There are also weak security cultures that encourage and facilitate poor security behaviors. In the best cases, weak cultures will result in bad behaviors with regard to protection, detection, and reaction. In the worst case, some employees will tell other employees not to behave appropriately. For example, they might encourage others not to lock their desks, so people can access their resources. They might encourage or require shared computer accounts and passwords.
So when you consider how culture fits into awareness programs, in essence to improve awareness, you want to improve the culture.
However when I see culture mentioned in the generation of awareness programs, it is typically to determine how to design materials that will be best accepted by the organization. The talk is about how to word materials to best align with organizational lingo, themes, messaging, etc. While it is important to consider those things, the focus should not be to put out information, but how to impact individual behaviors and the overall culture.
As I discussed previously, information should strive to improve behaviors. When enough people change their behaviors, it will change the culture. The culture will in turn drive behaviors. Clearly, awareness practitioners want to provide information to change behavior, and that information should be as influential as possible. The information must however be designed with the specific intent to improve the culture and not to just adhere to it.
To this end, you need to consider that an awareness program should be more than a series of communications. Those are tactics that frequently have minimal effect. If you truly want to integrate culture into your awareness program, you need to consider high-level strategies that accomplish this.
While high-level strategies to improve culture will be the subject of future articles, examples of such strategies include implementing technologies that enforce behaviors, getting management support to promote proper behaviors, and operational enforcement such as having guards look for violations.
Such strategies are frequently beyond the authority and responsibility of most awareness managers. Clearly when these people create and distribute materials, they align with their organizations’ respective cultures. However, the goal must always be to improve behaviors and change the culture.
Sign up for CIO Asia eNewsletters.