About the Authors viiiAcknowledgments xiiIntroduction xxvPart I: Foundation 1Chapter 1: You Are Here 3Why All the Buzz? 4What Is Security Culture, Anyway? 8A Problem of Definition 9A Problem of Overconfidence 11Takeaways 12Chapter 2: Up-leveling the Conversation: Security Culture Is a Board-level Concern 13A View from the Top 14Telling the Human Side of the Story 15What's the Cost of Not Getting This Right? 16Cybercriminals Are Doubling Down on Their Attacks Against Your Employees 19Your People and Security Culture Are at the Center of Everything 20The Implication 22Getting It Right 24Takeaways 25Chapter 3: The Foundations of Transformation 27The Core Thesis 29The Knowledge-Intention-Behavior Gap 29Three Realities of Security Awareness 31Program Focus 31Extending the Discussion 33Introducing the Security Culture Maturity Model 33The Security Culture Maturity Model in Brief 35The S-Curves 36The Value of the Security Culture Maturity Model 37You Are Always Either Building Strength or Allowing Atrophy 37Takeaways 38Part II: Exploration 39Chapter 4: Just What Is Security Culture, Anyway? 41Lessons from Safety Culture 42A Jumble of Terms 44Information Security Culture 45IT Security Culture 45Cybersecurity Culture 46Security Culture in the Modern Day 46Technology Focus 47Compliance Focus 48Human-Reality Focus 49Takeaways 51Chapter 5: Critical Concepts from the Social Sciences 53What's the Real Goal--Awareness, Behavior, or Culture? 54Coming to Terms with Our Irrational Nature 55We Are Lazy 56Why Don't We Just Give Up? 60Security Culture--A Part of Organizational Culture 61Takeaways 62Chapter 6: The Components of Security Culture 63A Problem of Definition 64The Academic Perspective 64The Practitioner Perspective 65Defining Security Culture 66Security Culture as Dimensions 67The Seven Dimensions of Security Culture 69Attitudes 69Behaviors 69Cognition 69Communication 70Compliance 70Norms 70Responsibilities 71The Security Culture Survey 71Example Findings from Measuring the Seven Dimensions 72Normalized Use of Unauthorized Services 73Confidentiality and Insider Threats 74Last Thought 74Takeaways 75Chapter 7: Interviews with Organizational Culture Experts and Academics 77John R. Childress, PYXIS Culture Technologies Limited 78Why Is Culture Important? 78Why Do You Find Culture Interesting? 79Is There a Specific Definition of Culture That You Find Useful? 79What Actions Can Be Taken to Direct Cultural Change? 80Is There a Success or Horror Story You'd Like to Share Related to Culture Change? 81How Does a Culture Evolve (or How Often?) 82Professor John McAlaney, Bournemouth University, UK 82Why Is Culture Important? 83Why Do You Find Culture Interesting? 83Is There a Specific Definition of Culture That You Find Useful? 83What Actions Can Be Taken to Direct Cultural Change? 84Is There a Success or Horror Story You'd Like to Share Related to Culture Change? 85How Does a Culture Evolve (or How Often?) 85Dejun "Tony" Kong, PhD, Muma College of Business, University of South Florida 86Why Is Culture Important? 86Why Do You Find Culture Interesting? 86Is There a Specific Definition of Culture That You Find Useful? 87How Do You Use Metrics to Improve Culture / Measure the Effectiveness of Cultural Change? 87Michael Leckie, Silverback Partners, LLC 87Why Is Culture Important? 88Why Do You Find Culture Interesting? 89Is There a Specific Definition of Culture That You Find Useful? 90How Do You Use Metrics to Improve Culture / Measure the Effectiveness of Cultural Change? 90What Actions Can Be Taken to Direct Cultural Change? 91Is There a Success or Horror Story You'd Like to Share Related to Culture Change? 93How Does a Culture Evolve (or How Often?) 93Part III: Transformation 95Chapter 8: Introducing the Security Culture Framework 97The Power of Three 99Step 1: Measure 100Know Where You are 101Decide Where You Want to Be 102Find Your Gap 104Step 2: Involve 106Building Support 106Different Audiences 108Step 3: Engage 109Rinse and Repeat 111Benefits of Using the Security Culture Framework 111Takeaways 112Chapter 9: The Secrets to Measuring Security Culture 113Connecting Awareness, Behavior, and Culture 115How Can You Measure the Unseen? 116Using Existing Data 116The Right Way to Use Data 119Methods of Measuring Culture 119Observation 120Experimentation 121Interrogation (Surveys and Interviews) 121A/B Testing 122Multiple Metrics, Single Score 124Trends 125A Note Regarding Completion Rates 127Takeaways 128Chapter 10: How to Influence Culture 129Resistance to Change 130Be Proactive 131The Complexity of Culture 133Using the Seven Dimensions to Influence Your Security Culture 134Attitudes 134Behaviors 136Cognition 138Communication 140Compliance 141Norms 143Responsibilities 144How Do You Know Which Dimension to Target? 146Takeaways 147Chapter 11: Culture Sticking Points 149Does Culture Change Have to Be Difficult? 150Using Norms Is a Double-Edged Sword 151Failing to Plan Is Planning to Fail 152If You Try to Work Against Human Nature, You Will Fail 153Not Seeing the Culture You Are Embedded In 155Takeaways 156Chapter 12: Planning and Maturing Your Program 157Taking Stock of What We've Covered 158View Your Culture Through Your Employees' Eyes 159Culture Carriers 160Building and Modeling Maturity 161Exploring the Data 162Culture Maturity Indicators 162Level 1: Basic Compliance 165Level 2: Security Awareness Foundation 165Level 3: Programmatic Security Awareness & Behavior 166Level 4: Security Behavior Management 167Level 5: Sustainable Security Culture 168There Are Stories in the Data 170A Seat at the Table 174Takeaways 175Chapter 13: Quick Tips for Gaining and Maintaining Support 177You Are a Guide 178Sell by Using Stories 179Lead with Empathy, Know Your Audience 180Set Expectations 184Takeaways 185Chapter 14: Interviews with Security Culture Thought Leaders 187Alexandra Panaretos, Ernst & Young 188Why Is Culture Important? 188Why Do You Find Culture Interesting? 189Is There a Success or Horror Story You'd Like to Share Related to Culture Change? 190Dr. Jessica Barker, Cygenta 193Why Is Security Culture Important? 193Why Do You Find Culture Interesting? 194What Actions Can Be Taken to Direct Cultural Change? 194What Is Your Most Interesting Experience with Culture? 195Kathryn Tyrpak, Jaguar Land Rover 195Why Is Culture Important? 195Why Do You Find Culture Interesting? 196Is There a Specific Definition of Culture That You Find Useful? 196How Do You Use Metrics to Improve Culture / Measure the Effectiveness of Cultural Change? 196What Actions Can Be Taken to Direct Cultural Change? 197Lauren Zink, Boeing 197Why Is Culture Important? 198Why Do You Find Culture Interesting? 198Is There a Specific Definition of Culture That You Find Useful? 199How Do You Use Metrics to Improve Culture / Measure the Effectiveness of Cultural Change? 199Mark Majewski, Rock Central 200Why Is Culture Important? 200Why Do You Find Culture Interesting? 200Is There a Specific Definition of Culture That You Find Useful? 201How Do You Use Metrics to Improve Culture / Measure the Effectiveness of Cultural Change? 201What Actions Can Be Taken to Direct Cultural Change? 201Is There a Success or Horror Story You'd Like to Share Related to Culture Change? 202How Does a Culture Evolve (or How Often?) 202Mo Amin, moamin.com 203Why Is Culture Important? 203Why Do You Find Culture Interesting? 203Is There a Specific Definition of Culture That You Find Useful? 203How Do You Use Metrics to Improve Culture / Measure the Effectiveness of Cultural Change? 203What Actions Can Be Taken to Direct Cultural Change? 204Is There a Success or Horror Story You'd Like to ShareRelated to Culture Change? 204How Does a Culture Evolve (or How Often)? 205Chapter 15: Parting Thoughts 207Engage the Community 208Be a Lifelong Learner 209Be a Realistic Optimist 210Conclusion 211Bibliography 213Index 217

PERRY CARPENTER, C CISO, MSIA, is an author, podcaster, thought leader, and cybersecurity expert specializing in security awareness and the human factors of security. His research focuses on marketing, communication, behavior science, organizational culture management, sociology, and more.KAI ROER is the author of several books on security and leadership, a keynote speaker, and a thought leader in the security culture field. In addition to his research, he is an entrepreneur and the inventor of technology and frameworks that transformed the information security industry.