One firm’s use of a measurement framework among its global corporate customers appears to have resulted in higher awareness and compliance,

Through surveys of more than 1,456 corporate customers (including 257,000 employees) on “security culture” via seven different dimensions, a cybersecurity firm has collected and analyzed three years’ worth of anonymized data (2019 to 2021) to make observations about its user bases’ security culture maturity levels.

What is security culture? It is the set of ideas, customs and social behavior of people in an organization that impact security. If divided into seven dimensions, security culture includes aspects such as: attitudes, behavior patterns, cognition, communication, compliance, norms and responsibilities.

Key findings from the report involving global customers of KnowBe4 include:

The five levels of corporate maturity in security culture defined
  • In the African user base, the data series shows a tradition and interest in security culture, especially in South Africa, where a higher level of security culture has been achieved.
  • In Asian customers, a wide variation of security culture has existed across nations. While Japan has been doing reasonably well, customers in countries such as  Malaysia and Indonesia have shown very low security culture index scores.
  • In the Europe customer base, both Sweden and Ireland have often been considered as technologically advanced. Along with customers of these two countries, those of Italy and Bulgaria have also had higher security culture scores across the three years of data.
  • In the USA, differences in security culture exist based on organizational size, where small organizations have been outperforming larger organizations.
  • Security culture in Oceania is showing that Australia and New Zealand are quite different from each other, and neither have been doing particularly well.
  • The Central and South America user bases are now beginning to measure security culture, with more countries from these regions added every year.

According to said Perry Carpenter, Chief Evangelist and Strategy Officer, KnowBe4: “In the look at data over the last two to three years, security culture has improved across regions and industries overall. This was the most promising finding from our research and emphasizes that security culture should be viewed as a critical asset used to reduce risk and improve security.”