Security Awareness Maturity Model

I'm beginning to notice a trend within the world of security awareness: different groups of people talking about changing behaviors vs. changing culture. Some people talk as if they are separate projects or even separate goals. While they are different, they are very much related. Behaviors are the actions or manners of individuals within an environment. To learn more about behavior and changing behaviors, I highly recommend the BJ Fogg Behavior Model.

Culture is a bit more squishy: it is the attitudes, beliefs and behavioral norms of a group. So which one is more important, and what should you be focusing on? Ultimately both, but you want to start with behaviors first. In fact, you will notice that in the Security Awareness Maturity Model we list behaviors first. Why is that? Why don't we just focus on culture? There are several reasons for this.

  1. Ultimately, it is behavior that secures an organization, not culture. If you have a strong security culture, people will believe in the need for security and the importance of their role, but do they still know what behaviors they need to exhibit? They may think they should be locking the door to their car, when in reality the fact that their mobile device has no passcode is a far larger issue. Ultimately behaviors secure the organization, not culture; it is just much easier to create and maintain secure behaviors in a strong security culture.
  2. You can change behavior in days, but it takes years to change culture. John Kotter explains in his book "Leading Change" that for people to believe in change, they have to see their behaviors have a positive impact. When people see how phishing training helps them detect attacks, when they see how a passcode protects their lost phone, they start believing in security. As a result, their attitudes and beliefs change. Ultimately, to change culture you need to first start changing behaviors.

For a truly mature awareness program, you want to ensure you are not only changing behaviors but also changing culture (and have a metrics framework to measure both). These goals are highly related, but to get there you have to start with behaviors first.