
Creating a Culture of Security

by Steven J. Ross, Risk Masters



ISACA®
With 95,000 constituents in 160 countries, ISACA (www.isaca.org) is a leading global provider
of knowledge, certifications, community, advocacy and education on information systems (IS)
assurance and security, enterprise governance and management of IT, and IT-related risk and
compliance. Founded in 1969, the nonprofit, independent ISACA hosts international conferences,
publishes the ISACA® Journal, and develops international IS auditing and control standards,
which help its constituents ensure trust in, and value from, information systems. It also advances
and attests IT skills and knowledge through the globally respected Certified Information Systems
Auditor® (CISA®), Certified Information Security Manager® (CISM®), Certified in the Governance
of Enterprise IT® (CGEIT®) and Certified in Risk and Information Systems ControlTM (CRISCTM)
designations. ISACA continually updates COBIT®, which helps IT professionals and enterprise
leaders fulfill their IT governance and management responsibilities, particularly in the areas of
assurance, security, risk and control, and deliver value to the business.

Disclaimer
ISACA has designed and created Creating a Culture of Security (the “Work”) primarily as an
educational resource for security professionals. ISACA makes no claim that use of any of the
Work will assure a successful outcome. The Work should not be considered inclusive of any
proper information, procedures and tests or exclusive of other information, procedures and tests
that are reasonably directed to obtaining the same results. In determining the propriety of any
specific information, procedure or test, security professionals should apply their own professional
judgment to the specific circumstances presented by the particular systems or information
technology environment.

Reservation of Rights
© 2011 ISACA. All rights reserved. No part of this publication may be used, copied, reproduced,
modified, distributed, displayed, stored in a retrieval system or transmitted in any form by any
means (electronic, mechanical, photocopying, recording or otherwise) without the prior written
authorization of ISACA. Reproduction and use of all or portions of this publication are permitted
solely for academic, internal and noncommercial use and for consulting/advisory engagements and
must include full attribution of the material’s source. No other right or permission is granted with
respect to this work.

ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
E-mail: info@isaca.org
Web site: www.isaca.org

ISBN 978-1-60420-183-3

CRISC is a trademark/service mark of ISACA. The mark has been applied for or registered in
countries throughout the world.

Acknowledgments
ISACA wishes to recognize:
Development Team
Steven J. Ross, CISA, CBCP, CISSP, Risk Masters, Inc., USA, Author
Jo Stewart-Rattray, CISA, CISM, CGEIT, CSEPS, RSM Bird Cameron, Australia, Chair
Christos Dimitriadis, Ph.D., CISA, CISM, INTRALOT S.A., Greece
Wendy Goucher, Idrach Ltd., UK
Norman Kromberg, CISA, CGEIT, Alliance Data, USA
Finn Olav Sveen, Ph.D., Gjøvik University College, Norway
Vernon Poole, CISM, CGEIT, Sapphire, UK
Rinki Sethi, CISA, eBay, USA

Expert Reviewers
Sanjay Bahl, CISM, Microsoft Corp. (India) Pvt. Ltd., India
Garry Barnes, CISA, CISM, CGEIT, Commonwealth Bank of Australia, Australia
Krag Brotby, CISM, CGEIT, NextStepInfoSec, USA
Meenu Gupta, CISA, CISM, CBP, CIPP, CISSP, Mittal Technologies, USA
Mark Lobel, CISA, CISM, CISSP, PricewaterhouseCoopers LLP, USA
Naiden Nedelchev, CISM, CGEIT, Mobiltel EAD, Bulgaria
Ramesan Ramani, CISM, CGEIT, Paramount Computer Systems, UAE
Christophe Veltsos, Ph.D., CISA, CIPP, CISSP, GCFA, Minnesota State University, Mankato, USA

ISACA Board of Directors
Emil D’Angelo, CISA, CISM, Bank of Tokyo-Mitsubishi UFJ Ltd., USA, International President
Christos K. Dimitriadis, Ph.D., CISA, CISM, INTRALOT S.A., Greece, Vice President
Ria Lucas, CISA, CGEIT, Telstra Corp. Ltd., Australia, Vice President
Hitoshi Ota, CISA, CISM, CGEIT, CIA, Mizuho Corporate Bank Ltd., Japan, Vice President
Jose Angel Pena Ibarra, CGEIT, Alintec S.A., Mexico, Vice President
Robert E. Stroud, CGEIT, CA Technologies, USA, Vice President
Kenneth L. Vander Wal, CISA, CPA, Ernst & Young LLP (retired), USA, Vice President
Rolf M. von Roessing, CISA, CISM, CGEIT, Forfa AG, Germany, Vice President
Lynn C. Lawton, CISA, FBCS CITP, FCA, FIIA, KPMG Ltd., Russian Federation,
Past International President
Everett C. Johnson Jr., CPA, Deloitte & Touche LLP (retired), USA, Past International President
Gregory T. Grocholski, CISA, The Dow Chemical Co., USA, Director
Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, Queensland Government,
Australia, Director
Howard Nicholson, CISA, CGEIT, CRISC, City of Salisbury, Australia, Director
Jeff Spivey, CPP, PSP, Security Risk Management, USA, ITGI Trustee

Guidance and Practices Committee
Kenneth L. Vander Wal, CISA, CPA, Ernst & Young LLP (retired), USA, Chair
Kamal N. Dave, CISA, CISM, CGEIT, Hewlett-Packard, USA
Urs Fischer, CISA, CRISC, CIA, CPA (Swiss), Switzerland
Ramses Gallego, CISM, CGEIT, CISSP, Entel IT Consulting, Spain
Phillip J. Lageschulte, CGEIT, CPA, KPMG LLP, USA
Ravi Muthukrishnan, CISA, CISM, FCA, ISCA, Capco IT Service India Pvt. Ltd., India
Anthony P. Noble, CISA, CCP, Viacom Inc., USA
Salomon Rico, CISA, CISM, CGEIT, Deloitte, Mexico
Frank Van Der Zwaag, CISA, Westpac New Zealand, New Zealand


Acknowledgments (cont.)
ISACA and IT Governance Institute® (ITGI®) Affiliates and Sponsors
American Institute of Certified Public Accountants
ASIS International
The Center for Internet Security
Commonwealth Association for Corporate Governance Inc.
FIDA Inform
Information Security Forum
Information Systems Security Association
Institut de la Gouvernance des Systèmes d’Information
Institute of Management Accountants Inc.
ISACA chapters
ITGI Japan
Norwich University
Solvay Brussels School of Economics and Management
University of Antwerp Management School
ASI System Integration
Hewlett-Packard
IBM
SOAProjects Inc.
Symantec Corp.
TruArx Inc.

Table of Contents
Preface............................................................................................................................... 9
Endnotes....................................................................................................................... 9

1.0 Introduction............................................................................................................. 11
1.1 Hard and Soft Security....................................................................................... 13
1.2 Whose Culture Is It?............................................................................................. 15
Endnotes..................................................................................................................... 15

2.0 A Culture of Security in Context......................................................... 17
2.1 Doing vs. Believing............................................................................................ 17
2.1.1 Ambiguity and Inconsistency.................................................................. 18
2.2 Culture in Context.............................................................................................. 18
2.2.1 Societal Culture and Security ................................................................. 20
2.2.2 Organizational Culture and Security....................................................... 21
2.2.3 Personal Culture and Security.................................................................. 22
2.3 Security in the Context of Culture.................................................................... 24
2.3.1 Security as the Basis of Trust.................................................................. 26
2.3.2 Security in the Prevention of Fraud and Misuse of
Information Resources...............................................................................28
2.3.3 Security and Risk Mitigation................................................................... 29
2.3.4 Security as a Strategic Driver.................................................................. 32
2.3.5 Security in Systemic Terms..................................................................... 34
Endnotes..................................................................................................................... 35

3.0 The Benefits of a Culture of Security................................................. 39
3.1 The Benefits of Trust......................................................................................... 40
3.1.1 Internal Trust............................................................................................. 42
3.1.2 External Trust............................................................................................ 43
3.2 The Benefits of Consistency.............................................................................. 45
3.2.1 Valuing Information................................................................................. 46
3.2.2 Exception Processes.................................................................................. 47
3.2.3 Risk Management..................................................................................... 47
3.2.4 Predictability.............................................................................................. 48
3.2.5 Standardization.......................................................................................... 49
3.3 Improved Ability to Manage Risk.................................................................... 50
3.4 Improved Return on Security Investment........................................................ 51
3.5 Compliance With Laws and Regulations......................................................... 53
3.6 Shareholder/Citizen Value................................................................................. 54
Endnotes..................................................................................................................... 55


4.0 Inhibitors to a Culture of Security...................................................... 57
4.1 Societal Culture.................................................................................................. 58
4.2 Lack of Organizational Imperatives................................................................. 59
4.3 Unclear Requirements........................................................................................ 60
4.4 Insufficiency of Awareness Alone.................................................................... 61
4.4.1 Comprehension of Risk............................................................................ 62
4.4.2 The Personal Experience of Security...................................................... 62
4.5 Systemic Shortcomings...................................................................................... 64
4.5.1 Inability to Detect Variances From Policy and Culture........................ 66
4.5.2 Inability to Monitor and Enforce Compliance With the Culture.......... 67
4.6 Lack of Rewards................................................................................................. 68
4.6.1 Security Professionals............................................................................... 69
4.6.2 Lack of Metrics......................................................................................... 69
4.6.3 Failure to Measure Risk........................................................................... 70
4.6.4 Lack of Incidents....................................................................................... 71
4.6.5 No Financial Connection.......................................................................... 71
4.7 What Is in It for Me?.......................................................................................... 72
4.7.1 Budget........................................................................................................ 72
4.7.2 Influence.................................................................................................... 73
4.7.3 Management Attention............................................................................. 73
4.7.4 Personal Regard........................................................................................ 73
Endnotes..................................................................................................................... 74

5.0 Creating an Intentional Culture of Security...................................... 75
5.1 Changing Perceptions of Security..................................................................... 76
5.1.1 Branding Security..................................................................................... 77
5.1.2 Educating About Security........................................................................ 80
5.2 The People Who Make the Culture.................................................................. 81
5.2.1 Intentionality.............................................................................................. 82
5.2.2 Finding the Champion.............................................................................. 83
5.2.3 Objects of a Security Culture................................................................... 84
5.3 Attributes of a Security Culture........................................................................ 85
5.3.1 Security Champions.................................................................................. 85
5.3.2 Budget for Security................................................................................... 86
5.3.3 Broad Accountability................................................................................ 87
5.3.4 Awareness and Education........................................................................ 88
5.3.5 Policies, Standards and Guidelines......................................................... 88
5.3.6 Go/No-go Decisions................................................................................. 89
5.3.7 Rewards...................................................................................................... 90
5.3.8 Rigorous Response to Breaches............................................................... 90
5.3.9 Satisfied Customers.................................................................................. 91
Endnotes..................................................................................................................... 92

6.0 Positive Reinforcement.......................................................................................... 93
6.1 Alignment of Information Security and Business Objectives........................ 94
6.1.1 Security as an Obstacle............................................................................. 94
6.1.2 Strategic Necessity.................................................................................... 95
6.1.3 Risk Management..................................................................................... 96
6.1.4 Security Procedures Embedded in Daily Operations............................. 98
6.1.5 Management Reward Structure............................................................... 99
6.2 Balance.............................................................................................................. 100
6.2.1 The Burden on Security Professionals ................................................. 100
6.2.2 The Burden on the Enterprise................................................................ 102
6.3 Convergence of Security Roles....................................................................... 103
6.4 Automated Cultural Tools............................................................................... 104
6.4.1 An Architecture for a Security Culture................................................. 106
6.5 Stakeholder Feedback...................................................................................... 109
Endnotes................................................................................................................... 110

7.0 Negative Reinforcement....................................................................... 113
7.1 Perverse Incentives........................................................................................... 114
7.2 Vigilance........................................................................................................... 115
7.2.1 What to Watch......................................................................................... 115
7.2.2 Who Should Watch................................................................................. 117
7.3 Automated Detection........................................................................................ 118
7.4 Alerts, Alarms and Triggers............................................................................ 119
7.4.1 Alerts........................................................................................................ 119
7.4.2 Alarms...................................................................................................... 121
7.4.3 Triggers ................................................................................................... 122
7.5 When All Else Fails......................................................................................... 123
7.5.1 Penalties................................................................................................... 125
7.5.2 Defiance................................................................................................... 126
7.5.3 Career Impact.......................................................................................... 126
Endnotes................................................................................................................... 127

8.0 How Good Is Good Enough?.............................................................. 129
8.1 Getting There.................................................................................................... 131
8.1.1 Establish the Need for Change.............................................................. 132
8.1.2 Communicate the Desired Vision.......................................................... 133
8.1.3 Achieve Initial Objectives...................................................................... 133
8.1.4 Strike a Balance...................................................................................... 134
8.1.5 Institutionalize the Intentional Security Culture.................................. 134
8.1.6 Sustain the Intentional Security Culture............................................... 134
8.2 Conclusion......................................................................................................... 135
Endnotes................................................................................................................... 136

ISACA Professional Guidance Publications.......................................................... 137


Preface
In October 2010, ISACA published The Business Model for Information Security
(BMIS). The model takes a business-oriented approach to managing information
security, building on the foundational concepts developed by the association. It
utilizes systems thinking to clarify complex relationships within the enterprise and,
thus, to more effectively manage security.1

One of the findings of the BMIS study was that an intentional culture of security2
was the primary objective for the model, as applied to information security.3 The
intentionality of security must be emphasized. Implicit in the use of “intentional”
is that enterprises—companies in the private sector, agencies in the public
sector—do not, for the most part, have an effective culture of security, one
that supports the protection of information while also supporting the broader
aims of the enterprise. They must take active, directed steps to improve it. All
enterprises have a culture of security. In most cases, it lacks intentionality and is
inconsistent to the extent that it exists at all; in others, it is robust and guides the
daily activities of employees and others who come in contact with the enterprise.
Most important, those enterprises with a stronger culture of security may not have
created it purposefully; the existence of meaningful security is so clearly aligned
with the mission of the business that management did not need to apply intentional
measures. Understanding whether the culture was created in a purposeful manner or
by “accident” is critical to sustaining the culture in the long run.

This volume is dedicated to all those who recognize the importance of security
and who strive to achieve it. They may feel that their enterprises have given lip
service to security, but do not actually have the firmness and resolution of purpose
to receive the full value of the investments made in security. The people they work
with say the right things, often do the right things and even pay for the right things,
but the information with which they carry out their responsibilities is not really
secure. They want to achieve a meaningful, intentional security culture. It is the
purpose of this volume to suggest the way to do it.

Endnotes
1 ISACA, The Business Model for Information Security (BMIS), USA, 2010
2 Throughout this volume, it is assumed, but not stated, that “security” refers to the
security of information resources. If a differentiation is required, it is specified,
e.g., physical, personnel or operations security.
3 ISACA, An Introduction to the Business Model for Information Security, 2009, p. 12

1.0 Introduction
My management just does not “get” information security!

Our information security department keeps getting more tools, but as a
senior executive, I do not think we are any more secure.

Security policy is one thing. Reality is another.

Sure, I support security, but if there is going to be a company to secure,
departments like mine need to make money.

I am so overwhelmed with all the passwords I have to remember; I just
write them down and leave them next to my computer.

I know that I am not supposed to have access to this information, but
I was granted authorization in my old position and just kept it when I
was transferred.

Management has authorized acquisition of monitoring tools, but they
did not give me any budget for people to do the monitoring.

All the information security people do is say “no.” They should learn
the way this business really works.

All of these comments, and many more like them, are heard in enterprise after
enterprise around the world. Often enough, all of these statements may be heard
in the same enterprise, although they do seem mutually contradictory. How can
it be that senior management funds an information security function; provides it
with the latest, most effective tools; and backs those tools with a definitive security
policy, but still does not feel that the enterprise’s information is secure? In fact,
there is sufficient evidence that it is not secure. Somewhere within the workings
of the company or government agency, something that should be happening is not
happening. Someone—or many people—is not effectively supporting security.

The missing element is a culture of security, defined in BMIS as a pattern of
behaviors, beliefs, assumptions, attitudes and ways of doing things. It is emergent
and learned, and it creates a sense of comfort. Culture evolves as a type of shared
history as a group goes through a set of common experiences. Those similar
experiences cause certain responses, which become a set of expected and shared
behaviors. These behaviors become unwritten rules that, in turn, become norms
that are shared by all people who have that common history. It is important to
understand the culture of the enterprise because it profoundly influences what
information is considered, how it is interpreted and what will be done with it.1

Note the importance of the terms used in the definition from BMIS:
• Pattern—Not just intermittent, but continuous
• Behaviors—The way people act and not what they say they intend to do
• Beliefs—The core principles that people bring to the world of business
• Assumptions—The personal and societal expectations about information and its
protection that bind beliefs and behaviors
• Attitudes—The perspectives on security that are ingrained in people based on
previous experience
• Ways of doing things—The security procedures embedded in day-to-day
operations

A culture arises whenever two or more people are engaged in a common endeavor.
In a business setting, there is a pattern of behaviors, beliefs, assumptions, attitudes
and ways of doing things that constitute a corporate culture. To the extent that
information is a part of that business, there is a component that is a security
culture. It may be weak, ineffective, disorganized, contradictory, unrecognized and
haphazard, but it exists. A security culture exists in every enterprise. It is preferable
that a culture of security be strong, effective, well-organized, consistent and
supportive of the intentions of those in an enterprise who recognize that security is
a strategic attribute and contributes to the overall health of the enterprise. That is,
supposedly, the intention of management.

Even in enterprises in which there are many of the components of security—staff,
software, hardware, procedures, policies and standards—without a culture to bind
them to the overall corporate culture, the best that can be hoped for is mechanistic
compliance with the routine requirements of protecting information. It will be
the minimum security that the enterprise can tolerate—meaning it is something
that must be endured or accepted grudgingly. It will not be the degree of security
appropriate to that enterprise, in the context of the way it does business in its
industry or with its customers or where it is located in the world. Security without
culture is insufficient security.

Achievement of that level of security will not happen by itself—self-generated
and unsystematically. It requires people of good intent to take both positive and
punitive measures to strengthen a security culture to a desired level, the level
that management intends it to be or should be in the opinion of organizational
leadership. For that reason, this volume is focused on the development of an
intentional security culture. Yes, a culture of security always exists, but an
intentionally strong, effective and resilient security culture requires work, both to
build and maintain it.


An enterprise that recognizes that it does not operate with an effective culture of
security, but that wishes to create one, must establish a systemic viewpoint across
the enterprise with regard to the protection of information. It must reconcile all the
contradictory impulses within the enterprise that inhibit the growth of security. A
culture cannot be effected quickly, as may the mechanics of security. There is no
appliance to install or software to implement. It involves the creation of a mindset
among the people who make up the enterprise and among those with whom it
comes in contact—vendors, customers, other stakeholders and the society at large.
That mindset, the outlook and attitudes that drive behavior, is the substance of a
culture, one that must be implanted, nurtured and accepted gradually. It cannot be
imposed from above, although organizational leadership can lead the way.

Once established, an intentional culture of security tends to be forgotten—not the
culture itself, but the intentionality of it. At that point, certain behaviors are intrinsic
to the enterprise’s way of doing business. For example, in the private sector, there
is no need for an intentional culture of sales; sales teams sell products because that
is what they do. It is simply recognized that, without sales, there is no business,
and people act accordingly. An exaggerated sales culture can be disadvantageous to
customer service, profit or security. In extreme cases, a sales culture can overwhelm
ethics and legality. In the same way, a culture of security that is too heavy could
be an impediment to growth or mission achievement. A heavy security culture
could be a business disabler if not properly aligned with the organizational mission
and business functions. It must fit comfortably within the overall culture of the
enterprise and become so habitual that it is barely noticed.

1.1 Hard and Soft Security

It is a fallacy to consider the technology and mechanics of security as being hard,
while considering those aspects that deal with human factors such as planning,
management, motivation and reward as the soft side of security. The word “hard”
has several connotations: impenetrability, difficulty, firmness, factuality, realism
and strictness. In all these senses, it is the development of a culture of security that
is hard:
• To be impenetrable, a culture of security must adapt to changing environments
and contexts as businesses expand or contract, personnel come and go,
management organizes and reorganizes, and technologies foster and inhibit
innovation. No technology is impenetrable, precisely because all technologies are
implemented by people. The effectiveness of any implementation is based on the
thoroughness and consistency of those who carry it out—in other words, by the
culture in which they do so.
• For those without it, technical skill can be hard to come by, but it can be taught
and it can be learned. A culture must arise and be lived. The latter is far more
difficult than the former.

• Technology may seem firm and unbending: A software package will always do
as it is told and a piece of equipment will always work the same way—until they
do not. Software and hardware are engineered artifacts, all of which have defects.
Of course, a culture may be defective as well, but it is much more likely to bend
and adapt than to break.
• Similarly, technology is not always factual. Just because a machine produces a
result does not mean that it is the right result. A sound culture must be based on
facts: the way people actually work, the value of the information with which they
work and their contradictory impulses that must be accommodated.
• It is odd to think of facts as hard and opinions and emotions as soft when the
reality is that many, if not most, people act on the stimuli of their emotions and
opinions and not on the harsh reality before them. A culture of security can be
used to align opinions across an enterprise much more realistically with the risks
of its business and the environment in which it operates.
• A culture of security is precisely as strict as a given enterprise wants it to be.
There are some types of enterprises, such as national intelligence agencies or
banks, in which security is strictly observed. This did not occur haphazardly, but
was a natural consequence of business drivers that include profit and customer
service, to be sure, but also managed risk, achievement of organizational mission
and ethics.

There are other connotations of security that a culture must be established to
counter. Security should not be oppressive, unrelenting, resentful or troublesome.
Security must not be allowed to be considered adverse to mission achievement;
where that is so, there is clear evidence that security is a weak part of the overall
corporate culture. It has allowed security to be seen as prohibition rather than
enablement. Among the rationales for a culture of security is the alignment of
security with the business as a whole. The negativity often associated with
security—locks, barricades, punishment, etc.—undermines its effectiveness. A
culture of security is necessary to overcome obstacles of those sorts.

A culture of security may be seen as soft because it is less tangible, but fuzziness
should not be confused with inaccuracy. Culture deals with perceptions, estimations,
preponderances and directions and not with the orderly array of numbers that is
found, for example, in accounting or finance. However, perceptions and directions
are often the indicators of reality, more so than the seemingly hard numbers that on
closer inspection—or revelation—may be seen as a smokescreen designed to obscure
reality. A culture determines what an enterprise actually does about security (or any
other objective, for that matter) and not what it says that it intends to do.

1.2 Whose Culture Is It?

A culture of security does not belong to an information security department any
more than an ethical culture belongs to a legal department. A culture is generalized
across an enterprise—among executive management and a board of directors;
management and staff; revenue producers and their back office; and salespeople,
computer operators, cleaning staff, etc. It is the organizational zeitgeist, the spirit of
the times in which an enterprise operates. It is capable of change, and it is affected
by the composition of the enterprise itself.

Certain functions—such as information security, internal audit, risk management
and corporate security, to name a few—may well have a more leading role in
crafting the culture. These functions exist and are rewarded for being aware of the
need for security and generally being favorable to stronger controls. There is a
trap in perceiving these functions as the owners of a culture of security, as though
excusing other personnel from having to pay attention to it. To the extent that some
are more committed to security than others, a balance must be achieved. However,
all who would wish to be part of an enterprise must adapt to its culture and no one
can afford to stand apart and still thrive. A culture of security is and must be a
joint endeavor.

2.0 A Culture of Security in Context

A culture of security is a pattern of behaviors, beliefs, assumptions, attitudes and
ways of doing things that promotes security. As enterprises operate across nations,
they observe that there are multiple levels of culture—national culture, industry
culture, organizational culture, functional and departmental culture, professional
culture, and the culture of cliques and factions. What, then, is secure behavior? What does
it mean to believe in security? What assumptions and attitudes lead to security,
and which need to be suppressed if security is to be achieved? Is there a single,
ordained way of doing things that promotes security, with all others undermining
security to some greater or lesser degree?

The answer to these and many more questions that are raised in this volume is
context. A culture of security fits within a much broader context of how a society
interacts; how an enterprise works; and the moral, ethical, political and economic
belief systems of the individual who is a part of that culture. No one set of behaviors
can be extracted from its context and shown to be secure, or insecure, for that
matter. Even more bedeviling, certain patterns of behavior may be secure in routine
circumstances, but become less so in times of crisis. For example, a help desk may
usually respond to callers on a first-come, first-served basis, but needs to react
aggressively without respect to the order of calls when a network is under attack.

2.1 Doing vs. Believing

Does a person have to believe in security to act securely? What, in fact, does it
mean to believe in security? Security is not a religion, so where does belief enter the
discussion? It may be fair to ask for two lists, one of secure practices and another of
dangerous ones. If everyone followed the first and eschewed the second, would that
not create security? Indeed, there is a place for those lists: They are called policy,
standards, guidelines and procedures, which relate the way an enterprise is to go
about its mission. Rules have exceptions, and the people who follow them are not
robots. Judgment; comprehension; and, yes, beliefs enter into the way things actually
work, as opposed to how they are supposed to work.

It is insufficient simply to do what is required because those crafting the requirements
are unable to foresee all of the situations in which they are to be applied and there
are exceptions to the rules best left to those who apply them. There needs to be an
understanding on the part of those acting on the policies as to why they were written,
for whom they were intended and what the intent of the writers was at the time they
were written. It is to be expected that those who issue the policies would be more
conscious of and diligent in adhering to the policies than those who receive them.
For the few to achieve their objectives through the efforts of many, they need to
convey the rationale behind the policies to their constituencies. In short, they must
communicate a systematic viewpoint that drives the policies and that, in turn, is so
conditioned by the way the policy writers have internalized the need for security that
it may accurately be described as a pattern of beliefs.

2.1.1 Ambiguity and Inconsistency

A simple, prescriptive model for developing a secure enterprise also breaks down
in the face of the many ambiguities and inconsistencies inherent in the word
“security.” Everyone wants to be secure, but not always at the cost of comfort,
flexibility, efficiency or timeliness. Security is a desired state, but not at any
price. It does not come risk-free. In fact, true security implies the acceptance of
a reasonable level of risk, which only raises the importance of who determines
the reasonability of any set of decisions or actions. No set of policies, standards,
guidelines or procedures can foresee all the circumstances in which they are to be
interpreted. At that point, it is the interpreter who is making the rules, and if that
person is not grounded in a culture of security, it is doubtful that the proper course
of action will be taken.

Moreover, there are inherent internal contradictions in the definition of “security”
that defy easy interpretation. For example, access control and privacy are two
aspects of security. Access control demands that the attributes and actions of
each user be known, while privacy demands that these be obscured.1 The balance
between these conflicting imperatives is an essential part of a security culture.
Frustrating as it may be, there will always be ambiguity in any culture, including
one of security. It must deal with the contradictions, shortcomings and just plain
silliness that are a part of the human condition. In attempting to overcome this
ambiguity, many turn to automation. If security is needed, at least in part, to control
technology, what better tool than technology to achieve the objective? Sadly, this is
circular reasoning; philosophers and mathematicians have shown that no system can
be validated within itself.2 In other words, technology will always reach a point at
which it cannot secure itself.
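
To make the tension between access control and privacy concrete, here is an added example in Python; it is not from the ISACA text or from BMIS. It assumes a constructed file server whose access log must record which actor did what (the accountability that access control demands) while keeping the person's identity out of the routinely readable log (the obscurity that privacy demands): user identifiers are replaced with keyed HMAC pseudonyms, and only the holder of a separate re-identification key can map a token back to a person. The user names, key, resources and events are constructed for illustration.

```python
"""Pseudonymized access log: accountability without exposing identity.

Added example, not from the ISACA text. Everything below (users, key,
resources, events) is constructed for illustration.
"""
import hashlib
import hmac
import json
from collections import Counter

# Constructed re-identification key. In a real deployment it would be held by a
# separate role (e.g. a privacy officer) and never by routine log readers.
REIDENT_KEY = b"constructed-example-key-not-for-real-use"


def pseudonym(user_id: str, key: bytes = REIDENT_KEY) -> str:
    """Keyed, deterministic pseudonym for a user identifier.

    Same user and key -> same token, so actions stay linkable to one actor
    (accountability); without the key the token cannot be mapped back to a
    person (privacy).
    """
    return hmac.new(key, user_id.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def log_access(user_id: str, resource: str, action: str, allowed: bool, ts: str) -> str:
    """Produce one JSON log line that records the action but not the identity."""
    record = {
        "ts": ts,
        "actor": pseudonym(user_id),
        "resource": resource,
        "action": action,
        "allowed": allowed,
    }
    return json.dumps(record, sort_keys=True)


def actors_with_repeated_denials(log_lines, threshold: int = 3):
    """Detection over the pseudonymized log: tokens with >= threshold denied actions.

    A routine log reader can run this without learning who the actors are.
    """
    denials = Counter()
    for line in log_lines:
        rec = json.loads(line)
        if not rec["allowed"]:
            denials[rec["actor"]] += 1
    return sorted(tok for tok, n in denials.items() if n >= threshold)


def resolve(token: str, directory, key: bytes = REIDENT_KEY):
    """Controlled re-identification: needs both the key and the user directory."""
    for uid in directory:
        if hmac.compare_digest(pseudonym(uid, key), token):
            return uid
    return None


# Constructed sample events: one user is repeatedly denied access to payroll data.
SAMPLE_EVENTS = [
    ("alice", "hr/payroll.xlsx", "read", True, "2011-03-01T09:00:00Z"),
    ("bob", "hr/payroll.xlsx", "read", False, "2011-03-01T09:01:00Z"),
    ("bob", "hr/payroll.xlsx", "read", False, "2011-03-01T09:01:30Z"),
    ("bob", "hr/salaries.pdf", "read", False, "2011-03-01T09:02:00Z"),
    ("carol", "sales/q1.csv", "write", True, "2011-03-01T09:05:00Z"),
]
DIRECTORY = ["alice", "bob", "carol"]


def demo():
    """Flag repeated denials on the anonymous log, then resolve them with the key."""
    lines = [log_access(*e) for e in SAMPLE_EVENTS]
    flagged = actors_with_repeated_denials(lines)
    return [(tok, resolve(tok, DIRECTORY)) for tok in flagged]


if __name__ == "__main__":
    for line in (log_access(*e) for e in SAMPLE_EVENTS):
        print(line)
    print("flagged:", demo())
```

The tokens are deliberately linkable (one user always yields one token), which is what accountability and detection need; the privacy gain rests entirely on keeping the re-identification key with a role distinct from routine log readers, which is an organizational decision, not a technical one. Run the file directly to print the sample log lines and the flagged actor.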

Thus, a culture of security guarantees neither an absence of breaches nor freedom
from error. It is not the cause of security, but rather a necessary context in which
security can be fostered and accepted. It is foundational to the achievement of
security without any preceding understanding of what security is or demands. The
culture does not create security, but true security cannot be created in the absence
of a supportive culture.

2.2 Culture in Context

Enterprises are organic. That is, all enterprises, beyond the most rudimentary, are
a systematic coordination of many discrete and interacting parts. For example, in a
commercial business, there are those who create a product, those who sell it, those
who record and administer the money made, those who control the process, and
those who manage the enterprise as a whole. Each is driven by its own dynamics;
all are working together toward a common goal—or at least should be doing so.
The values, assumptions and attitudes that underlie those goals are referred to as the
“corporate culture” that forms a unifying whole for the enterprise and provides the
context within which events are viewed and understood.

Unfortunately, each part of an enterprise sometimes becomes so captivated by its
own imperatives, direction, rewards and penalties that the enterprise’s common,
unitary culture becomes submerged beneath the siloed cultures of departments,
locations, functions or professions. In some cases, the competing cultures create
tensions that pull on each individual within the enterprise. Some functions may
have a sales culture in which anything done to make a sale is rewarded. Others may
be profit-oriented, with drivers to both high-margin sales and reduced costs. Still
others may participate in a culture of customer service, ethics or growth. Some may
live in a culture of security.

All of these cultures have a place in any enterprise; they need not be contradictory
to one another. They need to be balanced. Selling is good, but not at all costs.
Customer service is good, but not to the exclusion of profit. Growth is good, but
not if existing customers are dissatisfied and take their business elsewhere. Recent
news has shown that when a company allows one aspect of its culture to become so
dominant that others are crowded out, bad results follow. Unbalanced companies
face devastated morale among employees; poor financial results; mass exodus of
staff; and, ultimately, the extinction of a company.

The culture of security is the focus of this volume not because it should be
dominant, but because it appears that, in many enterprises, it is unnecessarily
overlooked. Many enterprises today have a function that oversees security. In
fact, they have many such functions, each one focused on the security of physical
assets; personnel; operational processes; personal information; data; or, indeed,
information in all its forms. Collectively, they may foster a culture of security, but
without active, deliberate, intentional management support, that culture can be so
fractionalized that it is ineffective in the broader enterprise. These functions may
not even recognize that their competing perspectives on security are undermining
the very culture of which they would want to be a part. This, in turn, makes it
difficult for those supportive of security to balance it with competing cultures.

There are some enterprises in which security, in one form or another, is of
paramount concern and in which a culture of security is dominant. Among these
are national intelligence agencies; the military; and, in a different manner, prisons
and gold repositories. For most other enterprises, it would be distortive if security
were the dominant culture. The intent within BMIS is not for security to dominate,
but for it to be integrated into a unifying whole within the corporate culture. An
intentional culture of security does not create values, but heightens them among the
tensions that act on each individual who lives within it.

2.2.1 Societal Culture and Security

It is questionable whether any culture—or, for that matter, any concept of
security—is applicable to all enterprises in all corners of the world, without
consideration of national and regional differences.3 Are the perceptions and the
realities of security the same in urban, industrialized societies and those in rural,
agricultural ones? Are they the same in countries thoroughly embedded in global
commercial processes and those with struggling, self-sufficient economies or for
those at war and those enjoying the blessings of peace? It is not that there are
national attributes that would affect security in any nation. Characterizing people
from certain places as unethical, sly or lazy is reprehensible, but clearly, there are
differences of custom, law, communications, politics and history that make the
realization of a Platonic ideal4 of information security unachievable.

There are international standards for security. Most notably, the 27000 series from the
International Organization for Standardization (ISO)5 is the DNA, style guide, metric
system and scoreboard of security6 and is generally accepted to be definitive about its
management. Even in this case, there is a caveat to universality: “within the context
of the organization’s overall business risks.”7 What, then, of the context of societal
norms and expectations that differ from nation to nation and region to region? For
example, the primary control statement for Data protection and privacy of personal
information is “Data protection and privacy shall be ensured as required in relevant
legislation, regulations, and, if applicable, contractual clauses.”8 Thus, explicitly,
there is no universal meaning for privacy—and, by extension, for confidentiality and
the rest of security—but rather reliance on necessarily local laws, regulations and
contracts. The comparison is very clear, for example, across the Atlantic. In the US,
privacy is limited to industry verticals, primarily financial services9 and health care.10
In most of Europe, privacy is a clearly stated fundamental right across society.11

Multinational companies and those enterprises that do business internationally
cannot presume that dictates for the security of information resources will be
perceived or interpreted in the same way in all locations in which they have
interests. The burden is on the management of those enterprises to create their
own cultures of security, while respecting the differences of milieu in which
they will operate. A Londoner (UK) and a New Yorker (USA) may work for
the same company and adhere to the same corporate goals, but when confronted
with a matter that affects or is affected by considerations of security, they very
well may not understand the same words the same way. How much higher would
these societal barriers be in countries that do not share the same language, history
and heritage? A culture of security cannot be imposed; it must be created on the
substrate of the culture of the societies within which it exists. Given differences in law,
regulation and national outlook, it is possible that there may be several subcultures
of security within one enterprise.

2.2.2 Organizational Culture and Security

Just as culture differs across geographic locations, so a culture of security is
profoundly affected by the industry or industries in which an enterprise operates.
Within industries, there are differences in corporate (and often divisional) cultures.
In a positive sense, differentiating security along organizational lines is a strength
of a security culture. It indicates a balance that reflects the differing needs of each
enterprise’s business. A stronger organizational security culture arises when there
is a common security purpose tied to shared beliefs, values and assumptions. For
example, all pharmaceutical companies have concern for the security of their
formulas and their clinical research data. Some of this is driven by the commercial
need to protect the companies’ intellectual property and, to a different degree,
by the ethical consideration of the health and privacy of test subjects. Most
drug manufacturers are less focused on security than are, for example, mining
companies, in which the major focus of security is on the safety of personnel, not
information. How much less powerful is a culture of security for a manufacturer of
commodity products?

Every enterprise has a culture of security. The security needs of commodity
manufacturing pale beside those of developing a cancer therapy, and those of large
corporations are greater than those of a start-up business. In both cases, though,
there is a culture at work. It may be more robust and accepted in one enterprise
than another, without regard to size or the nature of the work. An effective security
culture is simply adapted to the circumstances in which an enterprise finds itself.
In no case is the security culture totally absent; no business accepts an open-door
policy toward its information resources. However, some may not protect the door
very well or even perceive that the door needs to be locked.

This is, again, the concept of a culture of security in context. If there are no
universals in security, who is to say that one culture is superior to another, or is it
true that there are no universals at all? At some elemental level, there are things
that must be achieved or there is no security: access to resources restricted to
authorized people, breaches detected and repaired, data backed up, and people
held accountable for their actions with regard to information. The thoroughness
with which these are accomplished rests, in part, within an enterprise’s culture of
security, but not entirely so. Even the best intentioned and motivated employees
may make mistakes, and these, on occasion, have disastrous security consequences.

An organizational culture sets the limits of acceptable behavior within that entity.
It may be said that policy, not culture, is the driving force for establishing those
boundaries, but conceptually and legally, what an enterprise does is its policy,
not what its management claims that the company does. Policy is a reflection of
aspirational goals; in the case of security, it describes security as management
wants security to be. The way in which people actually work and protect
information (i.e., the culture of security) is reality, and absent any explicit moves
by management to provide disincentives (i.e., punishment) for policy breaches, the
culture of security is, in actuality, policy as well.

In some industries, there are regulatory requirements for security that, in a broad
manner, set the context of a culture of security. That does not mean that all banks,
insurers, brokerages or hospitals have internalized security in the same way or to the
same extent. To much the same degree as in unregulated companies, the extent and impact
of a culture of security are dependent on management’s perception of the risk to the
enterprise’s information resources and its willingness (or ability) to fund initiatives that
would strengthen either the culture or specific security measures—or both.

It is possible to achieve a level of security appropriate for a given enterprise without
explicit measures to create a culture of security because that culture is already there.
In many enterprises, such as in financial institutions, intelligence services and the
military, security is so embedded in management’s perception of business risk that
the intentionality of the culture is self-evident. It has provided the context in which
an enterprise makes decisions and allocates budgets. The same cannot be said in
reverse. The level of security cannot exceed the degree to which an enterprise
embeds security into its culture. In that case, rules will be broken and unenforced,
tools will not be applied, and management will not take action against those who
undermine security.

2.2.3 Personal Culture and Security

Ultimately, all enterprises are made up of people. Many, but not by any means
all, of the people are employees. Perhaps there was a time when a company or
government agency was solely comprised of those on the payroll, but if so, that
time is past. Too many enterprises use contractors, outsourcers, service providers
and temporary staff to accept that only personnel are the people who constitute its
human resources. When discussing the security of information, there is a tendency
to think in terms of the number of servers, terabytes of data or breadth of the
network. All of those are under the control of people, and it is people who are the
carriers of the “behaviors, beliefs, assumptions, attitudes and ways of doing things”
that are the corporate culture.

People are not tabulae rasae (blank slates). As they enter an enterprise and become
a part of its culture, they bring their own set of cultural expectations derived from
their parents, siblings, schools and houses of worship, friends and relations, and
companies for which they worked previously. It is fair to say that some are imbued
with a deep respect for security and that others are not. The reason for this is a
subject for sociologists, psychologists and anthropologists; for most others, it is
sufficient to accept and recognize differences of outlook and to find the ways to
incorporate them all under the cultural tent.

People can and do change their cultural perceptions, even if they do not realize it
or even realize that they have cultural perceptions. The accepted norms of behavior
are transmitted by many means, and not all of them are intentional. Rules of
confidentiality, for instance, may be documented, but a disapproving glance when
a customer’s name is mentioned can communicate more effectively than an entire
volume of policies. It is less clear how a weak culture affects a person whose mores
are more supportive of security than those of the enterprise. Does someone who is
inclined to respect access rights become unconcerned simply because others do not
share that outlook?

If culture cannot be imposed organizationally, neither can it be achieved by
dictating to individuals against their beliefs. Fortunately, it is the rare soul who is
outright opposed to security. Most of the principles of security are derived from
precepts that are shared across religions and belief systems around the world: Do
unto others as you would have them do unto you; above all, do no harm; mind
your own business; and do not run with scissors. Deep down, everyone (perhaps
excluding the pathologically dishonest) brings these principles to the business. If
they are not always adhered to in the workplace, as they are not always followed in
the world at large, it is because they come into contention with other core concepts:
Get your work done, a penny saved is a penny earned, or let nothing stand in your
way. Somehow, these latter values seem less virtuous, but virtue, too, is a mindset,
an artifact of a culture.

If no one is opposed to security, it is equally true that there are many who are not
vocal in its support. A culture of security needs its evangelists and champions, those
who are eager to speak up and set examples for others. True, there are always going
to be those whose moral outlook is clouded by pride, avarice and sloth, to say nothing
of stupidity. However, if people are rational actors, they will do the right thing—or at
least the most utilitarian thing—most of the time. People hold their beliefs privately,
whether they concern religion, morals or politics. When individuals encounter what
they see (or think they see) as a majority holding different viewpoints, they descend
into a “spiral of silence,” becoming less and less likely to speak up for their beliefs
and, thus, reinforcing their minority status and giving credence to the majority. This
is how culture is formed.12 Only those willing to break out of the spiral are able
to change culture; only those committed to secure behavior are able to drive the
transformation toward a culture of security.

2.3 Security in the Context of Culture

The meaning of a “culture of security” is not intuitively obvious. Perhaps “culture”
is a hazy concept, but surely “security,” here understood to be “information
security,” is a hard and fast, well-understood term, or perhaps, in the so-called
“information age,” the terms “information” and “security” are so widely used
that a consensus has arisen regarding the connotations of these words, separately
and together. In fact, there is lively discussion in both technical and management
circles about the meanings of the words and about their application in diverse
environments, such as the military, civilian government agencies and private
companies, and in everyday usage by ordinary citizens. It is clear that the terms do
not mean the same things in all contexts.

For example, the international standards on information security define “security”
and “information” very broadly.13 Evidently, the very resource to be secured is
thought to be so well understood as not to need a more thorough definition, and
yet, the dictionary offers shadings of meaning. “Information” is facts; in this sense,
information is made up of things that are known. It is also whatever is conveyed
by a particular sequence of symbols, impulses, etc.14 Thus, information is made
up of words, bits and bytes. Information is also the communication of knowledge,
which incorporates documents, conversations and networks. Additionally, it is the
sequence of bits that produce specific effects, in other words, the programs that
manipulate data.15 So, information can be both signifier and signified, subject and
object, and data and the people who and machines that manipulate them.

Information may be represented in “digital form (e.g., data files stored on electronic
or optical media), material form (e.g., on paper)” and “unrepresented” in the form of
employee knowledge. Information may be transmitted by various means, including
courier, electronic or verbal communication. “Whatever form information takes,
or the means by which the information is transmitted, it always needs appropriate
protection” (emphasis added).16 The quote makes a broad statement that all
information always needs protection, albeit at an appropriate level. Security, in
the context of culture, cannot be so dogmatic. It is fair to question, first, whether
all information requires protection and, second, how appropriateness is to be
determined. In practice, security is whatever level of protection the culture will
allow with cognizance of differences in approach dependent on the risk related to
different forms, representations, communications, storage and disposal of varying
sorts of information.

Security may be (and often is) defined solely as confidentiality, integrity and
availability (CIA). Without diminishing these characteristics, security may also be
understood to include privacy (different than confidentiality), authenticity, accuracy,
completeness, recoverability (different than availability) and currency. Yet, this is
not the view of security in the popular imagination. When (or if) the public at large
thinks of security, it is in terms of preventing computer hacking and viruses. From
War Games in 1983 to The Taking of Pelham 123 in 2009, it is always the bad guys
hacking the system who are stopped, always at the last moment, by the student;
simple, but honest worker; or old codger relying on the tried-and-true methods.
These popular entertainments are not important in themselves, but they mightily
affect the perception of those who make up the populations of enterprises. The less
these people understand the reality of either computers or security, the higher the
barrier to achieving a culture of security. In short, the culture of security is affected
by the overall culture.

Prevention of malicious attacks and malware is indeed a part, but only a part, of
security, and much, but not all, information is stored and manipulated on computer
systems. For the purposes of creating a culture of security, information must be
addressed in all its forms and secured against all its risks, in context. Inherent in
such a culture is the recognition of value in the information. It is value that is the
limiting factor for the appropriate level of protection. The cost of security cannot
exceed the value of the information to be protected; do not build a $20 fence for a
$10 horse.

However, it is precisely the looseness of the definition of information that makes it so
difficult to assign value to it. A database may be evaluated as the cost of recreating
the data contained within it, which is the general means of valuation for insurance
purposes. However, that does not account for the value inherent in the use of the
information nor the costs incurred if the data are not secure. Does information lose
value as it is transformed from electronic bits to printed records, and what is the value
of a conversation or an image?

There may be good operational reasons, or even organizational benefits, for treating
some data as of a higher value than is apparent. For example, sometimes the
economies of scale, especially from a medium-size business that deals with data
with a range of security classifications, can be found best by treating the security
of all of it in the same way—either all high or all low, but without any particular
thought given to the matter.

These questions of valuation do not need to be answered with precision, and
culture is too blunt a tool to be precise. However, a culture can encapsulate
what “everybody” knows. One’s values do impact one’s conception of value.
Unless and until information is understood to have value that can be eroded by
disclosure, unauthorized change, destruction or error, a culture of security cannot
arise, nor, for that matter, can security be applied to information consistent with the
repercussions of inadequate security. Unprotected information will not suddenly
lose confidentiality, integrity, availability or the other attributes of security until
and unless it is confronted with an unintentional or malicious threat. Even unlikely
breaches have a definable probability. Probability is the number of events over
time, and it recognizes that the time of attack may be well in the future … or today.
Allowing probability into the determination of the appropriate level of security
distorts the decision. In most cases, it should not factor into the level of security,
except when an event is extremely unlikely (such as a comet strike), there is no
practical approach to addressing a risk or the cost is too high. It is invalid to reduce
security because a negative event is unlikely; the value of a resource and the cost of
harm to that resource have to be the decisive factors.

Thus, the value of information is driven by its use, not by threats that may afflict
it. The same information encapsulated in bits on magnetic storage may require
more security than that same information printed on a piece of paper because
the electronic form is used in more processes than the written. Contrarily, the
printed report may be more valuable if it is used for strategic decisions, not routine
transactions. It is the people who are using the information, holding it in custody
or acting as its owner who must make the decisions about its value and, thus, its
security, and those people both make up and are affected by a culture of security.

2.3.1 Security as the Basis of Trust

ISACA’s motto is “Trust in, and value from, information systems.” It is not
coincidental that the terms “trust,” “value” and “information” appear in the same
phrase. The value of information can only be established and retained if the
information is trusted, and trust is established by security and control. The broad
topic of a system of internal control is beyond the scope of this volume, but security
is at its heart.

Trust is necessary in a functional workplace, but for the most part, it is something
that develops slowly. Its necessity is best illustrated by an environment in which
trust is absent: a prison. In a prison, no one trusts anyone, so there are locked
cells within locked cell blocks within locked subsections within locked prison
doors. There are armed guards and rigorously enforced procedures to restrict freedom
of movement. No business could work effectively in that manner. The
heavy-handedness of prison security must be transformed to a structure in which trust
is rewarded. Security is the catalyst of reliability. It evolves over time from repeated
displays of consistency between words (e.g., policies, standards, management
pronouncements) and behavior (e.g., access privileges, rewards, punishments). It
also comes about when all the participants in an enterprise who share resources,
such as information, have an accurate perception of one another’s interests. One
hopes that all those interests align to the benefit of the enterprise as a whole.17


US President Ronald Reagan was noted for saying, “Trust, but verify.” Trust alone
is insufficient; it must be accompanied by controls, among which is verification,
the underpinning of security. A security system should provide the means to verify
the authenticity of information so that all parties using it can assume that it has
not been modified, destroyed or disclosed except by those with the authorization
to do so. It removes the burden of validating each item of information by placing
reliance—that is to say, trust—on the security system that protects it. That reliance is
not necessary only because dishonest people may try to steal, manipulate or destroy
information. No matter what processes are established, what values are instilled,
or how open and transparent management practices are, people will make mistakes
and do things that are not right.18 Security is just as necessary to protect information
against people who are well intentioned, but overzealous, lazy, sloppy or just plain
stupid as from those who are dishonest.

There is more to trust and security than the exchange of information within an
enterprise. Enterprises and government agencies need security to establish trust with
their customers and citizens. Good security is perceived by many enterprises as a
prerequisite for doing business. They must ensure service availability, protection
of customer information and the secure operation of systems that manage customer
information. Without the basic ingredient of trust, founded on security, customers
would simply turn to competitors. Those enterprises that provide goods and
services on the World Wide Web have perhaps the purest vision of the relationship
between trust and security. If the information on a site or the processes by which it
got there are not trusted, the enterprise will probably lose more than a sale—it will
lose a customer. Where trust is strategic, as in these online companies (or in any
business), security becomes a strategic necessity as well.

Security may be seen as a competitive advantage if the enterprise has a high degree
of trust in its information systems. It would drive customer acquisition and retention
and the preservation of the value in a brand. However, enterprises are, in the main,
loath to trumpet their security because they do not want to publicize their protective
measures, they do not want their reputations to be hostage to criminals or they have
not been able to sufficiently verify the integrity of their security systems to publicly
base customer trust on them.

Among the elements leading to trust between enterprises and their customers
is effective management communication of security goals and objectives.
Management must make customers aware that, within its enterprise, there are
incentives for awareness and reporting of security incidents, a broad understanding
that identification of security problems will be dealt with openly and without
retribution, and personal recognition for those who act supportively of security.


Trust is not an absolute; it changes and grows (or diminishes) over time.
Unfortunately, trust can be destroyed far more quickly than it can be established
or repaired. As enterprises themselves grow and change, the basis for trust must
be restated and proven anew. Every security incident that attracts public notice
undermines trust, but if management is shown to be nimble, sensitive, compassionate,
honest and courageous, it can often manage to overcome the negative impact caused
by a seemingly random event.19 Of course, the requirement of honesty calls for
immediate acceptance of a security-related problem and its rapid repair.

There is another facet of trust based on security that is between enterprises that
do business jointly. Each is a separate entity with its own proprietary information
and information systems. In some cases, they are even competitors (so-called
“coopetition”). They need to share some information for their joint ventures, but
more important, they need to protect most information from their partners. They
cannot do business together without trust, and they can only base that trust on
security and, to a great extent, on mutual respect for ethical behavior. Of course,
ethics is a part of security as well.

Trust is a shared cultural experience. To the extent that enterprises are able to create
a culture of security, they will be able to enjoy the benefits of trust with their staff
and customers and with other enterprises. Those benefits mostly accrue in the form
of smooth working relationships, respect and a certain naiveté that allows managers
to proceed with their business without constantly having to check and recheck the
validity of the information with which they work. These “soft” benefits manifest
themselves, over time, in reduced costs and increased profits.

2.3.2 Security in the Prevention of Fraud and Misuse of Information Resources

In the earliest times that information security was applied to business computer
systems (approximately the 1970s), the focus was on the prevention of fraud.
Business computing was exclusively performed on large (for that day), centralized
mainframe computers with little or no online activity. The Internet was unknown.
The role of information systems was primarily for recording and reporting
transactions that had taken place externally from the systems, but not for the active
execution of transactions themselves. The ledger books and paper forms were fast
disappearing into electronic files, and entire systems of internal control based on
the movement of paper no longer had any validity. Computers were the province
of a small coterie of specialists who seemed divorced from the business as a whole.
Many managers realized that, if records could be manipulated, it was possible
for people (in almost all cases insiders) to take money and cover their tracks.
Most security, such as it was, was performed within applications. After-the-fact
assessment and rather rudimentary control of computer use were the substance of
the customary practice of data security.


The focus was subsequently enlarged to the prevention of misuse of data resources,
which includes fraud, but also includes a variety of other concerns such as the
disclosure of secret information (a major concern of governments), unauthorized
manipulation of data (more of a commercial concern)20 and destruction of
computing capacity. As noted, confidentiality, integrity and availability (CIA)
has become, for many, the basic definition of security itself. The purpose of
such elemental features of security as encryption and access control was to
prevent unauthorized and, therefore, potentially malign use of information.21 Both
encryption and access controls were the development of methods of information
protection that had preexisted computer systems. As such, when computers began
to emerge in the business world, these concepts were not unknown and, therefore,
were more readily accepted.

Fraud prevention is still an element of security, at least in environments in which
information has intrinsic monetary value. More broadly, security will always be the
bulwark against misuse of information, but today, it is widely recognized that the
importance of security lies in the preservation of the value of information and the
utility of information as a strategic asset. Nonetheless, for many people, the purpose
of security is only to stop bad things from happening or at least to meet regulatory
requirements. Thus, security is seen by some as essentially negative and reactive.
This perspective, seeing security as a policeman or enforcer rather than as a positive
force for enablement of organizational initiatives, has been one of the major
inhibiting factors against creating a culture of security.

Fraud and misuse of information are indicators of the shortcomings of security. It
is very difficult to establish a positive image of security when the best that can be
said is that there have been no failures (recently). A culture of security must rest on
an understanding of the contributions that security makes to an enterprise’s strategic
objectives. If the only interaction people have with police is when a crime occurs or
when they are caught speeding, they will have little appreciation for the necessity of
the rule of law for an ordered and prosperous society. Similarly, if the only encounter
people have with information security within their enterprises and society at large
comes when a rule is broken, they will view security as an impediment rather than a
support to their daily activities.

Security will always have fraud and misuse as parts of its domain. Until and unless
that domain is seen as having greater application and value, a culture of security
will be difficult to create.

2.3.3 Security and Risk Mitigation

The current, more enlightened view of security is that it is part of the organizational
imperative to manage risk. This is made explicit in ISO 27001, in which it is stated
that the general requirements for an information security management system call
for the establishment, implementation, operation, monitoring, review, maintenance
and improvement of security “within the context of the enterprise’s overall
business activities and the risks it faces.”22 Moreover, in 2008, ISO published ISO
27005, Information technology—Security techniques—Information security risk
management, which highlights that:

A systematic approach to information security risk management is
necessary to identify organizational needs regarding information
security requirements and to create an effective information security
management system (ISMS).23

What are the risks that security is able to manage, and for that matter, what is
“risk”? While one definition of “risk” is that it is the “potential that a given threat
will exploit vulnerabilities of an asset or group of assets and thereby cause harm to
the organization,”24 others define it as the “uncertainty of harm to an asset or group
of assets.”25 The common element is that there is an asset that is subject to harm.
Implicitly, the asset must have value or it would not be an asset. Thus, the harm in
question is the loss of value. The risk is often stated in terms of the causes of the
harm, but this only states threats, not risks. There are indeed threats to information
such as disclosure, manipulation and destruction. The risks arise from the business
of which that information is a part.

Confidentiality Risks
It is true that computerization has changed the nature of information. Information is
hidden from view, and it is in a form that is unintelligible to human beings without
the aid of technical devices. To that extent, it is a great deal easier to prevent the
dissemination of information to unauthorized recipients. At the same time, it is so
compact that vast amounts of information can be stored in very small spaces. It is
easily copied and transmitted, and the copies are very difficult to control. When
information was primarily in printed or written form and stored in bulky containers,
it was relatively easy for someone to gain access to a small amount of information
and, for example, photograph or steal a few sheets of paper. Now, access is
invisible and entire files can be falsely obtained. Hence, the scale of unauthorized
disclosure has been enlarged exponentially.

In some cases, the results for an enterprise whose information was disclosed or
stolen have been quite onerous. For example, a US pharmaceutical manufacturer
sent an e-mail to all participants in an online service for users of certain drugs,
inadvertently disclosing all the names of the people using the service. As a result,
regulatory authorities forced the company to incur the costs for establishing and
maintaining a security program for the protection of its collected personally
identifiable information (PII). The company was further required to perform an
annual third-party audit of its program and have external oversight of the relevant
record keeping.26 In another case, a US-based retailer was hacked and the credit
card information of more than 45.7 million individuals was stolen. As a result, the
retailer paid credit card companies tens of millions of dollars to cover the cost of
the fraud and faced extensive expense to improve its security systems.27

Availability Risks
The same factors that make it easier to steal information also raise the risk of
destruction of information. In electronic form, information does not need to
be destroyed to be made unavailable. The fact that electronic equipment and
information systems are required to read the information means that any failure
of those devices or systems renders information as useless as if it were physically
destroyed. For enterprises dependent on information to function (perhaps a
majority of businesses in the world today), the absence of current information is
tantamount to a cessation of operations. It is no longer possible to go back to the
older, nonautomated way of doing things; the information in file cabinets no longer
exists—indeed, neither do the file cabinets.

Hence, plans and preparations for conducting affairs in the absence of current
information are a necessary part of security. It is a broader question as to whether
interruptions to business caused by factors other than information unavailability are
equally a part of information security. The important point is that an enterprise’s
tolerance for information loss must be gauged and preparations put in place either
to recover the data in a predetermined length of time or to replicate the data at
regular (perhaps instantaneous) intervals so that they will never be lost at all.

Integrity Risks
One of the more significant risks inherent in information is that decisions may be
made on the basis of erroneous information. There are numerous causes and effects.
If someone changes information so that actions will be taken to that person’s
benefit, it is termed fraud. If the same thing happens because of inadvertent or
foolish mistakes, then it is error, but in either case, the value of the information in
question has been diminished. That is the harm; that is the risk.

Data do not need to be manipulated to be false or erroneous. Information may be
out of date, even if only by seconds. Information may come from the wrong source
and be inauthentic. Information may be incomplete. It may be inaccurate. It may
even be meaningless. In every case, the information in question is supposed to have
a certain value that it does not have. The value comes not from the information
itself, but from the lost utility of that information.

Risks to Information Not in Electronic Form

There is a tendency to think of all information as electronic, in part, because such
information is so internalized in society. People in many places are paid with
electronic information, buy products and services with electronic information,
communicate, and are entertained electronically. However, there is still cash in
society, more widely used in some places than others. People still talk with one
another. They still write things down and print reports. While the nature of the risk
differs depending on the medium—a conversation cannot be stolen or destroyed,
but it can be overheard or based on false assumptions—the effect is the same. The
information in question loses value if it is haphazardly communicated, erroneously
stated or simply misplaced.

It is important to remember that risk is unpredictable. To a certain degree, with a
given amount of information and a given number of people who have access to
it, it may be possible to extrapolate how much of it will be misused or lost. It is
equatable to the concept of “shrinkage” in warehousing and retail. The risk is that
the consequential harm caused by misuse or loss cannot be stated with the same
precision. There are no computers powerful enough or algorithms subtle enough to
untangle all the files, records, fields, users, applications and uses of information to
know, in advance, what the harm will be or how much value will be lost.

The risk management decisions that must be made can be reduced to assuming the
worst case, the most likely case or differential cases based on the perceived value of
the information. Assuming the worst case leads to the application of the highest level
of security to all information, which is extremely secure, but difficult to cost justify.
Either of the other two approaches opens the door to an unpredictable level of harm,
the very definition of risk. Information thought to be of low value may be extremely
important in the wrong hands or when combined with other, seemingly unimportant
information. The event thought to be unlikely may just happen. Security “within the
context of the enterprise’s overall business activities” is the answer to risk, but the
context also establishes the fact that some harm will occur. Intolerance for harm that
is greater than expected is a foundation of a culture of security.

2.3.4 Security as a Strategic Driver

The way in which security is perceived is a determinant of the effectiveness
of security within an enterprise. In some cases, security is seen as a roadblock
to valuable, or at least convenient, activities by personnel. In such instances,
a culture arises that is characterized by efforts to bypass security or to wink at
circumvention. (Again, there is always a culture of security, but sometimes, it is not
a good one.) More commonly, security is seen as a necessary tactical supplement
to the primary activities of an enterprise. A company that makes widgets sees all
of the processes involved in widget manufacturing, delivery and sales as its core
mission, and everything else is understood to be secondary and supportive to the
primary functions of the company. In this case, security is not ignored; it is simply
downplayed. The result is a culture in which security is set at the minimum level
consistent with prudence.


It is important to realize that the creation of a culture of security does not imply
that security must be a primary concern for an enterprise. Rather, the objective of
a culture of security is to ensure that security is set at an appropriate level in the
context of an enterprise’s overall operations. In some cases, the minimum level
may be both prudent and appropriate. It is certainly appropriate if organizational
management, in possession of all the relevant facts, makes a conscious decision that
no more than the minimum is required. However, for many industries and for the
information-intensive activities of all, the minimum is insufficient.

Levels of Security
Figure 1 illustrates varying levels of security that may be encountered in an enterprise.

Figure 1—Examples of Enterprise Security Levels

Extreme
People: Deep background checks are conducted for all personnel.
Process: The security policy is central to the organizational mission.
Technology: There is advanced screening and tight supervision of information use.
Organization: Security is a senior management role.

High
People: Security checks are conducted for all personnel.
Process: Security policies and standards are enforced.
Technology: Passwords, virus protection, firewalls, data leakage prevention,
intrusion detection, identity management, etc., are utilized.
Organization: Security is a part of many functions.

Minimum
People: Security checks are conducted for critical personnel.
Process: Security policies exist, but are not enforced.
Technology: Passwords, virus protection and firewalls are utilized.
Organization: A security function exists.

Low
People: There is no personnel checking or security oversight.
Process: No security policies or procedures exist.
Technology: There is minimal or no security technology.
Organization: No security function exists.

It is important to understand that figure 1 is illustrative and not necessarily definitive
of the levels of security that may be found in all enterprises. The terms “low,”
“minimum,” “appropriate” and “extreme” are meaningful only in the context of a
specific enterprise. For example, what is considered extreme for a manufacturer may
be barely the minimum requirements for an intelligence agency.

An enterprise should be conscious of its own strategic requirements, and then, the
appropriate level of security should be incorporated in them. To the degree that
the confidentiality, integrity and trustworthiness of information are necessities
for the success of an enterprise, the enterprise will find that security is a strategic
requirement. This is particularly evident for enterprises that trade in information,
such as the aforementioned intelligence agency, but also for news sources, online
vendors and movie studios. What is video piracy, after all, but theft of information?
If the information purveyed by such an enterprise is not felt to be correct, authentic
or complete, that enterprise will soon not be in business. Thus, secure information
can be the basis not only of an enterprise’s reliability, but also of the quality of
its goods and services.

To be sure, some enterprises have lower security requirements than others. One
whose products are material goods needs to focus on production and sale, but even
within these enterprises, there are functions that require secure information. If
financial information is not secure, there may be compliance violations. If formulas
are not kept secret, competitive advantage may be lost. If orders are changed or
manipulated, profits may be undermined. If senior management does not receive
accurate information, initiatives may be stunted. Thought of in these terms, security
may be considered as much of a strategic driver for a manufacturer as for an
online service.

Security may be one of many strategic drivers, but only rarely the primary one.
The achievement of the others may be enabled by the effective implementation of
security. It allows management and staff to focus on the business without constant
concern for the possibility of negative events and security incidents. Such a state
must come from intentional acts by management, but once established, security can
be transparent and implicit.

2.3.5 Security in Systemic Terms

BMIS emphasizes that security must be established systemically. The system of
security must be viewed holistically, as a complete, functioning unit in which one
part of the system enables understanding of other parts of the system.

“Systems thinking” is now a widely recognized term that refers to the
examination of how systems interact, how complex systems work and
why “the whole is more than the sum of its parts.”28

In practical terms, this implies a balance within security in parallel with the balance
of security among other strategic drivers. An enterprise cannot feel secure simply
because it enforces so-called “hard” passwords, has a security policy manual or
filters viruses. All the pieces of an information security management system need
to be addressed—if not equally, at least to the extent that no link is so weak as to
invalidate the integrity of the chain, i.e., the security program. This requires not
only that security be a system, but that the approach to security be thought
of systemically:

[I]t is important to note that the Business Model for Information
Security, which is based on systems theory, should be treated as part
of the strategic plan for the information security program, not as a
quick-fix solution for a broken program. Systems thinking should be
seen as a long-term exercise that will ultimately aid the enterprise in
achieving business goals. In fact, it may help to think of it as a key
to organizational maturity. The maturity of the information security
program is often related to the maturity of the enterprise, which is
linked to the degree systemic thinking is used in the enterprise. Systemic
thinking paves the way for systemic processes.29

As noted, enterprises are organic wholes that are the amalgamation of interacting
systems and are, thus, supersystems in themselves. It would be erroneous and
fruitless to think of security in isolation from other aspects of an enterprise’s
systems, just as it would be fallacious to think of each individual characteristic of
security without reference to the others. In the absence of a holistic understanding
of security, enterprises see either the absence or duplication of security efforts, the
emergence of silos of responsibility for security, and difficulty in restraining costs.
It leads to deviations from accepted practice and, ultimately, to breaches of security.
For example, some enterprises invest disproportionally in incident response and not
enough in policy or prevention. Thus, they invite the very penetrations they would
presumably prefer not to encounter.

In many cases, breaches of security occur not when management perceived
weakness, but when it thought, erroneously in the event, that security was
sufficient or when management was aware of weakness, but prioritized in such
a way that it “bet” the wrong way. The inability to see security systemically
introduces the possibility, perhaps the likelihood, that one or another aspect of
security will be downplayed because reliance will be placed on others. The concept
of compensating controls in security would pertain to only parts of security
requirements. Security measures are either effective or not. Recognizing the need
for a totality of security is a prerequisite for the creation of a culture of security.
Indeed, this systemic viewpoint is one of the characteristics of such a culture.

Endnotes

1 “The Security—Privacy Paradox: Issues, Misconceptions, and Strategies; A Joint
Report by The Information and Privacy Commissioner/Ontario and Deloitte &
Touche,” Canada, August 2003, p. 7
2 This is an evocation of Gödel’s Second Incompleteness Theorem, which has
been summarized as “in any consistent axiomatizable theory (“axiomatizable”
means the axioms can be computably generated), which can encode sequences
of numbers (and, thus, the syntactic notions of “formula,” “sentence” and
“proof”), the consistency of the system is not provable in the system,”
www.math.hawaii.edu/~dale/godel/godel.html#SecondIncompleteness. See also
Hofstadter, Douglas R.; Gödel, Escher, Bach: An Eternal Golden Braid, Basic
Books, USA, 1979
3 Much in this section is derived from Ross, Steven; “Information Security Matters:
Boston, Berlin, Baghdad and Bora Bora,” ISACA Journal, vol. 4, USA, 2010.
4 The Greek philosopher Plato described a dual reality, that of the material world and
the transcendent realm of forms. Thus, for the purposes of information security,
there is security as we find it in the world we perceive and an ultimate, universal
expression of security. This duality has been argued through the centuries. The
philosophic issue is whether a universally applicable concept of information
security can be separated from the world as we experience it.
5 International Organization for Standardization (ISO), ISO/International
Electrotechnical Commission (IEC) 27000:2009 through (currently)
ISO/IEC 27005:2008, Switzerland
6 Ross, Steven; “IS Security Matters: Frameworkers of the World, Unite,”
Information Systems Control Journal, vol. 6, USA, 2004
7 ISO, ISO/IEC 27001, Switzerland, p. 1
8 ISO, ISO/IEC 27002:2005 Information technology—Security techniques—
Information security management systems—Requirements, Switzerland, p. 102
9 US Financial Services Modernization Act of 1999, better known as the
Gramm-Leach-Bliley Act (GLBA)
10 US Health Insurance Portability and Accountability Act (HIPAA) of 1996
11 Directive 95/46/EC of the European Parliament and of the Council, 1995, better
known as the European Privacy Directive
12 Watts, Duncan J.; Six Degrees: The Science of a Connected Age, Norton, USA,
2003, p. 213
13 See ISO/IEC 27000:2009, in which “information asset” is defined as “knowledge or
data that has value to the organization.”
14 Ibid.
15 Merriam-Webster Online, www.merriam-webster.com/dictionary/information
16 ISO, ISO/IEC 27000:2009, Switzerland, p. 7
17 Thompson, L.; R. Hastie; Judgement Tasks and Biases in Negotiation, 1990.
Sheppard, B.H.; M.H. Bazerman; R.J. Lewicki (eds), Research in Negotiation in
Organisations. See also Goucher, Wendy; “The Reality of Trust,” Computer Fraud
& Security, vol. 2009, issue 3, The Netherlands, March 2009, p. 14-15.
18 IBM Corp., “Culture of Trust,” Corporate Trust and Compliance,
www.ibm.com/ibm/responsibility/trust.shtml, 2008
19 Knight, Rory; Deborah Pretty; “Protecting Value in the Face of Mass Fatality
Events,” Oxford Metrica, Oxford, UK, 2005. This document is a bit off-topic,
but a mass-fatality event is the ultimate security crisis and Knight and Pretty’s
observations have broader applicability.
20 In the US, the Department of Defense published a series of papers with covers
of various colors that became known, subsequently, as the Rainbow Series. The
first, Trusted Computer Security Evaluation Criteria (CSC-STD-001-83, 1983)
placed the emphasis of security squarely on confidentiality. In 1989, David Clark
of Ernst & Whinney (now Ernst & Young) and David Wilson of the Massachusetts
Institute of Technology (US) published “A Comparison of Commercial and
Military Computer Security Policies”
(http://groups.csail.mit.edu/ana/Publications/PubPDFs/A%20Comparison%20of%20Commercial%20and%20Military%20Computer%20Security%20Policies.pdf),
subsequently known as the Clark-Wilson Model, which placed the emphasis in the
commercial sphere on data integrity.
21 Ross, Steven J.; “IS Security Matters?,” ISACA Journal, vol. 2, USA, 2010, p. 4
22 ISO, ISO/IEC 27001:2005, op.cit., p. 3
23 ISO, ISO/IEC 27005, op.cit., p. 3. There is considerable debate about the
importance or even the relevance of the ISO 27000 standards. It is even more
debatable whether what ISO describes as an Information Security Management
System (ISMS) is equivalent to a culture of information security. Nonetheless, the
standards do represent a framework and a lexicon for security that are accepted
internationally and must be respected if not always observed.
24 Ibid., p. 1
25 Ross, Steven J.; “Four Little Words,” ISACA Journal, vol. 1, 2009. See also Taleb,
Nassim Nicholas; The Black Swan, Random House, USA, 2007, p. xvii-xviv, passim.
26 Eisenhauer, Margaret P.; The Privacy Case Book: A Global Survey of Privacy
and Security Enforcement Actions with Recommendations for Reducing Risks,
PrivacyStudio.com,
www.privacystudio.com/Links%20posted%20to%20web/Casebook%20Ch%202.pdf,
p. 28-30
27 Abelson, Jenn; “Hackers Stole 45.7 million Credit Card Numbers from TJX,”
27

New York Times, USA, 29 March 2007, and “Swiped, Stolen and Sold,”
New York Times (online edition), USA, 6 August 2008,
http://topics.blogs.nytimes.com/2008/08/06/swiped-stolen-and-sold/
ISACA, An Introduction to BMIS, op. cit., p. 10
28

Ibid., p. 11
29

3.0 The Benefits of a Culture of Security


One of the differentiating factors of BMIS “is the importance it places on
organizational culture. Creating an intentional security culture is a primary
objective for the model, as applied to information security” (emphasis added).1 The
intentionality of the culture reflects the notion that cultures are not self-generating.
They require active steps by people in positions of influence, if not authority, to adapt
certain norms of behavior and to encourage others to do so as well. The people in
question may well be the senior executives of an enterprise (the so-called “tone at
the top”), but they may also be further down in the hierarchy if they are committed
enough to champion the cause of the values that culture supports. For that reason,
they are often called “champions,” a word with a pleasant dual connotation.

If a culture of security does not, by itself, create greater security, then why should
anyone champion it? The answer is that a culture is a necessary precondition in
which to establish an appropriate level of security. By analogy, good soil and
climate, the terroir, do not make great wine, but without a fine terroir, the best
grape clones, skilled winemakers and the latest equipment will, at best, result in
mediocre wine. In the same way, without a culture of security, the most advanced
techniques, dedicated security professionals and the finest technology will lead
to a middling level of security, at best. Some security practices may exist,
perhaps supported by technology, but “weaknesses that result from inappropriate
governance, inadequate management, a dysfunctional culture or unready staff
cannot be fixed with technology.”2

Thus, a culture of security is not an end in itself, but a pathway to achieve and
maintain other objectives. In one sense, the primary objective is assurance that
information will not be misused. This assumes that there is consensus on the
appropriate use of information, with everything else being misuse. This sort of
consensus is hard to come by and is the reason why the implementation of security
can be contentious. A culture of security will not eliminate discord, but it will
establish a basis on which accord can be reached.

There can be security in the absence of a robust culture supporting it. It may even
be appropriate to the needs of the enterprise and a rational understanding of the
information in question, if only by happenstance. However, security without culture
cannot be sustained over time. All of the other organizational dynamics will distort
security to the point that it is unrecognizable. Tough economic times will lead to
crippling budget cuts. Competitive pressures will dissipate access controls and
separation of duties. Otherwise benign motivations to serve customers will become
the pretext to lower barriers, and as the enterprise morphs and changes, security
will fall to the wayside. In the same manner, a security culture itself needs to be
sustained over time. Creating it is one thing, strengthening it another, and keeping
it going and growing is definitely a third. Cultures, too, morph as the people who
constitute them come and go. There need to be self-sustaining elements to a culture
or the same security battles will be fought over and over again.

The greatest benefit of a culture of security is the effect it has on other dynamic
interconnections within an enterprise. It leads to greater internal and external trust,
consistency of results, easier compliance with laws and regulations and greater
value in the enterprise as a whole. In short, a secure enterprise—one that is as secure
as it needs to be—is a better enterprise. The payoff comes from all the areas
in an enterprise where reliability, open communication and cooperation among
individuals and departments work smoothly together to achieve overall goals.
All that is required is a common commitment to values and behaviors that enable
mutual trust. (See section 6.1.)

As is often the case, the presence of an intentional security culture is harder to discern
than is its absence. The most common indicators of a weak culture of security are an
information security function (if one exists) that is underfunded, demoralized and
so far down the chain of command that it is unlikely to have any influence on
organizational decision making. At the same time, it is common for security
professionals, in their zeal to protect everything as much as possible, to feel that
they never have a large enough budget, are never fully appreciated and are always
overruled on important business decisions. The fact that an information security
function exists does not, in itself, indicate a robust, effective security culture.

It is said that if something cannot be measured, it cannot be managed. So, if a
culture of security is difficult even to discern, it is extremely difficult to manage.
However, it is also not clear that a culture needs managing or whether it can be
managed at all. It is the collective perception among many people, best driven by its
champions. A culture has no direct metrics. Its benefits are best perceived through
the accomplishment of other objectives. In the case of security, these would be an
enterprisewide consensus that the risks to information are well understood, that
information resources are adequately protected, that security enables rather than
inhibits the attainment of business objectives and that the investment in security is
well spent. Note that these are fuzzy and indirect metrics, but they are metrics
nonetheless. Systems of belief are real even though they cannot be seen. When groups
of people within an enterprise behave in a consistent and constructive manner, it is
certain that there is a culture at work. When they accept and promote an appropriate
level of protection for information resources, there is a culture of security.

3.1 The Benefits of Trust

Security is the basis for trust, as stated previously. At the same time, there is the
sign often encountered in American diners: “In God we trust. All others pay cash.”

If one of the benefits of a culture of security is trust, then what is so beneficial
about trust? Put another way, if trust is beneficial, what is it about a culture of
security that creates it?

First, in a business context, trust is an ingrained assuredness that a person/thing
is what he/she/it purports to be. In many cases, the initial encounter a person has
with an enterprise is an exchange of information: a résumé, a letter of introduction,
a phone call, etc. One of the tenets of security is that a person’s bona fides are to
be validated. The level and thoroughness of verification depends on the business
requirements of the position, the classification of the information to be accessed and
the perceived risks.3 Once this is done, those working with a new employee have
an expectation that the person is capable of performing the assigned tasks, but this
is not security. What is relevant is that, based on prior experience, coworkers can
expect the new hire to use information honestly and as authorized. This expectation
persists throughout and beyond the early period of employment, growing over time
as experience buttresses initial anticipation.

Absent security, there is little or no way to know whether a person has manipulated,
disclosed or destroyed information without authorization to do so. Thus, security
fosters trust by providing assurance that information is being used as allowed or
else that misuse would be noted. Security does not engender trust of others. It
only allows each person to have confidence in the information being used. The
degree of trust should not be overstated; one of the parties may use the information
to undermine a colleague, spread rumors or make silly mistakes. However, the
information that is used to do so can be trusted.

There is a chain of causation here: A culture fosters security, which, in turn, leads
to trust. In turn, trust leads to reliable expectations in the decisions and actions
made on the basis of the information in question. Ultimately, reliability is a benefit
that a culture of security provides. This is true in the workplace, but also in the
home. Spouses must trust the word of spouses and children that of parents. Readers
must trust their press or the advantages of an informed citizenry are lost. Citizens
must be able to trust the information provided to them by their governments or
there is chaos, despotism or both. There is an appropriate, wonderful feedback loop:
Where security fosters trust, it also increases the strength of the culture. Forced
security, as in a prison, may protect resources, but it will not create trust.

Perhaps the benefits of trust as engendered by a culture of security are best
understood by its opposite. Where there is no culture of security, information will,
over time, be shown to be less than reliable. Poor decisions will be made on the
basis of incorrect, incomplete or fallacious information. These decisions will lead
to loss of money; reputation; market share; confidence; credit; and, if taken to
extremes, the viability of an enterprise. All others pay cash, indeed.

3.1.1 Internal Trust

Trust is the lubricant that makes enterprises run smoothly. In a large, widely
dispersed enterprise, a culture of security is essential for individuals, who may
not know or see one another, to pass information between each other and act on
it in the expectation that it has not been manipulated. In enterprises of this sort,
security must be assumed or nothing can be accomplished. This is an effective
security culture only to the extent that this assumption is based on reality.
Information systems exist to manage the content and flow of information among
people within departments that are part of the divisions that make up the enterprise
as a whole. Events will conspire to reveal failures of security that, in time, will
manifest themselves in a lack of trust in the information systems and, ultimately,
the information itself. Where people do not trust information, they create parallel
systems that they do trust—hence, the card file in the desk drawer and the
spreadsheet on the hard drive and, hence, the breakdown of any semblance of
managed processes within the enterprise.

How, then, does trust manifest itself in a supportive culture? It shows up in speed.
Where the recipient or user of information trusts it, there is no need for repetitive
checking and verification. Thus, transactions move through a system quickly and
decisions can be made rapidly (or even be automated based on a reliable set of
rules). In physics, motion is a function of velocity and time. The forward motion
of an enterprise is a recurring function of speed and time—in other words, of
organizational nimbleness.

Nimbleness is the ability to adapt speedily and easily to changing conditions and
continue to perform at a high level. It is characterized by, among other things, quick
and effective decision making, a marked degree of autonomy among the employees
and managers, high-performing teams, and an ability to work through ambiguity
quickly and correctly.4 All of these are enabled by trusted information or, viewed
the other way round, are impossible without trusted information.

There are varying levels of trust within an enterprise. Departments may share
information freely without a need for independent validation until certain decision
points are reached. For example, all the information needed to construct a purchase
order (PO) can be gained from a variety of sources, such as a vendor database,
contracts and procurement policies. However, at the point that a PO is to be issued,
it is prudent to have someone, usually the department head who will have to pay for
it, review and validate all the information.

In another sense of varying levels of trust, the confidence that can be applied to
information in normal conditions is sharply different than that needed in periods of
change, disruption or chaos. As information moves through an enterprise, there are
systems—information systems—that preserve its integrity as it moves from process
to process. Thus, an order becomes an inventory selection that becomes a sale that
becomes a delivery that becomes a payment. The information must stay unchanged,
except through authorized modification procedures, throughout the journey.

However, in challenging times, there is a need to recognize and react to the
possibility of less reliable information. For example, if there is evidence of an
active penetration attempt, information might have been changed. A disaster in a
datacenter can wipe out enormous amounts of information in a very short amount
of time. It is at points such as these that the quality of trust takes on new meaning.
Can security technology be trusted to identify penetration attempts and to isolate
possibly affected records and databases? Can disaster recovery plans be executed
in such a way that the recovered information is current and accurate, at least within
preestablished parameters for currency and accuracy? The answer is yes, if:
• Security has been tested under circumstances similar to that of the event
in question.
• Mechanisms are in place while executing security and recovery measures to
validate the resulting information.
• Leadership exhibits confidence in security as it uses the information in question.

These attributes may be stated in terms of organizational variables such as context,
supportiveness and leadership. These can only be established on the basis of
practices and behaviors put in place long before a crisis. They are the product of
deliberate effort and unremitting hard labor. Leadership, in context, is a hallmark
of a culture; leadership’s trust in information in a crisis is a hallmark of a culture
of security. There is a need for balance among the variables. Maximizing any one
component of a system pressures the whole. Strong leadership is essential, but
disregarding context and culture can lead to over-reliance on leaders in routine
times5 that disappears in crises.

3.1.2 External Trust

The need for trusted information does not stop at an enterprise’s front door. Trust
is essential among business partners, contractors, vendors and customers. The
concept of security’s being erected at the perimeter of an enterprise’s information
systems has long been outmoded.6 Thus, the internal-external distinction has, to a
large extent, become blurred, but it is meaningful nonetheless. There is a basis for
trusting those who work together for a common purpose, with jointly held values
and attitudes about the security of information resources (i.e., a culture of security)
and those who may share some of the same incentives, but whose motivations
ultimately diverge.

While customers and suppliers have a mutuality of interest, there is an inherent
adversarial relationship with regard to information. In many enterprises, there
are entire departments checking invoices against POs to make sure that there
are no overcharges. However, an excessive bill is not indicative of a problem
enterprise holds information regarding another (or of individuals). The issue is most
starkly presented where the privacy of PII is concerned, but it is just as valid where
the relationship is a business-to-business one. For example, a company would not
want its buying patterns revealed lest its business strategy be made public as well,
which necessitates that purchasing information must be kept secure, and sellers do
not want to have any tampering with customer orders. Thus, the trust necessary
to enlarge business relationships rests on good products and services, to be sure,
but also on contracts, nondisclosure agreements and a general understanding that
information will be secured diligently by both parties.

The Banking Example

To an extent, a culture of security also accommodates reduced levels of security if
the reduction is attuned to risk and value. A classic example is a bank’s approach
to verifying customer identity with regard to checks. By custom as well as law, a
signature is sufficient authorization to make a payment based on a draft against an
account. At one time, banks would match customers’ signatures on checks against
those on cards filed at the time an account was opened. Over time, banks realized
that the vast majority of checks were not counterfeit or forged, so they stopped the
practice of verification. The cost of risk acceptance was shown to be far less than
the cost of increased security. Thus, the banking culture, always attuned to security,
adapted to a more appropriate level of integrity checking.

The exceptions in check payment are as instructive as the reduced level of
checking. In some countries, banks still verify each signature. In section 2.2.1,
Societal Culture and Security, it was shown that different societies have varying
levels of expectation of trust and honesty, based on economics, language, history
and heritage. Thus, in some nations, the level of confidence in the authenticity of
checks and customer signatures does not permit the same practices as in banks
where validation is not required. (It also limits the number of potential customers.)
Prudence wins out over cost reduction.

Moreover, even banks that do not routinely verify signatures do so when the value
of a check passes a certain threshold. Viewed systemically, the level of security
required increases in a direct relationship with the value of the information. The
heritage of banking is such that trust of customers is only slowly gained; a long
history of timely payments and large deposits has been the basis of lending in the
past. With the vast expansion of banking activity following World War II, it was
necessary for financial institutions to broaden their “know your customer” policies
and introduce automation of the information in banking transactions, notably
including checks. Interestingly, in 1998, “know your customer” rules were proposed
as addenda to bank regulations in the US, but they were withdrawn because of
privacy concerns—yet another example of level setting within the broader culture
of security affecting businesses.

Trust Defined or Earned

As noted previously, a very low level of trust was assumed between enterprises
and their customers in the past. This proved to be a brake on business growth, and
information systems were introduced to speed and standardize the processes of
managing customer information. In parallel (or, in fact, slightly lagging), security
systems arose to protect the information. The reliance within an enterprise on its
security systems allowed business expansion to deal with customers the enterprise
did not know and may never have met. The current state of electronic commerce
(e-commerce), in which customers are geographically dispersed and anonymous, is
the logical extension of that trend.7 Where once trust needed to be earned over time,
it is now more routine to assume that a customer can be trusted until demonstrated
otherwise. The movement from “know before trusting” to “trust, but verify” is a
significant cultural shift across many societies, abetted by cultures of security being
established in enterprise after enterprise.

As information, especially in electronic form, becomes increasingly pervasive in
all aspects of culture, both the scale and inherent value of such information drives
a need for a more pronounced culture of security. The culture must take into
account many contending internal and external forces, but in the context of current
business conditions, the result must include at least a reasonable level of trust.
Setting the bar of reasonableness requires an understanding of the relevant risks, the
effectiveness of security measures and management’s tolerance for losses. In other
words, reasonability is a part of a culture of security and a culture of security is
established in the context of reasonability. This may be viewed as circular logic or,
preferably, as a virtuous cycle that refines a culture over time.

3.2 The Benefits of Consistency

Security should be boring. House keys are boring. Smoke detectors are boring.
When security is working, it is unobtrusive, functional and pervasive. Security is
noticeable only when it is not there when needed. It becomes quite exciting when
there is a security breach: People scramble to find every copy of a report; computer
emergency response teams (CERTs) mobilize to restore systems and networks;
datacenter staff travel to distant recovery sites; etc. Good security is virtually
invisible. Poor security is very evident indeed.

The essence of boredom is repetitiveness and continuity. The same key unlocks
the same door every time. A smoke detector sits in place, with a small light always
glowing. When information is secure, only authorized people have access to
it—always. It is always encrypted in storage, always kept in locked file cabinets,
never spoken of in public places and never left behind after a meeting. Security
is continually, constantly in place; working as expected; and clearly understood,
controlled, monitored and observed.

At least, that is the goal.

Security is derived from a combination of policy, technical and procedural
measures. Consistent security is a result of a culture that applies the same measures
in the same way all the time to all assets of similar value. Implicitly, the culture
must also support clear, well-communicated methods for determining the value of
information and for allowing exceptions to security processes on a controlled
basis. In this way, security can be well understood by all those who encounter
information. Moreover, organizational management can have a rational basis for
relying on the security measures in place and for recognizing the extent to which
security cannot be depended on.

3.2.1 Valuing Information

Not all information is of equal value, nor is a given item of information of the
same value all the time. For example, some information is of little or no value at
all to an enterprise (e.g., the bowling league scores). Other information may have
great short-term value, such as the price of a commodity or a stock, that diminishes
rapidly as it is made public. Some is transactional, with minor individual worth, but
great value in the aggregate. Some is strategic, with substantial impact if it were to
be lost, disclosed or manipulated. The test is to determine the:

Potential impact on an enterprise should certain events occur which
jeopardize the information and information systems needed by the
enterprise to accomplish its assigned mission, protect its assets,
fulfill its legal responsibilities, maintain its day-to-day functions,
and protect individuals.8

The potential impact of a lack of security is determined through a risk assessment
process, based on the classification or categorization of the information in question.
The means of classifying information, i.e., setting its value, are a part of a culture of
security. There is considerable debate as to the gradations of value, the metrics for
classification, the frequency and rigor with which information should be categorized,
who should perform the classification, etc. In terms of a culture of security, the
determination of these matters is unimportant as long as information is valued the
same way at all times by all those involved. This consistency reduces the chances of
introducing a security gap if the same information is felt to have different value by
different analysts. If consistently applied, it provides a realistic basis for management
to gauge the investment necessary for the appropriate level of security.

3.2.2 Exception Processes

Security can be undermined if it is too rigid. Standards may be set to govern a broad
range of uses of information, specifying what is and is not permissible for certain
categories and uses. It is impossible to foresee all conditions in which every sort
of information will be used. Inevitably, there are circumstances in which a valid
business case can be made for less (or more) security. If the rules are seen to be blind
to the context in which information is to be used, people will find a way around the
prescribed security measures. In such a case, the culture is typified not by what the
enterprise may expect it to be, but by the craftiness of those who would circumvent it.

The culture of a successful enterprise must recognize that there are exceptions to
every rule. If there is a standard procedure for adjudicating differences between
those responsible for security and those with a legitimate business need to deviate
from prescribed measures, that enterprise’s culture of security is typified by
flexibility and reasonableness. It may seem paradoxical, but consistent application
of exception processes actually creates a more effective culture of security than one
that is authoritarian and unbending.

Of course, it is possible to have too many exceptions, thereby invalidating the rules.
In such a case, the security culture becomes one typified by a “whatever you can
get away with” outlook. This is one instance in which there are metrics for security.
If a given enterprise’s security is based on all exceptions and no application of
standards, then the exception is the rule.
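
Two of the points above lend themselves to simple checks an enterprise can run over its own records: section 3.2.1 asks that the same information be valued the same way by everyone, and section 3.2.2 notes that the ratio of exceptions to applications of a standard is one of the few direct metrics a culture of security offers. The following is an added example, not code from ISACA or from this book; the register layout, the impact labels (low/moderate/high), the field names and every sample record are constructed for illustration, and the "protect at the stricter level until reconciled" rule in effective_level is an assumed policy, not one the text prescribes.

```python
"""Consistency checks for information classification and exception handling.

Added example, not part of the ISACA text. The register layout, field names,
impact labels and all sample records are constructed for illustration; an
enterprise would substitute its own classification scheme and its own logs.
"""
from collections import defaultdict
from dataclasses import dataclass

# Ordered impact levels (constructed labels; only the ordering matters to the checks).
LEVELS = {"low": 1, "moderate": 2, "high": 3}


@dataclass(frozen=True)
class Classification:
    """One analyst's valuation of one information asset."""
    asset: str
    analyst: str
    level: str


@dataclass(frozen=True)
class ExceptionRecord:
    """One deviation from a security standard, and whether it was adjudicated."""
    standard: str
    approved: bool


def find_inconsistent(classifications):
    """Return {asset: set(levels)} for assets that different analysts valued differently.

    A non-empty result is the gap section 3.2.1 warns about: the same information
    held to have different value by different people.
    """
    by_asset = defaultdict(set)
    for c in classifications:
        if c.level not in LEVELS:
            raise ValueError(f"unknown impact level {c.level!r} for asset {c.asset!r}")
        by_asset[c.asset].add(c.level)
    return {asset: levels for asset, levels in by_asset.items() if len(levels) > 1}


def effective_level(classifications, asset):
    """Highest level any analyst assigned to the asset.

    Assumed interim policy: protect at the stricter level until the disagreement
    is reconciled through the enterprise's classification process.
    """
    levels = [c.level for c in classifications if c.asset == asset]
    if not levels:
        raise KeyError(f"no classification recorded for {asset!r}")
    return max(levels, key=LEVELS.__getitem__)


def exception_rates(applications, exceptions):
    """Per standard: (share of cases handled as an exception, count of unapproved exceptions).

    applications maps standard -> number of times the standard was applied as written.
    Unapproved exceptions are deviations that bypassed the adjudication process.
    """
    counts = defaultdict(lambda: [0, 0])  # standard -> [exceptions, unapproved]
    for e in exceptions:
        counts[e.standard][0] += 1
        if not e.approved:
            counts[e.standard][1] += 1
    rates = {}
    for standard in set(applications) | set(counts):
        applied = applications.get(standard, 0)
        n_exc, n_unapproved = counts.get(standard, [0, 0])
        total = applied + n_exc
        rates[standard] = (n_exc / total if total else 0.0, n_unapproved)
    return rates


def exception_is_the_rule(rates, threshold=0.5):
    """Standards bypassed more often than they are applied (threshold is an assumption)."""
    return sorted(std for std, (ratio, _) in rates.items() if ratio > threshold)


# Constructed sample data: a small classification register and exception log.
SAMPLE_CLASSIFICATIONS = [
    Classification("customer-pii", "alice", "high"),
    Classification("customer-pii", "bob", "high"),
    Classification("commodity-price-feed", "alice", "high"),
    Classification("commodity-price-feed", "carol", "moderate"),
    Classification("bowling-league-scores", "bob", "low"),
]
SAMPLE_APPLICATIONS = {"encrypt-at-rest": 40, "dual-approval-po": 3, "clean-desk": 50}
SAMPLE_EXCEPTIONS = [
    ExceptionRecord("encrypt-at-rest", approved=True),
    ExceptionRecord("encrypt-at-rest", approved=False),
    ExceptionRecord("dual-approval-po", approved=True),
    ExceptionRecord("dual-approval-po", approved=True),
    ExceptionRecord("dual-approval-po", approved=True),
    ExceptionRecord("dual-approval-po", approved=True),
    ExceptionRecord("dual-approval-po", approved=True),
]

if __name__ == "__main__":
    print("inconsistent valuations:", find_inconsistent(SAMPLE_CLASSIFICATIONS))
    sample_rates = exception_rates(SAMPLE_APPLICATIONS, SAMPLE_EXCEPTIONS)
    for std, (ratio, unapproved) in sorted(sample_rates.items()):
        print(f"{std}: {ratio:.0%} handled as exceptions, {unapproved} unapproved")
    print("exception is the rule for:", exception_is_the_rule(sample_rates))
```

On the constructed data the price feed is flagged because two analysts disagree on its value, and the dual-approval standard for purchase orders is flagged because it was bypassed five times against three applications. Neither finding says the culture is broken by itself; the first is a reconciliation task for the classification process, and the second is the signal that the standard, or the business need behind the exceptions, should be revisited rather than waved through again.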

3.2.3 Risk Management

One of the logical outcomes of an exception process is the decision to determine
that a risk is not credible and, thus, to accept it. Some security specialists find it
difficult to acknowledge that, at some point, it is more prudent not to secure an
asset than to do so. That may be because the asset in question is not considered
sufficiently valuable or because the cost of protecting it is seen as being too
high. Security professionals can enter into this decision, but their bias in favor
of protection, perhaps at all costs, renders them unable to be the final arbiter.
Sometimes, enterprises can justifiably accept a risk of misuse of some information.

Again, the determinant in terms of a culture of security is consistency. It is
unacceptable to simply take a risk without an agreed-on process to make and
validate risk acceptance decisions. There are three aspects, or domains, of risk as
the term applies to information: governance, evaluation and response. A
standardized governance of risk (i.e., of deciding whether to mitigate, transfer
or accept risks) is a distinct part of a culture of security. If a culture allows any
manager to blindly evaluate and accept the risk of information misuse, then it is one
of permissiveness—not of protection and certainly not of prudence. Moreover, once
a determination has been made concerning the appropriate response, an enterprise
with a viable security culture is more likely to see the necessary actions followed
through. The benefit of consistency in risk management is that all participants can
respect the decisions made, even if they disagree with them.9

Risk management is not a democratic process. Some stakeholders weigh in more
heavily than others in making risk-related decisions. However, if the methods are
consistent and the information on which the decisions are made is trustworthy, then
the integrity of a culture of security is preserved.

3.2.4 Predictability
One of the byproducts of consistency is a reasonable expectation that the same
process, tool or procedure will render the same results, time after time. This may
be particularly important for security purposes. If security is operative today,
all involved have a right to anticipate that it will work the same way tomorrow,
i.e., that permissible access will be allowed, with all others denied. Information
systems need to be built in the expectation of a certain level of overall security
so that developers can accurately gauge on what their systems can rely outside
an application and what they must build into it. Without predictability, each new
application development would require revisiting security from the top.

An advantage of a predictable security culture is that it is measurable, albeit
indirectly. A computer program can be tested to ensure that it works as specified.
Except for the simplest programs, it is not possible to test all possible logical
permutations to prove that a program is correct. Likewise, information security
cannot be proven to work all of the time, that is, predictably,10 but to the degree
that security does operate as expected, it is an indicator of the vitality of a culture.
Security incidents may be indicators of weakness in a culture of security. However,
if an enterprise responds promptly and effectively to an incident and, in particular,
uses it to strengthen protection, it may also be indicative that a culture of security
exists and is functioning well.

There is another aspect of predictability that bears on a culture of security: the
ability of an enterprise to foresee the risks it will face and to implement measures
proactively to deter them. In numerous instances in recent years, from terrorist
attacks to financial failures to hurricanes, there is a reaction by those who should
have known better that “no one could have anticipated this.” Often, there was
willful ignorance of the potential for harm and preventive or responsive measures
could have been put in place. Foresight is an essential cultural artifact of a
predictable culture attuned to risks and their reduction.

3.2.5 Standardization
If consistency requires security to do the same things time and again, then it ought
to do them the same way. To that end, enterprises settle on standard operating
procedures (SOPs); standard tools; and, well, standards. An important benefit of
standardization is that doing anything in a standardized manner leads not only
to effectiveness, but also efficiency. People within an enterprise do not have to
reinvent methods and practices, but can simply apply those that have worked in the
past to future endeavors. (There is a risk that should not be overlooked, of standards
becoming hidebound and restricting progress.)

There are two types of standards that contribute to a culture of security. Some are
internal to an enterprise, and others are generalized across an industry (e.g., the PCI
Data Security Standards [PCI DSS]), a nation (e.g., those of the American National
Standards Institute [ANSI] or British Standards Institute [BSI]) or the globe (e.g.,
the ISO standards referred to previously). The benefit of external standards is that
they lend themselves to certification, as is the case with ISO 2700111 for security
generally or British Standard (BS) 2599912 for business continuity management
(BCM). Certification itself has two benefits: It promotes a culture of security
and builds internal support for it. Within an enterprise, who would want to be the
cause of it losing its certification? Moreover, certification inspires trust among
business partners. If unable to look deeply into one another’s security practices,
they can place reliance on an independent third-party’s assurance that, at minimum,
a publicly described standard of security has been attained. Certification is a
benchmark of trustworthiness that may be a part of the glue that holds an extended
enterprise together. By the same token, certification is not an unbounded assurance
of security or recoverability. Any individual or enterprise wishing to place reliance
on an associated business’s certificate must understand exactly what is certified.13

Internal organizational standards are the codification of an intentional culture of
security. It is important to remember that standards are prescriptive and aspirational.
They state what management in a given enterprise believes security should be (as
opposed to external standards, which capture generally accepted best practices).
Yet another metric of a culture of security is the comparison of internal and
external standards to see how close management’s intentions are to best practices.
The adherence of an enterprise to its own standards is then subject to audit. The
links—strong, weak or broken—among actual practice, management’s expectations
and globally stated norms are accurate indicators of how entrenched a culture of
security is within an enterprise.

3.3 Improved Ability to Manage Risk

There is risk in every enterprise. Some of it is evident and is addressed through a
risk management process. In some enterprises, risk management is robust and
deals thoroughly with all aspects of strategic, compliance, financial and operational
risk.14 There is a widespread understanding that risk management requires a central
coordinator or champion. Within certain industries, the position of the chief risk
officer (CRO) fulfills this role. The CRO is given the task of coordinating and
overseeing the enterprise’s risk at an enterprise level and reports to a high level
of management.15

In other enterprises, the risk management function is little more than buying
insurance. It is true that risk transfer is one acceptable response to risk; nonetheless,
where risk management is thought of as purely insurance, it fails in its overall
responsibility to the enterprise also to mitigate, control or formally accept risk.

Risk management and security are—or should be—partners in mitigating and
controlling risk within an enterprise. This is very apparent in information-intensive
businesses whose stock in trade is not tangible goods, but data. These would
include financial services16 and many enterprises that sell information, such as
photographs or music, over the Internet. It is unclear whether a culture of security
leads to formal recognition of the importance of risk management or vice versa.
It really is not important. What is clear is that a culture of security creates an
environment that is receptive to understanding and dealing with risk in all forms,
not least those related to information.

Some of these risks are stated in standards and textbooks. Focusing on those risks
results in standard, textbook responses. Risk management has the greatest benefit
in dealing with evident, but unexpected, possibilities, so-called “black swans.”
Both the term and the concept were popularized by Nassim Nicholas Taleb,17 and
these sorts of risks are very much in the consciousness of many risk managers
today. Black swans are credible risks that are so far out of common experience
that they are not given the credence they deserve. Recently, the new term “white
swans” has arisen and means, in general, the ability to see and respond to risks
that are before everyone’s eyes and to take action against them with a view beyond
short-term financial interests. The economy of an enterprise whose business is
based on a sound understanding of the value of its resources will be significantly
healthier than the economy of an enterprise whose business lacks a strong,
value-based approach.18 A value-based approach to risk is more than a white swan;
in the context of information, it is a distinct part of a culture of security.

A culture of security does not, in itself, result in lower risk, although it should
contribute to lowering it. Where such a culture exists, personnel will be more
attuned to risk, better able to see the risks in the way that information is managed
and more likely to use information securely because they comprehend the risks to
themselves and to the enterprise if they do not.

3.4 Improved Return on Security Investment

Perhaps one of the reasons that a culture of security is thought of as the “soft” side
of security is that there is nothing to go out and buy. A pattern of behaviors, beliefs,
assumptions, attitudes and ways of doing things does not show up in a box, but that
does not mean that such a culture is free. It costs money to instill attitudes, change
behaviors and operating procedures, and instill a sense within an enterprise that
security adds value to an enterprise that supports it.

Of course, the software and hardware needed to implement much of security,
especially over electronic information, do come in a box and also cost money.
There are many questions confronting management in many enterprises regarding
how much security is required, what the ratio is between the money spent and the
security obtained, what the long-term total cost of security is, and how the return on
investment (ROI) can be measured and justified. The answers to these questions are
generally encompassed in the term “return on security investment” (ROSI). ISACA
has long understood the importance of ROSI:

Clearly defining ROSI is critical for enterprises to attain business
objectives. To obtain a reasonably accurate estimation of ROSI,
the enterprise needs to determine its security requirements and the
most appropriate measure of ROSI, and establish metrics to collect
information to measure ROSI. Business operations today recognise the
significance of security measures as well as the risks and consequences
involved in ignoring the impact of security to business operations.
Decision makers are required to quantify, review and modify security
metrics periodically to ensure effectiveness of the security measure.19

This subject is too dense and too well explored to be expanded on further here. The
relevant matter is whether a culture of security affects ROSI and whether the impact
is positive or negative. On the surface, it would seem that an enterprise with a more
pronounced culture of security would invest more in security than one without such
a culture. It would buy more security products, hire more security professionals,
and have more complex procedures for implementing and maintaining security.
However, that only looks at one side of the ledger. It does not factor in the expected
returns from the expenditures, the net present value of information resources
over time, annual loss expectations or the cost of recovery if security is breached.
Indeed, there are many ways of calculating ROSI, each with inherent biases in
favor of maximizing security or minimizing the effect of breaches.20 These are
not necessarily the opposite sides of the same coin, inasmuch as the reputational,
social, moral and professional value of security cannot always be stated in purely
monetary terms. There is no way to balance the recognized cost of prevention with
the unrecognizable savings from events that do not happen because the preventive
measures are in place.

Implicitly, then, an enterprise with a culture of security places a value on the frauds
that do not occur, the audit reports that do not need responses, the remediation and
recovery costs that do not have to be incurred, or the disaster that did not disrupt
business operations. The question is whether the ROSI attributable to a culture
of security is an article of faith or whether it can be demonstrated. There are
calculations intended to optimize the investment in security,21 but it remains to be
seen whether they can be tied to a cultural impetus.

One of the difficulties in linking ROSI and culture is that there are many
investments in security that are nondiscretionary. They are mandated by laws
and regulations, so even the most risk-tolerant, security-averse management must
implement some level of security. For example, privacy is required across the board
in some areas of the world and is specified by law in certain industries in other
nations. Additionally, there is a level of prudence that leads to expenditures that no
sensible manager would dispute. For example, who today would operate without
virus filters or firewalls?

The intersection of a culture of security and the investment in protection is in how
much and how well the security will be applied. For instance, a law may call for a
chief security officer (CSO), but it does not say how much the person ought to be
paid, how large a staff there must be or with which software tools the function must
be equipped. There is an implied rule of reason,22 a context that is an essential part
of a culture. It is not so much that a culture of security increases or decreases ROSI,
but that it contributes to reaching the appropriate balance.

The ROSI benefit of a culture of security is that it creates an environment in
which an enterprise can determine the right mix of investments: security products,
insurance and acceptance of the costs of security-related incidents. With explicit
and consistently applied processes for evaluating risk, enterprises are more likely
to fund the most effective means of securing their information. If pure operating
expenses were the only determinant of ROSI, then enterprises should implement
only the minimum amount of security and obtain insurance to recoup the cost of
the inevitable incidents. As stated, this does not take into account the many impacts
on an enterprise that are not measured monetarily or, at least, the cases in which
financial impact is felt only over time and indirectly by diminished reputation and
lost market share. It must also be remembered that incidents still occur, no matter
how great the expenditure on security.

A culture of security comes into play in the middle ground between required security
and clearly excessive spending. These categories are not clearly defined, but fuzzy sets
of values lend themselves to conveying a large amount of information with a very few
words. They make it possible for people to manage uncertainty as characterized by
structures that lack sharp, well-defined boundaries. To that extent, a culture of security
is rightly “soft” in the sense of a soft focus, one that provides a fuzzy, nondiscrete,
poorly defined view of the requirements for security. It is better to be approximately
right than to be wrong with mathematical precision. Numbers, after all, are as subject to
(mis)interpretation as are behaviors. Those looking for “hard” facts and figures would
do well to look elsewhere than into the culture of an enterprise, but they would fail to
take advantage of real forces that guide, steer and push enterprises to the right decisions.

3.5 Compliance With Laws and Regulations

It is fair to say that regulations encapsulate good practice—various measures
that enterprises should be implementing anyway. To the degree that this is so, a
supportive culture makes compliance easier, if not easy. No one can say that a
culture of security enables compliance with a particular law or regulation. Rather, a
culture of security makes an enterprise more amenable to complying with laws and
regulations generally and makes compliance a routine part of operations. A defining
characteristic of a security culture may be that an enterprise always seeks to be in
compliance with the laws and regulations of the area in which it operates. Doing
otherwise could possibly endanger its survival, as has happened to several failed
companies in recent years.

There are three competing views of regulation. Regulation is:
• An unnecessary intrusion into management’s discretion in running its business
• A necessary contributor to an orderly society. Some countries exercise regulation
lightly while others are more authoritarian and dictatorial.
• The basis for competitive advantage23

Whichever the view, enterprises comply unless they deliberately court penalties
with disobedience. Some do so grudgingly, to the least extent possible, while
others embrace the framework that regulations imply. It is not necessary to say
that enterprises with strong security cultures are compliant to recognize that those
without such a culture are more likely to find regulations burdensome.

Those seeking to build a culture of security can use laws and regulations to their
advantage. Where security is legally mandated, external rules can be used to force
internal action. However, imposing a culture in the name of compliance may
change behaviors, but it also hardens negative attitudes about security. Moreover,
those enterprises that operate globally must meet so many regulations that all
investments in security may seem arduous.

A more beneficial approach is to use required security as a baseline for
discretionary measures. The security measures needed to comply with regulations
have a price. Those may prove sufficient to meet the security needs of an enterprise,
with or without regulatory pressure. If additional security is felt to be necessary,
given the risks an enterprise faces, the cost for additional measures is easier to
justify. (If the cost of compliance is x, then, for just a relatively marginal amount,
even better security can be achieved.) However, using regulation as a basis for a
security program is merely a diversion from the basic requirement to observe legal
and regulatory requirements.

The benefit of a culture of security is that it fosters proactivity, which enables an
enterprise to position itself in front of externalities and base its security profile
on its own needs rather than those imposed by laws and regulations. In the long
run, there are savings to be achieved by anticipating problems rather than reacting
to them when they arrive. In many, if not most, cases, the steps taken to meet
perceived organizational security needs may be sufficient to satisfy regulatory
bodies as well, and when they are not, the cost of compliance may be subsumed
into that of security itself. The price will be paid regardless, but where there is
a culture of security, the price may be seen not as an additional burden on the
enterprise, but as a part of the investment in overall organizational growth.

3.6 Shareholder/Citizen Value

The greatest benefit of a culture of security is that those enterprises that have
one are simply better enterprises than those that do not. Private companies with a
culture of security create greater value for their shareholders. Government agencies
deliver greater value to their citizens. Real value is derived from profits and mission
accomplishment in the short term. The ability to continue to create value is based in
an enterprise’s culture.

It is perhaps easier to see that a culture of service pleases customers, a culture of
growth pleases investors and a culture of productivity pleases employees. However,
who derives pleasure from security? As long as security is viewed as a negative,
restrictive factor within an enterprise, it is hard to see who gains benefit from it.
Security professionals are often heard to say that security is an enabler,24 not an
inhibitor. This means that secure information is a baseline requirement for any
enterprise to prosper. If the information that flows through an enterprise cannot be
trusted, then that enterprise will be unable to compete effectively.

As noted previously, this is all the more the case for those enterprises whose
business is the provision of information. For these businesses, service, growth and
productivity—to say nothing of profitability—are directly linked to the quality
of the information provided, and security is an attribute of quality. A culture
of security allows all stakeholders, from the lowest-paid employee to the chief
executive officer (CEO) to the investors, to see the alignment of business and
security objectives.

Even in enterprises whose products are tangible goods, there is valuable information
behind the products. Recipes, formulas, production processes, research, etc., are all
information that leads to the items such companies sell. They cannot take or satisfy
an order, find a product in a warehouse, or track delivery and payment without
information. Again, the quality of the information is a major contributing factor in
the success of the products.

A culture of security in concert with other aspects of a corporate culture is the
foundation of organizational continuity. To the extent that an enterprise experiences
the shocks of catastrophic events, its disaster recovery planning is certainly the
basis for ongoing success. A culture that values information and supports the
measures to preserve it and use it correctly is also more likely to be a continuing
institution than one that does not. A culture of security permits management to see
the benefits of security and not just the costs. More important, it leads an enterprise
to the appropriate level of security given the context of its business.

The words “context,” “appropriate,” “alignment” and “value” recur frequently in a
discussion of any culture. Where a culture is, is a question of security. Sadly, there
is an obstacle of ingrained negativity to be overcome in establishing what should
be a natural extension of any enterprise’s foundational principles: Do not betray
confidences, always live with integrity, prepare for the worst while expecting the
best, etc. In other words, integrity, confidentiality and availability are not addenda
to a corporate culture. They are always there.

Endnotes
1. Ibid., p. 12
2. Ibid., p. 8
3. ISO, ISO/IEC 27002, op. cit., p. 23
4. Powers, Burke; “Strategic Nimbleness as a Business Culture,” 2 August 2005,
http://strategicchange.blogspot.com/2005/08/strategic-nimbleness-as-business.html
5. Connor, Darryl R.; How to Create the Nimble Organization, John Wiley & Sons,
USA, 1998, p. 68-69. Note that Connor is referring to a culture of nimbleness, not
security. The point here is that one cannot exist without the other.
6. Ross, Steven J.; “The Vanished Perimeter,” Information Systems Control Journal,
vol. 5, USA, 2003. See also van Wyk, Kenneth; “How to Protect a Vanishing
Perimeter,” eSecurity Planet, 4 April 2005, www.esecurityplanet.com/views/
article.php/3494991/How-to-Protect-a-Vanishing-Perimeter.htm.

7. ISACA, e-Commerce Security: A Global Status Report, USA, 2000, p. 59-62, passim.
8. US National Institute for Standards and Technology (NIST), Standards for
Security Categorization of Federal Information and Information Systems,
(FIPS 199), USA, February 2004
9. ISACA, The Risk IT Framework, USA, 2009, passim.
10. The unprovability of programs is a concept associated with Edsger Dijkstra and is
also known as formal verification. There have been a number of academic studies of
formal verification as applied to security. For example, see Taha, Ahmed H.; “Formal
Verification of IEEE 802.16 Security Sublayer Using Scyther Tool,” Concordia
University, USA, 2009, http://hvg.ece.concordia.ca/Publications/Confrences/
N2S09.pdf. See also University of Birmingham, USA, www.cs.bham.ac.uk/research/
groupings/formal_verification_and_security/, and Research Center for Information
Security (Japan), www.rcis.aist.go.jp/project/softverification-en.html.
11. Op. cit., ISO, ISO/IEC 27001
12. British Standards Institute (BSI), “Business Continuity Management—Part 2:
Specification,” UK, 2007
13. Ross, Steven J.; “Certification and the Disappearing Perimeter,” Information
Systems Control Journal, vol. 6, USA, 2008
14. Institute of Risk Management, et al., “A Risk Management Standard,” UK, 2002, p. 2
15. Conference Board of Canada, et al., “A Composite Sketch of a Chief Risk Officer,”
Canada, 2001, p. 1
16. Ibid., p. 2. In this report, 45 percent of the respondents were in financial services.
Therefore, notably, 55 percent were in other industries.
17. Taleb, op. cit.
18. Featherby, James; “The White Swan Formula,” London Institute for
Contemporary Christianity, UK, 2009, p. 6
19. ISACA, “IT Audit and Assurance Guideline G4, Return on Security Investment
(ROSI),” USA, 2010, p. 2
20. Ibid., p. 4-6, passim
21. Ibid., p. 6-7
22. Ross, Steven J.; “ROSI Scenarios,” Information Systems Control Journal, vol. 3,
USA, 2002
23. Sethuraman, Sekar; “Turning a Security Compliance Program Into a Competitive
Business Advantage,” Information Systems Control Journal, vol. 5, USA, 2007
24. Just two of many applicable references are: Bardin, Jeff; “Security as an
Enabler,” 2007, http://blogs.csoonline.com/security_as_an_enabler, and
Thompson, David (chief information officer [CIO] of Symantec); “Security as an
Enabler” (podcast), http://blogs.csoonline.com/security_as_an_enabler.

4.0 Inhibitors to a Culture of Security

If a culture of security is as beneficial as described in the previous chapter, why do
enterprises not have the culture they need relative to the context of their operations?
The answer lies at the heart of security, which is intended to prevent negative
events from occurring. Does that make security itself an inhibitor of other gainful
activities within an enterprise or their enabler? The fact that there is discussion at
all of creating a culture of security is indicative that there is a widespread view of
security in the former light and a belief that steps can—and should—be taken to
move the viewpoint toward the latter.

In some societies, little children are taught that the police officer is their friend.1
Why is that message even necessary? Is it globally true? The message perhaps
unintentionally transmitted is that there is a reason to consider the police officer not
to be a friend. At best, the police officer is a crime fighter—at worst, someone who
is menacing to average citizens. If the imagery of policing is dominant in portraying
security of any sort, no less information security, it brings out the thought processes
imparted directly and indirectly from a very young age. The police officer is your
friend … and so is the information security officer.

The negativity toward security manifests itself in a number of ways. Rarely is
anyone opposed to security; who could favor insecurity? The antithetical viewpoints
arise over the extent, cost, reach, enforcement and application of security. There is
a legitimate point of view that security should be no more than the minimum
consistent with due diligence, that anything more creates an imposition on an
enterprise. This may be true enough, but it invites discussion and dissension on
what is the minimum; what is prudent; and, not the least of which, who is going to
pay for it.

To overcome the inhibitors to a culture of security, they must be understood and,
if they cannot be eradicated, at least neutralized. It is insufficient to simply insist
on security as a directive imposed from above. That approach may or may not
lead to security, but it certainly dampens any enthusiasm for a culture of security.
Successful creation of such a culture depends on all or at least most stakeholders
accepting and promoting security as something of benefit to themselves. It
necessitates creating an image of security to compete with the police officer, locked
safe, chains, etc. Security must be seen as an essential contributor to business and
not a necessary, but unwelcome, burden for an enterprise to carry.

4.1 Societal Culture

As noted in section 2.2.1, a culture of security is conditional to the culture within
the enterprise and even more so by the cultural assumptions of the broader
society within which an enterprise exists. The term “secure” may evoke different
images around the world, including the assurance that comes from believing that
no harm will come to individuals, homes, families and populations. With only a
little thought given to the matter, it is clear that those assumptions are not always
supported: Bad things do happen, all the time and in the least expected ways.
Where there is a long history of peace, prosperity and comfort, the expectation of
security, while unfounded, is, in actuality, supported by experience. Lives are led
securely because negative events of a serious magnitude happen rarely enough that
sanity allows people to live in blithesome ignorance of the threats around them.

The security of information within an enterprise is similarly conditioned by the
sense that its information is not under attack. Information resources are used
routinely by many people without incident. Much of the information would
seemingly be of little interest to anyone outside the enterprise. Sadly, many people
have had brushes with insecurity. Their personal computers acquired a virus, they
left a report on the bus, their networks were brought down by denial of service
(DoS) attacks, documents were taken from their desks, etc. At that point, their
happy illusions of security were shattered and they became aware of the need for
more exacting measures to protect their information. The seeds of a culture of
security may have been planted, but once the particular event was past, it was easy
to slip back into comfortable complacency.

Complacent forgetfulness leaves an opening for thought patterns that are perhaps
the most destructive to a culture of security, one that is, to a degree, prevalent
in many societies: Information wants to be free.2 People in many societies have
become used to having the greatest compendium of information ever assembled
available to them only a few keystrokes away. That expectation may be extended
in their mind to all information on the Internet and everywhere. Of course, all
societies keep a great deal of information secret and inaccessible. In dictatorial
nations, much political and economic content is censored and constrained. Even
in more liberal countries, information needed for national security is kept closely
guarded. If every country has the government it deserves,3 then those governments
impose security on the information they do not want their people and enemies to see.
If the government’s or the corporation’s leadership is understood to be repressive,
there is a powerful incentive to bypass any protection and controls that seem to get
in the way of whatever people want to do with the information they seek.

Where security is seen as the instrument of repression, there will indeed be a culture
of security, but that culture will be seen as a malignant one. Security in a society that
values freedom is not the enemy, but where the institutions of society are perceived
as existing for the purpose of limiting freedom, it is very difficult to build the trust
that a culture of security is supposed to nurture. The values of a society may propel
or inhibit the development of a culture of security as a positive contributor to an
enterprise’s success. Where security is viewed with suspicion in everyday life, it may
well be contrary to self-interest to assume that security is beneficial.

4.2 Lack of Organizational Imperatives

Just as the values of a society affect its culture of security, so do the values of an
enterprise influence its perspective on security. Commercial companies succeed
in the marketplace based on one or several strategies, such as better products,
lower price, greater customer service or higher fashionableness. Organizational
imperatives follow from these strategies: Make it better, cut costs, be more nimble
or get ahead of the curve. There have been numerous cases reported in recent years
in which “make it safer” has been an imperative, often after a product has been
shown to be unsafe.

When an enterprise’s product is information, security is understood to be a
strategic attribute of success, but it is difficult to obtain a consensus on the
relative importance of various aspects of security. Is it more important to
protect information resources from misuse or unavailability, from disclosure or
manipulation, or from privacy breaches or regulatory criticism? It is insufficient to
say “all the above” because security budgets are not infinite nor can all threats be
treated as equally credible.

For companies whose primary products are tangible and personally delivered
services, not information itself, the arguments for security become more tenuous.
Every investment in the security of information is one not made in new production
facilities, training or personnel. Even if information is intrinsic to making money,
it is often difficult to see how securing information is connected to the money
that is made. Where that connection is unclear, there is unlikely to be any clear
organizational priority for the security of information. In part, the purpose of a
culture of security is to make the identification of security with success more
evident. With perfect circular reasoning, there can be no culture of security where
security’s relationship with organizational success cannot be readily demonstrated
and understood, while the demonstrability and understanding of the link depends on
there being a culture of security.

Cutting through this dilemma necessitates clear imperatives for security. In
regulated industries, those obligations are externally imposed, although regulated
companies may differ on how far their requirements must take them. In all
enterprises—regulated or not, public or private, or profit-making or charitable—
there must be an executive commitment that necessitates the protection of
information by everyone if there is to be a culture of security.

© 2011 ISACA. All Rights Reserved. 59
Creating a Culture of Security

It is easy to demonstrate the dedication to security in a negative sense. If someone
misuses information, there are penalties that may result in termination or
prosecution. However, it is harder to show in a positive fashion that acting securely,
much less believing in security, is personally beneficial to the individual. It is hard
to connect secure behavior to raises and promotions. Acting securely is a basic
assumption of employment, or so it may be believed. It is no more necessary to
emphasize keeping information secure than it is to prohibit breaking the furniture,
but it is evident when furniture is broken. There are metrics for sales, profitability
and service that are not available for security.

Therefore, the need for security is left unspoken in many instances. Silence is not
motivational. A culture would make explicit what is often assumed, but in the
absence of a vocal, compelling imperative for security from the top, it is difficult to
mobilize the enthusiasm and support of people throughout an enterprise. A culture
of security cannot grow in quiet darkness.

4.3 Unclear Requirements

Even if the overall imperative for security were distinctly understood within an
enterprise, the specific requirements to fulfill the implied obligations are often
unclear, at least to those who must articulate them, to say nothing of those who must
carry them out. In part, this is because the only clear “owner” of security is the head
of the information security department, often called the chief information security
officer (CISO). This individual may be responsible for the security of all information
in whatever form it may be, but in practice, the CISO focuses on information only in
electronic form. In most instances, the CISO reports within the business group of the
chief information officer (CIO) and is often oriented toward protective mechanisms
such as firewalls and virus filters, identity management software, encryption, and
access control. These are unquestionably important tools for data security, but
paradoxically, they may stand in the way of a culture of security.

The role of the CISO and all the measures put in place by the CISO to protect
information on computer systems and networks create the impression, in some
quarters, that security is the domain of the CISO and that no others need concern
themselves about it. The focus on the CISO security role is so intense that others
have no clarity about their participation and contributions to it. The users of
information look to the CISO to protect their information, as do executives,
operators, clerks, staff personnel, salespeople and the janitor. Security becomes
invisible because someone else, i.e., the CISO, is taking care of it. In the immortal
words of Douglas Adams, the way to make something disappear is to declare it to
be someone else’s problem (SEP). “An SEP is something we can’t see, or don’t see,
or our brain doesn’t let us see, because we think that it’s somebody else’s problem. ...
The brain just edits it out, it’s like a blind spot.”4 This, specifically, is a major
inhibitor to a culture of security.

Rarely will an executive make clear what is required of all parties within an
enterprise to protect its information. At best, there may be a broad goal, often stated
as “security is everyone’s job.” If it is everyone’s job, it is no one’s in particular.
Worse, “everyone” has no tasks assigned, no product to deliver and no metrics to
achieve. General business users of information may comprehend their roles and
keep their passwords secret, desks clean and lips shut, but most people simply
trust their fellow workers to use information responsibly. As previously stated, a
culture of security fosters trust, but trust, in the absence of a culture that would
produce adequate security, is simply blind faith. Faith has its place in the world, but
information security is not that place.

In an ideal culture of security, all personnel in an enterprise would understand the
value of the information they use and make their contribution to security to the
fullest extent required. Alas, such perfection is beyond mere mortals, but it is an
approachable, if not attainable, goal. This is an important point: A culture of security
is unlikely to produce perfection. Nothing can do that. However, a thorough culture
can make security as good as it can be—and, one hopes, as good as it should be.

4.4 Insufficiency of Awareness Alone

Much of the literature regarding a culture of security spotlights awareness as a
vital component of the culture. It is undoubtedly true that ignorance of security
will impede a security culture, but being conscious of security, by itself, is hardly
sufficient to propel such a culture. In fact, security awareness is actually more
nuanced. The term is generally used to mean an understanding of the:
• Fact that risk exists
• Threats that contribute to that risk
• Available countermeasures
• Individual’s role in exercising those countermeasures

Finally, and perhaps most important for the development of a culture, security
awareness implies a political argument: that security is actually a good thing for
the individual, an enterprise and society as a whole. For those already attuned to
security, it may be difficult not to see the validity of all these points. The challenge
in developing a culture of security is to communicate all of the concepts raised here
to people who actually do not comprehend any or all of them.

4.4.1 Comprehension of Risk

Most people who live in cities are aware that they face certain urban risks, and so,
at a minimum, they lock their doors. They believe that if they were to leave their
doors open, someone may steal their possessions (or worse). A door lock may not be
sufficient to stop a determined thief, but it is a prudent security measure. Therefore,
locking their doors becomes a routine part of going out and coming in. These people
know that keeping their possessions is good for them and have internalized at least
this simple measure of security.

There are places in the world where people do not lock their doors—they may not
even have locks—and only in exceptional circumstances do they feel unsafe. Outside
of the exceptions, they are right. They are not unaware of security; they feel secure
in the context of their own environments. Heightening their awareness of potential
threats—far away—would do little or nothing to alter their beliefs or behaviors.

Many enterprises feel like small villages to those who work there—where everyone
knows everyone; desks are left unlocked with papers strewn atop them; and no one
looks at other people’s computer screens, much less impersonates others by using
their passwords. Management encourages a sense of common purpose, togetherness
and trust. The cafeteria, company basketball team and holiday party all conspire to
make business feel like high school. It is not that people are unaware of threats to
the security of information; it is just that they cannot internalize a belief that they
themselves are at risk. A culture of security will not arise by raising their security
awareness. Their everyday experience will tell them that the person trying to do so
is a mad “Cassandra” (even if Cassandra was right).5

Security awareness does have a place within a culture of security, but reliance
on awareness to create such a culture is misplaced. It may be that an appropriate
security culture can be maintained by a good awareness program, but to change
a culture, all existing cultural measures must be reengineered.6 Thus, reliance on
awareness alone to create a culture of security results in inhibiting the very culture
desired. To return to the village where people do not lock their doors, the likeliest
reaction to a threat that affects the community would be to seize pitchforks and
torches and hunt the monster down. Once that particular threat is taken care of, the
villagers can return to their peaceful, trusting lives.

4.4.2 The Personal Experience of Security

In the context of information security, there have been repeated waves of just the
sort of reaction as exhibited by the previously mentioned villagers. Computer
viruses were seen as a deadly threat to information systems. Then, antivirus filters
were made available and people trusted these to protect them. Hackers were going
to bring enterprises to their knees, but intrusion detection systems and firewalls
reduced the sense of menace and again trust reigned. Over and over, awareness of a
particular hazard overwhelmed the general understanding that information resources
are perpetually at risk. Awareness of a threat may initiate action against it, but does
not, by itself, change the culture.

On the other hand, where there is a culture of security, appropriate action will
generally be taken against the most relevant risks, not just specific threats at a
particular moment. That is because the people who are the vessels for the culture
take risk seriously and internalize it into a system of behavior, not just a reaction to
individual perceived threats. There is no conscious decision on the city-dweller’s
part as to whether to lock the door. It is an ingrained action because the possibility
of harm is (or so it seems) self-evident. The countryside is not crime-free nor is
every building in every city under siege, but the rural and urban cultures form
attitudes and behaviors that, over time, prove themselves. People who live in rural
areas are often shocked when crime occurs; urban folk may live without crimes
affecting their own lives for years. Neither unexpected crime nor unanticipated
safety changes attitudes and cultures, at least not in the short term.

There may be misuse of information resources occurring all around, but it is
invisible. No one takes information off a desktop, discloses private data or hacks a
web site in front of an audience. One of the great dilemmas of information security
is that, unlike tangible possessions, information can be stolen and not be gone. Only
when information that should have been kept confidential or private is known to
have been disclosed are people aware that it has been misused. Data may have been
leaking for months, but the victim recognizes the loss all at once. An internalized
understanding of the ongoing risk may lead to a change of culture; short-term
awareness of an event perceived as a singularity will not.

Even where a threat is well documented and apparent to all—such as with computer
viruses—awareness, by itself, does not lead to routine action. Antivirus filters
must be continually enhanced to recognize and erase new variants, but experience
has shown that people do not regularly download updates by themselves. They
know that they should back up their files in case a virus does strike, but that, too,
occurs only irregularly. They are not acculturated to the risk, even if they are aware
of it. Thus, modern antivirus filters update themselves automatically, and many
enterprises choose to employ systems to back up hard drives whenever users log on
to their central networks, without the intervention of the information owner or user.

The inhibition that awareness places on the creation of a culture is often caused
by the way in which the need for security is communicated. If the insecurity of
information is seen as harming the enterprise, then it would seem sensible that
members of the enterprise should take responsibility for it. However, when security
becomes the domain of the IT function and the CISO (SEP), others feel absolved
of responsibility. Security is not seen as something that should be addressed by
the individuals because they are not the ones who will suffer the harm, or so
individuals can come to believe. In fact, each staff member faces the possibility
of considerable personal damage, ranging from the disdain of colleagues through
career limitation to loss of employment (or worse). The punishment would be
justified, it may be thought, if the misuse of information were intentional, but errors
and omissions—“I lost my laptop” or “I left the disk on the plane”—while scary,
are not seen as necessitating the same drastic responses. A culture of security has
been created when people say “I need to protect the information I have” instead of
“IT needs to protect the information I use.”

To get to that point, people must see the personal benefit of security, that security
has a personal payback. Unfortunately, many people’s experience with security,
in the broader sense, may lead them to believe that security is not good for them.
If people’s only interaction with security is having someone on the CISO’s staff
tell them that they cannot do something they want to do, they start to see security
as a problem for them to overcome. If the process for gaining access privileges is
cumbersome and bureaucratic, they will look for ways to circumvent the system.
In short, if the interactions people have with the CISO and the information security
function are, in general, negative, then it is doubtful that they will accept an
awareness program from that same source. They will not participate in a culture
that imposes the burden for security on themselves rather than on the security staff
that is paid to build security.

It is important to reemphasize that all the foregoing does not mean that there is no
place for awareness of security in a culture of security; in fact, it is an attribute of
such a culture. However, mere awareness is not the same as a culture, and reliance
on it alone will simply stand in the way of creating one. It is necessary to bridge the
gap between perception of the problem of security and acceptance that the problem
is a personal one that requires personal action and involvement in the solutions.

4.5 Systemic Shortcomings

One of the great inhibitors to a culture of security is the nature of information
systems themselves. In the broadest sense, such a system is the means and methods
for acquiring and using information. In actual practice, for many people, it is the
combination of computer hardware, storage and communications that are used
to gather, process, store, disseminate and share information. Emphasis should be
placed on the sharing of information. The great advantage of information kept on
electronic systems is precisely that it can be obtained and stored one time, but used
many times by many people. Systems of physical assets do not work the same way;
if one person uses a tangible object, then another cannot do so at the same time.
Thus, if one wishes to retain sole usage of an asset, it must be protected for private
use. In information systems, security consists of safely allowing, not preventing,
many people and processes to use the same asset simultaneously. The paradigms of
security are completely reversed.

Of course, the security of the information comes from preventing those unauthorized
to see it or change it from doing so. However, a system is incapable of distinguishing
who is authorized to see and use what items of information. A system is established
as a means of carrying out specific operations according to specified rules. A
system does not have the capacity to know the value of the information or the
authority of a would-be user to access it. The system only “knows” that there is
data within it that can be transformed into other data in different forms by means of
prescribed processes. To people, the data may be transformed into information; the
transformative processes are transactions and programs. A system may be the means
of imposing security over the information by equating users with identifiers and the
ability to use information with access control lists.

It is people, though, who create the lists, and the lists are (or should be) consistent
with rules as to how the system works. A system is a mindless, mechanical
vehicle to store and transport information until and unless people are involved.
People are a part of information systems, whether they recognize and accept this
fact or not. To the extent that people conceive of themselves as distinct from an
information system, they will not be able to see themselves as a part of securing it.
In short, there must be an equation among users, usages and resources used for an
information system to have coherence.

Unfortunately, enterprises do not foster such comprehensive systems. Instead,
enterprises are divided in many ways: by their functions (divisions and departments),
financial relationships (profit and cost centers), hierarchy (management and staff)
and relationship with technology (technicians and users). These separations creep
into the very essence of information systems and into the definitions of “information
ownership,” “access privileges” and “information security.”

The semiotics of identity take on a generally unexpected reality. Public and private
sector institutions implement identity management as a way to bridge the gaps
among the users and the resources used. It is a way of controlling the interests of
the enterprise above those of the individual who may be trusted most of the time,
but not always, to use the information as intended. The seemingly dispassionate
granting or denying access to an information resource underscores the authority of
someone—who?—to make the decision. Where identity management is thus
pursued within a security matrix of controlled process and property, it is essentially
identical to access control.7 The control remains with the enterprises, and the
individual remains detached from the system. A culture of security cannot grow out
of such detachment.

4.5.1 Inability to Detect Variances From Policy and Culture

The enterprise asserting its ability to control access does so through the means of
policy. As stated in section 2.2.2, the rules may be formally documented, but the
actual behavior of an enterprise is its real policy. Once again, there is a gap that
is filled one way or another. The narrower the gap between the desired and actual
states of security-related policy, the likelier it is that a culture of security may arise.
Conversely, “do as I say, not as I do” is, in fact, a policy, but it is a destructive one
that leads to a culture of cynicism and disdain for security rules. There is always a
culture of security, but not always a good one.

The prescriptions of policy are easily seen. They are printed in manuals, displayed
on login screens and reinforced by management briefings. The gap between aspired
security and reality is less easily observed. Those who bypass the rules (that is,
those who violate stated policy) are, in fact, expressing their disaffection with the
authority of an enterprise to serve their interests. It does not seem to matter
whether the disparity of interests is factually supported; the tension occurs from
complexity, i.e., a lack of transparency. In defiance, some individuals “solve”
this by taking control of their personal identifier(s) and the identification of
what they “own” themselves. However much an enterprise wishes to state its
ownership of information and the importance of securing it, it is nonetheless stating
a relationship: The enterprise not only owns the information, but owns those
who would use it. The one-sidedness of rule making, i.e., an enterprise’s formal
domination of the relationship with correspondingly biased rules for identification
and access, undermines a healthy culture of security.8

In these circumstances, people would be foolhardy to make their enterprises aware
of the rules they are bypassing. Everyday behavior becomes so routine that it is
increasingly difficult to detect that policy is not being observed. In theory, the
disparity between policy and reality should be detectable by third parties such as
auditors and security professionals. However, there are no totally independent
observers; the mere fact that they are called on to examine the security of an
information system makes them a part of the system. In a social application of the
Heisenberg Uncertainty Principle,9 the act of observation changes whatever it is that
is being observed. This is not to fault auditors, but to recognize the nature of the
system itself.

If an enterprise’s culture is forgiving of policy violations, very bad results can
occur. Every business scandal is a reflection that formal posturing has separated
from reality. If the policy violations that pass unnoticed relate to security, then it is
highly likely that security incidents will occur over time. Everyone will point to the
policy and express shock that such a thing could have occurred, but it should have
been predictable.

The failure to detect policy variances is insidious to a culture of security. It allows
misappropriation of resources to become the norm within an enterprise. The
resources may be inappropriately, but benignly, used for a time, but experience has
shown that, inevitably, someone with more nefarious purposes will slip into the gap
and do something harmful. This is also part of a culture; one of the objectives of a
culture of security is to bring practice into alignment with proclamations.

4.5.2 Inability to Monitor and Enforce Compliance With the Culture

There is a more subtle variant on the problems of detecting failure to comply with
policy. There are rules of behavior in a culture that are rarely, if ever, written down
and are often not even recognized as being there. In a way, they are the same as
the culture of a social club. Members of a club are supposed to be cordial with one
another, respect one another’s property, not eavesdrop on private conversations and
dress well. In other words, the club culture is one of well-dressed mutual respect (if
not trust). Information learned at the club is intended to stay at the club. Members
should not take business advantage of information and relationships gained there.
Rarely are these rules documented, but they are real nonetheless, or at least real
in theory. In many cases, some members do not get along with others, use one
another’s golf balls and join the club only to further business relationships.

The club culture is, to a degree, self-enforcing. Even though the culture is not always
observed, there is tolerance for unacceptable behavior if it is discreet. Those who are
blatant in breaking the unspoken code can be frozen out of social circles or asked to
leave the club. Business enterprises are similar in that if people truly do not fit into a
culture, they may be fired or more likely encouraged to quit beforehand.

Where the culture in question is one of security, it is very clear that people can
suffer penalties for flagrant disregard if a security incident causing harm to an
enterprise can be traced to them. Is that really a culture of security, though? Surely,
actively harmful activities lead to explicit sanctions. Can the same be said for
giving insufficient consideration to security when the emphasis is placed on sales,
profit or growth instead?

An inhibitor to a culture of security is the lack of effective means to enforce
compliance with it, short of the drastic measures applied after a breach. It is nearly
impossible to tell if a person is committed to security, especially if that person
avows the importance of it. Being security-conscious is a habit of mind, and it is
very difficult to determine what is in another person’s mind. The subtle penalties for
violating the culture of a club do not apply. Whispered conversations and averted
glances are unlikely results from falling short of a culture of security. There are no
metrics for the amount of attention that should be given to security, especially in
comparison with other drivers. It is possible to show that someone is practicing
insecure behavior, but nearly impossible to prove the reverse.

Thus, in the absence of truly blatant failings, a culture of security is unenforceable.
It is obvious when sales, profit or growth have not been achieved, but not if security
is weak, unless there is a breach. It is a great deal more difficult to demonstrate
that a culture of security is in place and functioning well because it is so difficult to
show the reverse.

A culture cannot be enforced in the same way that a policy is enforced. Culture is
not a law, but a shared way of behaving based on assumptions, expectations,
attitudes and beliefs. Therefore, it must be self-enforcing. If one does not behave as
expected, it will be clear that that person is not part of the group. The individual’s
thinking and behavior will be seen as different from what is expected by the group.
Enforcement of a security culture is dependent on how important that aspect of the
culture is. If a culture says to do what has to be done to close deals and also says to
follow security rules, sales may win out because it is perceived to be more strongly
valued within the culture. Not all elements of culture are weighed the same.

The value of powerful champions for security (other than the security professionals)
is that they provide the background for enforcement of a culture. There need not
be a valid, intellectualized rationale for heightened security if one can say, “Do it
because the boss wants it this way.” However, the personal perspective of a senior
manager is a weak method for enforcing a culture, especially if the champion does
not have the support of peers or leaves an enterprise.

4.6 Lack of Rewards

One of the aspects of a culture of security is informed risk acceptance. On the other
hand, uninformed risk acceptance—in actuality, intentional ignorance of risk—can be
used to justify any security shortcoming in advance of a loss. Worse for the culture,
it is impossible to prove that risk was imprudently accepted when a security breach
occurs. Thus, those who favor a strong security posture must justify investments in
countermeasures by demonstrating risk avoidance. Those who blindly and
thoughtlessly accept risk rarely have to justify their decision—after all, they have
accepted not only risk, but accountability—and they do not incur any costs. Their
bottom lines look better (until an incident occurs, which may be years later). The
security-conscious take all the personal risk up front. A culture of security is difficult
to build when people perceive that they can lose, but cannot win.

It is clear that those who bring in more sales or greater profit can be rewarded in
higher pay and bonuses, but what accolades and benefits come to the person whose
actions prevent an otherwise undetected security flaw from turning into a breach? It
can be shown that certain heroic efforts repelled an explicit attack, but not that regular
vigilance prevented that attack from occurring in the first place.10

The rewards of security for an enterprise can be more readily demonstrated in
reduced operating costs, elimination of redundant risk management activities and
resources freed up for more strategic initiatives,11 but what rewards come to the
individual who lives within a culture of security and whose attitudes, beliefs and
working methods are supportive of security? Perhaps more than any other factor,
the lack of a rewards structure for behaving securely inhibits the growth of a culture
of security.

There are a number of related reasons why it is so difficult to compensate people
for security. Each of them would be a significant impediment to building a culture
of security. Together, they constitute a barrier that must be overcome for such a
culture to flourish.

4.6.1 Security Professionals

It is not quite true that no one is rewarded for security. As previously noted in
section 4.3, many enterprises have CISOs and their staff who are dedicated to
security. Others have areas that perform some specific security functions such as
personnel screening, facilities management, compliance or investigations. They are
paid for doing their jobs and receive bonuses and promotions for doing them well.
(It should be noted that these professionals also have difficulty in demonstrating
the value of their contributions to their enterprises, but these problems are common
to all staff functions.) It is indicative that a certain level of functional security does
exist in these enterprises that such departments have been staffed and are relatively
protected. Security activities are rarely eliminated, but they may be curtailed in
adverse economic times. It is also significant that dedicated security professionals
are rarely promoted to the ranks of executive management; advancement in security
is not limitless.

To the degree that security professionals receive the credit for an enterprise’s
overall security posture, there is less incentive available for others who are focused
on operations, sales, production, distribution, etc., to act in a secure manner. To be
sure, there are penalties for insecure behavior, but the best that most personnel can
expect is that they break even with security.

4.6.2 Lack of Metrics

In large measure, the lack of obvious metrics for security deters a rewards structure.
“If it cannot be measured, it cannot be managed,” so without a solid way to
measure a culture of security, it is difficult to manage one into existence. This is
actually a second-order problem: It is difficult enough to measure the effectiveness
of security measures themselves and even more so to evaluate the underlying
culture. However, that does not mean that cultures cannot be measured.

Determining the key indicators of success, what to measure, how to measure it
and when certain levels of progress will be noted is a crucial part of changing any
organizational culture, not least a culture of security. The inhibiting factor is
the neglect of hard measures of achievement and progress, which require the
identification of indicators of success in culture change and interim progress
indicators. “A data gathering system needs to be designed as does a time frame for
assessing the results. What gets measured gets attention, so the key initiatives and
outcomes must have metrics and measuring processes associated with them.”12

One solid example of a means of measuring a culture is the Organizational Culture
Assessment Instrument (OCAI).13 It offers a useful framework and a common
vocabulary that can be used as a starting point for discussions about organizational
cultures. For example, the OCAI examines attitudes concerning strategic emphases,
criteria for success and the “organizational glue.”14 These are not well adapted as
metrics for a security culture, but provide evidence that such an instrument could be
developed.

4.6.3 Failure to Measure Risk

The difficulty in applying metrics to the risks an enterprise faces is another aspect
of the measurement issue that inhibits a culture of security. It is intuitive that
security decreases risk, but it is far less clear by how much or what the actual level
of risk was in the beginning. Again, those who would advocate for security are left
without the tools to justify investments in security. It is fair to say that a culture of
security is measured by what an enterprise is willing to pay and that without
metrics for the impact of investment on risk (ROSI), it is difficult to propel the
culture forward.

Unfortunately, the most common approaches to measuring continuity
risk are vague, subjective and difficult to use for guiding management
in budgeting for controls and countermeasures. Almost all are based on
the classic but simplistic formula:

Risk = Impact x Probability

… [which] is meaningful for those disruptions for which likelihood and
effects are known, or at least are predictable. As Taleb demonstrates,
it is specifically the rare, unforeseeable incidents that cause the
most damage.15

In effect, the most widely accepted method for measuring risk multiplies the
unknown (probability) times the unknowable (impact). Why multiplication and
not, say, exponentiation? Why omit other factors, such as credibility, resources,
scale, duration, mean time to repair or mean time to recurrence? In short, current
techniques for risk measurement strain credulity, which, in turn, undermines a
culture of security built on reduction of risk. Those who would support such a
culture have no demonstrable way of being rewarded for doing so, either.
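As an added illustration of the argument above (example code written for this edition, not part of the original text), the following Python scores two constructed scenarios with the classic Risk = Impact x Probability formula and then asks the questions a budget holder actually needs answered: how likely is a year in which losses exceed a given amount, and how much must be reserved to stay within a chosen tolerance. The scenarios, their figures and the Poisson incident-count model are all assumptions made for the example.

```python
"""Added illustration (not part of the ISACA text): two constructed threat
scenarios that score identically under Risk = Impact x Probability yet
demand very different budgets once the tail of the loss distribution is
considered. Incident counts per year are modelled as Poisson, an assumption
made only for this example; the scenarios and their figures are invented."""
from dataclasses import dataclass
from math import exp


@dataclass(frozen=True)
class Scenario:
    name: str
    annual_rate: float  # expected incidents per year: the "probability" term
    impact: float       # loss per incident, in currency units: the "impact" term

    def classic_risk(self) -> float:
        """The textbook product Risk = Impact x Probability (an expected annual loss)."""
        return self.impact * self.annual_rate


def poisson_pmf_iter(rate: float):
    """Yield P(count = k) for k = 0, 1, 2, ... via the recurrence
    p(k) = p(k-1) * rate / k, which avoids large factorials."""
    p = exp(-rate)
    k = 0
    while True:
        yield p
        k += 1
        p *= rate / k


def prob_loss_exceeds(scenario: Scenario, budget: float) -> float:
    """P(annual loss > budget): the chance that a single year blows through the budget."""
    # Loss exceeds the budget once k * impact > budget, i.e. k >= floor(budget / impact) + 1.
    needed = int(budget // scenario.impact) + 1
    cumulative = 0.0
    for k, p in enumerate(poisson_pmf_iter(scenario.annual_rate)):
        if k >= needed:
            break
        cumulative += p
    return 1.0 - cumulative


def loss_at_tolerance(scenario: Scenario, tolerance: float, max_incidents: int = 100_000) -> float:
    """Smallest annual loss L (a multiple of the impact) such that
    P(annual loss > L) <= tolerance: the reserve needed to stay within tolerance."""
    cumulative = 0.0
    for k, p in enumerate(poisson_pmf_iter(scenario.annual_rate)):
        cumulative += p
        if 1.0 - cumulative <= tolerance:
            return k * scenario.impact
        if k >= max_incidents:
            break
    raise ValueError("tolerance not reached within max_incidents")


# Constructed scenarios: both carry an identical classic risk score of 10,000 per year.
FREQUENT_MINOR = Scenario("frequent, minor incident", annual_rate=0.5, impact=20_000)
RARE_SEVERE = Scenario("rare, severe incident", annual_rate=0.001, impact=10_000_000)


def compare(scenarios, budget: float, tolerance: float) -> dict:
    """Return, per scenario, the classic score alongside two tail measures."""
    return {
        s.name: {
            "classic_risk": s.classic_risk(),
            "p_exceed_budget": prob_loss_exceeds(s, budget),
            "reserve_at_tolerance": loss_at_tolerance(s, tolerance),
        }
        for s in scenarios
    }


if __name__ == "__main__":
    results = compare([FREQUENT_MINOR, RARE_SEVERE], budget=100_000, tolerance=0.0005)
    for name, r in results.items():
        print(f"{name}: classic risk {r['classic_risk']:,.0f}; "
              f"P(loss > 100,000 in a year) {r['p_exceed_budget']:.2e}; "
              f"reserve for a 1-in-2,000-year tolerance {r['reserve_at_tolerance']:,.0f}")
```

With the same classic score, the rare scenario is roughly seventy times more likely to exceed a 100,000 budget and needs a reserve of the full 10,000,000 at a 1-in-2,000-year tolerance, while at a 1-in-100-year tolerance it needs no reserve at all, which is the "lack of incidents" illusion of section 4.6.4 expressed in numbers.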

4.6.4 Lack of Incidents

The one widely accepted indicator of a successful culture of security, or at least
of security controls, is a lack of incidents. This negative metric is ultimately
self-defeating because it lays the burden of proof on the miscreants of the world.
There are too many people in the world—hackers, crackers, virus writers, fraudsters
and script kiddies—who are trying to undermine the security of any enterprise
that lowers its barriers sufficiently to let the bad guys in. With modern tools and
perpetual vigilance, many, but not all, attacks can be successfully repelled.

If, over a period of time, there are no penetrations of an enterprise’s security
barriers, then its security professionals must have been doing a good job, or so it
would seem. However, if one attempt gets through, does that mean that they were
not doing a good job? A lack of incidents does not equate with the presence of
security, so it is a very poor way to justify security and a weak foundation on which
to base a culture.

If an enterprise accepts some degree of risk, then it is implicitly accepting that
the risk in question will in time be actualized. This may be combined with the
understanding that no security is foolproof and that there is a point of diminishing
returns in investing in security. As a result, depending on being rewarded for a lack
of incidents is a very poor wager indeed. What constitutes success: 1,000 repelled
attacks before one gets through, or is it 10,000 or a million?

4.6.5 No Financial Connection

The converse of the number and associated cost of incidents that will occur is the
number and demonstrated savings of those that do not. It would be quite a trick to
show how much money an enterprise did not spend last year because of things that
did not occur. Salespeople can be compensated for their contributions to the bottom
line, but there is no basis for paying anyone for being secure. The lack of financial
incentive is a distinct inhibitor to creating a culture of security, even more so when
people seek positive rewards for negative achievements.

This is the metrics issue in another guise, but it does raise a specific dilemma.
Security can be justified not only on pure cost avoidance, but on the basis of
prudence and due diligence. However, prudence and diligence are baseline
objectives, the bare minimum of security. A culture of security is, in great measure,
an unwillingness to settle for just the minimum, but, instead, the appropriate level
of security. The baseline may not need justification, but everything beyond it does.
Marketing personnel can conduct studies to show that an increase in price will not
significantly reduce sales and, therefore, that the increase will go to the bottom line.
The champions of security cannot demonstrate that an investment of x will bring y
security, much less that spending 2x will bring 3y security.

4.7 What Is in It for Me?

The foregoing section dealt with the rewards to the individuals who may support
a culture of security, with the focus on monetary compensation. There are other
sorts of rewards that an enterprise can bestow that are important to the creation
of a security culture. These do not directly involve money that goes to the
individual, but rather organizational advancement in the form of budget, influence,
management attention and the regard of one’s fellow staff members. Some people
are motivated solely by their remuneration, but others also find incentive in these
other sorts of rewards. When someone asks of a champion of security, “What is in
it for me?” (WIFM), that individual asks a core cultural question that may entail
seeking monetary compensation, but may also be much more.

4.7.1 Budget
In many enterprises, security is an unfunded mandate. It is simply assumed that all
personnel will conduct themselves and their business activities in a secure manner.
Where the work performed or the resources used are considered sensitive or at risk,
the workplace may be specially protected (as in a datacenter or a vault). Managers
may have offices and file cabinets so that they can conduct their activities literally
behind closed doors. However, many people who come in routine contact with
information resources work in open areas or cubicles or do not work in a business
environment at all.

There is a cost for the tools and techniques to allow them all to work securely, such
as virtual private networks (VPNs), remote access devices, encrypted hard drives,
privacy screens and content filters. Generally, these tools are purchased centrally
and distributed to all relevant personnel. The costs are often charged back. Even if
they are absorbed as a corporate expense, line management has little involvement in
the selection of products or their applicability to each manager’s business function.
If one size does not fit all, managers must either use the tools selected for them or
find budget to obtain better tools.

It is not unusual for a manager to ask WIFM when budget for security must be
balanced with money for salaries, business equipment or travel. The manager’s
department must bear the additional cost without seeing the direct benefit to the
department’s function.

4.7.2 Influence
The most important characteristic of cultural champions is their ability to influence
the decisions of their enterprises. Implicitly, the cause that they advocate for is one
that they believe is not appropriately valued. They put their political capital behind
something—in this case, security—to achieve an objective that they consider worth
backing. They do so in an environment in which many people may be championing
many causes, such as new products, higher pay, environmental protection or social
consciousness, all of which have merit.

Potential champions of security may well ask WIFM if the effort to build a culture
of security entails a cost that would reduce their influence on other matters. There
is a payback in prestige both within and outside enterprises for those who promote
good causes, which can expand a person’s influence. The proponents of security
rarely get hearty congratulations for a security breach that does not occur. No
matter how important security may be, it requires an investment in personal clout.

4.7.3 Management Attention

It is often said that security is a thankless task. That means that those who consider
security highly rarely hear their managers say “thank you” for it. To an extent not
frequently mentioned, gratitude from one’s peers and superiors is a major motivator
in the workplace. In many instances, secure behavior and attitudes are looked on as
evidence that a person does not “get it.” If an enterprise sees itself as a go-go,
make-the-sale culture, the person who counsels restraint and protectiveness is likely to
appear out of step and may receive attention from management, but not of the positive
sort. That person has reason to ask WIFM and not be vocal in support of security.

It takes a degree of political courage to try to alter the flow of an enterprise’s
culture, if not to stem the tide altogether. It is easy to wait for someone in a more
senior position to be the champion for security, but it is more challenging to be the
champion oneself.

4.7.4 Personal Regard

A person’s self-esteem is drawn from many psychological sources, one of which
is the respect of others. The regard of others surely flows to the people who are
good at their job, but may also stem from personality, helpfulness or even minor
achievements like hitting the winning home run in the company softball game.
Those who adopt a culture of security are rarely congratulated by their peers for
doing so. There may be an inner glow that one gets from doing the right thing, but
that may be all.

Worse, they may see the accolades bestowed on someone who achieved a short-term
goal by circumventing security. At that moment, WIFM is a very human attitude.

Endnotes
1. http://politedissent.com/images/jul08/policeman.html
2. Attributed originally to Stewart Brand. See Clark, Roger; “Information
Wants to Be Free…,” 24 February 2000, www.rogerclarke.com/II/IWtbF.html.
The complete quote attributed to Brand is more nuanced: “On the one hand
information wants to be expensive, because it’s so valuable. The right information
in the right place just changes your life. On the other hand, information wants to
be free, because the cost of getting it out is getting lower and lower all the time.
So you have these two fighting against each other.” Recognizing the value of
information and using “free” as “without cost” rather than as “liberated” is quite
different from the context in which the expression is usually used.
3. Joseph Marie de Maistre (French diplomat, writer, philosopher and politician,
1753-1821)
4. Adams, Douglas; Life, the Universe and Everything, UK, 1982, p. 29
5. A prophet in Greek mythology who was cursed so that her prophecies, though
true, were never to be believed
6. Schlienger, Thomas; Stephanie Teufel; “Information Security Culture—
From Analysis to Change,” International Institute of Management in
Telecommunications, University of Fribourg, Germany, 2003
7. Wisse, Pieter; “Semiotics of Identity Management,” Sprouts Working Papers on
Information Systems, http://sprouts.aisnet.org/81/1/2006-02.pdf, 2006, p. 4
8. Ibid., p. 33
9. The uncertainty principle in quantum mechanics, formulated by Heisenberg, that
the accurate measurement of one of two related, observable quantities, such as position
and momentum or energy and time, produces uncertainties in the measurement of
the other, such that the product of the uncertainties of both quantities is equal to or
greater than h/2π, where h equals Planck’s constant.
10. See Taleb, op. cit., p. xxii – xxiv
11. Peacock, Marissa; “GRC Roll-up: The Mistakes and Rewards of IT Security
Compliance,” CMS Wire, 10 February 2010, www.cmswire.com/cms/enterprise-
cms/grc-rollup-the-mistakes-and-rewards-of-it-security-compliance-006652.php
12. Cameron, Kim; “A Process for Changing Organizational Culture,”
University of Michigan, USA, 2004, p. 9
13. www.hpcnet.org/cgi-bin/global/a_bus_card.cgi?SiteID=410037#x
14. Ibid.
15. Ross, Steven; “Effective Techniques for Risk Measurement,” SearchCompliance.
com, 22 July 2009, http://searchcompliance.techtarget.com/tip/0,289483,sid195_
gci1362498_mem1,00.html

5.0 Creating an Intentional Culture of Security

In a very real sense, a culture cannot be created; it just is. Although it cannot be
created, it can be intentionally shaped and directed. This existentialist statement
summons Sartre’s observation that “existence precedes essence.”1 Wherever people
gather in a common enterprise, there is a culture. Two people working together
toward a mutual objective necessarily have a culture between them of cooperation,
if not trust. They may cooperate poorly, indicating that their small culture is not a
good one, but the bond between them exists as a function of them “pulling on the
same rope,” so to speak. Their cooperative enterprise creates a “pattern of
behaviors, beliefs, assumptions, attitudes and ways of doing things” at least for the
interaction between the two of them.

Of course, a large enterprise that comprises many people in some sort of hierarchy
has a much more complex, nuanced culture than one between two individuals.
They do not create the culture in which they operate; it exists as a function of them
coming together with a shared (or overlapping) purpose. The existence of a culture
precedes a determination of whether it is strong or weak, beneficial or malign, or
good or bad. Therefore, a culture of security exists. The objective of those who
support it is not to create it, but to strengthen it within the broader confines of an
enterprise’s corporate culture.

Developing a strong culture is not a project. There is no distinct beginning, middle or
end. Indeed it is a never-ending process as various cultures clank and collide within
an enterprise. Nonetheless, there are discrete activities that can be carried out by those
who would enhance the security culture within their enterprises. The first is a
clear-eyed assessment of the current state of a security culture in parallel with gaining
an understanding of the intentions of management with regard to security. On this
basis, the gaps between expectation and reality can be observed, analyzed and
repaired. Of course, the reality may not lie in the words of management, but in their
actions when faced with security-related decisions. “Security is a strategic necessity
for the enterprise …” is an important statement, but less important than the “… but”
that follows it. By understanding where an enterprise’s leadership is willing to cut
back on security, one will find the path to improving a security culture.

It must be emphasized constantly that the decision not to make a resource—
information in this case—more secure is not of itself an indication of a weak
culture. The objective of a culture is not to maximize security, but to optimize it;
there are valid reasons to draw the line at a certain level of security, in keeping with
an enterprise’s needs, the sensitivity of its information and the size of its budget.
There are reasons to question where that line is drawn, and moving it upward is a
probable result—perhaps the benefit—of a culture of security. It is acceptable to
tie an enterprise’s security to its leadership’s appetite for risk, but not when that
appetite ventures into voraciousness.

The question remains as to how, once the deficiencies of a culture are known, to change
it in a positive direction. This is not so much a matter of piling on more safeguards as of
changing minds, outlooks, attitudes and beliefs. Influencing decision making is one
thing; altering the framework of the decisions is quite another. The creation, if that is the
word, of a culture of security is to accomplish the latter.

5.1 Changing Perceptions of Security

The first and perhaps most important step in strengthening a culture of security is to
erase the negativism often associated with the subject. Security is often thought of,
at best, as the prevention of the occurrence of bad things such as fraud, disclosure
of private information or viruses. The imagery is of a police officer, a guard or a
locked door. Unfortunately, in many societies police officers, guards and locked
doors are emblems of repression and not very likely to inspire support for a culture
enshrining these images. Even in freer societies, the only contact most people
have with the police is when a crime occurs or when they are pulled over for
speeding. Guards and locked doors may keep valuable things safe, but they also are
impediments to free access. Most people do not enjoy being told what they cannot
do, even if they know they should not do some things.

To a degree, the proponents of security have brought this negativism on
themselves.2 When challenged as to the value of security, all too often, the specter
of evil hackers and determined fraudsters is brought out to frighten the questioner
into submission. The problem, of course, is that, after a while, scare tactics lose
effect. The incidence of security threats is not as prevalent as some security
professionals would like others to believe. In some part, the invocation of terrible
outcomes is a way of justifying a security person’s job. To a greater extent, the
possibility of security breaches becomes so real to some that it overcomes their
improbability. It is true that some very bad things could happen to information if
it were even briefly interrupted; that is why firewalls and virus filters are always
on. However, most people only rarely, or never, experience a security breach and
the endless repetition of what could happen, what did happen or what happened to
someone else wears thin.

Success in creating a security culture begins with altering the perception that
security is about negative events and, instead, associating it with the benefits to
people of moving freely, having access to everything they should have and knowing
(or having the ability to know) all that they would have a right to know. Security is
a positive attribute to those living without it. Security of information is also quite
positive for its owners; they care about who sees it and what is done with it. The
boundary between positive and negative is the decisions on who should and should
not do what. In information terms, those decisions are termed “access control,”
living by the rules of what information one can see or use.

Part of the difficulty with the perception of security, of living by the rules, is that the
rule breaker is often romanticized as a rebel, a pirate or even as an outlaw. These may
seem like dashing figures on the silver screen, but people are not nearly so impressed
by rebels, pirates and outlaws when they actually encounter them. The challenge is
to marshal the positive reality of security in support of a culture that values it. When
security is framed as trust, consistency, reliability, predictability and productivity, it
becomes easier to enlist others in a culture-strengthening exercise.

5.1.1 Branding Security

In many ways, altering the perception of security is a public relations campaign
and nothing is so valuable in such a campaign as a brand. It is a way of creating
an identity and establishing expectations as to the value of a product or service.
Brands and the way that they are portrayed have become so routine in 21st century
existence that they are hardly noticed. Their invisibility adds to their power; if
they are not consciously seen, it means that the message has become embedded
in people’s minds. Merely to mention a brand summons images: Coca-Cola®,
Mercedes-Benz, Apple®, Sony®, Microsoft®, Rolls-Royce, Louis Vuitton and
many other companies have been successful in creating names that are instantly
recognizable and trademarks that are a part of the popular culture not only in their
own lands, but around the world. They have meaning, and they make a promise to
the buyers of the products these companies make. Woe to the company that fails to
honor those promises.

As stated, security has established a very negative brand, which is not effective in
developing a positive identity for security. However, there have been successful
efforts to rebrand security as a friendly if ever-vigilant force for good. In the US,
the National Crime Prevention Council has adopted a hound dog dressed up like a
detective as their logo. His name is McGruff the Crime Dog®, famous for his advice
on how to stop crime before it happens and for his great sense of humor, as his
web site3 proclaims. The marketing of crime prevention is intentionally made
people-friendly to take the harshness away from this form of security.

The McGruff public education campaign is an example of what can be
accomplished with positive branding. It involves more than a cuddly logo. The
choice of words, the explicit and implicit promises made, and the value proposition
all contribute to security’s brand. So, in strengthening a culture of security, it is
advisable to take the steps involved in a branding campaign.

Determine the Message to Be Conveyed

It is critical that the message be well defined at the outset. The precise nature of the
message differs from industry to industry and enterprise to enterprise. Some general
guidelines can be applied universally—security:
• Adds value
• Enables activities
• Benefits both the enterprise and the individual
• Will help when things go wrong, but will not interfere when everyone is doing
what they are supposed to do
• Is fair to all

What should be avoided is any communication of the consequences of not
having security. That has been tried for years and has so dulled the senses of
those who have heard it that it is no longer useful, but, in fact, is deleterious to a
security culture.

Understand the Audience and Tailor Messages to Each Market Segment

There are different ways to communicate with senior management than with staff
or customers. It is important to differentiate to whom a brand must have meaning
and how that meaning is to be conveyed. For example, security should be portrayed
as supportive of organizational strategic goals for one group and as an aid to
getting work done effectively to another. In general, the guidelines shown in
figure 2 are applicable.

Figure 2—Message Format by Audience

Audience            Security Message Format
Senior management   Brief, to-the-point, strategic, graphic supported by some explanation
IT staff            Thorough, tactical, showing benefits to a project or application
End users           Graphic, personal, needing little explanation
New hires           Welcoming, explanatory, sufficiently verbal to be clear

Create an Image for the Message

The image of security should portray a concept and definitely should not be
associated with the mission of a department or function, which would put distance
between that department and all others who may participate in a culture of security.
It should also express the meaning, value and sentiment of a message of assistance
and benefit. Again, there is no single image that is right for all circumstances, but
figure 3 provides some examples of positive and negative images.

Figure 3—Security Message Images

Positive Images to Consider          Negative Images to Avoid
Keys, especially house or car keys   Locks, safes
Hound dog, collie                    Bulldog, German shepherd
School crossing guard                Police officer
Emergency worker                     Soldier
Shield                               Weapons
Clear, sunny weather                 Clouds, storms
Construction                         Destruction
Money gained                         Money lost
Flowers, fruit                       Creeping ivy, vegetables

Establish a Vocabulary for the Message

The terminology of security should be closely observed. When speaking of security,
it is far preferable to accentuate the positive aspects, minimizing if not eliminating
the negative. Certain terms should be avoided because they create a set of
assumptions that cannot always be satisfied. If security cannot be all-encompassing,
then it is foolish to promise, ensure or guarantee anything. Figure 4 details terms to
be used and avoided.

Figure 4—Security Message Terms

Terms to Use           Terms to Avoid
Enable                 Forbid
Protect, protection    Prohibit, prohibition
Allow, grant           Deny, revoke, disallow
Value, value added     Cost, costly
Access, accessible     Prevent, prevention
Benefit                Risk
Effective, efficient   Permitted
Entitled               Authorized
Capability, capable    Limitation, limited
Advisory               Warning
Open                   Risky, dangerous
Vigilance              Monitoring

Invoke the Brand Repeatedly

Once the message has been crafted and the terminology refined, it should be
reinforced as regularly as possible, until it enters the corporate culture. It can be
distributed on correspondence, screen savers, posters, e-mails and conversation.
Security should be omnipresent, protective, safe and friendly.

5.1.2 Educating About Security

There is more to changing perceptions about security than creating a positive brand.
Personnel, particularly in management positions, need to understand security, not
just feel secure. Awareness programs have their place, but as stated in section 4.4,
they are insufficient by themselves. Many security awareness programs begin by
emphasizing threats and risks and then show how effective security can overcome
them. As stated previously, starting with the negative and moving toward the
positive works at the outset, but then becomes dulled over time. As an example of
emphasizing the negative, one well-known company has published guidance and a
tool kit for developing a security awareness program. Early in a sample presentation
offered, there is a slide that highlights crime statistics, thus starting off on the
wrong foot.

People need to be educated about security and their role in it, which is a great deal
more than being aware. However, education does not come simply in a classroom.
In fact, classroom training is useful for transferring skills, but not attitudes. People
may be educated in meetings, especially one-on-one, face-to-face meetings. It is
clearly infeasible to have personal meetings with every employee of a large
enterprise; what is necessary is to have such educational sessions with those who
show evidence of being potential champions and those whose positions should
require them to champion security.

One reason to educate people about security, rather than simply make them aware
of it, is that security awareness programs are unprovable. It cannot be shown
that awareness reduces the incidence of security breaches or lowers the cost of
countermeasures. So, when the inevitable attack does occur, some may feel that
the promise of security was not kept, which undermines security’s brand. It may be
expected that, after people have been educated (with regular reinforcement), they
should know about security, what its objectives and tools are, and what should be
their own responsibilities.

Those who would improve an enterprise’s culture of security should choose a
limited number of people to educate and then do so wisely and with many
overlapping techniques, including holding formal sessions; talking informally;
sending news items, articles and informal correspondence; and generally working
with them to improve the security culture. The latter technique is particularly
important. It has been shown that adults learn differently from children. Adults
must be motivated. In an organizational setting, they must be comfortable that the
learning experience will be a positive one for them. Thus, it is important to teach
the would-be champions about security because they are already felt to be well
disposed to it. They must see the information they receive about security to have
value to them in their personal and professional lives and feel that they have control
over the learning experience—that it was their idea to seek out training rather
than having it imposed on them. In sum, they must see value in the education.4 If
security is portrayed positively, showing the value in the subject, it is easier to teach
people about their roles.

5.2 The People Who Make the Culture

The people in an enterprise make the culture, and hence, there is a need for strong
human resource practices and management. Enterprises should be able to attract
and train the right people, develop them, engage them and help them perform,
inspire them, and ensure that they are committed. As stated in the beginning of
this volume, a culture, in general, has been defined to include shared attitudes
and beliefs and a way of doing things that is common within an enterprise. In
particular, a culture of security is shown in BMIS to be transformational, a shift
from functional security (what people do) to intentional security (how people think
and behave). The transformation has four primary areas of application: technology,
process, people and enterprise. In one case study, the movement toward an
intentional security culture was shown in figure 5.

Figure 5—Shifting From a Functional to an Intentional Security Culture5

Technology
From Functional:
• Level of security provided by the technology unclear
• Security-related technology seen as disruptive and cumbersome to use
To Intentional:
• Technology used based on an assessment of the risk
• New security technology seen as a means to enhance the sales process

Process
From Functional:
• Security brought in when there is a suspected breach
• Security maintaining expert knowledge
To Intentional:
• Security involvement in the earliest planning phases of campaigns
• Security sharing its knowledge and expertise, developing broader security
awareness across the enterprise

People
From Functional:
• Security seen as an entity that enforces compliance
• Security seen as a functional expert
To Intentional:
• Security seen as a partner that creates awareness and commitment
• Security seen as a partner that transfers security knowledge and expertise to its
sales customers

Organization
From Functional:
• Limited visibility or awareness of security issues
• Security structure focusing on technical expertise
To Intentional:
• Regular updates about potential risk
• Security structure supporting customer processes

5.2.1 Intentionality
The defining factor in the transformation is that it is intentional. The term raises
the question whether the holder of the intent is the subject or the object. In the
first connotation, the intent is on the part of those who would create or strengthen
a security culture. In the other, it implies that the result will be to turn individuals
into the participants in the culture. The distinction may seem to be unimportant and
unnecessary in that both are required not only to create a culture of security, but to
see it take root. However, it does point the way as to who should champion an
intentional security culture and who should be involved in the transformation to it.

The problem with the first sense of intentionality is that it implies an actor,
someone who has an intention and acts on it. The act and the consequences are
closely tied. Something occurs because someone made it so. However, what
someone intends to do may not always work out as planned; a program to make
security more comprehensive may become so structured and bureaucratic that it
frustrates the original objective. On the other hand, it is impossible for the result of
an action to be intentional without the initial cause being intentional as well. Pulled
together, as was first seen by the British philosopher Jeremy Bentham,6 the intent
must be to produce something utilitarian—in this case, an enterprise that is and
behaves securely in a self-sustaining manner.

5.2.2 Finding the Champion

Someone must be intent on security if a security culture is to be strengthened, if
not created from whole cloth. In a typical enterprise, who shall the champion be?
There are a number of candidates including auditors, risk managers and security
professionals. Each has strengths and limitations as the prime mover for a culture
of security:
• Auditors (usually internal auditors, but not necessarily so) have a mandate to assess
a system of internal control. Managed access to resources, protection of information,
accountability and continuity are certainly features of internal control, so auditors
usually issue opinions urging improvements in security. However concerned they
may be, auditors are bound by independence from being active participants in the
development and operation of controls, but is a security culture, in itself, a control?
Put another way, is a culture something that can be audited? No matter how
supportive of a security culture, auditors are in ambiguous positions.
• Risk managers are attuned to the potential harm that a lack of security may
cause their enterprises. Some are primarily insurance buyers and seek only to
transfer risk, but more advanced risk managers look for a complete package of
risk transfer, acceptance and control. The controls in question for them, as for
auditors, include security. In fact, security may rank higher for risk managers than
auditors because risk managers focus on the sorts of high-impact, low-frequency
events that are typified by disasters or breaches of security.

In some enterprises, risk managers are among the foremost champions of a
security culture. However, some risk managers have difficulty seeing how
investments in appropriate security (as opposed to a minimum level) can reduce
the long-term cost to an enterprise. They think primarily of insurance premiums
and the cost that an enterprise incurs whether there is a security breach or not.
It seems self-evident that security breaches can cause significant financial
harm, but it is not proven that the cost of an incident is greater than years of
premiums without compensating claims. Again, contemporary risk managers see
the issue more broadly to include reputational harm and customer or employee
dissatisfaction, which they consider just as important as pure financial losses.
• Security professionals, especially CISOs, seem like the natural champions for a
culture of security. However, as discussed in section 4.3, the very effectiveness
of an information security department may be an inhibitor to the desired culture.
Moreover, the natural inclination of professionals to focus on the subject of their
discipline renders them somewhat partial in the eyes of those who may participate
in a culture of security. Surely, security professionals have a role to play, but it
is more likely to be in effecting changes in security processes to fit an emerging
security culture than leading the effort to strengthen one.

Thus, while these three candidates may have supporting roles in developing a
culture, they need others at a senior level to be the focal point. There is no one
position that is able to claim the mantle of security champion apart from those
mentioned previously. Much depends on the personality, seniority, political skill
and professional concern among those in the executive suite. Depending on the
enterprise, the champion may be the chief operating officer (COO), chief financial
officer (CFO), CIO, general counsel, or even the head of human resources (HR). Of
course, if several of these are already vying to drive their enterprise into a culture of
security, then much progress has been made already.

5.2.3 Objects of a Security Culture

As stated in BMIS, security is often seen as functional. Who then needs to see
it as an intentional aspect of a corporate culture? As stated previously, those
who are already involved in security and control have the intent, but evidently
not the ability, to cause a transformative shift of attitudes and behavior or else
the shift would have already taken place. At the same time, they do not need
to be convinced, either. The emphasis may be on senior management, middle
management or on all those staff members who routinely come in contact with
sensitive and critical information:
• Senior management may seem the obvious group whose attitudes toward security
call for change. They are the ones who set the tone at the top because they are the
top. It is the rare senior executive who would deny the need for security, but these
people also drive their enterprises toward sales, growth and profits. The objective
is to get enough mind share for security in the executive suite so that security has
a chance to hold its own against other imperatives.

Many executives only have time for security matters when there is a regularly
scheduled update or if there is a serious security breach. They are well attuned to
the need for security of the information in their own hands; by the time it gets to
their level, it is either so concentrated or so sensitive that the need for security is
self-evident. There is very little for them to do as a group, apart from having one
of their members champion security. As individuals, they need only think about
security a little more, consider how it affects them and what they could do more
securely. They do not need to be persuaded that security is a positive value to
their enterprises; they need to be convinced to convince others.
• Middle management is often the greatest stumbling block to a security culture.
Again, it is not because middle managers are opposed to it, but because they are
the ones who must formulate budgets and meet senior management’s demands.
They hear clearly, “Sell more, grow bigger and make more profits.” “Be secure”
often gets drowned out. Moreover, it is they who transmit their understanding
of what their management wants to their own staffs. If they feel the heat for
objectives other than security, they transfer it downward.

Do middle managers encourage their people to circumvent security? Probably not,
as blatant contradiction of policy would be insubordinate, but generally, they have
very little incentive to discourage circumvention, either. The tone may be set at
the top, but the music is played by those much further down the organizational
ladder, with middle managers conducting.
• Staff-level personnel must be the primary recipients of an intentional culture, if
only because there are so many of them. They are the ones who distribute the
mail, generate the reports, enter the orders, file the personnel records and carry
around vast amounts of information on their laptops. They touch information,
as a group, more than anyone. CISOs may build security, auditors may enforce
it and managers may expound it, but the staff needs to live it. The attitudes and
behaviors of the staff are the content of a security culture. If they do not buy in,
there is no sale.

Looking at the hierarchy in this manner, it becomes evident that, even if senior
managers believe in a culture of security, the message will not reach the staff if the
middle managers are not similarly supportive. The staff must be led to believe that
management champions are as sincere when they urge security as they are when
they urge sales. If the staff carries the substance of a culture, middle managers are
the catalysts who make the substance react.

5.3 Attributes of a Security Culture

How can an enterprise determine whether it has a robust, functioning culture
of security? In other words, how does it complete this sentence: “The culture
of security is strong if…”? It seems self-evident that such a culture exists if
the corporate culture includes respect for security, but this is a circular line of
reasoning. It is preferable to consider the attributes of a security culture and the
means toward obtaining or strengthening one.

5.3.1 Security Champions

The need for a champion has been discussed previously, but what do champions
actually do? First and foremost, they speak up, including in the board room with top
executives. When a new initiative is being discussed, the security champion simply
has to ask, “Is the information secure?” and half the battle is won. It is precisely the
act of laying security on the table among all the other determinants involved in a
decision—the more strategic the decision, the better—that makes a security culture
spring to life. Of course, no one is likely to say, “We do not need the information to
be secure.” Attitudes, assumptions and beliefs begin to move by putting security on
an equal footing with other considerations, and as they move, they also nudge along
behavior and ways of doing things.

As stated, asking the question is half the battle, which leaves another half to be
won. It is quite important that the same question be asked repeatedly, initiative
after initiative, project after project, until it no longer needs to be asked. Everyone
involved will think about security without being asked. In this way, a culture of
security goes from being intentional to being unintentional—so natural that it is no
longer thought about, but just done. It is even better if more than just the original
champion asks the question. That would indicate that the culture of security is
catching on at the highest levels.

Of course, asking the question is insufficient; it must also be answered. If the
consensus response is, “No, the information is not secure, but we do not care and
are going to do what we want anyway,” then the security culture dies before it
begins. Fortunately, few would be so foolhardy as to take that position, publicly
or privately. If, however, the reply is, “How secure does it have to be?,” then the
champion must be resolute. Security must be good enough to meet the enterprise’s
needs, explicitly tying security to overall organizational objectives. Finally, if
the initiative in question is reshaped in accord with organizational business
requirements, there is evidence that a security culture is taking root.

All of this conversation occurs at the highest levels, but champions must also
communicate it downward. They can invigorate those in their line of authority, but
the message must also be conveyed down the chains of the champions’ peers, some
of whom are not yet involved in a culture of security. As noted previously, senior
management proposes, but middle management disposes.

5.3.2 Budget for Security

Unless security is appropriately funded, there is no security. Where security does
not exist, neither does a meaningful security culture. Simply put, a culture of
security can be measured by what an enterprise is willing to spend for it. This
does not mean that an enterprise that has a security budget of US $1 million has
a security culture twice as strong as one that allocates US $500,000. No two
corporations or government agencies are exactly alike, and so, their financial
investments in security will differ based on their industries and relative sizes. As
was emphasized in section 2.1, a security culture can be viewed realistically only
within the context of an enterprise and the risks it faces.

There are more nuanced views of the correlation of budget and culture. For one
thing, the issue is not so much the money allocated for security, but how well it is
spent. If one enterprise’s security objectives can be met with less funding, then its
culture may, in fact, be superior to another that simply throws money at problems.7
It is also a matter of when the money is spent. When an enterprise first becomes
aware that its security is insufficient, at the onset of a demonstrable security
culture, it needs to spend more just to correct prior shortfalls. Since security is not
achieved overnight, an enterprise may spend more, but, at the time, be less secure.
The culture of security is more evident in the trajectory of improvement than in the
current state.

There is also the factor of how budgets are calculated and aggregated. One way, of
course, is to measure the money specifically allocated to an information security
function. This is meaningful, but incomplete. If security is pervasive within an
enterprise, there will be a security component to HR, facilities, operations, finance
and many other functions. It is true to say that an indicator of the strength of
a security culture is how widely an enterprise spreads its security investments.
Paradoxically, the stronger the culture, the harder it is to trace the money spent on
it. Measuring the total cost of security in an enterprise is a fascinating subject for
future research.

5.3.3 Broad Accountability

Beyond budgets, another attribute of a security culture is a broad base of participation
in securing an enterprise’s information resources. If “security is everyone’s job,” then
everyone must be accountable for security. In an enterprise where a security culture
has taken hold, roles and responsibilities for security are spelled out and individual
managers are answerable for their part of the total protection of information. Figure 6
suggests a possible distribution of accountability.

Figure 6—Possible Distribution of Accountability

Aspect of Security                              Accountable Function
Risk assessment                                 Risk management
Security policy and standards                   Information security
Asset management                                Information security, physical security
Employee screening                              HR
Physical security of information                Physical security, datacenter operations
Network data security                           Telecommunications
Spoken security                                 Corporate communications, telecommunications
Data retention                                  Datacenter operations, facilities
Monitoring and enforcement                      Internal audit
Access control                                  Information security
Encryption                                      Information security
Information acquisition, storage and disposal   General counsel, privacy, facilities
Incident response                               Information security, physical security
Recovery and resilience                         BCM
Compliance                                      Compliance

As shown in figure 6, many functions have a role to play. The overall
organizational culture of security is weak when more aspects of security are
concentrated in an information security department and when other functions have
less accountability.

5.3.4 Awareness and Education

It is in the context of broad accountability that awareness enters into the culture
of security. As stated previously in section 4.4, security awareness alone is not
enough. There is a significant difference between making people aware that there
is a need for security and that they have a specific role to play in achieving it. The
former is a half-formed wish. The latter is an attribute of a culture of security.

Making people aware of the parts that they are to play in securing an enterprise’s
information resources and holding them accountable for their roles are essential
for an intentional security culture. There is a positive decision to be made in
assigning responsibility to a particular function. Awareness occurs on multiple
levels. Someone in a position of relatively high authority must conclude that a
given function has a set of responsibilities. This person may be the aforementioned
champion or someone influenced by the champion. Managers of the functions that
receive the mandate must accept that they bear the designated responsibility, and
staff members should also be consulted on their roles. The gap between grudging
and wholehearted acceptance is filled by a security culture. It is the culture that
creates awareness and not the other way around.

Of course, just because someone has a responsibility does not mean that the
individual knows how to fulfill it; therefore, the person must be educated. This may
be achieved in a number of ways, including formal training, professional literature,
coaching, the use of consultants or delegation to specialists in the assigned roles. Most
likely, the educational process will incorporate all of these learning alternatives.

5.3.5 Policies, Standards and Guidelines

Staff needs a good understanding of the policies, standards and guidelines that the
enterprise has adopted with regard to security. This, of course, presupposes that the
policies, standards and guidelines exist; as previously stated, it is the province of the
information security function to make sure that they do. Even more so, they must
ensure that the policies, standards and guidelines are comprehensible, actionable and
enforceable. It would help if they were straightforward and simple, also. Standards
need to be intelligible to be followed. If a culture permits information security to
write them, it also requires that the people who receive them understand them.

(While it is difficult for CISOs to be the champions of a security culture, that is not
to say that they have no role in its strengthening. As stated previously, the function
is an instrumental force behind asset management, access control, encryption and
incident response and the development of policies, standards and guidelines. The
CISO’s role in the culture is to give substance to security.)

For example, a standard such as “symmetric encryption systems that utilize shared
secret keys for authentication and encryption must change these keys on at least
an annual basis” cannot be issued without explanation and education. What is
a symmetric encryption system? Is there an asymmetric system, and how does
it differ? What is an encryption system? What are shared secret keys (are there
unshared ones?), and why must they be changed?

The standard helps build security; the education in its meaning and use builds a
culture of security. The challenge is not whether the information security function
has the ability to draft policies, standards and guidelines, but whether it has the
communications skill to sell them.

5.3.6 Go/No-go Decisions

The crossroads of a security culture is whether anyone has the power to stop an
initiative from occurring on the grounds that it is not sufficiently secure. That
person may be the security champion or the CISO. It would be best if it were the
CEO, indicating that a culture of security had percolated to the very top of an
enterprise. If someone can halt an effort on the basis of security, then a security
culture can truly be said to exist.

This is not a power to be used lightly, and as with so much of a culture of security,
it must be applied in context. It is insufficient for a CISO to state by fiat, “This
shall not pass.” There must be a broadly accepted framework within which that
power may be exercised. Fortunately, that context is provided by the policies,
standards and guidelines that were agreed on prior to the decision in
question. If a product or project does not live up to them, it should not be allowed.

Policies should be the least malleable; there should be little, if any, cause to go
forward if policies are violated. Standards usually contain waiver mechanisms that
apply to cases in which the business or a technology cannot support a requirement.
Guidelines, by their nature, are most open to interpretation. Thus, the mechanisms
are there for security to be the deciding factor for or against an initiative. Senior
leaders, if well informed, have the right to make decisions contrary to security
interests, but they also inherently accept accountability if overruling security
concerns backfires. Attitudes, not platitudes, are the stuff of a security culture,
and those attitudes manifest themselves when tough decisions need to be made.
From a cultural perspective, it is sufficient that security be grounds for not doing
something, with the blessing of management.

5.3.7 Rewards
If management must take the blame for poor decisions, it must also be rewarded for
good ones. As noted in section 4.6, the absence of rewards is an inhibitor of a security
culture. It is difficult, as noted, to equate the compensation for sales, growth or profits
with those of security. They cannot be measured on the same scale.

However, with the contemporary attention to risk management8 in finance,
government, extractive industries and power generation (to name a few affected
industries), it is easier to reward someone for good risk-related decision making.
(It is easier, but still not easy.) The role of senior executives is to make decisions,
so if a security culture induces these men and women to consider safety and
prudence as a part of their jobs, they should get something for it, in remuneration,
influence and respect.

The challenge is to translate the consideration of security downward. Many, if not
most, initiatives in an enterprise start from below and work their way up to senior
management for approval and budget. Those at the top should note where insecure
recommendations come from (and come from regularly)—not so much to punish
the malefactors, but as a basis for comparison with those who do not. If middle
managers see that poor recommendations are rejected, but that security ones are
accepted and funded, the message will be conveyed and the culture strengthened.

5.3.8 Rigorous Response to Breaches

It is important to remember that no matter how good the standards and the backing
to implement them, security-related incidents may still occur. When they do, an
enterprise must be swift and resolute in responding to and learning from them. Any
enterprise will respond when attacked, including the least secure and those with the
weakest security culture. It is not the response that defines the culture, but the vigor
and visibility with which it does so. The importance is not only doing the right
thing, but to be seen doing it.

Security breaches come in many forms. If one is the result of external forces (e.g.,
hacks or denial-of-service (DoS) attacks), it pays to be very public in taking action against them.9
If nothing else, it would demonstrate to customers and staff alike that a company is
serious about security if it makes strategic or tactical changes to its business model
in the face of attacks. Equally important is to be visible in responding to internal
violations of security. When these are criminal matters, an enterprise should seek
prosecution. If they are breaches of trust or propriety, they should not be swept under
the corporate carpet. If security is seen as a part of an enterprise’s business, then it
needs to show that it means business when it comes to security.

5.3.9 Satisfied Customers

Nothing is as good for business as satisfied customers. Increasingly, enterprises
are demanding security and reliability from their suppliers. Some of this is driven
by laws defining business accountability, such as the US Sarbanes-Oxley Act or
Japan’s Financial Instruments and Exchange Law, known as J-SOX. These laws
induce companies to ensure that not only are they secure, but that the companies
with whom they do business are also.

There is little doubt that laws and regulations have helped enterprises improve their
systems of internal control and, in turn, their security cultures. However, an equally
important factor has been the interaction of companies in what has been termed an
“extended enterprise.”10 If there is to be an active collaboration among business
partners, each must be satisfied that the other has achieved at least a comparable
level of security as its own. Mutual interdependence breeds a joint concern for
security. If any party to a transaction feels that it is exposed, there is little chance of
success. Thus, each seeks assurance from the other so that together they may reap a
“variety of business benefits (e.g., enhanced customer loyalty, increased revenues,
reduced inventory, reduced time to market for new products, more effective
business processes, reduced costs, and/or increased profits).”11

Note the reference to customers in the preceding quotation. When entrusted with
people’s (or enterprises’) information, customers do not demand security, but simply
expect it. It is, or should be, a routine matter that those who hold information need
to protect it. This may be backed up by law and regulation (e.g., the European Data
Protection Directive of 1995), but it is a manifestation of a culture of security among
customers that they ask for security and among vendors that they supply it. After all,
vendors are also somebody’s customers. It is quite clear that customers dissatisfied with
security will bring action (and strengthen a security culture). When there are satisfied
customers, the tie between security and revenues and profits is more demonstrable, and
thus, it is easier to tie rewards to security.

Each of the attributes of a culture of security, as described previously, seems
simple to implement. They almost seem self-evident. If that is the case, why is
strengthening a security culture an issue at all? Why is a strong culture of security
not present in all enterprises? The answer is that, while the individual attributes
may be easy to achieve, one by one, they all must be present for there to be a strong
culture. Enterprises cannot pick and choose. They cannot decide to have policies
without education, champions without budget or satisfied customers without
rewards to those who satisfy them. If it were that easy, every enterprise would have
a culture of security (and this volume would be unnecessary). The fact that many
enterprises have not accomplished all of the attributes indicates that there is a long
way to go to instill a cultural regard for security across societies. The situation
seems better than it was in many enterprises, but there is still quite a way to go.

Endnotes
1. Sartre, Jean-Paul; Existentialism and Human Emotions, Citadel Press, USA,
   1957, p. 15
2. For example, the volume 2, 2010 issue of the ISACA Journal, dedicated to
   security, has on its cover a stylized personal computer looking like a vault door,
   with two combination locks and a large vault bolt.
3. www.mcgruff.org
4. Knowles, Malcolm S.; Elwood F. Holton III; Richard A. Swanson; How Adults
   Learn, Elsevier, UK, 2005
5. ISACA, An Introduction to BMIS, op. cit., p. 21
6. Bentham, Jeremy; An Introduction to the Principles of Morals and Legislation,
   UK, 1780, pp. 82-83
7. Boesen, Thomas; “New Tools for a Corporate Culture,” Balanced Scorecard
   Report, Harvard Business School Publishing, USA, November-December 2000
8. Discussions of risk management in society at large are too numerous to cite. One
   that is indicative of the public consciousness of risk management may be found in
   Brooks, David; “Drilling for Certainty,” New York Times, USA, 28 May 2010
9. For example, Google received much positive publicity about its decision to
   change its business plans in the face of perceived security attacks. (See “Google,
   Inc.,” New York Times, USA, 20 April 2010,
   http://topics.nytimes.com/top/news/business/companies/google_inc/index.html?scp=15&sq=Google+security&st=cse.)
   Less discussed was the effect of the decision on morale within the company.
10. See David, Edward Wilson; Robert E. Spekman; Extended Enterprise: Gaining
    Competitive Advantage Through Collaborative Supply Chains, FT Press, UK, 2004
11. Ibid., pp. 132-133

6.0 Positive Reinforcement

Creating a culture is one thing (if, indeed, it can be done). Strengthening a culture
is something else, and keeping it going and growing is a third. Management
influences behavior, if not attitudes, through measures designed to provide positive
reinforcement for desired conduct and negative reinforcement for that which it
wishes to suppress. Negative reinforcement, unfortunately, is a necessary part of a
culture, but one that raises, once again, the image of security that is best left out of
sight until needed. It is addressed in the next section.

The ultimate positive reinforcement, as stated previously, is the rewards that come
to the individual for treating information securely. There is an important distinction
here: Remuneration, advancement and influence come to people for what they
do to protect information resources and there can be no culture of security where
security is ignored. However, reinforcing a culture is different. It necessitates
actions to inculcate attitudes and beliefs, an organizational vision of how security
fits into its behavior, and a way of doing things.

The objective is to fuse the interests of the enterprise, the individual and security
into one organic whole. The enterprise may face circumstances in which security
seemingly runs counter to short-term goals, such as speed or flexibility in
responding to customer demands. An executive may think, “Who will know or care
if the rules are bent—not broken, to be sure—just a little?” An individual may see
security as an impediment, slowing things down and generating more bureaucracy.
A security culture reinforces itself by getting all within an enterprise to see that
security makes things better. This is the heartbeat that must be felt throughout an
enterprise: Secure is better.

Why is it better? If “secure is better” is the heartbeat of a security culture, then the
reasons it is better are a culture’s lifeblood. Secure is better because an enterprise’s
business depends on it. It is better because customers expect reliability. It is better
because it lives within tolerable risks. It is better because secure resources will not
be misused and will be there when needed. It is better because a secure anything is
better than an insecure anything.

The challenge for management is to build security into the way it thinks about and
runs an enterprise and by reinforcing all the positive attributes of a security culture
listed previously. It would be enough to make all personnel behave in a secure
manner, but the real goal of a culture is to convince them to think about what
they do for the business in a certain way, placing security, if not first, at least not
last. Thought patterns are best directed by emphasizing organizational goodness,
not the punishments that will be meted out for bad behavior. It calls for a liberal
application of honey with a dose of vinegar in reserve to spice it up.

6.1 Alignment of Information Security and Business Objectives

Unfortunately, many people do not see that a secure enterprise is a better enterprise.
That is because they see their own business requirements going in one direction and
security’s going in another, if not blocking their business objectives altogether. It is
insufficient to point out the risks these people are taking. They have accommodated
risk in their own minds. Whether they are rationalizing their ambitions or not, they
believe that there is something they want to do, generally to make more money for
a private-sector enterprise or improve service in the public sector, that they would
and could do except for the “silly” demands of security. For them, security is an
obstruction to overcome. By the time security becomes a consideration, it is already
too late. The information security function may prevail in stopping an insecure
initiative, but that will only deepen these employees’ suspicion of security and the
professionals who expound it.

It is curious that security is so often singled out as an obstructive element within
an enterprise. The accounting department is not considered an obstacle to progress
because it enforces standard ways of showing revenue and profit. The legal
department is not viewed as an impediment because it points out what is prohibited.
Risk management is not seen as a barrier because it says that someone’s project
or product is uninsurable. To be fair, many people do grumble about accounting,
legal or risk management departments, but there is greater recognition that these
functions are imposing restrictions set by external forces such as accounting boards,
legislatures or insurers and not creating difficulties themselves.

6.1.1 Security as an Obstacle

Rules and laws are both external and in the past tense. They are limitations that
come from outside an enterprise; no matter how much people may rail against
government or insurance companies, they recognize that the laws must be obeyed
and that insurance policies do not cover everything. However, they also expect
accountants, lawyers and risk managers to help them to accomplish what they want
to do. The American financier J. P. Morgan was reputed to have said, “I don’t want
a lawyer to tell me what I cannot do. I hire him to tell me how to do what I want to
do.”1 Why, then, do people not feel the same about security professionals?

It is largely because security does not deal in hard, documented facts such as laws
or insurance policies. Security looks to the future: what may happen, but has not
happened yet. Sometimes, security does deal with incidents, but once these have
been repaired, the next incident still lies in the future. Everyone has to accept
laws, standards and regulations that have already been issued, but people can hold
different opinions2 about what may happen in the future. Where a CISO may see
only the prospect of harm, a salesperson may see profit and discount the possibility
of an incident as so remote as to be dismissible.

When other staff functions manage alignment of a business with things that have
happened in the past, information security must manage the future. In reality, all
management should be oriented toward the future: the sales to be made, bonuses to
be paid and mistakes not to be made. In the same way that lawyers help their clients
to do what they want to do legally, security professionals can help their colleagues
to do what they want to do securely. The challenge to these professionals and the
secret of creating a security culture is to transform themselves from naysayers to
problem-solvers. They can demonstrate their alignment with the overall business by
assisting their colleagues to meet their own business objectives.

In fact, security professionals rarely see themselves as negative and do feel
that their role is to help their enterprises. They understand security so well and
so deeply that it puzzles them that others do not. They try to help others avoid
mistakes. Security people live within a security culture by predisposition, profession
and choice. However, they are cynical about what people in and outside of their
enterprises would do if security were not present and, so, put themselves on the
front line in the war against misuse and destruction of information. That is heroism.
What is needed for a culture is not heroism, but leadership to bring others along
with them instead of fighting the lonely fight.

6.1.2 Strategic Necessity

Security professionals may engage others by demonstrating that security is a
strategic imperative, the realm of senior management decision making. At a
strategic level, a security professional must be aware of the business of the
enterprise. Security is stronger at banks, for example, than at manufacturing
companies because, as Willie Sutton3 said, that is where the money is found. So,
security is acculturated in banks more so than other enterprises.

The CISOs of various industries cannot all achieve the same level of security; once
again, context enters the discussion. Security professionals can measure themselves
against others in their own industries. Using conferences, literature and personal
networks, they can learn what others are accomplishing in security and raise the
levels within their own enterprises. (A special challenge comes for those who lead the
pack in their own industries, but do not feel they have done enough. Perhaps they are
reaching for too much.) The interesting question that should be posed and answered is
whether the different appetites for risk, company to company, justify different degrees
of security. If so, security professionals must adjust their sights accordingly to remain
in alignment with their own enterprise’s goals. Not to do so is to oppose security to
the corporate culture, which is hardly conducive to reinforcing a security culture.

Security professionals in the private sector need to understand how their enterprises
make money and focus their attention there. Clearly, this entails security for the
systems that take orders, manage inventory and ship products. There are other
types of information such as formulas, trade secrets and new product developments
that are money makers also. A culture of security most frequently exists around
this latter sort of information. People accept that secret recipes and information
about the latest models need to be secure. They have bought into a culture of
security, at least that far. That culture can be reinforced by extending it to other
types of information.

It is important that security professionals help their enterprises to recognize the real
extent of the risks they face. Simply put, some are targets for misuse of information
more than others. For example, information in the military and intelligence agencies
is more likely to be sought and misused than in civilian agencies. As mentioned, the
information in banks and other financial institutions is constantly under attack because
it has monetary value. A culture of security suffuses these types of enterprises
because the threats are clear. No one at the US Central Intelligence Agency (CIA);
UK Military Intelligence, Section 5 (MI5); or the Russian military intelligence
agency Glavnoye Razvedyvatel’noye Upravleniye (GRU) thinks for a moment that
security is a nonissue. In enterprises in which threats are not so evident, it may be
hard to see why anyone would misuse information about the seemingly uninteresting
products they make. However, if enterprises make revenue on their products and the
information about them supports profits, there will be someone who is interested in
stealing, revealing, modifying or destroying that information. The culture must rise to
the level of the threat for the safeguards to be appropriate.

Of course, there is a cost side to the risk equation. The best investments in security
are those that cost little and protect a lot. The best contribution of a security culture
to overall business objectives is the understanding that the right level of security,
in context, is a parallel objective of the business. Security devices and software can
be costly and protect against only a limited range of threats. A culture that leads to
understanding those threats costs very little and can be applied against the full array
of risks an enterprise faces.

6.1.3 Risk Management

Understanding risks is a necessary, but insufficient, precursor to an appropriate
level of security. A security culture is also a requirement so that security is
right-sized against real risks. Not all risks can be eliminated, nor should they be; a
tolerable amount is necessary for business to proceed. Culturally, this is generally
accepted. No enterprise tolerates stupid risks, at least not for long. All profitable
enterprises make money by taking smart risks. A security culture is not reinforced
by insisting on eliminating all risk, but by eliminating the stupid ones and providing
a fallback position if the tolerated ones turn out not to be so smart after all.

The essence of risk management—as opposed to risk mitigation, reduction or
elimination—is in the grey area between clearly foolish and clearly acceptable
risk. Human nature being what it is, there will always be people who propose to do
something that makes no sense and can only lead to sorrow. Management should be
adept enough to see this and stop them before they move forward. Unfortunately,
it is not so easy to see which risks are so acceptable that it would be foolish not to
take them. If the possibility of harm to information is never realized, then the risk
was a smart one—or was it? Was it just a matter of luck so that, if the same risk
were taken over and over, it would turn sour eventually?

Bad things that may happen do not always occur. The frequency of occurrence
(not the probability) is the measure of risk acceptability. Something that goes
wrong once in 10 times is surely unacceptable. Something that goes wrong once in
a million times may be acceptable, except for enterprises that perform millions of
risk-bearing transactions every year. Even for those who do not face risk as often, it
must be accepted that the one-in-a-million occurrence could happen today.
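As an added illustration of the point above, not taken from the book, the following Python works the "once in a million" case through for enterprises of different transaction volume, judging acceptability on expected incidents per year rather than on the per-event rate alone; the failure rates and annual volumes are constructed figures.

```python
"""Frequency, not per-event probability, as the measure of risk acceptability.
Added illustration; the failure rates and annual volumes used below are
constructed figures, not data from the book."""


def expected_incidents(rate_per_event, events):
    """Expected number of incidents over `events` opportunities (rate x exposure)."""
    return rate_per_event * events


def prob_at_least_one(rate_per_event, events):
    """Probability that an event with per-opportunity rate p occurs at least once
    in n independent opportunities: 1 - (1 - p) ** n."""
    return 1.0 - (1.0 - rate_per_event) ** events


def acceptable(rate_per_event, events_per_year, max_incidents_per_year):
    """Judge acceptability on expected incidents per year, not on the rate alone."""
    return expected_incidents(rate_per_event, events_per_year) <= max_incidents_per_year


def compare(rate_per_event, volumes, max_incidents_per_year):
    """Same per-event rate, different annual volumes. Returns, per enterprise,
    (expected incidents per year, probability of at least one this year, acceptable?)."""
    return {
        name: (
            expected_incidents(rate_per_event, n),
            prob_at_least_one(rate_per_event, n),
            acceptable(rate_per_event, n, max_incidents_per_year),
        )
        for name, n in volumes.items()
    }


if __name__ == "__main__":
    ONE_IN_A_MILLION = 1e-6
    # Constructed volumes: risk-bearing transactions per year.
    volumes = {"small firm": 1_000, "mid-size firm": 1_000_000, "large bank": 50_000_000}
    for name, (exp, p_any, ok) in compare(ONE_IN_A_MILLION, volumes, 1.0).items():
        print(f"{name:14s} expected/yr={exp:10.3f}  P(>=1 this year)={p_any:.4f}  tolerable={ok}")
    # Something that goes wrong once in 10 times is unacceptable even at low volume.
    print("once in 10, 10 tries:", expected_incidents(0.1, 10), prob_at_least_one(0.1, 10))
    # Even for a single transaction, the one-in-a-million event could happen today.
    print("P(today, one transaction) =", prob_at_least_one(ONE_IN_A_MILLION, 1))
```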

There is a virtuous cycle between risk management and a security culture: the more
people in an enterprise who appreciate the nature of the risks they face, the more
likely they are to incorporate security in their attitudes concerning their business
and the more acculturated they are toward security, the more they will appreciate
the appropriate amount of risk they can take. In short, risk management reinforces a
culture of security. Nonetheless, in many enterprises, risk management is no stronger
than its security culture, so they both need to be elevated. In fact, it may be axiomatic
that where a security culture is strong, risk management is also strong.

In recent years, so many seemingly “smart” risks have proved to be foolish that
there is greater acceptance of risk management in enterprises around the world.
For the most part, the areas of risk that have caused the most harm do not concern
information. However, gross miscalculations in such diverse fields as warfare,
finance, petroleum and construction have heightened overall awareness of risk,
which can be leveraged for security’s sake. It is notable that the term “information
risk management” (IRM) is gaining currency. Some CISOs style themselves—or
report to—information risk managers. Much of the literature on the subject of IRM
addresses the same points as have been made about a security culture: alignment
with organizational goals, senior management support, visibility for security and
incentives for secure behavior. One study even states that the risk mindset—much
the same as a culture—must change for “information risk [to be] part of every
business discussion.”4 In these terms, it is easy to see the symbiosis between a
security culture and risk management.

6.1.4 Security Procedures Embedded in Daily Operations

In its definition of a security culture, BMIS strikes a balance between what people
think (beliefs, assumptions and attitudes) and what they do (a pattern of behaviors,
ways of doing things). An appreciation of risk and respect for security are all well and
good, but mean little if people do not act on what they believe. Even more, a culture
of security may be considered entrenched in an enterprise if people act securely
without thinking about doing so. People do not awaken and think, “I will be secure
today.” Rather, they follow routine procedures that become so engrained that they do
not even realize that they are following them—or that they are being secure.

For example, in the financial services industry, one group of people consists of
traders and another performs all the posttrade activities to execute the trades. The
functions are incompatible. Were a trader to carry out the posttrade activities, there
would be a significant breakdown in separation of duties. No one would cross
that line without realizing that, to do so, a fraud would be committed.5
The information that the two groups use is the same, but they use it at different
stages of a trading life cycle. Security is enforced by an access control system
that permits traders and operations personnel to see and act on the information
only at the required stages. Also, the access control system may be backed up by
an identity management system that recognizes all the people in a group called
“Traders” and another called “Trade Executors.” The point of this little treatise
on trade processing is that no one in a financial institution gives a second thought
about whether to carry out activities securely. This is simply the way in which the
job is done. Despite the occasional fraudster who finds a way around the system,
thousands (perhaps millions) of people are involved in trading every day, with
attitudes and behaviors enveloped in security without their even thinking about it.
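The trade-processing arrangement described above, as an added Python illustration that is not from the book: an access control decision keyed to trade stage and group membership, a minimal stand-in for the identity management system that holds the "Traders" and "Trade Executors" groups, and a check that flags anyone placed in both. The group names come from the text; the stages, user names and policy layout are assumptions made for the example.

```python
"""Stage-based access control backed by group membership, with a
separation-of-duties check. Added illustration, not from the book: the group
names are the text's, the stages, users and policy layout are constructed."""
from collections import defaultdict

# Constructed policy: which group may act at which stage of a trade's life cycle.
STAGE_PERMISSIONS = {
    "Traders": {"enter"},
    "Trade Executors": {"confirm", "settle"},
}
# Order a trade must follow through its life cycle.
STAGE_ORDER = ["enter", "confirm", "settle"]
# Group pairs that must never be held by one person (incompatible functions).
SOD_CONFLICTS = [("Traders", "Trade Executors")]


class Directory:
    """Minimal stand-in for the identity management system: user -> groups."""

    def __init__(self):
        self.members = defaultdict(set)

    def add(self, user, group):
        self.members[user].add(group)

    def groups_of(self, user):
        return self.members.get(user, set())


def may_act(directory, user, stage):
    """Access control decision: allowed only if one of the user's groups is
    permitted at this stage."""
    return any(stage in STAGE_PERMISSIONS.get(g, ()) for g in directory.groups_of(user))


def sod_violations(directory):
    """Users whose group memberships combine incompatible functions; the kind of
    misconfiguration that would let one person both trade and execute."""
    found = []
    for user, groups in directory.members.items():
        for a, b in SOD_CONFLICTS:
            if a in groups and b in groups:
                found.append((user, a, b))
    return found


def process_trade(directory, steps):
    """Run one trade through (user, stage) steps in order.

    Returns (completed, trail). A step is denied if the stage is out of
    order, the user's groups do not permit it, or the person who entered the
    trade tries to settle it: a per-trade check that still holds if group
    memberships were misconfigured.
    """
    trail = []
    actors = {}
    for user, stage in steps:
        expected = STAGE_ORDER[len(actors)] if len(actors) < len(STAGE_ORDER) else None
        if stage != expected:
            trail.append((user, stage, "denied: out of order"))
            return False, trail
        if not may_act(directory, user, stage):
            trail.append((user, stage, "denied: no permitted group"))
            return False, trail
        if stage == "settle" and actors.get("enter") == user:
            trail.append((user, stage, "denied: same person entered the trade"))
            return False, trail
        actors[stage] = user
        trail.append((user, stage, "allowed"))
    return len(actors) == len(STAGE_ORDER), trail


if __name__ == "__main__":
    d = Directory()
    d.add("alice", "Traders")
    d.add("bob", "Trade Executors")
    print(process_trade(d, [("alice", "enter"), ("bob", "confirm"), ("bob", "settle")]))
    # A trader attempting post-trade work is refused by the access control system.
    print(process_trade(d, [("alice", "enter"), ("alice", "confirm")]))
    # Someone placed in both groups is flagged by the membership review.
    d.add("carol", "Traders")
    d.add("carol", "Trade Executors")
    print(sod_violations(d))
```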

An interesting question is how people become acculturated to following secure
procedures and acting securely when they are new to a function. Does someone say,
“This is how we keep this function secure,” or are people simply instructed on how
to do their jobs, with security already built in? If the latter, then someone at some
time must have considered security in devising those procedures. Was that person (or
people) part of a security culture, or were the risks so evident that anyone would have
built security into the procedures?

There have been trading activities going on since the dawn of humanity that were
formalized during the Renaissance and passed down to the present day. A notable
turning point occurred when trading systems were automated in the second half of
the 20th century. At that time, security had to be built into a series of programs and
user operating procedures. Not all security decisions were as simple as the separation
of duties described previously. Limits, approvals, reporting, correction, controls
and many other aspects of business life have to be encapsulated in programs and
procedures. Even in an activity such as trading in which the need for security is so
evident, decisions can and have been made that strengthen or weaken overall security.
The manner in which those decisions are made is indicative of the strength of a
security culture. Including security professionals as advisors or even as designers
reinforces a culture of security. The same may be said of auditors, although they
would rarely design controls they may have to audit, and of risk managers, who may
be called upon for their insights into the risks in a business function.

6.1.5 Management Reward Structure

Much has been said in this volume about rewards as a means of strengthening
a culture of security and of the metrics for determining whether rewards are
warranted. There is a vital aspect of rewarding people as a means toward solidifying
a security culture: People, especially middle managers, need to know that secure
behavior will be rewarded. That, in turn, means that senior managers must make
their intentions clear. Senior management must encourage the implementation of
security safeguards with all the budgetary support that it implies and must also
promote the attitudes that constitute a culture of security.

In other words, to be rewarded in pay, promotion, respect and clout, managers must
not only do the right things with regard to security, but also be seen to be doing so
willingly, supportively and intentionally. They must be proactive in considering
security as a part of their jobs, insisting on secure solutions to day-to-day problems.
They should find themselves in accord with security professionals on most matters
and should not be constantly negotiating for less security in each new project and
system. Senior management should be aware of the attitudes and approaches taken
by middle managers and reward them accordingly.

If a business manager and a CISO disagree on the extent of security needed, should
the CISO always be considered to be correct, and how does a senior manager know
whether a middle manager is being obstructive to security or standing firm for the
appropriate level of security? To the first question, it is clear that CISOs are not
always right and that they sometimes are more extreme in their drive for the most
secure operations possible, losing sight of the business context in which security
is to be implemented. It is as incumbent on CISOs to learn to think like business
managers as it is on business managers to think like CISOs. That said, most CISOs
are not overly extreme all of the time (or else they will not be in their positions for
very long). A particular disagreement between the two means little, especially if the
difference of opinion is conducted in a collegial manner, but a pattern of conflict
is another matter entirely. Senior managers should be attuned to such behavior and
reward or reprimand accordingly.

One of the roles of senior managers is the resolution of disputes among their
subordinates. They can tell who is involved the most often and how often those
people are supported or denied in their arguments over security. (To be sure,
a senior manager may also act outside a security culture, but if the culture is
to be built around security in context, it is senior management that bears the
responsibility of establishing that context.) Senior managers do not need to rely
solely on their own judgment in determining who is and is not supportive of a
security culture. They know who is criticized in audits on a regular basis, who is
out of tune with colleagues and who is running the greatest risks.

Establishing the reward structure for a culture of security does not need to take the
form of a written set of metrics. In fact, to define a culture solely on the basis of a list
of dos and don’ts would unnecessarily constrain it. A quiet word in the corridor, a
note on an annual review or a supportive e-mail may do quite as well. The important
thing is for everyone to know that someone above is aware of the cultural temperature
of an enterprise and will take active measures to reward those trying to raise it.

6.2 Balance

Tightrope walkers have many skills and attributes: style, courage, determination,
showmanship and a little bit of magic. They definitely have a culture of security
that consists of balancing poles, nets and years of practice. What they have most
of all is balance. If building a security culture is not quite so treacherous as
tightrope walking, it calls just as much for balance. It requires some organizational
acrobatics, the ability to change direction and overcome inertia, and a solid central
position that does not shift when conditions do.

6.2.1 The Burden on Security Professionals

Perhaps the most important part of balancing, in cultural terms, is just getting
along well with others. Those who support a security culture must convince others
and transform their thoughts and actions. This is rarely achieved by pounding the
boardroom table. Persuasion is a gentle art that calls for the proponent to demonstrate
(more so than explain) that security is beneficial to others who are not quite so
certain. As much as anything, it requires the supporters of a culture of security to
have a firm, internal comprehension of what makes information secure and why the
information should be secure in the first place. The demonstration of the value of
security must be given in terms that each recipient will understand and relate to.

Balance is needed because some position, action or initiative is so weighted to
one, insecure side that a counterweight needs to be applied. Therefore, it requires
the proponent of security to be able to recognize the other person’s goals and
objectives and apply just the right amount of countering force. The focus must
be as much on the recognition as the force. Imposing security over the objections
of a salesperson, an accountant, an operations manager or an administrator may
build greater security, but may just as easily undermine a culture of security. It
is not a question of winning or losing, but of understanding the greater long-term
goals of an enterprise. Security professionals, empowered as they are to keep an
enterprise’s information safe from misuse, must, at the same time, visualize how
that information is and can be put to profitable use.

This ability to see matters from another person’s viewpoint is a difficult skill to
master. It is the essence of organizational balance, especially for those who are entrusted
with the responsibility to keep information safe. In the information security functions of
many enterprises, there is a history of battles won, but mostly lost, and of slow progress
to push the front forward to overcome the forces that would sacrifice safety for meager
gains. The use of military terms in the previous sentence is intentional, and for those
security professionals who think in those terms, it is destructive of a security culture.
Security of business information is not a war, and implementing security is not a matter
of wins and losses. Those who think back on the introduction of a new application or
technology and are still upset because management did not support a particular security
initiative have to put all that behind them.

Each issue has to stand on its own merits in context and with balance. The imagery
of battle is counterproductive precisely because, even if security is not a war, one’s
fellow employees are allies in the fight. Security professionals need to ask themselves
what would be a “win” for the others in their enterprise who have its welfare at heart
just as much as they do. Security can be achieved by forcing a particular safeguard or
restriction to be put in place, but the imposition of organizational force undermines a
security culture.

Security professionals must learn to think like salespeople, accountants, operations
managers or administrators and to understand what drives and compensates them.
They should seek to achieve the objectives of both a business unit and a security
department. True organizational balance will be achieved when a CISO can be
promoted to a revenue-generating role and a business unit leader can be promoted
to CISO. In many, perhaps the vast majority, of enterprises, this balance is a long
way off in the future.

To some extent, the problem lies with security professionals’ lack of understanding
(and some would say, of interest) in how a business actually works and how a
private enterprise makes money. This is, in most cases, overstated; most security
professionals have a very good comprehension of the workings of their enterprises,
gained through business impact analyses and risk assessments. What many lack is,
in the words of the poet, the ability to see themselves as others see them.6 In too
many enterprises, the information security function is not well liked, even where it
is respected. As explained in section 4.0, security professionals are sometimes seen
as organizational cops and not friendly. They still have the obligation to do the right
things for the security of an enterprise’s information; they must learn to put things
their way, but nicely.

6.2.2 The Burden on the Enterprise

Security professionals cannot forgo their responsibilities for the sake of nicety,
though. They are as likely to fall from the tightrope by giving away too much as
giving too little. Throughout every enterprise, people must realize—and many
do—that business has undergone and is still undergoing profound change in only a
generation. Information is available in ways never before encountered: in greater
quantities, at less cost, in less time and anywhere in the world. Protecting it is a
tireless job in a battle—here the imagery is appropriate—against unknown, unseen
forces, some of whom may appear to be friends.

In short, information truly is at risk and enterprises are at risk of not controlling
their precious information. This recognition needs to be engrained in every
company, government agency and charitable institution today. Technology has
altered the balance of security everywhere. The sheer amount of data is growing at
incredible rates, more than 50 percent year over year.7 In previous years, data were
measured in megabytes, then gigabytes and then terabytes. Industry analysts now
talk in terms of petabytes—that is thousands of trillions of bytes of information.
The information flows quickly as well. It is routine for large enterprises to have
communications lines of megabits per second. Even home users of the Internet are
seeing speeds of many megabits per second.

Information does not just fly, it walks as well. In many enterprises, there is a
growing understanding of the vast amount of data that move through society on
laptop computers; compact disc read-only memory (CD-ROMs); Universal Serial
Bus (USB) drives; backup tapes; and, yes, paper. In many cases, data do not
leave the protected perimeter of an enterprise’s data processing systems through a
security breach, in which someone accesses data without authorization, but, rather,
through transportation of data accessed in an authorized manner. This is not a new
concern, but the increased ubiquity and capacity of readily transportable media
have magnified the problem.8 Enterprises must be cognizant of the change in the
dynamic of securing all that information.

This also raises the urgency for strengthening a culture of security. Business leaders
cannot sit idly by, waiting for the CISO in their enterprise—if there is one—to
save the day. Enough has been said already about the need for champions who
are aware of the problem of securing so much information. The CISO’s task is
to communicate the magnitude of the problem and to present solutions that the
business can accommodate, and it is up to the leadership of each enterprise to heed
the warning.

In other words, if the balance point for security has changed, so, too, has the center
of gravity of a security culture. There are issues on which security professionals
can bend and others in which any bending will lead to rupture. Although there is
room for accommodation in some matters, the center must still hold. It is up to
security professionals everywhere to identify the breaking point for the information
in their enterprises. A security culture, too, is a fabric that can bend in some
places, but must be stiffened so as not to tear. For example, there is much room for
compromise as to which roles need access to which information to perform at an
optimum level, but there is no space for a breakdown in separation of duties. Some
latitude may be given to system administrators to have privileged access to many
servers and operating systems, but the ability to bypass supervision and control with
regard to programs and data is not negotiable. Information owners can deliberate
on how critical their information is to their business and, therefore, how quickly it
needs to be restored after a disruption. They cannot scrimp on cost by forgoing
recoverability altogether. Also, once they have decided on the sensitivity, criticality
and risk of their information, they cannot quarrel with the cost of the necessary
safeguards and controls to protect it to the level they have determined.

In many enterprises, it is felt that information owners are all in favor of security,
recoverability and control—until they hear the price of achieving it. If there is to be
a culture of security in an enterprise, it must be based on openness and cooperation
in finding the balance between the need and the cost of security. Security
professionals generally strive to provide decision makers with accurate and relevant
information of risk and costs, and information owners must not adjust their
risk-related decisions based purely on cost. That is not to say that affordability
should be taken out of the assessment of the appropriate level of security; cost is a
factor of appropriateness. However, the risk does not change whether the price of
safety is high. By analogy, many people buy the maximum amount of insurance
they can afford and accept the fact that, if the insured event occurs, they may not
be fully recompensed. Enterprises with a serious security culture make the right
choices, not always the ones that provide the highest level of security.

6.3 Convergence of Security Roles

The distinction between security professionals and business leaders is, of course, a
false one. Those in the information security function are part of the business, and
many parts of an enterprise participate in security. As BMIS notes:

To maximize [ROI], all security functions (information security,
physical security, etc.) should be aligned with and support each other.
Nonaligned security functions are wasteful and hinder the identification
and mitigation of cross-functional risk.9

However, there are many others who play a part in information security, whether
they have a security title or not. (See section 5.3.) Each participant must be in
close contact with the others to build, in ISO’s terms, an information security
management system—not an information security department. Risk management,
HR, physical security, datacenter operations, corporate communications,
telecommunications, general counsel, internal audit, compliance, privacy and BCM
all have a part to play in securing information. It would be easy to think that all
these different organizational functions taken together would form the nucleus of a
security culture.

They would, if they recognized one another for their different roles in security.
Unfortunately, in all too many cases, they do not. A notable example in many
enterprises is the divergence between what should be closely entwined functions:
information security and BCM. Continuity and security are simply two points on
a spectrum of risk management. If the risk involved to information is one or more
events or conditions that create losses (financial, surely, but data losses as well), all
sources of those events or conditions should be understood as being the same, or at
least closely related. “Business continuity” is generally used for a loss caused by
a physical event (e.g., a disaster), and “information security” is generally used for
a loss caused by a logical event (e.g., a virus). As long as confidentiality, integrity
and availability are used as a definition of security, then business continuity must
be included. There is a definite convergence of interest between the two. Moreover,
the risk to availability stems from more than the possibility of disasters, which
occur rarely, but with enormous impact. Losses are caused by fires and earthquakes,
but they are also caused by downtime of any sort.10

Why do these two functions not work more seamlessly together? Why, for that
matter, are the different components of security not more closely aligned? The
problem is politics; the solution is a culture of security, which would, as BMIS puts
it, allow “for the convergence of security strategies,”11 operations, supervision and
reporting. The most useful contribution senior management can make to a security
culture, aside from intentionally championing its existence, is to ensure that all
those with converging security responsibilities reinforce one another rather than
needlessly, heedlessly fighting for their own “turf” at the expense of one another
and the detriment of the security cultures in their enterprises.

6.4 Automated Cultural Tools

There is a place for automation in the establishment of a security culture. This
seems surprising because culture seems to ride above technology, not encompass
it. However, in an era with mobile phones, personal digital assistants (PDAs),
laptop computers, e-mail, social networking, instant messaging and e-books, it is
hard to recognize a contemporary culture that is not heavily influenced by technical
tools, methods and assumptions. Much of the business world has come to expect
information to be available instantly, in every degree of detail, anywhere and
anytime. The security of all that information and the role technology may play
in it should be obvious.

There is a process that enterprises can follow that will allow them to approach
complete absorption of security into a corporate culture even if they never
completely get there. It implies that the cultural environment is not static; at
the same time as requirements are issued (or become obsolete), systems are
being introduced, upgraded or discarded. The process calls for vigilance and
responsiveness. When an enterprise needs to respond to an internal or external
stimulus (e.g., a reorganization, an acquisition, or a new law or regulation), it needs
to instigate action regarding security. The first step is to analyze the requirement,
which can rarely be done by security professionals alone. It necessitates
involvement by those who own or use the information in question; often by legal
counsel; and, in some instances, by senior management.

The culture then needs to adapt to fit the requirement to the enterprise. Depending
on what it is, the CISO may lead the way or perhaps someone in an enterprise
closer to the impact of the change. Analysis must be performed to determine
whether an enterprise is already doing what is required everywhere and without
exception. At this point, the change is subject to automated tools for project
management, reporting, budgetary impact and role management. None of these are
automation of the culture as such, but together, they influence what the culture of
security is and what it is to become.

As simple a requirement as the regulation to “assign a unique name and/or
number for identifying and tracking user identity”12 can have significant cultural
impact. It implies that every user of every system is individually known and
identifiable, that everyone’s activity with regard to information is known, and that
people are accountable for what they do with the information they encounter. This
has huge cultural implications, and honoring the regulatory requirement involves a
certain set of assumptions and attitudes about who uses what information for which
functions. The automation that enables this manifestation of a security culture is,
in this case, identity management software. The technology involved contains a
number of elements, as shown in figure 7.13

Figure 7—Identity Management Elements

[Figure: diagram of identity management elements. An authoritative source (employee,
customer and business partner attributes) feeds business events/triggers into an
identity repository; user provisioning and access management connect the repository
to applications and data; an enterprise identity role architecture and protection
underlie the whole.]

The identity repository is, essentially, a directory of everyone known to the
enterprise who may have access to information, a cultural artifact if ever there
was one. Provisioning associates people with resources, and access management
enforces those entitlements (and restrictions) at the time of access. However, the
most important element, from a cultural perspective, is the authoritative source.
It is metadata, information about information, that states who should have access
to what. A management structure is implicit when it has the authority to make
those determinations and, by extension, to exclude everyone everywhere who is
not included.
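The elements of figure 7 modelled in working code, as an added example that is not ISACA’s or the author’s: the HR events, role names, entitlements and identifiers below are constructed for illustration. It shows provisioning driven by authoritative-source events (including revocation on transfer and termination), entitlement enforcement at the time of access recorded against a unique user identity, and a reconciliation check that flags identities the authoritative source does not vouch for.

```python
"""Toy identity-management pipeline: authoritative source -> events -> repository
-> provisioning -> access management. Constructed example, not product code."""
from dataclasses import dataclass, field
import itertools

# Role architecture (constructed): business role -> entitlements on applications/data.
ROLE_ENTITLEMENTS = {
    "claims_clerk": {"claims_app:read", "claims_app:write"},
    "claims_auditor": {"claims_app:read", "audit_log:read"},
    "contractor": {"ticketing:read"},
}


@dataclass
class Identity:
    uid: str            # unique identifier: assigned once, never shared or reused
    person_key: str     # key into the authoritative source (HR number here)
    entitlements: set = field(default_factory=set)
    active: bool = True


class IdentityRepository:
    """Directory of everyone known to the enterprise who may have access."""

    def __init__(self):
        self._by_uid = {}
        self._by_person = {}
        self._seq = itertools.count(1)   # monotonic, so identifiers are never recycled

    def provision(self, person_key, role):
        """Associate a person with resources through a role; a transfer replaces
        (rather than adds to) the old role's entitlements."""
        ident = self._by_person.get(person_key)
        if ident is None:
            ident = Identity(uid=f"u{next(self._seq):05d}", person_key=person_key)
            self._by_uid[ident.uid] = ident
            self._by_person[person_key] = ident
        ident.entitlements = set(ROLE_ENTITLEMENTS[role])
        ident.active = True
        return ident

    def deprovision(self, person_key):
        """Keep the record (so the uid stays unique) but remove every entitlement."""
        ident = self._by_person[person_key]
        ident.entitlements.clear()
        ident.active = False
        return ident

    def lookup(self, uid):
        return self._by_uid.get(uid)

    def for_person(self, person_key):
        return self._by_person.get(person_key)

    def identities(self):
        return list(self._by_uid.values())


def apply_event(repo, event):
    """Business events/triggers from the authoritative source drive provisioning."""
    kind, person = event["type"], event["person"]
    if kind in ("hire", "transfer"):
        return repo.provision(person, event["role"])
    if kind == "terminate":
        return repo.deprovision(person)
    raise ValueError(f"unknown event type {kind!r}")


def check_access(repo, uid, resource, action, audit):
    """Access management: enforce entitlements at the time of access and log the
    decision against the unique identity, so activity is attributable."""
    ident = repo.lookup(uid)
    allowed = bool(ident and ident.active and f"{resource}:{action}" in ident.entitlements)
    audit.append({"uid": uid, "resource": resource, "action": action, "allowed": allowed})
    return allowed


def reconcile(repo, authoritative_people):
    """Return uids of active identities the authoritative source does not vouch for:
    accounts created around the provisioning process are a cultural warning sign."""
    vouched = {p["person"] for p in authoritative_people if p["status"] == "active"}
    return [i.uid for i in repo.identities() if i.active and i.person_key not in vouched]


# Constructed sample data: an HR event feed and the current HR snapshot.
HR_EVENTS = [
    {"type": "hire", "person": "HR-1001", "role": "claims_clerk"},
    {"type": "hire", "person": "HR-1002", "role": "claims_auditor"},
    {"type": "transfer", "person": "HR-1001", "role": "claims_auditor"},
    {"type": "terminate", "person": "HR-1002"},
]
HR_SNAPSHOT = [{"person": "HR-1001", "status": "active"},
               {"person": "HR-1002", "status": "terminated"}]


def run_demo():
    """Replay the events, exercise access checks, then reconcile the repository."""
    repo = IdentityRepository()
    for event in HR_EVENTS:
        apply_event(repo, event)
    audit = []
    clerk, auditor = repo.for_person("HR-1001"), repo.for_person("HR-1002")
    check_access(repo, clerk.uid, "audit_log", "read", audit)     # allowed after transfer
    check_access(repo, clerk.uid, "claims_app", "write", audit)   # revoked by transfer
    check_access(repo, auditor.uid, "claims_app", "read", audit)  # terminated
    # Someone creates an account directly, with no backing HR record (constructed).
    repo.provision("HR-9999", "contractor")
    return repo, audit, reconcile(repo, HR_SNAPSHOT)


if __name__ == "__main__":
    _, audit, orphans = run_demo()
    for entry in audit:
        print(entry)
    print("orphan identities:", orphans)
```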

The point of the previous example is that there are technologies that have cultural
impact on security. In implementing technical tools, enterprises come face to face
with the fact that they need to tailor their cultures, security being not the least
aspect, to work effectively with their technologies. At the same time, technical tools
become instruments for the development of a security culture.

6.4.1 An Architecture for a Security Culture


It is possible to use automation to support a security culture through the use of tools
that enable management to understand and control the interaction among people,
processes and technology that constitute a corporate culture.14 The tools (or more
properly, a tool kit) have a logical architecture with three major layers:
• Repository—Serves as the system of record
• Business logic—Manages the execution of the processes and analytics
• Presentation—Provides the views, dashboards and interfaces to management

106 © 2011 ISACA. Al l Ri g h t s Re s e r v e d .


6.0 Positive Reinforcement

Repository Layer
The repository is more than just a data warehouse of laws and regulations. It
consists of components that interact in such a way as to provide the raw data that
need to be acted on by the business logic to make a culture comprehensible. Tools
that make up the repository include:
• Databases of relevant information about the enterprise, including the management
structure, identity management, infrastructure and applications, location and use
of information, and networks
• A compliance requirements database that contains the complete range of laws,
regulations, policies, standards, guidelines and directives to which an enterprise
is subject. There must be a normalizing structure to enable users to learn about all
the requirements for access control, identification, recoverability, etc.
• A database of cultural documents, closely linked (perhaps the same as) the
compliance requirements database, containing the actual language (translated
as necessary) of the policies, standards, guidelines, management dictates, laws,
regulations, etc.
• A policy interface that harmonizes naming standards, control processes, metadata,
technology elements, etc. This interface is needed to apply all the other information
in the repository to a given matter at hand: making all the pieces and parts of an
enterprise and its technology fit together in a manner that supports a security culture.

Business Logic Layer


Where the components of the repository are data stores, those of business logic are,
naturally enough, application programs. These constitute the engine that figures out
what a security culture is and, instance by instance, determines whether it has been
achieved. They include:
• A workflow management tool that organizes the sequence of cultural actions.
It directs and escalates the activities that occur from the time a requirement is
recognized until it is either satisfied or a decision is taken not to accede to it. It is
also the mechanism for tracking notifications, alerts and incomplete work items.
• A self-assessment tool that provides an interface that enables management
to input parameters and receive back a report of the state of the culture. The
tool should be able to evaluate individual aspects of a culture (e.g., security
accountability, rewards, budgets) or the strength of security within an entire
corporate culture. It has to be driven by a rules-based engine and applied against
all the data in the repository.

Presentation Layer
As may be deduced from what has been said previously, it is no easy task to put
together all these components in a way that can be readily used by people. The data
generated by the business logic have to be interpreted and digested to a level that
makes appropriate actions clear and measures whether those actions have been or
are being taken in a timely fashion. The presentation layer has two components:
• A portal to enable users to navigate through all the data, services and reports
offered by the foregoing components. This portal should also have connections
to related systems such as configuration management, access control and identity
management.
• A dashboard that will enable managers at all levels to monitor the security culture.
It should facilitate ad hoc queries and reporting.

The cultural tool kit described does not stand alone. It needs to fit within the
process, enterprise and governance addressed previously. The set of tools that
is needed in one industry is not necessarily the same as those for others.
Manufacturing companies, for example, may be more concerned with personnel
safety than would be banks, which, in turn, may be more focused on uninterrupted
availability of IT systems. Just as surely as there is a body of law and regulation in
each industry around these issues, there is a broader set of attributes (see section
5.3) that should be the lens through which management views its security culture.

As with any set of tools, the quality of use is more important than the quality of the
tools themselves. The uses of automated tools are limited only by the imagination
of the user, but these can be categorized in such a way as to lead to effective growth
of a security culture:
• Managing a culture begins with recognizing that a culture exists. This requires
identification and documentation in the repository of all the attributes of a security
culture. It also implicitly requires that missing elements be identified and filled
in over time. This requires local personnel to recognize new and altered attributes
and requirements and enter them into the repository. Logging the entry should
initiate a workflow of evaluation, prioritization and assignment of responsibility.
• A cultural tool kit consists of more than programs and databases that labor to fix
things that no one recognizes as broken. When done correctly, the tool kit can
be used to reinforce the assimilation of the culture of the enterprise through the
details of security in system development, configuration management, datacenter
operations, vital records management and other aspects of using information.
This programmatic aspect of a culture of security is a reflection of enterprise and
governance as recognized through the evidence it leaves behind.
• Finally, a security culture is not an objective unto itself, but the inclusion of attitudes
and behaviors into the full array of day-to-day activities that make up a business.
The tool kit makes it possible to scan, monitor, anticipate, respond and learn over
time. It should be obvious that a cultural tool kit can be used to make an enterprise
more in tune with its internal and external obligations, but not all at once.

This is a generic description of software that is often labeled as governance, risk and
compliance (GRC). GRC itself is not a security culture, but it is impossible to have
a functioning culture of security if GRC is not managed. As a general statement, the
vendors of commercial GRC software products do not emphasize the cultural aspects
of what they are selling. However, their products cannot be implemented without
considering their cultural implications and an enterprise’s security culture can be
ratcheted up by using such tools.

6.5 Stakeholder Feedback

Former New York (USA) mayor Ed Koch was famous for asking “How am I
doing?” of every citizen he encountered. As an elected official, responsible to the
people of the city, it was appropriate for him to ask such a question. So, too, this
question may be asked of those who would support a security culture. Interestingly,
it is not clear who should ask and who should answer. There are cultural and
political ramifications in both the query and the response.

In every enterprise, as previously stated, a security culture exists whether or not
it is an intentional one. However weak or strong it may be, it does not belong to
anyone. The champions may drive it, the CISO may define it and the auditor may
enforce it, but it is not theirs. It “belongs”—if that is the right word—to everyone
in the enterprise who participates in it. Thus, to ask, “How am I doing?” is to
inherently admit that a culture exists, that the questioner feels a part of it and that
reinforcement is being sought about what is being done.

The question demands an answer. Internal auditors and, to a lesser extent, security
professionals are empowered to answer, but the best that they can do with regard
to culture is observe and comment on patterns of behavior. Unless they are mind
readers, they have no ability to determine the beliefs, assumptions and attitudes of
others. Yet, a state of mind can be read through what people say, how they say it, to
whom they say it, under what circumstances they say it, and at what potential cost
in influence and respect it is said. In short, if a person wants an answer to “How am
I doing?” with regard to a security culture, that person should not only act securely,
but speak up about it.

“How am I doing?” is a very different question from “How are we doing?” The latter
is a question that should be asked foremost by boards of directors, which have a
fiduciary interest in the security of the enterprises they serve. They should, and often
do, inquire about the state of security, but less often about how security is viewed,
spoken of and acculturated. In one industry in one country, the responsibility is
clearly stated: “Information security should be supported throughout the institution,
including the board of directors, senior management, information security officers,
employees, auditors, service providers and contractors.”15 All of these people should
have a firm grasp of what the stakeholders are doing with regard to security and
should attempt to impute intent from actions.

Stakeholder feedback should be sought out, but in a culture in which all are
participants, who is not a stakeholder? Reactions should be sought from the
ultimate stakeholders, the customers (or the citizenry, in the case of a public sector
enterprise). There is some information that is purely proprietary to an enterprise,
such as strategic plans, financial reports and product evaluations, but a great deal of
information in every business is actually someone else’s orders, records, personal
data, medical history, literary preferences, travel plans, etc. The people in question
have a very real stake in the security of their information and the way in which it is
used by the people in enterprises that have been provided that information. Today,
many enterprises are seeking assurance on security and recoverability from their
vendors, and the nature of their questions should, in part, inform their own security
culture and those of the respondents. However, senior managers, especially those
who elect to be champions of a security culture, should be asking their business
partners, “How are we doing?” Security should be a part of the question.

Endnotes
1 “Business: Concerning Morgan,” Time Magazine, USA, 21 March 1927,
www.time.com/time/magazine/article/0,9171,730161,00.html
2 The American sociologist and senator Daniel Patrick Moynihan said, “Everyone is
entitled to his own opinion but not his own facts.”
3 Willie “The Actor” Sutton was a small-time American bank robber. He was not
very good at his trade and kept getting caught. When he was asked why he kept
robbing banks, he replied “Because that’s where the money is.” See US Federal
Bureau of Investigation, www.fbi.gov/libref/historic/famcases/sutton/sutton.htm.
4 Johnson, M. Eric; Eric Goetz; Shari Lawrence Pfleeger; “Security Through
Information Risk Management,” Dartmouth College, USA,
http://mba.tuck.dartmouth.edu/digital/Research/ResearchProjects/JohnsonRiskManagement_Finald.pdf
5 This was precisely what occurred in the massive fraud that brought down the
Barings banking firm in 1995. (See “Bank of England Cites Fraud in Barings
Collapse,” New York Times, USA, 19 July 1995). The same thing is alleged in the
case at Société Générale in 2008.
6 Burns, Robert; “To a Louse,” Scotland, 1786; the actual line is “Oh would some
power the giftie gie us, to see ourselves as others see us.”
7 “Disk Storage Systems Market Rebounds to Double-Digit Growth Across All
Segments in First Quarter, According to IDC,” Press release, 4 June 2010,
www.idc.com/about/viewpressrelease.jsp?containerId=prUS22368310&sectionId=null&elementId=null&pageType=SYNOPSIS
8 Ross, Steven; “Data Plumbing,” ISACA Journal, vol. 6, USA, 2009
9 ISACA, An Introduction to BMIS, op. cit., p. 13
10 Ross, Steven; “Converging Need, Diverging Response,” Information Systems
Control Journal, vol. 2, USA, 2006
11 ISACA, An Introduction to BMIS, op. cit., p. 13
12 Health Insurance Portability and Accountability Act (US), § 164.312(a)(2)(i)
13 Ross, Steven; “Identity Architecture,” Information Systems Control Journal,
vol. 3, USA, 2004
14 Much of the material in this section is adapted from Ross, Steven; “Automating
Compliance,” Information Systems Control Journal, vol. 5, USA, 2007.
15 US Federal Financial Information Examination Council (FFIEC), “Information
Security,” USA, July 2006,
www.ffiec.gov/ffiecinfobase/booklets/information_security/01_security_process.htm

7.0 Negative Reinforcement


The fact that information seems secure does not necessarily indicate that there
is a functioning culture of security, but it is clear that where security is lacking,
the security culture is lax, ineffective and counterproductive. If people within
an enterprise (and outside, for that matter) have access to information that they
have no business using, leave the office with proprietary data, routinely disclose
personal information and commit other information sins, then the security culture
is a negative, harmful one. It is a clear indication that no one in the enterprise’s
leadership has any intention of strengthening the culture, either. In this sort of
enterprise, a champion must arise to recognize the risks and to take active measures
to reverse course. (See section 5.)

Known shortcomings in security, at the level of either specific safeguards or
the program as a whole, must be remediated. If there is evidence of intentional
disregard of security provisions, management must take action. Where there is
malicious intent (e.g., fraud, sabotage) almost all enterprises will terminate the
individual involved and will (or should) instigate criminal prosecution. Such
responses go well beyond what may be described as negative reinforcement of a
security culture; they are matters of prudence and common sense.

From the cultural perspective, there is a need to eliminate attitudes and behaviors
that are harmful to security. It is easier to manage actions than thoughts, and if all
people always acted in a secure manner, no matter what they thought, the issue
of the culture would be moot. However, that is not human nature; the thought
instigates the deed. Both need to be addressed, and a security culture must be
advanced by counteracting insecurity in both word and action. At some point,
negative reinforcement involves discipline, but that cannot be the only basis of
an effective security culture. This simply reinforces the perception of security as
a negative force. Rather, just as positive reinforcement consists of management
practices to promote desired attitudes and ways of doing things, negative
reinforcement entails prevention of unwanted behaviors and thinking.

It is significant to remember the distinction between policy and culture. What
management intends an enterprise to do is stated in policy; what it actually does is
its culture. The objective of management reinforcement, both positive and negative,
is to bring the two into alignment. All those involved in fostering a culture of
security, from senior management to the most concerned staff member, should
take part in both accentuating the positive and eliminating the negative. It must be
recognized that positive reinforcement is easier. Most managers would prefer to
commend secure behavior rather than reprimand the opposite, but they know that
both praise and punishment are parts of the job.

It is important to note that all managers need to be involved, not just a CISO. It is
tempting to use security professionals to frighten people into surly submission to
security requirements. In the long run, though, it undermines a security culture, as
noted previously, and no security professional should accept that role. Culturally,
it is quite different to say that people should behave securely so as not to run
afoul of the information security department as opposed to doing so because it is
management’s expectation—a part of their jobs. This is the difference between
functional and intentional security, as described in section 5.2.

7.1 Perverse Incentives

Perverse incentives are “measures that have unintended and undesirable effects which
go against the interest of the incentive makers. They become counterproductive in the
end.”1 It is not unusual to read about, or even experience, this sort of conundrum, but
in security, as in many other endeavors, the possibility of an action having an equal
and opposite—but very much undesired—reaction is an ever-present possibility.
Humans being human, these things will occur; it is up to those who manage within a
security culture to be sensitive to the occurrence of such incentives and to stamp them
out when they occur.

The most common example of a perverse security incentive deals with passwords.
In many instances, enterprises attempt to make passwords “tougher” by making
them longer. It is not unusual to see a system-enforced requirement for passwords
to be eight characters long.2 So-called “hard” passwords also may call for
capitalized letters, special characters and numerals. However, research has shown
that such conglomerations of digits, letters and symbols are very difficult to
remember, so people write the passwords down and sometimes post them near their
workspaces so that they will not be locked out and have to call a help desk, which
incurs both lost productivity and a cost for a password reset.3 The very purpose
of passwords, to authenticate user identities, is, thus, completely undermined by
attempts to enhance them.

This has the destructive cultural effect of encouraging people to act in a manner that
is clearly beneficial to themselves (i.e., higher productivity), directly at the expense
of security. Saying one thing while doing another does create a way of doing things,
but that pattern is the exact opposite of what the basis for a security culture may be.

Most parents know the “do as I say, not as I do” trap. This makes it especially
important that management at all levels in an enterprise avoids the temptation to
bypass security measures for its own convenience. In many, if not all, enterprises,
there is already a cultural divide between management and staff. Demonstrating that
security is for the “little people” while the leadership can ignore it without penalty
sends a defeatist message about that enterprise’s culture of security. The necessary
negative reinforcement is to hold executives to the highest standards of compliance.
In particular, security professionals should never bypass security.4

Bruce Schneier, the noted information security specialist, has addressed the topic of
perverse incentives:

I regularly see security decisions that … seem to make absolutely no
sense. However, in every case, the decisions actually make perfect sense
once you understand the underlying incentives driving the decision.
All security decisions are trade-offs, but the motivations behind
them are not always obvious: They’re often subjective, and driven
by external incentives. And often security trade-offs are made for
nonsecurity reasons.5

To avoid creating perverse incentives, managers should look at security demands
in a broad context. If, using the previous example, an enterprise wishes to
strengthen its passwords, it should consider the balance between seemingly better
authenticators and the potential for misusing them. When, in practice, passwords
are written down and left visible, the initial objective is proved faulty and should
be revised. In some cases, notably in Italian law,6 strong passwords of eight diverse
characters are an external requirement. Where that is the case, special care must
be taken to recognize the force of law, but also to counsel all personnel on the
importance of keeping their passwords safe.

7.2 Vigilance

US president and revolutionary patriot Thomas Jefferson said, “The price of freedom
is eternal vigilance.” Although an enterprise’s security culture is important, it cannot
be compared with the concept of freedom, but vigilance is the price of both. Not
only do enterprises need to watch for shortcomings in security itself, but they must
also constantly observe themselves and look for signs of reversion in the culture.
As difficult as it is to strengthen a security culture, it is all too easy to backslide and
return to old, bad habits for all the reasons expressed in section 4 and more.

7.2.1 What to Watch


For what should enterprises look, and who should do the looking? At one level,
they must monitor security-related activities such as identification, authentication,
attempted virus attacks, data leakage and the like, but they must also be on the
lookout for any diminution in the culture. There is no such thing as a “perfect”
security culture; conditions change, personnel change, and there are always
strengths and weaknesses. Each weakness has the potential to undermine security as
a whole while, at the same time, being an opportunity for improved management.
Unfortunately, cultural weaknesses are rarely self-correcting. It is impossible
to break out of a downward slide without deliberate management attention. An
enterprise with an intentional security culture must constantly manage it.7

The first things for which to look are those that an enterprise does not have:
a dedicated information security function, security policies and standards,
enforcement mechanisms, automated security safeguards, or tight access controls.
(Of course, if these do not exist, it is difficult to substantiate the claim that an
intentional security culture exists at all.) Assuming that these are present, a leading
indicator of cultural weakness is the number of disputes concerning security that
must be resolved by senior management. If each new initiative, system or product
causes a confrontation between security professionals and business leaders, there is
clearly something amiss.

The matter of balance comes into play. CISOs are not always right, but they are
not always wrong, either. If the majority of disagreements are settled in favor of
greater security, it signifies that greater awareness and training are required in
certain business areas. Training should not be seen as negative reinforcement, but
when it is remedial training, it clearly has a negative impact. However, if senior
management regularly overrides security, then perhaps the security professionals
have lost sight of the overall business objectives, are out of step with management’s
directions, or have simply lost balance and underestimated the enterprise’s risk
appetite. Here the negative reinforcement is much more direct; always being
overruled generally leads away from compensation; promotion; influence; and,
ultimately, employment.

A security culture may be weak if there are constant disagreements between
information security and the business. Perversely, there may be a problem if there are
no disagreements, either. If nothing reaches the ears of senior management, it is likely
that the information security function is getting along by going along. There is little
value to a guard dog who sleeps through break-ins, and there is little purpose to a
security function that permits every requested deviation from security requirements.

Much more difficult to deal with, but perhaps more insidious, are casual
conversations that downplay the importance of security. If people discuss
information concerning a customer, client or patient in a public space, they are not
only violating implicit policy, but they are undermining the enterprise’s security
culture. If they carry home sensitive information on a CD-ROM or thumb drive,
they are not only leaking data, but diminishing the culture of security. When
someone shares a password, the security culture suffers. As bad as these sorts
of activities are, from a cultural perspective, it is even worse when someone—
especially a manager—approves such behavior.

This sabotage of a security culture can be stopped, but only if managers and
colleagues are vigilant about doing so. It may seem difficult for an enterprise to
stop such attitudes and actions, but in recent years, it has been done with regard to
differences in race, gender and sexual orientation. Through training; admonition;
and, above all else, negative reinforcement, cultures around the world have
changed. If unacceptable behavior and speech have not been eliminated, they have
been reduced. If enterprise cultures have been transformed with regard to long-held
prejudices, changing minds about security should be even easier.

7.2.2 Who Should Watch


Internal auditors can and should be among the first line of vigilance with regard
to a culture of security. They are, after all, paid and trained observers. Their
focus is generally on the enterprise system of internal control. While, in the
accounting literature, culture is not defined as a part of that system, BMIS does
tie an intentional security culture to business “objectives, operating and regulatory
environment, potential threats, risk impacts, operational flexibility, and resilience.”8
It can hardly be argued that regulations, threats, risks and resilience are not a part of
a system of internal controls, so it follows that auditors should be paying attention
to the enterprise security culture.

It would be extremely difficult to conduct an audit of a culture, but it is not as
hard to “take the temperature” of the culture using the audits of an enterprise’s
departments and information systems. Auditors may question the considerations
of security in business processes and systems. They may examine the quality
of security safeguards. They may even ask the information security department
about its experience with the department or system. Most important, they should
determine the actions management has taken when security-related problems have
been noted. These should not include only major security matters such as frauds;
management already knows about the reaction to those. What is indicative of a
security culture is how departmental management reacts to taking data home,
leaving information on desktops and sharing passwords and to the myriad “little”
security breaches. The auditor’s overall impressions, certainly supported by factual
evidence, should be reported to senior management. Many see audit comments as
a form of negative reinforcement. If so, negative reinforcement of this sort should
help strengthen a security culture.

At a different level, it is up to every manager to be watchful about a culture of
security. Idle talk of theft, fraud or discrimination should not be tolerated, and
hallway conversations that demean management’s insistence on security should not
go unchallenged. Colleagues should have the same attitude. In this case, security
(culture) really is everyone’s job.



Creating a Culture of Security

What should people do if local management is openly unsupportive of security, or
worse, if they are asked by management to do something in violation of security
policy? It is easy, in the abstract, to say that anyone in that situation should refuse,
report the manager upward and blow the whistle. Negative reinforcement may
come down very quickly; unfortunately, it may come down on the person who
refuses. That person also has a form of reinforcement. Being put in such a situation
is grounds for considering alternate employment.

7.3 Automated Detection

If poor security is indicative of a poor security culture, then security failures are
leading indicators. These would not be outright security breaches, but all the little
(and some not so little) deficiencies in security that, if left uncorrected, may result
in a true breach over time. For example, an incorrectly entered password means
nothing by itself, but with a culture defined, in part, as a pattern of behavior, then
a pattern of incorrectly entered passwords may mean that a culture of security has
failed to reach into some part of an enterprise. The same may be said of standards
violations, unapplied patches, sensitive papers left on desktops and ill-considered
conversations in public places. At the very least, these show that someone was not
paying attention at the awareness sessions. At worst, such patterns may indicate a
deliberate ignorance of security requirements.

Automated monitoring tools can be employed to monitor the health of a security
culture and to take corrective action where required. Of course, these software
products only monitor the use of electronic information, but that covers a lot. Access
control and intrusion detection systems, for instance, generally provide reports on
failed access attempts, privileged user access, access attempts outside normal business
hours, attempted rule violations and other indicators of security-related activity.
In some cases, these reports and shorter-term alarms signify an attempted external
attack. While important, they are not necessarily relevant to a security culture, but in
other instances, they may show that there are certain organizational units that have a
disproportionally large percentage of the identified problems.

In monitoring the reports, it is possible to apply the “systems thinking” approach as
described in BMIS to detect areas in which deficiencies in management oversight,
training, staffing or communications are leading to cultural weakness. At the very
least, concentrations of security-related problems should call for further investigation.
If one looks solely at the safety of the information involved, monitoring reports can
be misleading; after all, if invalid access attempts failed, then the information in
question is unharmed. However, these may also demonstrate causes and inclinations
that are tied more to weaknesses in a culture than in a set of safeguards.
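The concentration check the two paragraphs above describe, as an added example that is not part of the book: constructed report records are filtered to internal activity, normalized by headcount, and any unit whose per-head rate is far above the enterprise-wide rate is flagged for the further investigation the text calls for. The record layout, the headcount figures and the factor-of-two threshold are assumptions made for this example.

```python
from collections import Counter

# Constructed sample of access-control / intrusion-detection report records of the
# kinds the text lists: failed access attempts, privileged use, after-hours access
# and rule violations. The (unit, event_type, origin) layout is an assumption for
# this example, not a format the book describes.
SAMPLE_EVENTS = [
    ("finance", "failed_access", "internal"),
    ("finance", "failed_access", "internal"),
    ("finance", "after_hours_access", "internal"),
    ("finance", "failed_access", "internal"),
    ("finance", "rule_violation", "internal"),
    ("finance", "failed_access", "internal"),
    ("research", "failed_access", "internal"),
    ("research", "privileged_access", "internal"),
    ("sales", "failed_access", "internal"),
    ("sales", "failed_access", "internal"),
    ("sales", "rule_violation", "internal"),
    ("it", "privileged_access", "internal"),
    ("it", "failed_access", "external"),  # probes of an internet-facing host
    ("it", "failed_access", "external"),
    ("it", "failed_access", "external"),
]

# Constructed headcount per organizational unit, used to normalize the counts.
HEADCOUNT = {"finance": 10, "research": 20, "sales": 30, "it": 15}


def cultural_events(events):
    """Keep only events that originate with the enterprise's own people.

    The text treats indicators of an attempted external attack as important but
    not necessarily relevant to the security culture, so they are set aside here.
    """
    return [e for e in events if e[2] == "internal"]


def rate_per_head(events, headcount):
    """Events per employee for every unit (zero for a unit with no events)."""
    counts = Counter(unit for unit, _, _ in events)
    return {unit: counts[unit] / size for unit, size in headcount.items()}


def concentration(events, headcount):
    """Each unit's share of all internal events beside its share of headcount.

    A unit whose share of problems far exceeds its share of people is the
    "disproportionally large percentage" the text says to look for.
    """
    internal = cultural_events(events)
    counts = Counter(unit for unit, _, _ in internal)
    total_events = len(internal)
    total_people = sum(headcount.values())
    return {
        unit: ((counts[unit] / total_events) if total_events else 0.0,
               size / total_people)
        for unit, size in headcount.items()
    }


def disproportionate_units(events, headcount, factor=2.0):
    """Units whose per-head rate exceeds `factor` times the enterprise-wide rate.

    The factor is an assumed threshold; the text only says that concentrations
    of problems should call for further investigation.
    """
    internal = cultural_events(events)
    baseline = len(internal) / sum(headcount.values())
    rates = rate_per_head(internal, headcount)
    return sorted(unit for unit, rate in rates.items() if rate > factor * baseline)


def breakdown(events, unit):
    """Which kinds of deficiency make up a unit's problems: the starting point
    for the further investigation the text calls for."""
    return dict(Counter(t for u, t, _ in cultural_events(events) if u == unit))


if __name__ == "__main__":
    for unit in disproportionate_units(SAMPLE_EVENTS, HEADCOUNT):
        share_events, share_people = concentration(SAMPLE_EVENTS, HEADCOUNT)[unit]
        print(f"{unit}: {share_events:.0%} of internal events with "
              f"{share_people:.0%} of headcount -> {breakdown(SAMPLE_EVENTS, unit)}")
```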


If the root cause proves to be ineffective training, then the security education
program can be enhanced. If certain individuals are ignoring or bypassing
security, they should be shown the possible repercussions of their actions and be
reprimanded. If it is management that is at fault, then deliberate reinforcement
of the tenets of security should be made. Moreover, managers must be shown
the correlation between the so-called “silly” requirements of security and an
enterprise’s overall risk profile.

7.4 Alerts, Alarms and Triggers

While automated tools can assist in the vigilance required to maintain an effective
security culture, there is more to it than reviewing computer-generated reports.
Management9 at all levels must be attuned to the possibilities for weakening the
culture and be prepared to take appropriate action. To do so, managers need to be
aware of the indicators of backsliding. Some should raise concern, others should
instigate corrective action and still others should be a routine part of assuring that a
culture of security remains strong.

At a certain level, a security culture is a system (a management system, to be sure)
that processes inputs and maintains itself. (See section 2.2.5.) Thus, the system
itself should contain mechanisms to alert management if there are problems, signal
the need for immediate action and provide maintenance routines. Viewed in this
manner, a culture of security may be thought of as self-sustaining. This would be
erroneous: A culture may be a system, but it is not a machine. It requires constant
attention from its participants—senior managers, champions, middle management
and staff.

7.4.1 Alerts
Audit comments on a security culture are an effective means to keep management’s
level of awareness of the culture high, but audits are periodic affairs and occur only
after the fact. There should be indicators produced within a culture that can show
management where trouble spots may be arising and what to do about them before
they become troublesome. One means of doing so would be a “dashboard” related
to a security culture. (See section 6.4.1.) The concept of a dashboard relates to that
of key performance indicators (KPIs). These are quantifiable measurements that can
be traced over time to show progress or regression.

When key performance indicators are properly developed and
implemented, they should provide employees specific roles and
responsibilities, clear goals and objectives, and outline how they
contribute to the overall success of the company. Key performance
indicators can strengthen the organizational culture [emphasis added]
of a business through common goals and shared values.10


What, then, are those goals and values that can be measured quantitatively?

The simplest is an enumeration of the major projects and initiatives occurring in
an enterprise that highlight the involvement of the information security function
in them. (In fairness, the information security function may not be the only one
whose participation should be measured. The time and effort of functions such
as risk management and internal audit should be tracked as well, but information
security’s functions are the surest to be security-related.) It is not necessary that
there be a quota for security professional involvement. The important measurements
are whether that participation occurs at all and whether it is sufficient to provide
more than token input. One does not need a quota to recognize that just a few
hours of information security’s time on a multimillion dollar, euro, yen, ruble, etc.,
information system development is insufficient. Also important is the timing of that
involvement; as a general rule, it may be said that earlier is better.

In figure 8, management should be able to discern that there is insufficient
contribution by information security in projects 2 and 5, regardless of the nature
of the projects. In project 2, there seems to be consideration of security only at the
end of the project, when it would be very difficult to effect changes, if required.
In project 5, there has been no information security participation at all, nor is any
planned. The consideration given to security, as evidenced by the involvement of
security professionals, is clearly greater in the other projects, but out of context,
it cannot be discerned whether this is appropriate. If, for example, project 6 is the
establishment of an encryption scheme, then information security should be even
more involved than it is. With a dashboard such as this, management can be alerted
to the necessity of possible corrective action. The very existence of such cultural
reporting is negative reinforcement of a security culture.

Other dashboards may show the incidence of security-related incidents in production
systems, the number of guest accesses to areas with highly sensitive information (e.g.,
patient records, contract files), and revisions to disaster recovery plans following
tests and actual incidents. While any one report may alert management to a potential
problem, as in the previous example, it is the accumulation of information over time
that is the most enlightening in terms of maintaining a security culture. Analysis of
these dashboards will show trends and identify potential trouble spots in terms of
certain departments or types of projects or information. (Note: The implication is
that dashboards should be graphic in nature. This is not necessarily true, and in some
cases, information on a culture of security may be better conveyed in a table or in
words. However, graphic representations are generally the most powerful.)


Figure 8—Sample Information Security Involvement Dashboard

[Figure: a Gantt-style chart of Project 1 through Project 6 plotted on a timeline running from January through June to December. Legend: percent of project complete; percent of project incomplete; information security involvement; planned information security involvement.]
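The reading of figure 8 given in the text (projects 2 and 5), as an added example that is not from the book: each project's timeline and its actual and planned information security involvement are constructed here as month windows, and the two thresholds for "only at the end" and "token" involvement are assumptions, since the text sets no quota.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# An inclusive (first_month, last_month) window; 1 = January ... 12 = December,
# matching the axis of figure 8.
Window = Tuple[int, int]


@dataclass
class Project:
    name: str
    span: Window                                          # months the project runs
    involvement: List[Window] = field(default_factory=list)  # security already involved
    planned: List[Window] = field(default_factory=list)      # involvement still planned


# Constructed projects that mirror the text's description of the figure:
# project 2 considers security only at the very end, project 5 not at all.
SAMPLE_PROJECTS = [
    Project("Project 1", (1, 12), involvement=[(1, 3), (9, 10)]),
    Project("Project 2", (1, 12), planned=[(12, 12)]),
    Project("Project 3", (3, 9), involvement=[(3, 4)], planned=[(8, 9)]),
    Project("Project 4", (1, 6), involvement=[(1, 6)]),
    Project("Project 5", (6, 12)),
    Project("Project 6", (4, 12), involvement=[(4, 5)], planned=[(11, 12)]),
]


def months(window):
    """The set of month numbers an inclusive window covers."""
    first, last = window
    return set(range(first, last + 1))


def alerts(project, late_fraction=0.75, token_fraction=0.10):
    """Dashboard alerts for one project.

    `late_fraction` is how far into the project the first involvement may begin
    before it counts as "only at the end"; `token_fraction` is the smallest share
    of the project's months that counts as more than token input. Both are
    assumed thresholds for this example.
    """
    span = months(project.span)
    covered = set()
    for window in project.involvement + project.planned:
        covered |= months(window) & span
    if not covered:
        return ["no information security involvement, actual or planned"]
    found = []
    position = (min(covered) - project.span[0]) / len(span)
    if position >= late_fraction:
        found.append("security considered only at the end of the project")
    if len(covered) / len(span) < token_fraction:
        found.append("involvement too small to be more than token input")
    return found


def dashboard(projects):
    """Map project name -> alerts, listing only projects needing management's attention."""
    result = {}
    for project in projects:
        found = alerts(project)
        if found:
            result[project.name] = found
    return result


if __name__ == "__main__":
    for name, found in dashboard(SAMPLE_PROJECTS).items():
        print(name, "->", "; ".join(found))
```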

7.4.2 Alarms
In some cases, action must be taken at once to correct a growing problem. The
clearest case is the existence of actual security violations. These should be tracked
and reported to determine whether there is a pattern to the attacks and inappropriate
actions. Combating actual security weakness is the objective of an information
security function, but by itself, is not a cultural KPI. A measure of a security
culture would be the budget in terms of staff time and capital outlay to eliminate
a weakness once it is exposed and the time taken between an alarm and the
corresponding response.

Another sort of alarm that is a KPI of a security culture is the disputed requirements
for security that are elevated to a senior level (see section 7.2), in which cases,
management must actually make security-related decisions. A dispute in and of
itself means little, but there are several matters to be aware of: how often these
disputes occur, from where they stem and how difficult it is to resolve them. If
nearly every project results in management intervention, then it is indicative of
problems, not only with the process for resolution, but in the culture itself. A
different story is told if disagreements arise routinely in certain sectors and not
in others or if disagreements regularly occur with the same type of information
(research, financials, personnel records, etc.). These should be alarms for
management to take a closer look at certain policies and people regarding those
sorts of information.


Disputes should be difficult to resolve. The fact of disagreement means that
honorable people have looked at the same facts and come to different conclusions,
necessitating senior-level resolution. If problems are cleared quickly and easily,
it indicates stubborn resistance on one part or another. If it is always the same
person or function exhibiting that obstinacy, it is a clear signal to management that
something must be done, not only to prevent recurrence, but to shore up its culture
of security.

7.4.3 Triggers
There are planned and unplanned cultural triggers that necessitate management
action. The former are generally associated with the passage of time. For example,
management should consider an assessment of an enterprise’s security culture on
a regular basis, perhaps every few years (more or less dependent on the overall
corporate culture and the sensitivity of the information involved). This implies that
management is aware of a culture of security, recognizes its importance and supports
maintaining it at a high level. Where that is not the case, some party (i.e., information
security, the security champion, internal audit) may perform such an assessment
on its own, presenting the results to management and, one would hope, triggering
both further analysis and, ultimately, decisive action. A formal assessment is not a
necessity for creating an intentional culture of security (see section 5), but depending
on its findings, it may provide a badly needed “wake-up call.”

It may be more valuable to initiate a security culture assessment on more than a
regularly scheduled basis if it appears that a culture is slipping. There is a
dangerous period between management’s support for a security culture and the time
it becomes ingrained in an enterprise. Performing a study to see how well a culture
of security is taking root may trigger corrective action by management if it is not
moving smoothly or rapidly enough.

The most important unplanned trigger is a pattern of weakness in a culture of
security that management sees, but does not understand. Individually, the
weaknesses may be anomalies, but if the same problems keep recurring, always
stem from the same sources or result in unacceptable losses, there is usually some
underlying cause leading to those problems. Further analysis may be required. As
a general term, this is referred to as “root cause analysis.” The cause of a cultural
weakness may be a lack of training, management oversight, communication, or staff
energy. On the other hand, the cause may be systemic or technological, the end
result of what are actually a deep-rooted series of problems that come to light only
when an end result is observed.

Not every issue is a momentous problem; many are simply the result of one-time
human error. These are easily corrected. The first step is to determine which
anomalies are triggers for root cause analysis. The frequency that constitutes a
trigger is a determination heavily influenced by industry, geography, risk profile
and other factors.

Typically, a root cause analysis will not result in an explanation that “A occurred
because of B.” Often, B was caused by C, which was caused by D, etc. For that
matter, it is not always the case that an event has a single cause. Therefore, it is
important to clarify the chain of causation leading to a defect. It is always necessary
to validate whether the negative KPIs in question are accurate; it may be that the
problem is in the measurement, not the process itself. The responsible person or
people should be interviewed to gain an understanding of the reason for the
cultural shortcoming.

The causes of a cultural weakness may not be clear, especially if it requires working
backward from effects to causes. Essentially, this necessitates asking, “If A had not
occurred, would B have happened?” in an iterative fashion. The causal chain should
be examined at each step to see whether the action suspected of causing the ultimate
cultural weakness did, in fact, contribute. At the end of the root cause analysis
process, it is necessary to reach conclusions as to the underlying causes of cultural
weaknesses. While it is important not to allow root cause analysis to become a search
for someone to blame, it is equally important to find and fix existential problems.
Affixing blame is self-defeating; it leads to the conclusion that the problem is caused
by ineffective people rather than dysfunctional processes or technology.

It is important to note that identification of a root cause provides the opportunity for
leverage. The resolution of a problem at its source may have wider ramifications
further down the line, but there are times when the cause really is individuals acting
in ways that are counter to an intentional security culture. In those cases, negative
reinforcement is called for, rather than simply blame.

7.5 When All Else Fails

If a security culture is to have any meaning, there are times when it is necessary to
take decisive and punitive action against those who determinedly defy everything
for which the culture stands. Notwithstanding all that has been said before in this
volume, security cannot always be positive, upbeat, supportive and reassuring.
Those who run counter to the culture must be warned of the consequences of their
actions and receive those consequences if behavior does not change. Behavioral
modification is sufficient; it is unrealistic to enforce changes in attitude. However,
generally, when people act differently, their hearts and minds do follow.

There are two analogous cultural changes in the business world that can be used
as examples of the effective use of negative reinforcement: smoking and sexual
harassment. It is true that these have not developed in the same way and at the


same speed in all parts of the world. There are still nations where people routinely
smoke in the office, and the treatment of coworkers is not the same everywhere.
Nonetheless, in many countries, management has made a commitment to the
health of employees and banned smoking in the workplace. Those who were told
to change their actions were, in the most literal sense, addicted to a behavior that
was harmful to themselves and those around them. There was resistance at first,
but change has been accomplished. In Spain, where there is a higher percentage of
smokers than in the rest of Europe, the smoking ban has been effective as applied
to public buildings and workplaces. Nonsmokers have no problems in government
buildings, airports, offices and so on.11 In Germany, some still smoke at work,
but only behind closed doors in their private offices.12 In China, progress against
smoking has been slower, “but even there, the smoking ban is mostly targeting
offices and public working areas.”13 The same may be said of all corners of the
globe. Culture can be changed if it is enforced.

As a cultural issue in the workplace, sexual harassment is both different and the
same as that of security—different in that:

Even within a single culture, the definition of sexual harassment is
often misunderstood and is the subject of considerable debate in legal,
psychological and human resource management literature, both [in the
US] and abroad.14

However defined, harassment, like misuse of information, is morally
indefensible and, in many cases, is criminal. Nonetheless, it was a fixture in
many societies and continues as such in some even today, but it is changing
due to stern and deliberate management action.

The point is that cultural attitudes and behaviors were forced to change by
public mores, to be sure, but also through certain managers saying that this is
unacceptable. Despite the cultural differences as to what constitutes permissible
behavior, a consensus has arisen that:

[A] work environment should not be offensive, uncomfortable
or embarrassing, even to the culturally based sensibilities of an
employee (to the point of impairing his/her work) would not violate
the boundaries established by majority values and traditions; it would
certainly not undermine the order and stability of the society.15

This understanding did not simply occur haphazardly in businesses and government
agencies. The spirit of the times did change, but managers made it happen in
their enterprises by making it clear that certain behaviors and attitudes were
impermissible and taking forceful action to stop them.

If cultural change can be made to happen through decisive responses to such
ingrained habits as smoking or harassment, it can work in defending a culture of
security. People did not stop smoking in the office simply because management
made them aware of the dangers nor did people stop mistreating their colleagues
because management said it was not nice. Change occurred because external and
internal forces brought management to the realization that these behaviors had to
cease and that policies to that effect had to be enforced.

7.5.1 Penalties
In some cases, it is not enough to reward good conduct. There are times when
penalties must be exacted for bad behavior. As applied to security, those penalties
range from reprimands to prosecution. The latter, of course, is reserved for very
bad behavior indeed: fraud, espionage, sabotage or theft. While criminal cases
are necessary when there are crimes, this actually does little to improve a security
culture. It is, in the minds of many, the exception that proves the rule. They do not
see themselves as criminals, and for the most part, they are not. To base security
on extreme cases leads to complacency for those in the middle. One of the tests of
criminality is intent, and most people who do not participate in a culture of security
intend no harm—they just cannot be bothered.

When management, through the auspices of a CISO, promulgates security policy,
there is an implicit commitment to enforcement, which, in turn, means that those
who flout the policies must face the consequences. If there are no consequences,
there is no policy and, by extension, no security culture. The repercussions do not
need to be severe, or at least not for first (and minor) offenses. A stern word from
a superior is often quite enough to make people mend their ways. If the superior is
not in synch with a security culture, then that individual should receive the rebuke
and so on, up the line. The closer the line gets to senior management, the greater
the role of the security champion to stiffen spines.

If a warning is insufficient, then more drastic action needs to be taken. People who
violate security policy by sharing passwords, disclosing sensitive information,
reading prohibited records or bypassing access restrictions should be told bluntly
that these actions are impermissible and that a memorandum will be added to
their personnel file or some such permanent record. Such a statement indicates
that the acts were noticed; that the offenders were rebuked; and, most important,
that the acts will have effect over time. The time in question may be when raises,
bonuses and promotions are given out. If people believe that they will be penalized
in material ways in the future, behavior (and maybe even attitudes) will change.
Regardless of what caused the violation, unless fired, the offenders need to be
reeducated in security policy and its importance.

Therefore, it is necessary that threats be realized, or at least be seen as being
realized. If, for example, a salesperson has been reprimanded about use of
information, but has had an excellent body of sales, it is not necessary to dock
commissions or bonuses. A statement at a regular review that the bonus would
have been greater were it not for security-related problems will go a long way
to bringing that salesperson into a culture of security. If there are still repeated
instances of insecure behavior, then there can be actual monetary penalties.

7.5.2 Defiance
What of the people who deliberately refuse to follow security policy or to act in a
secure manner? There is no point in reminding them of the potential harm in failing
to secure information resources. They have indicated that they do not care. They,
too, are a part of an intentional culture of security; one that is dismissive, disdainful,
disobedient and defiant. These are not the people who violate security requirements
inadvertently. They see themselves apart from an enterprise’s expressed intent to
promote security, believing that it only interferes with some “higher purpose.”

These people are the most destructive of a security culture. If management fails to
counter their defiance, then management implicitly buys into their higher purpose. It
avails nothing to appeal to the organizational commitment of those who defy security
requirements; they have placed their own goals in front of the enterprise’s. The issue
is no longer security, but insubordination. That is exactly how smoking bans and
antiharassment policies have taken effect. Management no longer debates the relative
merits of a policy; it simply says that this is the policy and it must be observed.

This tough line is not drawn all at once. There should be a period of time in which
people learn how to behave under the security policies. As with nonsmoking
policies, the level of top management support is directly correlated with the speed
at which the enterprise becomes compliant. Where senior management strongly
supports security (or smoking or harassment prohibition) policies, they move ahead
without resistance. Once compliance with security policies is considered the norm,16
an intentional, positive security culture has been achieved. Those who refuse to
conform to normative behavior have to be removed from an enterprise.

The real proof of a security culture comes when otherwise valuable employees are
let go for refusing to protect the information with which they come in contact. This
is not a routine occurrence; many security cultures do need strengthening. However,
termination for cause does exist, and in the military and intelligence fields, it is
understood that compliance is mandatory. This attitude is also spreading to the
fields of education, health care and financial services.17

7.5.3 Career Impact


The message of negative reinforcement is that insecure actions are not only bad in
and of themselves, but they are bad for careers. There really is no positive way of
conveying that message. People will adapt to a security culture when they see that
doing otherwise will cost them money, advancement and opportunities. Negative
reinforcement does not need to be as draconian as termination or loss of income.
Within a corporate culture, the regard of one’s peers is a mighty incentive. (See
section 4.7.) Just as obtaining the respect of others is a response to WIFM, losing
that respect can be motivational as well.

Being the person who causes a security problem should result in more than snide
comments at the water cooler. For example, reports of security and privacy
breaches due to loss of physical media (one aspect of data leakage) are so numerous
that they barely make the news.18 When they do happen, the people responsible
receive unwanted attention from their superiors. They also become participants in
an intentional culture of security, but only too late.

Endnotes

1 “Metrics—Perverse Incentives,” Test Side Story, 23 June 2010,


http://testsidestory.wordpress.com/2010/06/23/metrics-perverse-incentives/
2 European University Institute, “Strong Password Policy,” Italy, 20 July 2009,
www.eui.eu/ServicesAndAdmin/ComputingService/Documentation/
PolicyDocuments/StrongPasswordPolicy.aspx#One
3 Smith, Richard E.; “Password Expiration Considered Harmful”, Cryptosmith,
USA, 15 June 2002, www.cryptosmith.com/sanity/expharmful.html
4 As with every rule, there is an exception. Security professionals may actively
override safeguards, with management approval, when not to do so would cause
more harm than good.
5 Schneier, Bruce; “How Perverse Incentives Drive Bad Security Decisions,” Wired,
Condé Nast, 26 February 2009, www.wired.com/politics/security/commentary/
securitymatters/2009/02/securitymatters_0226
6 Personal Data Protection Code, Legislative Decree no. 196 of 30 June
2003, p. 168, in English translation at www.garanteprivacy.it/garante/
document?ID=311066
7 Bettinger, Cass; “Managing Your Corporate Culture for High Performance,” Cass
Bettinger & Assoc., 2008, p.2, www.cassbettinger.com/Articles/Managing_CC_
for_High-Performance.pdf
8 ISACA, An Introduction to BMIS, op. cit., p. 13
9 The term “management” is used in this section without specificity. It does not
necessarily mean senior management; it could be a CISO, a risk manager or a
department head. Implicitly, it is the appropriate level of management in a given
organization, based on the context of its risks and operations.
Thornton, Shane; “Definition of Key Performance Indicators”, eHow,
10

www.ehow.com/about_5142698_definition-key-performance-indicators.html
“Smoking Spain—A Really Tough Smoking Ban in Spain, or Not,” Culture
11

Spain, 23 July 2010, www.culturespain.com/living-in-spain/smoking-spain-


%E2%80%93-a-really-tough-smoking-ban-in-spain-or-not

© 2011 ISACA. Al l Ri g h t s Re s e r v e d . 127


Creating a Culture of Security

Tracie Marquardt; “Smoking Ban in Germany,” Bella Online, 2010,


12

www.bellaonline.com/articles/art16340.asp
“Future of China’s Smoking Ban Looks Hazy,” Wall Street Journal, USA, 26 July
13

2010, http://blogs.wsj.com/chinarealtime/2010/05/14/future-of-china%
E2%80%99s-smoking-ban-looks-hazy/
Zembroff, Jennifer; “Cultural Differences in Perceptions of and Responses to Sexual
14

Harassment,” 2005, www.thefreelibrary.com/Cultural+differences+in+


perceptions+of+and+responses+ to+sexual...-a0166350028
Ibid.
15

Harris, Jeffrey S.; “Clearing the Air—Enforcing No Smoking Policies in the


16

Workplace,” HR Magazine, February 1993, http://findarticles.com/p/articles/


mi_m3495/is_n2_v38/ai_14152258/pg_3/?tag=content;col1
See examples, including Wright State University, USA, “Security Violations,” Feb.
17

1993, www.wright.edu/rsp/Security/S3stndrd/Adjudica.htm#Security Violations;


Ivinson Memorial Hospital, “Sanctions for privacy and Information Security
Violations,” www.ivinsonhospital.org/docs/HP015_Security_Violations.pdf, USA,
2007; FIA Card Services, “Terms of Use,” http://disclosures.fiacardservices.com/
terms/index.html#terms, USA, 2008.

The Wright State document is notable for describing the particulars of just the sort
of defiant behavior discussed here:
• Leaving a classified file or security container unlocked and unattended either
during or after normal working hours
• Keeping classified material in a desk or unauthorized cabinet, container, or area
• Leaving classified material unsecured or unattended on desks, tables, cabinets or
elsewhere in an unsecured area, either during or after normal working hours
• Reproducing or transmitting classified material without proper authorization
• Losing your security badge
• Removing classified material from the work area in order to work on it at home
• Granting a visitor, contractor, employee or any other person access to classified
information without verifying both the individual’s clearance level and need-to-know
• Discussing classified information over the telephone, other than a phone
approved for classified discussion
• Discussing classified information in lobbies, cafeterias, corridors or any other
public area where the discussion might be overheard
• Carrying safe combinations or computer passwords (identifiable as such) on
one’s person, writing them on calendar pads, keeping them in desk drawers, or
otherwise failing to protect the security of a safe or computer
• Failing to mark classified documents properly
• Failing to follow appropriate procedures for destruction of classified material
18 A few recent cases have. See Wilson, Tim; “Two Major Breaches Caused By Loss Of Physical Media,” Security Dark Reading, 14 July 2010, www.darkreading.com/security/privacy/showArticle.jhtml?articleID=225800186


8.0 How Good Is Good Enough?


A culture of security is made up of many elements, including champions,
management, staff, policy, rewards and penalties. All of them are needed to effect the
transition from an unintentional or negative culture to one that is simply functional
and, finally, to one that is intentionally strong and supportive of overall business
goals. As has been emphasized repeatedly in this volume, the culture must align with
the context of an enterprise’s business and be balanced between too great and too
little of an emphasis on security. Consideration of context and balance means that no
two enterprises have precisely the same intentional security culture. With different
business models, people, processes and information resources, there is no reason to
think that they could or should be identical.

If management wishes to develop an intentional culture of security, it follows
that management’s intentions should be well thought out from the beginning.
Unfortunately, cultures do not evolve that way. If an appropriate security culture
could be ordered on demand, there would be no need for any champions or policies.
It could simply be obtained, not developed. At some point, a culture reaches a
desired point and then the emphasis shifts from creation to maintenance. It is often
hard to tell whether one is at the crest of a hill until one has gotten there.

Management has the more difficult task of having to understand just how secure its
information needs to be to establish a culture at the right level. Clearly, information
in an intelligence agency calls for more security (and a tighter culture to protect it)
than in a bank, which may need more security than a pharmaceutical maker, which
may need more than a manufacturer of shoes; etc. In short, managers, CISOs,
auditors and others need to confront the question: How good is good enough?

Figure 9 offers some metrics that may be applied to that decision. No enterprise
wants to have a culture that could be called “lagging” in security (or at least
no enterprise should want one). Yet, there are too many enterprises with senior
management that exhibit no support for security, middle managers who are
actively hostile to anything that limits their ability to do whatever they want, and
complacent staff and systems that show no evidence of security in their design or
operation. Although a security culture does exist in these enterprises, “lagging” is
too nice a word to describe it.


Figure 9—Security Culture Maturity Model

Maturity levels, from weakest to strongest: Lagging, Aware, Partially Effective, Effective, Leading Edge. Each role is characterized at each level as follows.

Senior management
  Lagging: Uncaring
  Aware: Caring, but more concerned about cost
  Partially effective: Funds a security program
  Effective: Involves security in tactical decision making
  Leading edge: Involves security in strategic decision making

Middle management
  Lagging: Actively opposed to most security requirements
  Aware: Concerned, but bypasses security when it seems to hamper goals
  Partially effective: Respects security as long as other goals can be met
  Effective: Involves security professionals in major initiatives
  Leading edge: Sees security as a competitive advantage

Staff
  Lagging: Unconcerned
  Aware: Concerned, but inactive
  Partially effective: Follows security rules
  Effective: Considers the security of information while using it
  Leading edge: Thinks about security before using information

IT
  Lagging: Does not build security into systems
  Aware: Builds minimal security into systems
  Partially effective: Builds required security into systems
  Effective: Seeks the assistance of security professionals in building security into systems
  Leading edge: Anticipates the need for security in the systems it builds

Security professionals
  Lagging: Are only administrators
  Aware: Write policy
  Partially effective: Implement security safeguards
  Effective: Advise management on tactical issues
  Leading edge: Advise management on strategic issues

An enterprise that is aware of the need for security, but does not do enough to
achieve it, is little better. One could argue that having good intentions, but ignoring
them, is worse than having no intentions for security at all. If anything positive may
be said about an enterprise at this level of cultural maturity, it is that a champion is
more likely to emerge in one of these than in one totally oblivious to the need for
security and a culture supportive of it.

If no enterprise would or should want to find itself in these categories, it is less
clear how much more it would want to do to have an acceptable culture. Having a
partially effective security culture is enough for many enterprises. After all, there
is a funded security program that implements safeguards that managers adhere
to most of the time. This is, in many ways, a restatement of a functional security
culture. (See section 5.2.) For a certain sort of enterprise—one with few people,
little information and even less of consequence, minimal information systems and
a generous appetite for risk—a “partially effective” security culture may well be all
that is needed or desired.

There are nuanced decisions to be made between a fully effective security
culture and one that may be classified as leading edge. Many of them deal with
expectations. When challenged, manufacturers may say, “We are not a bank”;
bankers may say that they are not the government; civilian agencies that they are
not the military, etc., and the military accepts that it must have a leading-edge
security culture. Security is, after all, the business of the military. If an enterprise is
content to have an “effective” security culture, does it need to meet all the attributes
stated in figure 9? Would it be sufficient to have a staff that follows the rules if that
is balanced by an attuned IT function that builds enough security into the systems
it implements that users need not weigh the security of information while using it?
The answer is a definite maybe.

The metrics for a culture are not so well and sharply defined that anyone can say
that only this practice, this belief or this attitude would make the best culture of
security, as opposed to one that is merely good enough. In these circumstances, it
is too easy to make the best the enemy of the good. Yes, managers should want a
culture that will support the appropriate level of security in their enterprises, but it
is possible to overreach as well. The objective is not to keep building an intentional
security culture indefinitely nor to get to a certain point and then stop. Rather,
enterprises should always be aware of potential slippage, be vigilant and keep trying
to do better. In short, within the context of any business, the ideal security culture
will never be attained or, if it is, it will need to change with changing contexts.

8.1 Getting There

There is a cycle to the development and maintenance of an effective culture of
security within an enterprise and of the governance of the information within that
enterprise.1 It is, at the same time, a matter of positive reinforcement and insistence
on management’s requirements, no less than it is of moving management to
articulate those requirements.

As with any endeavor, there are distinct phases to the implementation of a security
culture. The first phase is always a dawning recognition that something should
be done. Then, there is the doing followed by the effort to sustain that which
was done. In the case of a security culture, it is a cyclical process because it is
never-ending.

ISACA has published a model for implementing IT governance, as shown in
figure 10. It is an inexact guide for implementing an intentional security culture,
but there is considerable overlap between creating an effective IT governance
structure and a supportive culture. It may even be argued that effective governance
of IT, if not organizational information as a whole, cannot be accomplished without
a culture that accepts governance.


Figure 10—Seven Phases of the Implementation Life Cycle

[Figure: a circular life-cycle diagram of three concentric rings, which the extracted text reproduces only as fragments. The recoverable labels are listed here.]

Seven phases, moving around the cycle:
1 What are the drivers?
2 Where are we now?
3 Where do we want to be?
4 What needs to be done?
5 How do we get there?
6 Did we get there?
7 How do we keep the momentum going?

Programme management (outer ring): Initiate programme; Define problems and opportunities; Define road map; Plan programme; Execute plan; Realise benefits; Review effectiveness.
Change enablement (middle ring): Establish desire to change; Form implementation team; Communicate outcome; Identify role players; Operate and use; Embed new approaches; Sustain.
Continual improvement life cycle (inner ring): Recognise need to act; Assess current state; Define target state; Build improvements; Implement improvements; Operate and measure; Monitor and evaluate.

Source: ISACA, Implementing and Continually Improving IT Governance, USA, 2009, figure 5

Using the IT governance model as a guide, the stages of attaining a desired,
intentional culture of security may be seen as follows.

8.1.1 Establish the Need for Change


The only way to have an intentional security culture, quite obviously, is to
intend to have one. This implies recognition that the culture that exists within
an enterprise does not measure up to the desires of those in a position to change
it, the champions. It is not an easy moment when someone realizes that the way
things are, perhaps the way things have always been, is not as they should be.
This moment may come about because of an incident, a personal encounter with
ineffective security or an observation of another enterprise. What typifies this
mental transformation is not only recognition that something is wrong with the
culture, but also that it can be changed in a positive direction. Moreover, the
person experiencing this breakthrough accepts personal empowerment to make a
difference, takes on the role of “change maker” and convinces others to join the
campaign—thus, are champions made.

Creation of an intentional security culture is not a one-person affair, no matter how
well-intentioned the initial champion may be. It requires the active involvement of
many people in positions of influence, if not authority. Widening the group that sees
the need for positive change to a culture is a matter of persuasion and advocacy. It
arises far more from interpersonal relationships than from management direction.

The circle of champions will not constitute, in any real sense, an implementation
team. The champions will not hold regular meetings, produce any documents or come
up with a project plan. They will act as a group to build a new consensus within the
enterprise, and to that end, they must reach a consensus among themselves. Some will
be more aggressive and some more accepting of existing attitudes and ways of doing
things. To be effective, they must be able to articulate a common vision of what an
intentional culture would look like, how it would work in practice and how it would
affect the interests of others within that enterprise.

As in so many aspects in the development of a security culture within an enterprise,
a balance must be attained. If the intended, strengthened security culture is too
aggressive in making changes, it will inevitably lead to unintended consequences
that will undermine its attainment. At the same time, if the imperative for change is
too feeble, then the security culture will remain essentially as it is.

8.1.2 Communicate the Desired Vision


At some point, preferably sooner than later, the definition of the desired cultural
changes must be communicated to those not (yet) converted. Some will be puzzled
by the need for change, others will give lip service to proposed enhancements simply
because of the eminence of the champions, and still others will be hostile. Each
must be spoken with in their own terms. The unifying element is the benefits to the
enterprise and to each individual. As stated in section 5.1.1, the message must be
crafted to appeal to the interests of different audiences, “their behavioral profiles and
information requirements, communication channels, and principles.”2 In general,
the expanded group of champions and supporters need to communicate not only the
benefits of an improved security culture, but also the risks of leaving it as it is. The
champions should portray the desired state and the road map for getting there.

8.1.3 Achieve Initial Objectives


It should be apparent that any culture, of security or otherwise, cannot be
transformed all at one go. The desired changes must be implanted and expanded a
little at a time. That is not to say that there cannot be “quick wins.” Management
that is supportive of an intentional security culture should identify the most
important revisions and also those most readily achieved. For example, it may
be thought that protecting data from unintended leakage, the greatest risk to an
enterprise, is the highest priority for implementation. Unfortunately, it may be quite
difficult to prevent well-meaning personnel from taking sensitive information home
to work on after hours, much less to stop deliberate theft of information. Therefore,
despite the priority of data leakage prevention, it may not be achievable in the short
term. Something less critical, such as a clean desk policy, may be more enforceable
and, hence, easier to attain in short order.

8.1.4 Strike a Balance


As has been continually emphasized throughout this volume, a balance of interests
within an enterprise is essential to implementing an intentional culture of security.
As different aspects of management’s intended improvements to that culture roll
out, they will inevitably bump up against other, competing interests. Those will
have to give way somewhat to security, but not in all cases and not always to
the same extent. Solutions will be rolled out, and during this process, mentoring
and coaching will be critical to ensure uptake among all those affected. The
change requirements and objectives that have been set when the initial champion
recognized the need for change should be revisited to ensure that they were
adequately addressed—or need to be revised.3

8.1.5 Institutionalize the Intentional Security Culture


Over time, the enhanced culture of security will become the new norm. Behaviors,
beliefs, assumptions, attitudes and ways of doing things will have been reshaped,
and stakeholders will not even realize that they are participating in a culture that
is intentionally supportive of security. This does not imply that slackness is now
permissible, but rather that the drive for change can be relaxed once change has
been achieved.

8.1.6 Sustain the Intentional Security Culture


It should not be inferred that an intentional security culture will be self-perpetuating.
It requires attention by auditors, risk managers, information security professionals
and even the champions, as required when backsliding becomes evident.
Sustainment calls for both positive and negative reinforcement, as described
in sections 6 and 7. Moreover, business, technology and legal changes must be
reflected in the culture, making it endlessly cyclical. As shown in figure 11, the
cycle of implementing a security culture is very much like that of implementing
IT governance.


Figure 11—Security Culture Life Cycle

[Figure: a circular diagram, reproduced in the extracted text only as fragments. The stages around the cycle are: Establish the need. Widen the circle. Communicate the vision. Achieve initial objectives. Strike a balance. Institutionalize. Sustain. At the center are the roles involved: Champions, Senior Management, Middle Management, Staff.]

8.2 Conclusion

A security culture is more than a policy, although it needs a security policy to
give it form and substance. It is broader than management, although it needs
to be managed. It is more than individual attitudes and beliefs because it is the
interaction among many attitudes and beliefs that give a culture life. It is more than
the awareness of the need for security because, no matter how aware an enterprise
may be, its security culture means nothing if the proper safeguards are not funded,
implemented and maintained. A culture of security is not an end in itself, and it is
the end result of many efforts to secure an enterprise’s information resources. It is
about IT, and it is about more than just electronic information. It is ephemeral, but
real; it is hard to identify and easy to recognize. A security culture is both more and
less than security itself. It says more about what people are than what they do, and
what they do is the basis of a culture. A culture of security is the result of change,
and it makes change happen. It is the end result of the actions of many; it starts
with an individual making a decision to act and think in a secure manner.


Endnotes
1 ISACA, Implementing and Continually Improving IT Governance, USA, 2009, p. 35-36
2 Ibid., p. 36
3 Ibid.


ISACA Professional Guidance Publications


Many ISACA publications contain detailed assessment questionnaires and work programs that
provide valuable guidance. Please visit www.isaca.org/bookstore or e-mail bookstore@isaca.org
for more information.

Frameworks and Model


• The Business Model for Information Security, 2010
• COBIT® 4.1, 2007
• Enterprise Value: Governance of IT Investments: The Val ITTM Framework 2.0, 2008
• ITAFTM: A Professional Practices Framework for IT Assurance, 2008
• The Risk IT Framework, 2009

BMIS-related Publication
• An Introduction to the Business Model for Information Security, 2009

COBIT-related Publications
• Aligning COBIT ® 4.1, ITIL® V3 and ISO/IEC 27002 for Business Benefit, 2008
• Building the Business Case for COBIT ® and Val ITTM: Executive Briefing, 2009
• COBIT ® and Application Controls, 2009
• COBIT ® Control Practices: Guidance to Achieve Control Objectives for Successful
IT Governance, 2nd Edition, 2007
• COBIT ® Mapping: Mapping of CMMI® for Development V1.2 With COBIT ® 4.1, 2011
• COBIT ® Mapping: Mapping of FFIEC With COBIT ® 4.1, 2010
• COBIT ® Mapping: Mapping of ISO/IEC 17799:2000 With COBIT ®, 2nd Edition, 2006
• COBIT ® Mapping: Mapping of ISO/IEC 17799:2005 With COBIT ® 4.0, 2006
• COBIT ® Mapping: Mapping of ISO/IEC 20000:2005 With COBIT ® 4.1, 2011
• COBIT ® Mapping: Mapping of ITIL® V3 With COBIT ® 4.1, 2008
• COBIT ® Mapping: Mapping of NIST SP 800-53 With COBIT ® 4.1, 2007
• COBIT ® Mapping: Mapping of PMBOK® With COBIT ® 4.0, 2006
• COBIT ® Mapping: Mapping of SEI’s CMM® for Software With COBIT ® 4.0, 2006
• COBIT ® Mapping: Mapping of TOGAF 8.1 With COBIT ® 4.0, 2007
• COBIT ® QuickstartTM, 2nd Edition, 2007
• COBIT ® Security BaselineTM, 2nd Edition, 2007
• COBIT ® User Guide for Service Managers, 2009
• Implementing and Continually Improving IT Governance, 2009
• IT Assurance Guide: Using COBIT ®, 2007
• IT Control Objectives for Basel II, 2007
• IT Control Objectives for Sarbanes-Oxley: The Role of IT in the Design and
Implementation of Internal Control Over Financial Reporting, 2nd Edition, 2006
• ITGI Enables ISO/IEC 38500:2008 Adoption, 2009
• SharePoint® Deployment and Governance Using COBIT ® 4.1: A Practical Approach, 2010

Risk IT-related Publication


• The Risk IT Practitioner Guide, 2009


Val IT-related Publications


• The Business Case Guide: Using Val ITTM 2.0, 2010
• Enterprise Value: Getting Started With Value Management, 2008
• Value Management Guidance for Assurance Professionals: Using Val ITTM 2.0, 2010

Academic Guidance
• IT Governance Using COBIT ® and Val ITTM:
– Student Book, 2nd Edition, 2007
– Caselets, 2nd Edition, and Teaching Notes, 2007
– TIBO Case Study, 2nd Edition, and Teaching Notes, 2007 (Spanish translation
also available)
– Presentation, 2nd Edition, 2007 (35-slide PowerPoint deck on COBIT)
– Caselets, 3rd Edition, and Teaching Notes, 2010
– City Medical Center Case Study, 3rd Edition, and Teaching Notes, 2010
• Information Security Using the CISM® Review Manual and BMISTM:
– Caselets, 2010
– More4Less Foods Case Study, 2010
– Caselets and More4Less Foods Case Study—Teaching Notes, 2010

Executive and Management Guidance


• Board Briefing on IT Governance, 2nd Edition, 2003
• Defining Information Security Management Position Requirements: Guidance for
Executives and Managers, 2008
• An Executive View of IT Governance, 2008
• Identifying and Aligning Business Goals and IT Goals: Full Research Report, 2008
• Information Security Governance: Guidance for Boards of Directors and Executive
Management, 2nd Edition, 2006
• Information Security Governance: Guidance for Information Security Managers, 2008
• Information Security Governance—Top Actions for Security Managers, 2005
• IT Governance Domain Practices and Competencies:
– Governance of Outsourcing, 2005
– Information Risks: Whose Business Are They?, 2005
– IT Alignment: Who Is in Charge?, 2005
– Measuring and Demonstrating the Value of IT, 2005
– Optimising Value Creation From IT Investments, 2005
• IT Governance and Process Maturity, 2008
• IT Governance Roundtables:
– Defining IT Governance, 2008
– IT Staffing Challenges, 2008
– Unlocking Value, 2009
– Value Delivery, 2008
• Managing Information Integrity: Security, Control and Audit Issues, 2004
• Understanding How Business Goals Drive IT Goals, 2008
• Unlocking Value: An Executive Primer on the Critical Role of IT Governance, 2008


Practitioner Guidance
• Audit/Assurance Programs:
– ApacheTM Web Services Server Audit/Assurance Program, 2010
– Change Management Audit/Assurance Program, 2009
– Cloud Computing Management Audit/Assurance Program, 2010
– Crisis Management Audit/Assurance Program, 2010
– Generic Application Audit/Assurance Program, 2009
– Identity Management Audit/Assurance Program, 2009
– Information Security Management Audit/Assurance Program, 2010
– IT Continuity Planning Audit/Assurance Program, 2009
– Microsoft® Internet Information Services (IIS) 7 Web Services Server
Audit/Assurance Program, 2011
– Mobile Computing Security Audit/Assurance Program, 2010
– MySQLTM Server Audit/Assurance Program, 2010
– Network Perimeter Security Audit/Assurance Program, 2009
– Outsourced IT Environments Audit/Assurance Program, 2009
– Security Incident Management Audit/Assurance Program, 2009
– Social Media Audit/Assurance Program, 2011
– Systems Development and Project Management Audit/Assurance Program, 2009
– UNIX/LINUX Operating System Security Audit/Assurance Program, 2009
– VMware® Server Virtualization Audit/Assurance Program, 2011
– Windows Active Directory Audit/Assurance Program, 2010
– z/OS Security Audit/Assurance Program, 2009
• Creating a Culture of Security, 2011
• Cybercrime: Incident Response and Digital Forensics, 2005
• Enterprise Identity Management: Managing Secure and Controllable Access in the
Extended Enterprise Environment, 2004
• Information Security Career Progression Survey Results, 2008
• Information Security Harmonisation—Classification of Global Guidance, 2005
• Monitoring Internal Control Systems and IT, 2010
• OS/390—z/OS: Security, Control and Audit Features, 2003
• Peer-to-peer Networking Security and Control, 2003
• Risks of Customer Relationship Management: A Security, Control and Audit Approach, 2003
• Security Awareness: Best Practices to Serve Your Enterprise, 2005
• Security Critical Issues, 2005
• Security Provisioning: Managing Access in Extended Enterprises, 2002
• Stepping Through the InfoSec Program, 2007
• Stepping Through the IS Audit, 2nd Edition, 2004
• Technical and Risk Management Reference Series:
– Security, Audit and Control Features Oracle® Database, 3rd Edition, 2009
– Security, Audit and Control Features Oracle® E-Business Suite, 3rd Edition, 2010
– Security, Audit and Control Features PeopleSoft, 2nd Edition, 2006
– Security, Audit and Control Features SAP® ERP, 3rd Edition, 2009
• Top Business/Technology Survey Results, 2008


Practitioner Guidance (cont.)


• White Papers:
– Cloud Computing: Business Benefits With Security, Governance and Assurance
Perspectives, 2009
– Data Leak Prevention, 2010
– E-commerce and Consumer Retailing: Risks and Benefits, 2010
– Electronic Discovery, 2011
– New Service Auditor Standard: A User Entity Perspective, 2010
– Securing Mobile Devices, 2010
– Security Information and Event Management: Business Benefits and Security,
Governance and Assurance Perspectives, 2010
– Social Media: Business Benefits and Security, Governance and Assurance
Perspectives, 2010
– Virtualization: Benefits and Challenges, 2010
