
Defining Security Culture

Peteris Treijs,
project manager, State Information Network Agency, Latvia

There are several OECD documents concerning information security and security culture:
- OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security, adopted as a Recommendation of the OECD Council at its 1037th Session on 25 July 2002.
- Implementation Plan for OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security (02-Jul-2003).
- The Promotion of a Culture of Security for Information Systems and Networks in OECD Countries (16-Dec-2005).
- OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security, Questions and Answers.

None of the papers mentioned contains a comprehensive, clear-cut definition of the concept of Security Culture.
Why did the authors of these papers avoid defining security culture and prefer to rely on an intuitive understanding of the term?
"Organization culture is like pornography: it is hard to define, but you know it when you see it." (Ellen Wallach)
However, if we are going to create a security culture in our organisations, we have to make clear to ourselves:
- What does security culture mean?
- What makes the difference between applicable security legislation, regulations, standards, policies, rules or instructions and security culture?

Quotation from the article "Creating A Security Culture" published by the Animal Liberation Front:

"Those who belong to a security culture also know what behavior compromises security and they are quick to educate and reprimand those people who, out of ignorance, forgetfulness, or personal weakness, partake in insecure behavior. This security consciousness becomes a 'culture' when the group as a whole makes security violations socially and morally unacceptable within the group."

The last clause of the quotation is essential: it actually answers the question of what makes the difference.

Safety and security are different things; however, there are a lot of similarities between them:
- both are linked with risks, and
- a lack of either may cause considerable, even catastrophic, damage.
The concept of safety culture is more mundane and much more widely used. Safety rules and instructions are ever-present. Safety is the top priority in areas like shipping, the nuclear energy industry, etc.

The International Atomic Energy Agency gives the following official definition of nuclear safety culture:
"Safety Culture is that assembly of characteristics and attitudes in organisations and individuals which establishes that, as an overriding priority, nuclear plant safety issues receive the attention warranted by their significance."
And further we read: "Safety culture has to be inherent in the thoughts and actions of all the individuals at every level in an organization."
The concept of attitudes included in the definition is of crucial importance. It makes the difference.

Replacing safety by security, we arrive at workable statements for security culture:
Security culture is that assembly of characteristics and attitudes in organisations and individuals which establishes that, as a high priority, issues of security of information systems and networks receive the attention warranted by their significance.
Security culture has to be inherent in the thoughts and actions of all the individuals at every level in an organization.
Actually, this is another wording of the above-mentioned requirement to make security violations socially and morally unacceptable.
This kind of security culture definition is in reality just a statement of a goal which, if reached, is the best guarantee for the protection of information and information systems.

Creating and/or changing an organisation's culture is a very difficult long-term managerial task, and security culture is no exception: it is part and parcel of the overall corporate culture.
So we are confronted with the difficult task of changing corporate culture.
Writing security standards, policies and instructions alone does not create culture.
We are not going to discuss all aspects of establishing the desired culture in an organization; we shall only emphasize those which are of particular importance in the area of information security.

In the OECD Guidelines, awareness is mentioned as the first principle.
Being aware of the importance of security, of the risks and of the available safeguards is of crucial importance.
But the requirement of awareness is closely linked with competence and knowledge in the area of information security at all levels in the organization.
Without adequate knowledge no real awareness is possible.
As ICT is a fast-changing industry, maintaining security culture has to be linked with a permanent learning process.

The effect of insufficient competence at the level of individual users is quite obvious: the individual himself becomes the weak point in the whole system of information and information system protection.
For example, if a person has not mastered the very fundamentals of public key cryptography, he or she may be unaware of situations in which his or her actions (when using a digital signature) may create serious risks.
It is completely unacceptable that people whose position or occupation clearly requires competence in these matters promote an incorrect understanding, for instance, of issues around digital signatures.
Announcements like "the digital signature is in your smart card" or "you will receive your digital signature from the certification service provider" send utterly wrong messages about the very essence of a digital signature.
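An added illustration (not from the original presentation) of the point above: the smart card holds a private key, the certification service provider issues a certificate binding the public key to a name, and the signature itself is computed afresh for each document. The names SignerCard, Certificate and Enrol are the example's own, the sample documents are constructed, and Go's standard-library Ed25519 stands in for whatever algorithm a real card uses.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// SignerCard models what a signature smart card really holds: the private key,
// not any ready-made "digital signature". (Constructed illustration.)
type SignerCard struct {
	priv ed25519.PrivateKey
}

// Certificate models what a certification service provider issues: the
// subject's identity bound to the public key, not a signature over any document.
type Certificate struct {
	Subject string
	Pub     ed25519.PublicKey
}

// Enrol generates the key pair on the card and returns the certificate the
// provider would issue for the public half.
func Enrol(subject string) (*SignerCard, Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, Certificate{}, err
	}
	return &SignerCard{priv: priv}, Certificate{Subject: subject, Pub: pub}, nil
}

// Sign computes a signature for one specific document: the signature is a
// function of the document and the private key, so each document gets its own.
func (c *SignerCard) Sign(doc []byte) []byte {
	return ed25519.Sign(c.priv, doc)
}

// Verify checks a signature against a document using only the certified
// public key, so anyone holding the certificate can verify it.
func Verify(cert Certificate, doc, sig []byte) bool {
	return ed25519.Verify(cert.Pub, doc, sig)
}

func main() {
	card, cert, _ := Enrol("Example Signer (constructed)")
	contract := []byte("Contract: pay 100 EUR") // constructed sample document
	s := card.Sign(contract)
	fmt.Println("original verifies:", Verify(cert, contract, s))
	fmt.Println("altered verifies:", Verify(cert, []byte("Contract: pay 1000 EUR"), s))
}
```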

Whatever simplifications are used (for the sake of convenience or brevity), they should not lead to a wrong understanding of the subject, because those who do not possess the respective knowledge are learning from what the allegedly competent (official) person says.
Insufficient competence at the level of political appointees in government and/or governmental organizations results in a slow and inefficient process of establishing the necessary security institutions, like Public Key Infrastructure, Computer Emergency Response Teams or Computer Security Incident Response Teams.

The level of necessary competence depends on the role a person performs in the Information society, but it is a clear requirement of security culture that the respective adequate competence is ensured and maintained at all levels.
It is an indispensable prerequisite of both the Information society and security culture.

Thank you for your attention.
