Security Culture Improving Globally
Security culture, a workforce’s shared attitudes, perceptions and beliefs towards cybersecurity, has improved globally, according to KnowBe4 research.
The 2022 KnowBe4 Security Culture Report looked at the seven different dimensions of security culture across regions and industries worldwide. Those include attitudes, behaviors, cognition, communication, compliance, norms and responsibilities.
The report includes responses from more than 257,000 employees in 1,456 organizations globally who are also KnowBe4 customers and have completed the security culture survey.
Key findings include:
- In the United States, differences in security culture exist based on organizational size, where small organizations are outperforming larger ones.
- In Africa, there is a tradition and interest in security culture, especially in South Africa, where a higher level of security culture was achieved.
- In Asia, a wide variation of security culture scores across nations exists. While Japan is doing reasonably well, countries like Malaysia and Indonesia show an alarmingly low security culture index score.
- In Europe, both Sweden and Ireland are often considered technologically advanced. Along with these two countries, Italy and Bulgaria also had higher security culture scores.
- In Oceania, Australia and New Zealand are quite different from each other, and neither is doing particularly well.
- Central and South America are now beginning to measure security culture, with more countries from these regions added every year.
Roger Grimes is data-driven defense evangelist at KnowBe4.
“We have not finished analyzing all the data yet, but in general, any smaller group of people is easier to control than a larger group of people,” he said. “Larger groups of people have a wider initial viewpoint, different experiences and different biases. Smaller groups, where you have a higher percentage of direct individual friendships and relationships, can make sharing a culture easier.”
Everyone, large or small, is invested in reversing the trend once they understand the issue, Grimes said. It’s also a matter of maturity, regardless of size. It takes time to realize there is a big, common problem like social engineering and phishing attacks or just general insecurity.
Ransomware and other cyberattacks making big headlines help raise awareness, he said.
“The doubling of cybersecurity insurance and all the things cyber insurers require is another big stimulant,” Grimes said. “On top of that, the U.S. president routinely talks about it on national television as well as an incredibly timely and valuable government agency, the Cybersecurity and Infrastructure Security Agency (CISA). So, it really is a whole country effort, from individuals to national government agencies all trying to help change the culture. Sometimes it only takes a village, and sometimes it takes a nation and national culture change. We are all in on that concept.”