Can cybersecurity culture be measured, and how can it drive national policy?

Background

NorSIS has studied what they term cybersecurity culture in Norway. The purpose of their study has been to help design effective cybersecurity practices and to understand what security regulations Norwegians will typically accept.

The study wants to measure culture, a concept that does not easily lend itself to quantification or simple KPIs. The attempt is based on a survey sent to a group of people that is representative of the Norwegian population.

The key insights sought by the study are summarized in 4 research questions:

  1. What characterizes the Norwegian cybersecurity culture?
  2. To what degree does cybersecurity education influence behaviors and awareness?
  3. How do Norwegians relate and react to cyber risks?
  4. To which degree do individuals take responsibility for the safety and security of cyberspace?


Thanks to Bjarte Malmedal for sending me a nice hardcopy of the report he wrote with Hanne Eggen Røislien – you should follow him on Twitter for insightful security discussions!


The cultural dimension

NorSIS does not fall into the trap of reducing culture to behaviors alone but attempts to treat the cultural dimension as a set of norms, beliefs and practices influenced in various ways. They define 8 core issues that influence the cybercultural fabric of society:

  • Collectivism
  • Governance and control
  • Trust
  • Risk perception
  • Techno-optimism and digitalization
  • Competence
  • Interest
  • Behaviors

The discussion of these core issues that follows is sensible and logical. Then the authors summarize some results from their questionnaires, mapping answers to the 8 core issues. For example, they report that only 18% of the respondents say they have little interest in IT and technology.

Competence and learning

Surprisingly, the report states that 59% of respondents report having received cybersecurity training sometime in the last 2 years (without specifying any further what this entails). They also look into how people prefer to learn about security.

The authors take the perspective that many children are not receiving the cybersecurity guidance they need because only half the adult population has received cybersecurity training.

The report also states that it is unlikely that training will typically relate the security of cyberspace as a whole to the security of individual devices.

Risk perception

A key finding in the report is that 7 of 10 respondents think they expose themselves to threats online. They further associate the risk exposure with external factors rather than their own actions. Further, 6 of 10 people feel confident about their own ability to identify what is and isn’t safe to do online.

The highest fear factors are found when doing online banking and using online government services. This is perhaps because it is during these activities the users are interacting with their most sensitive data.

Behavioral patterns

Most people report that they think about how safe a website is before using it, and only 18% say they don’t think about this. The ability to actually assess this most likely varies, and 61% report they feel competent to do such assessments.

Another interesting finding is that people report deliberately breaking security rules at work; 14% in the private sector, 8% in the public sector, and men report doing this more than women.

Risk-taking behaviors should be expected in any large group of people, and the self-reported numbers are reasonable when compared to other studies about motivation and willingness to follow corporate norms.

Study conclusions

The report draws up some main conclusions based on the data gathered. One is about education, where the authors feel confident that positive security behaviors correlate with security education. They argue that it should be a government responsibility to educate the population about security, i.e. by making it a part of the school curriculum.

Regarding the surveillance-privacy tension in cybersecurity governance, the authors conclude that people mostly support giving the police authority and the tools to fight cybercrime, but they do not believe they will get any help by going to the police. Only 13% of victims of cybercrime file a police report.

They further propose policy for government action; primarily strengthening security education in the school system, and giving law enforcement further tools to fight cybercrime.

My thoughts on this

This report provides an interesting piece of work, in many aspects confirming with data the assumptions security professionals tend to make about people in general, and perhaps about the “typical user”.

The research questions asked at the outset of the report are perhaps implicitly answered through data and interpretations of those data. I will try to add my impression based on the report, and based on my personal experience from the corporate world.

What characterizes the Norwegian cybersecurity culture?

Norwegians are tech savvy – in the sense that they use technology. The report indicates that a lot of people are confident about their own use of technology, and most people believe they can assess what is safe and not safe to do online. When the report drills down into some behavioral aspects, there are issues that may paint a somewhat different picture.

  • People still use the same password on many services, although many report sounder practices. It is not unlikely that this self-reporting is skewed because people answer what they know they should be doing, instead of what they are actually doing.
  • People feel at risk when using online services, but still most people do not back up their data more often than every month, 15% report they never back up data, and 10% say they don’t even know. If the “correct answer” bias is affecting the results here, the situation is likely worse than this in practice. Think about the question: “how often do you check the oil on your car?”. Most people would like to say they do this regularly, like every month – but we all know that is not true.

The question asked about backup was actually how often people back up data that is important to them. I have a suspicion that a lot of people have never thought about what data is important. Is it the pictures of the grandchildren? Is it your financial documents, insurance papers, etc? Is it the recipe collection you keep in Microsoft OneNote? Most people will never have thought about this. A lot of people also believe nothing bad can happen as long as they store their files in the cloud. Beliefs are thus often formed without the competence needed to form informed decisions about value and risk.

My conclusion is that Norwegians are feeling quite confident about their own security practices, without necessarily having very good practices. Overconfidence is often a sign of insufficient know-how, which for the population as a whole is probably the case.

To what degree does cybersecurity education influence behaviors and awareness?

The effectiveness of cybersecurity education is a big area up for debate, especially in the corporate world, and it has also been discussed at length in academia. My take on when awareness training actually works can be found here: https://safecontrols.blog/2017/02/16/when-does-cybersecurity-awareness-training-actually-work/ .

Awareness training is often about practices – knowing what to do. Then comes motivation and the habituation of that information – how can you make theory into practice, how can you make a conscious effort into habit and second nature? I think two important things are at play here that we tend to underestimate; building on a feeling of responsibility for the collective good (which is also one of the 8 core issues of cybersecurity culture as defined in the NorSIS report), and creating skills that lower the effort barrier for secure practices. People who feel the use of IT is difficult are unlikely to change their existing habits before the “difficulty barrier” has been reduced.

This is where schools can play a role, like NorSIS suggests – but that is also a major challenge based on the current state of affairs, at least in Norwegian schools. I have been arranging an after-school activity on coding for elementary school pupils for a couple of years (mostly based on Scratch, and some Python). What is very visible in those sessions is that socio-economic background correlates to a very large degree with children’s technical know-how. A lot of the teachers also lack the know-how and perhaps the interest to be an equalizing factor when it comes to technology, although political efforts do exist to make technology a more central topic in schools. In this regard we see Norway currently lagging behind other similar nations, like Sweden or the United Kingdom, where IT plays a bigger and more fundamental role in education.

How do Norwegians relate and react to cyber risks?

People worry about cyber risks, and they worry more the older they get. Another interesting aspect is that people are worried about being subject to online credit card fraud, whereas using debit or credit cards online is one of the behaviors with lower perceived risk scores in the study. Further, using online banking is seen as a low risk activity – which correlates well with banks being seen as “secure”.

Ironically, “using email” is only perceived as slightly more risky than using online banking – in spite of social engineering through e-mail being the primary initial attack vector for 30 years, and still going strong.

The authors also conclude that having received cybersecurity education does not necessarily change how people perceive online risks, and that this is at odds with how many security professionals view the effects of awareness training. This does not come as a surprise – changing feelings by transfer of facts is not likely a good strategy, and risk perception at the personal level is typically based on feelings, as the report also correctly states. Changing risk perception requires continuity, leadership and the challenging of assumptions among peers – it requires the evolution of culture, and that is a slow beast to move. Training is only one of many levers to pull to achieve that.

To which degree do individuals take responsibility for the safety and security of cyberspace?

Creating botnets would be really hard if all devices were patched and hardened and all users careful to avoid social engineering schemes. This is not something most people are thinking about when they dismiss the prompt to update their iOS version for the nth time.

Most people probably don’t realize that it is the collective security of all the connected devices combined that makes up the security landscape for the internet as a whole. Further, it is easy to fall into the thinking trap that “there are so many computers that my actions have no impact” – more or less like the “my vote doesn’t count” among voters who stay at home on election day.

NorSIS sees education as a possible medicine, and that is definitely part of the story. Perhaps that educational effort should be distributed among many different curriculums – languages, social sciences, IT, mathematics – to help form consensus about why individual actions count for the safety of the many.

Summary of the summary

  • The NorSIS report on Norwegian cybersecurity culture is an ambitious project trying to highlight how society as a whole deals with security practices, beliefs, education and perceptions
  • The report indicates that interest and motivation is a key driver of positive security behaviors, and of know-how
  • There is an indication that education works in driving good behaviors. Security training seems to be less effective in changing risk perception. This should not be surprising based on knowledge about change processes in corporate environments: transfer of know-how is not enough to change attitudes and norms.
  • There is a clear recommendation to increase security competence through the educational system. This seems well-founded and something all nations should consider.
