, which may need more security than a pharmaceutical maker, which 

may need more than a manufacturer of shoes; etc. In short, managers, CISOs, 

auditors and others need to confront the question: How good is good enough? 

Figure 9 offers some metrics that may be applied to that decision. No enterprise 

wants to have a culture that could be called “lagging” in security (or at least 

no enterprise should want one). Yet, there are too many enterprises with senior 

management that exhibit no support for security, middle managers who are 

actively hostile to anything that limits their ability to do whatever they want, and 

complacent staff and systems that show no evidence of security in their design or 

operation. Although a security culture does exist in these enterprises, “lagging” is 

too nice of a word for to describe it. 



130 

Role Lagging Aware 

Senior 

management 

Middle 

management 

Figure 9—Security Culture Maturity Model 

Uncaring Caring, 

but more 

concerned 

about cost 

Actively 

opposed to 

most security 

requirements 

Concerned, 

but bypasses 

security when 

it seems to 

hamper goals 

Staff Unconcerned Concerned, 

but inactive 

IT Does not build 

security into 

systems 

Security 

professionals 

Are only 

administrators 

Builds minimal 

security into 

systems 

Partially 

Effective Effective Leading Edge 

Funds a 

security 

program 

Respects 

security as 

long as other 

goals can be 

met 

Follows 

security rules 

Builds required 

security into 

systems 

Write policy Implement 

security 

safeguards 

Involves 

security 

in tactical 

decision 

making 

Involves 

security 


in major 

initiatives 

Considers the 

security of 

information 

while using it 

Seeks the 

assistance 

of security 


in building 

security into 

systems 

Advise 

management 

on tactical 

issues 


Involves 

security in 

strategic 

decision 

making 

Sees security 

as a 

competitive 

advantage 

Thinks about 

security 

before using 

information 

Anticipates 

the need for 

security in 

the systems it 

builds 

Advise 

management 

on strategic 

issues 

An enterprise that is aware of the need for security, but does not do enough to 

achieve it, is little better. One could argue that having good intentions, but ignoring 

them, is worse than having no intentions for security at all. If anything positive may 

be said about an enterprise at this level of cultural maturity, it is that a champion is 

more likely to emerge in one of these than in one totally oblivious to the need for 

security and a culture supportive of it. 

If no enterprise would or should want to find itself in these categories, it is less 

clear how much more it would want to do to have an acceptable culture. Having a 

partially effective security culture is enough for many enterprises. After all, there 

is a funded security program that implements safeguards that managers adhere 

to most of the time. This is, in many ways, a restatement of a functional security 

culture. (See section 5.2.) For a certain sort of enterprise—one with few people, 

little information and even less of consequence, minimal information systems and 

a generous appetite for risk—a “partially effective” security culture may well be all 

that is needed or desired.


There are nuanced decisions to be made between a fully effective security 

culture and one that may be classified as leading edge. Many of them deal with 

expectations. When challenged, manufacturers may say, “We are not a bank”; 

bankers may say that they are not the government; civilian agencies that they are 

not the military, etc., and the military accepts that it must have a leading-edge 

security culture. Security is, after all, the business of the military. If an enterprise is 

content to have an “effective” security culture, does it need to meet all the attributes 

stated in figure 9? Would it be sufficient to have a staff that follows the rules if that 

is balanced by an attuned IT function that builds in enough security into the systems 

it implements that it mitigates the necessity for considering the importance of the 

security of information while using it? The answer is a definite maybe. 

The metrics for a culture are not so well and sharply defined that anyone can say 

that only this practice, this belief or this attitude would make the best culture of 

security, as opposed to one that is merely good enough. In these circumstances, it 

is too easy to make the best the enemy of the good. Yes, managers should want a 

culture that will support the appropriate level of security in their enterprises, but it 

is possible to overreach as well. The objective is not to keep building an intentional 

security culture indefinitely nor to get to a certain point and then stop. Rather, 

enterprises should always be aware of potential slippage, be vigilant and keep trying 

to do better. In short, within the context of any business, the ideal security culture 

will never be attained or, if it is, it will need to change with changing contexts. 

8.1 Getting There 

There is a cycle to the development and maintenance of an effective culture of 

security within an enterprise and of the governance of the information within that 

enterprise. 1 It is, at the same time, a matter of positive reinforcement and insistence 

on management’s requirements, no less than it is of moving management to 

articulate those requirements. 

As with any endeavor, there are distinct phases to the implementation of a security 

culture. The first phase is always a dawning recognition that something should 

be done. Then, there is the doing followed by the effort to sustain that which 

was done. In the case of a security culture, it is a cyclical process because it is 

never-ending. 

ISACA has published a model for implementing IT governance, as shown in the 

figure 10. It is an inexact guide for implementing an intentional security culture, 

but there is considerable overlap between creating an effective IT governance 

structure and a supportive culture. It may even be argued that effective governance 

of IT, if not organizational information as a whole, cannot be accomplished without 

a culture that accepts governance. 



132 

6 Did we get there? 

Figure 10—Seven Phases of the Implementation Life Cycle 

7 How do we keep the momentum going? 

Realise benefits 

5 How do we get there? 

Embed new 

Execute plan 

approaches 

Review 

effectiveness 

Operate 

and use 

Operate 

Sustain 

and 

measure 

Implement 

improvements 

Monitor 

Identify role 

players 

Plan programme 

1 What are the drivers? 

Initiate programme Define problems and 

Establish desire 

to change 

Communicate 

4 What needs to be done? 3 Where do we want to be? 

Source: ISACA, Implementing • and Continually Improving IT Governance, USA, 2009, figure 5 

Programme management • Change enablement • Continual improvement life cycle 

(outer ring) (middle ring) (inner ring) 

and 

evaluate 

Recognise 

improvements 

Using the IT governance model as a guide, the stages of attaining a desired, 

intentional culture of security may be seen as follows. 

Build 

need to 

8.1.1 Establish the Need for Change 

The only way to have an intentional security culture, quite obviously, is to 

intend to have one. This implies recognition that the culture that exists within 

an enterprise does not measure up to the desires of those in a position to change 

it, the champions. It is not an easy moment when someone realizes that the way 

things are, perhaps the way things have always been, is not as they should be. 

This moment may come about because of an incident, a personal encounter with 

ineffective security or an observation of another enterprise. What typifies this 

mental transformation is not only recognition that something is wrong with the 

culture, but also that it can be changed in a positive direction. Moreover, the 

Form implementation 


act 

state 

Define 

target 

Assess 

current 

state 

team 

outcome 

opportunities 

Define road map 

2 Where are we now?


person experiencing this breakthrough accepts personal empowerment to make a 

difference, takes on the role of “change maker” and convinces others to join the 

campaign—thus, are champions made. 

Creation of an intentional security culture is not a one-person affair, no matter how 

well-intentioned the initial champion may be. It requires the active involvement of 

many people in positions of influence, if not authority. Widening the group that sees 

the need for positive change to a culture is a matter of persuasion and advocacy. It 

arises far more from interpersonal relationships than from management direction. 

The circle of champions will not constitute, in any real sense, an implementation 

team. The champions will not hold regular meetings, produce any documents or come 

up with a project plan. They will act as a group to build a new consensus within the 

enterprise, and to that end, they must reach a consensus among themselves. Some will 

be more aggressive and some more accepting of existing attitudes and ways of doing 

things. To be effective, they must be able to articulate a common vision of what an 

intentional culture would look like, how it would work in practice and how it would 

affect the interests of others within that enterprise. 

As in so many aspects in the development of a security culture within an enterprise, 

a balance must be attained. If the intended, strengthened security culture is too 

aggressive in making changes, it will inevitably lead to unintended consequences 

that will undermine its attainment. At the same time, if the imperative for change is 

too feeble, then the security culture will remain essentially as it is. 

8.1.2 Communicate the Desired Vision 

At some point, preferably sooner than later, the definition of the desired cultural 

changes must be communicated to those not (yet) converted. Some will be puzzled 

by the need for change, others will give lip service to proposed enhancements simply 

because of the eminence of the champions, and still others will be hostile. Each 

must be spoken with in their own terms. The unifying element is the benefits to the 

enterprise and to each individual. As stated in section 5.1.1, the message must be 

crafted to appeal to the interests of different audiences, “their behavioral profiles and 

information requirements, communication channels, and principles.” 2 In general, 

the expanded group of champions and supporters need to communicate not only the 

benefits of an improved security culture, but also the risks of leaving it as it is. The 

champions should portray the desired state and the road map for getting there. 

8.1.3 Achieve Initial Objectives 

It should be apparent that any culture, of security or otherwise, cannot be 

transformed all at one go. The desired changes must be implanted and expanded a 

little at a time. That is not to say that there cannot be “quick wins.” Management 

that is supportive of an intentional security culture should identify the most 



important revisions and also those most readily achieved. For example, it may 

be thought that protecting data from unintended leakage, the greatest risk to an 

enterprise, is the highest priority for implementation. Unfortunately, it may be quite 

difficult to prevent well-meaning personnel from taking sensitive information home 

to work on after hours, much less to stop deliberate theft of information. Therefore, 

despite the priority of data leakage prevention, it may not be achievable in the short 

term. Something less critical, such as a clean desk policy, may be more enforceable 

and, hence, easier to attain in short order. 

8.1.4 Strike a Balance 

As has been continually emphasized throughout this volume, a balance of interests 

within an enterprise is essential to implementing an intentional culture of security. 

As different aspects of management’s intended improvements to that culture roll 

out, they will inevitably bump up against other, competing interests. Those will 

have to give way somewhat to security, but not in all cases and not always to 

the same extent. Solutions will be rolled out, and during this process, mentoring 

and coaching will be critical to ensure uptake among all those affected. The 

change requirements and objectives that have been set when the initial champion 

recognized the need for change should be revisited to ensure that they were 

adequately addressed—or need to be revised. 3 

8.1.5 Institutionalize the Intentional Security Culture 

Over time, the enhanced culture of security will become the new norm. Behaviors, 

beliefs, assumptions, attitudes and ways of doing things will have been reshaped, 

and stakeholders will not even realize that they are participating in a culture that 

is intentionally supportive of security. This does not imply that slackness is now 

permissible, but rather that the drive for change can be relaxed once change has 

been achieved. 

8.1.6 Sustain the Intentional Security Culture 

It should not be inferred that an intentional security culture will be self-perpetuating. 

It requires attention by auditors, risk managers, information security professionals 

and even the champions, as required when backsliding becomes evident. 

Sustainment calls for both positive and negative reinforcement, as described 

in sections 6 and 7. Moreover, business, technology and legal changes must be 

reflected in the culture, making it endlessly cyclical. As shown in figure 11, the 

cycle of implementing a security culture is very much like that of implementing 

IT governance. 

134 


Institutionalize. 

Sustain. 

Strike a balance. 

8.2 Conclusion 


Figure 11—Security Culture Life Cycle 

Champions 

Senior 

Management 

Middle 

Management 

Staff 

Achieve initial 

objectives. 

Establish the need. 

Communicate 

the vision. 

A security culture is more than a policy, although it needs a security policy to 

give it form and substance. It is broader than management, although it needs 

to be managed. It is more than individual attitudes and beliefs because it is the 

interaction among many attitudes and beliefs that give a culture life. It is more than 

the awareness of the need for security because, no matter how aware an enterprise 

may be, its security culture means nothing if the proper safeguards are not funded, 

implemented and maintained. A culture of security is not an end in itself, and it is 

the end result of many efforts to secure an enterprise’s information resources. It is 

about IT, and it is about more than just electronic information. It is ephemeral, but 

real; it is hard to identify and easy to recognize. A security culture is both more and 

less than security itself. It says more about what people are than what they do, and 

what they do is the basis of a culture. A culture of security is the result of change, 

and it makes change happen. It is the end result of the actions of many; it starts 

with an individual making a decision to act and think in a secure manner. 

© 2 0 1 1 I S A C A . A l l R I g h t S R e S e R v e d . 135 

Widen the circle.


Endnotes 

1 ISACA, Implementing and Continually Improving IT Governance, USA, 2009, 

p. 35-36 

2 Ibid., p. 36 

3 Ibid. 

136 


iSaCa ProfeSSional guidanCe PubliCationS 

ISACA PRofeSSIonAl guIdAnCe PuBlICAtIonS 

Many ISACA publications contain detailed assessment questionnaires and work program that 

provide valuable guidance. Please visit www.isaca.org/bookstore or e-mail bookstore@isaca. 

org for more information. 

Frameworks and Model 

• The Business Model for Information Security, 2010 

• COBIT ® 4.1, 2007 

• Enterprise Value: Governance of IT Investments: The Val IT TM Framework 2.0, 2008 

• ITAF TM : A Professional Practices Framework for IT Assurance, 2008 

• The Risk IT Framework, 2009 

BMIS-related Publication 

• An Introduction to the Business Model for Information Security, 2009 

COBIT-related Publications 

• Aligning COBIT ® 4.1, ITIL ® V3 and ISO/IEC 27002 for Business Benefit, 2008 

• Building the Business Case for COBIT ® and Val IT TM : Executive Briefing, 2009 

• COBIT ® and Application Controls, 2009 

• COBIT ® Control Practices: Guidance to Achieve Control Objectives for Successful 

IT Governance, 2 nd Edition, 2007 

• COBIT ® Mapping: Mapping of CMMI ® for Development V1.2 With COBIT ® 4.1, 2011 

• COBIT ® Mapping: Mapping of FFIEC With COBIT ® 4.1, 2010 

• COBIT ® Mapping: Mapping of ISO/IEC 17799:2000 With COBIT ® , 2 nd Edition, 2006 

• COBIT ® Mapping: Mapping of ISO/IEC 17799:2005 With COBIT ® 4.0, 2006 

• COBIT ® Mapping: Mapping of ISO/IEC 20000:2005 With COBIT ® 4.1, 2011 

• COBIT ® Mapping: Mapping of ITIL ® V3 With COBIT ® 4.1, 2008 

• COBIT ® Mapping: Mapping of NIST SP 800-53 With COBIT ® 4.1, 2007 

• COBIT ® Mapping: Mapping of PMBOK ® With COBIT ® 4.0, 2006 

• COBIT ® Mapping: Mapping of SEI’s CMM ® for Software With COBIT ® 4.0, 2006 

• COBIT ® Mapping: Mapping of TOGAF 8.1 With COBIT ® 4.0, 2007 

• COBIT ® Quickstart TM , 2 nd Edition, 2007 

• COBIT ® Security Baseline TM , 2 nd Edition, 2007 

• COBIT ® User Guide for Service Managers, 2009 

• Implementing and Continually Improving IT Governance, 2009 

• IT Assurance Guide: Using COBIT ® , 2007 

• IT Control Objectives for Basel II, 2007 

• IT Control Objectives for Sarbanes-Oxley: The Role of IT in the Design and 

Implementation of Internal Control Over Financial Reporting, 2 nd Edition, 2006 

• ITGI Enables ISO/IEC 38500:2008 Adoption, 2009 

• SharePoint ® Deployment and Governance Using COBIT ® 4.1: A Practical Approach, 2010 

Risk IT-related Publication 

• The Risk IT Practitioner Guide, 2009 



Val IT-related Publications 

• The Business Case Guide: Using Val IT TM 2.0, 2010 

• Enterprise Value: Getting Started With Value Management, 2008 

• Value Management Guidance for Assurance Professionals: Using Val IT TM 2.0, 2010 

Academic Guidance 

• IT Governance Using COBIT ® and Val IT TM : 

– Student Book, 2 nd Edition, 2007 

– Caselets, 2 nd Edition, and Teaching Notes, 2007 

– TIBO Case Study, 2 nd Edition, and Teaching Notes, 2007 (Spanish translation 

also available) 

– Presentation, 2 nd Edition, 2007 (35-slide PowerPoint deck on COBIT) 

– Caselets, 3 rd Edition, and Teaching Notes, 2010 

– City Medical Center Case Study, 3 rd Edition, and Teaching Notes, 2010 

• Information Security Using the CISM ® Review Manual and BMIS TM : 

– Caselets, 2010 

– More4Less Foods Case Study, 2010 

– Caselets and More4Less Foods Case Study—Teaching Notes, 2010 

Executive and Management Guidance 

• Board Briefing on IT Governance, 2 nd Edition, 2003 

• Defining Information Security Management Position Requirements: Guidance for 

Executives and Managers, 2008 

• An Executive View of IT Governance, 2008 

• Identifying and Aligning Business Goals and IT Goals: Full Research Report, 2008 

• Information Security Governance: Guidance for Boards of Directors and Executive 

Management, 2 nd Edition, 2006 

• Information Security Governance: Guidance for Information Security Managers, 2008 

• Information Security Governance—Top Actions for Security Managers, 2005 

• IT Governance Domain Practices and Competencies: 

– Governance of Outsourcing, 2005 

– Information Risks: Whose Business Are They?, 2005 

– IT Alignment: Who Is in Charge?, 2005 

– Measuring and Demonstrating the Value of IT, 2005 

– Optimising Value Creation From IT Investments, 2005 

• IT Governance and Process Maturity, 2008 

• IT Governance Roundtables: 

– Defining IT Governance, 2008 

– IT Staffing Challenges, 2008 

– Unlocking Value, 2009 

– Value Delivery, 2008 

• Managing Information Integrity: Security, Control and Audit Issues, 2004 

• Understanding How Business Goals Drive IT Goals, 2008 

• Unlocking Value: An Executive Primer on the Critical Role of IT Governance, 2008 

138 


iSaCa ProfeSSional guidanCe PubliCationS 

Practitioner Guidance 

• Audit/Assurance Programs: 

– Apache TM Web Services Server Audit/Assurance Program, 2010 

– Change Management Audit/Assurance Program, 2009 

– Cloud Computing Management Audit/Assurance Program, 2010 

– Crisis Management Audit/Assurance Program, 2010 

– Generic Application Audit/Assurance Program, 2009 

– Identity Management Audit/Assurance Program, 2009 

– Information Security Management Audit/Assurance Program, 2010 

– IT Continuity Planning Audit/Assurance Program, 2009 

– Microsoft ® Internet Information Services (115) 7 Web Services Server 

Audit/Assurance Program, 2011 

– Mobile Computing Security Audit/Assurance Program, 2010 

– MySQL TM Server Audit/Assurance Program, 2010 

– Network Perimeter Security Audit/Assurance Program, 2009 

– Outsourced IT Environments Audit/Assurance Program, 2009 

– Security Incident Management Audit/Assurance Program, 2009 

– Social Media Audit/Assurance Program, 2011 

– Systems Development and Project Management Audit/Assurance Program, 2009 

– UNIX/LINUX Operating System Security Audit/Assurance Program, 2009 

– VMware ® Server Virtualization Audit/Assurance Program, 2011 

– Windows Active Directory Audit/Assurance Program, 2010 

– z/OS Security Audit/Assurance Program, 2009 

• Creating a Culture of Security, 2011 

• Cybercrime: Incident Response and Digital Forensics, 2005 

• Enterprise Identity Management: Managing Secure and Controllable Access in the 

Extended Enterprise Environment, 2004 

• Information Security Career Progression Survey Results, 2008 

• Information Security Harmonisation—Classification of Global Guidance, 2005 

• Monitoring Internal Control Systems and IT, 2010 

• OS/390—z/OS: Security, Control and Audit Features, 2003 

• Peer-to-peer Networking Security and Control, 2003 

• Risks of Customer Relationship Management: A Security, Control and Audit Approach, 2003 

• Security Awareness: Best Practices to Serve Your Enterprise, 2005 

• Security Critical Issues, 2005 

• Security Provisioning: Managing Access in Extended Enterprises, 2002 

• Stepping Through the InfoSec Program, 2007 

• Stepping Through the IS Audit, 2 nd Edition, 2004 

• Technical and Risk Management Reference Series: 

– Security, Audit and Control Features Oracle ® Database, 3 rd Edition, 2009 

– Security, Audit and Control Features Oracle ® E-Business Suite, 3 rd Edition, 2010 

– Security, Audit and Control Features PeopleSoft, 2 nd Edition, 2006 

– Security, Audit and Control Features SAP ® ERP, 3 rd Edition, 2009 

• Top Business/Technology Survey Results, 2008 



Practitioner Guidance (cont.) 

• White Papers: 

– Cloud Computing: Business Benefits With Security, Governance and Assurance 

Perspectives, 2009 

– Data Leak Prevention, 2010 

– E-commerce and Consumer Retailing: Risks and Benefits, 2010 

– Electronic Discovery, 2011 

– New Service Auditor Standard: A User Entity Perspective, 2010 

– Securing Mobile Devices, 2010 

– Security Information and Event Management: Business Benefits and Security, 

Governance and Assurance Perspectives, 2010 

– Social Media: Business Benefits and Security, Governance and Assurance 

Perspectives, 2010 

– Virtualization: Benefits and Challenges, 2010 

140

Creating a Culture of Security

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?