Culture of Security

Guest Writer: the Fox


Today, most cyber-attacks against companies go through their employees, who are enticed or tricked into helping in various ways. Yet most security budgets go to technology. It is time for us to look at the whole picture.


Most people have heard of, or been the target of, awareness campaigns that aim to change behavior through increased awareness. Such campaigns are rarely successful, and a general example that illustrates why is that virtually all smokers are aware that smoking is dangerous but still smoke. Not even increased knowledge changes behavior to any great extent.


To explain the difference between awareness, knowledge and culture, I usually use a cyclist and a traffic light. Awareness is likened to seeing the crossing traffic and the red light at the top of the pole. Knowledge is knowing that it is forbidden to ride through a red light, that the law backs this up, and that it can be both dangerous and expensive if I do it anyway. Culture can be likened to what I actually do at the intersection, and why. Is it worth cycling through the red light? Is there anyone around me who encourages me to stop (the police officer on the corner, my girlfriend on the bike next to me, or my son in the child seat)?


An example of management system requirements from the Radiation Safety Authority:

§ 6 The management system must support and promote a culture which means that matters of importance to radiation safety receive the attention and priority that their importance requires.

I find it interesting that most road users stop at red when they are behind the wheel of a car, far fewer stop when they cycle, and among those on scooters stopping is almost the exception. What has happened to our culture when laws are treated as voluntary, or when some consider themselves above them? And what happens when the scooter rider comes to work and is expected to follow the company’s rules?


Awareness and knowledge are purely intellectual exercises, whereas security culture also involves the heart, in the form of commitment and morality. Culture also goes beyond the individual to the group: it is shared, and we create it together and destroy it together. An essential part of any culture is its informal norms. Since managers are the ones who most often set the rules, follow up and give feedback, they are also best placed to change a culture. It is important that leaders encourage the behaviors that are desirable. And since managers have the most points of contact, letting them lead the culture-building gives good leverage.


Management’s best tool (in addition to encouragement) for steering the business and its culture is the management system (the collection of instructions and guidelines). Make use of its potential, and do not let it become a mere rounding mark that everyone steers around.


Another powerful example of the importance of using your management system: in 2023 Swedbank was fined 850 million SEK by the Financial Supervisory Authority because the bank did not follow its own routines for handling changes in IT systems.

A good security culture rests on a handful of pillars:

  • the precautionary principle: of two alternatives, for example, always choose the safer one
  • a questioning culture, where identified risks and safety improvements are raised as a matter of course
  • a fair culture, where the one who questions gets praise and no scapegoats are appointed
  • everyone discourages unsafe behavior in others and thanks the one who has the courage to speak up
  • a learning culture
  • everyone steps forward and takes ownership of safety.

What distinguishes a good security culture from an inadequate one:

  1. Is security on everyone’s agenda?
  2. Is security highly prioritized, or is it eroded by heavy production pressure?
  3. Does everyone dare to make their voice heard, or have some been silenced?
  4. Do you take in everyone’s perspective, or do you have a one-sided focus (technology)?
  5. Is there useful written support for the most safety-critical tasks?
  6. Are you proactive and long-term, or is “nothing has happened to us yet” taken as a sign that nothing will happen in the future either?
  7. Is risk understanding spread throughout the company, or do you work in silos without a holistic view?
  8. Do you have an open, questioning culture or a blaming one?
  9. Do you learn from your own and others’ mistakes, or do you repeat them?

Beyond making the organization more resilient to attacks, there are several other reasons to build a culture of security:

  • Solutions that are developed (both technical and business) become safer
  • Resistance to disinformation increases
  • The insider threat decreases (the risk of someone becoming an insider decreases, and it becomes easier to identify any who do)
  • The risk of corruption decreases
  • Employees feel better and perform better
  • It benefits profitability.

The last of these are not the least important: everyone deserves to feel good at work, and if we feel good we perform well, and then the business does well too.