With 85% of data breaches caused by social engineering or human error, creating a company-wide security culture has risen up the agenda for many organisations. However, the phrase itself can be problematic because definitions vary, with some even equating it to security awareness training. KnowBe4 says it wants to change this and recognise the multi-faceted nature of security culture. For the first time, KnowBe4 has defined security culture as “the ideas, customs, and social behaviours of a group that influence its security”, and to support this the company has created the Security Culture Maturity Model. Using this definition of security culture, based on data-driven empirical evidence, the model addresses the notion that people’s influence will have an impact on the technology and security controls chosen by the organisation, but that technology does not tell the whole story. Humans need to be at the centre of everything.
In KnowBe4’s Introducing the Security Culture Model whitepaper, readers will get insight into the billions of data points used to inform its model and learn how to apply these to their own organisations to get a more accurate handle on security culture. The model establishes five different maturity levels based on a variety of factors:
- Level 1: Basic Compliance
- Level 2: Security Awareness Foundation
- Level 3: Programmatic Security Awareness & Behaviour
- Level 4: Security Behaviour Management
- Level 5: Sustainable Security Culture
“Security culture is a concept that is often discussed but rarely understood,” said Kai Roer, chief research officer, KnowBe4. “This new and groundbreaking maturity model will provide organisations with the ability to gain more insight into where they stand regarding security-related maturity. The KnowBe4 Security Culture Maturity Model will equip security leaders with a definitive guide based on decades of research in this area to help them advance their security culture by levelling up their efforts.”
Perry Carpenter, chief evangelist and strategy officer, KnowBe4, continued: “I am particularly excited about this model because it has the potential to offer the world a data-driven, real-world look into the evolution of security culture maturity. We have defined scores of ‘Culture Maturity Indicators’ (CMIs) that, when evaluated in aggregate, allow this model to operate with unparalleled precision. Another critical factor we had in mind when developing this model is that we want it to serve the world; not just KnowBe4 customers. Of course, KnowBe4 customers will benefit from having added precision because their data can automatically feed the model, but we are also developing sets of measurement tools, worksheets and more that anyone will be able to benefit from.”