Is your Security Awareness Program Culturally Sensitive? (And does it matter?)
A security awareness program is probably the first line of defense against modern threats to IT systems and company data. Although more and more advanced technical measures must always be in place to ensure the detection and, if possible, the prevention of intrusions, it is extremely important for businesses to make sure employees are aware of possible threats and of how some of their actions could result in severe vulnerabilities for their employer.
Companies are already doing much regarding technical barriers and safeguards for the oversight of network activities and to ensure appropriate IT governance integrating information protections from the outset, understanding potential risks, vulnerabilities, and threats associated with today’s technologies. By developing and instituting a security policy for the operation and management of information and communications technology (ICT), systems administrators try to help remove any technical vulnerabilities, backdoors, and systems weaknesses.
Many of today’s intrusions, however, are perpetrated bypassing technical barriers and simply targeting users with social engineering techniques and phishing or, now more frequently, spear phishing e-mails. Since the human component is now a prime target for attacks, it is important that the attention of IT security professionals is focused on employees and managers to help them recognize, prevent and fight intrusion attempts that target humans.
Alongside risk assessment efforts and ICT security policies that provide the technical assurance modern business are required to strive for, companies are asked to provide and emphasize the importance of ongoing training and security awareness programs that can have a role in managing the integrity and privacy of data. All personnel need to be made aware of their responsibilities in ensuring compliance with regulatory demands and commit to addressing security issues related to the confidentiality, integrity and availability (CIA) of the information housed in ICT systems.
Social engineering and spear phishing tactics, just to mention two of the main threats to the human component of the information systems infrastructure, have now become advanced, and it is really difficult sometimes to be able to discriminate between legitimate e-mails and malicious attempts. Security awareness training cannot ensure all attempts are being recognized, but it can surely make certain safer behavior become automatic and help employees recognize the most common signs of foul play. Security awareness, then, is not simple training, but it focuses on actually changing the behavior of users, long-term. It’s focused on making certain behaviors a way of life not just at work but at home and in the user’s personal life in general. Do cultural issues then come into play? Does a security awareness program benefit from being culturally sensitive?
Security awareness training and culture
ICT has impacted human activities in many different ways and has brought benefits especially regarding communication, information sharing and access to resources; it has also led to new ways of doing business in real time. Being so intertwined with users’ lives and activities, the human side needs to be taken into great consideration when devising InfoSec best practices. Creating proper policies for fostering a security aware culture tailored to the beliefs of the users is essential to reduce risks and to prevent incidents.
An organization’s security culture depends on the identification of proper ICT policies based on risk assessment and management, and in taking a holistic view that includes communicating and holding accountable everyone for procedures in place across the organization; it needs to ensure that all essential personnel are aware of how to avoid security-related incidents, as new threats and vulnerabilities, data breaches as well as attack patterns trends are always emerging. It is important for everyone in the business to understand their roles and responsibilities in such situations that often require them to make good judgment decisions quickly. They shall know what to do and what actions to take when a security incident does happen, but they should also be able to recognize signs that something is not right. Therefore, investing in security awareness training is worth the time and money, as it mainly helps to do just that to reduce risk and prevent material losses. All users can become human-centric controls for an effective defense thanks to consistent “security awareness training (SAT),” which can be achieved through both formal and informal programs, that educate every staff members in the workplace to understand the ICT risks and make better security decisions.
The pervasiveness of ICT-based technology and the possibility it gives for speedier information delivery and access to a variety of technological tools and resources enables more and better communication and collaboration. This has allowed businesses to expand beyond their physical location and even beyond national confines while still counting on a united workforce able to communicate as if under the same roof. Having a diverse, dispersed workforce has many advantages but also means that people with different beliefs and cultural backgrounds are brought together and are asked to share common business values and work following common policies and procedures wherever they are. It is obvious then that the awareness training provided to ensure the communication of what these common goals and objectives are, needs to consider national culture as an essential element.
There are some social influences and cultural factors that can affect human behaviors within the ambit of ICT. User perception and organizational culture related to information security must be properly understood to devise efficient and effective processes to protect the technology on which businesses rely to streamline their operations and enhance their capabilities and reach. Although the basic information and patterns of behavior taught in security awareness training are the same across the board, the approach to the awareness training and the way to sensitize employees to the problem have to be tailored and, therefore, must take into considerations the cultural beliefs of the users. Specifically, the national culture should be taken into consideration when designing InfoSec training programs.
Awareness training must strike a chord and focus on what is important and relevant for the user, and on his/her idea of what is his/her role within an organization. This is something that might change from country to country and from people to people. Awareness must become part of a user’s life and has to be tailored to the audience and needs to be culturally sensitive. Security professionals are not just training, they are focusing on changing behaviors and often affect the users’ personal beliefs and customs.
Being culturally sensitive doesn’t mean simply translating content into the local language, but it means to recognize what issues are important to the groups targeted and on what issues or information could a possible intruder leverage to solicit information from employees. In fact, for example, as spear phishing techniques become more advanced, and intruders become smarter in crafting realistic e-mails, they could exploit the eagerness of some employees to respond quickly to a customer inquiry or to comply immediately with a request from an official. In some countries, privacy laws might be stricter, and a request for personal information would quickly flag a potential problem while in other nations, a request coming from a colleague even of the most sensitive nature would be honored without questions.
It is especially important for multinational companies to realize that a one-size fits all program cannot possibly be applied to employees with different beliefs and backgrounds. An information security training program must take into consideration diversity much as any HR or EEO program. According to a study by the Center for Information Systems and Technology, Claremont Graduate University, in “a quantitative study of 177 professionals across 35 national cultures to investigate whether national culture influences InfoSec training and best practices using Hofstede’s six cultural dimensions, […] findings indicate that training programs should more directly address the variances in perception of InfoSec across cultures. These training programs should also reflect the significance of the organization’s InfoSec policies in the context of the local employee while maintaining unified corporate governance. By increasing training comprehension, organizations can reduce security incidents resulting from unintentional policy violations and, in turn, avoid costly remediation efforts.”
Cultural differences need to be well understood in advance, so that organizations can tailor their security awareness training (SAT), specific to IS/IT, to ensure the human element is taken into consideration with all its facets, from personal to national beliefs. Making the program specific can aid comprehension of aspects of security, privacy, integrity of content and right of access to data in a way that doesn’t conflict with habits and convictions of personnel or established local practices.
[download]Download the BEST PRACTICES FOR DEVELOPING AN ENGAGING SECURITY AWARENESS PROGRAM whitepaper[/download]
Although it is paramount that an InfoSec training program addresses the compliance with across-the-board company policies and issues affecting confidentiality, integrity and availability – the CIA principles in information security – of digital works, it needs to consider supporting a multicultural approach in harmony with national policies and the local cultures’ best practices, as security principles and awareness tips needs to be fostered in the user’s personal life in general, as a way of life not just at work but at home too.
The study by the Center for Information Systems and Technology, Claremont Graduate University shows that “Increasing globalization trends and the decreasing costs of technologies and communication make global expansion a viable solution for many information technology (IT) organizations. It is crucial for companies with multiple worldwide locations to take an intercultural perspective to address employee needs and attitudes towards information security (InfoSec) training programs and compliance with InfoSec best practices. If cultural differences are well understood in advance, the organization can tailor its security training to increase comprehension and adoption by a global workforce.”
In an era of fast-paced technology and globalization, cultural diversity is a factor that requires attention. Influenced by their culture values, people become selective in the way they perceive and respond to matters. Cultural diversity within and between cross-cultural groups cannot be overlooked, rather managed effectively to optimize the positive outcomes of any attempt at providing awareness training in a variety of topics. This is especially important when involving employees in IT security awareness training, a type of training that requires changing habits and reactions of employees to situations. This is because many malicious hackers’ tactics focus on targeting the users to gain access to the entire IT infrastructure and threaten the security of the ICT.
The purpose of security awareness training and developing IT-related policies and procedures within organizations is to “strengthen the human defense security link that guards an organization’s information assets,” points out Glenda Rotvold in a post written for ARMA International Publication Information Management Journal. Strengthening the human defense security link requires communicating in culturally-sensitive ways the importance of awareness, the role each user has and what are the behaviors that will likely safeguard systems from intrusion attempts. SAT will vary across cultural dimensions, which is why it is important to address this issue.
Derbyshire County Council. (n.d.). Derbyshire County Council ICT Security Awareness Procedures. Information Security Document, Version 5.0. Retrieved from https://www.derbyshire.gov.uk/images/ICT%20Security%20Awareness%20Procedures_tcm44-157185.doc.
Nataatmadia, I., & Dyson, L. E. (2005). Managing the Modern Workforce: Cultural Diversity and Its Implications. Retrieved from http://www.irma-international.org/viewtitle/32666/
Parsons, K., McCormac, A., Butavicius, M., & Ferguson, L. (2010, October). Human Factors and Information Security: Individual, Culture and Security Environment. Retrieved from http://www.dtic.mil/dtic/tr/fulltext/u2/a535944.pdf
Plachkinova, M., & Andrés, S. (2015). Improving Information Security Training: An Intercultural Perspective. Retrieved from http://aisel.aisnet.org/cgi/viewcontent.cgi?article=1089&context=pacis2015
Rotvold, G. (2008). How to Create a Security Culture in Your Organization. Retrieved from http://content.arma.org/IMM/NovDec2008/How_to_Create_a_Security_Culture.aspx
Stahl, S. (2005). Beyond Information Security Awareness Training: It’s Time to Change the Culture. Retrieved from https://citadel-information.com/wp-content/uploads/2010/12/Beyond-Awareness-Training-Its-Time-to-Change-the-Culture-Stahl-0504.pdf
Westrup, C., Al-Jaghoub, S., El-Sayed, H. & Liu, W. (2002, July). Taking Culture Seriously: ICTs, Cultures and Development. Retrieved from http://heim.ifi.uio.no/~systarb/in460/doc/bangelorebookchapter.doc