Security Roundup: KB4-CON, Proofpoint M&A, Exabeam and More
Security culture was a big topic at this week’s KB4-CON, KnowBe4’s second annual user conference, which brought nearly 1,000 attendees to balmy Orlando, Florida.
KnowBe4 describes security culture as what happens with security when people are not being watched, and whether they are making smart security decisions. How difficult is security culture to gauge and change?
The topic was addressed by Kai Roer, co-founder and CEO of CLTRe, a Norway-based company that developed a framework and methodology of measuring culture as it relates to security. He gave a presentation on the topic during KB4-CON.
We spoke with Roer to learn more about security culture. He said everybody now is talking about security culture, but very few know what it actually means.
“According to our research, there are seven dimensions of security culture, or those parts of culture that influence security,” he said. “Those are attitudes, behaviors, communication, compliance, cognition, norms and responsibilities. Each of these dimensions is interconnected with the others, so if you change one of them, you will also influence the others.”
The good news is that changing norms has a direct impact on attitudes and behaviors, Roer said. The challenge has been how norms can be changed and “how can we do that in a controllable way,” he said.
“It’s the same with all of the dimensions,” he said. “How can we change communication, for example, in such a way that we get the results that we want?”
CLTRe’s assessment starts with a questionnaire given to all employees within an organization; the results are then analyzed to measure its security culture.
“What we do is ask very specific, tailored questions to, for example, figure out whether or not they keep a clean desk,” Roer said. “Our questions are designed in such a way that it’s reporting your own behavior, but it’s also reporting that behavior that you see in the organization. The reason we do that is social psychology, where you are more likely to reflect that behavior, those thoughts and ideas, of those of your peers, rather than hanging onto your own in that group. And when we are talking about culture, your own opinion and observations are really important.”
According to CLTRe, poor security culture accounts for three in four breaches. It can lead to such things as users being more susceptible to phishing attacks, unauthorized data sharing, and leaving their computer without first locking it.
Security awareness is a necessity, but to make it work across organizations and control it, “you need security culture, which encompasses behaviors, awareness, attitudes, norms, policies, all of those things, and then you get a platform like KnowBe4, which allows you to control and manage that culture across your organization,” Roer said.
Also at KB4-CON, Katie Brennan, KnowBe4’s technical content director, shared the most interesting phishes of the past year. Cybercriminals play on users’ emotions and use current events, whether political or …