Without the right security values (i.e. culture), employees may pay lip service to the security practices in place, resulting in poor behaviours and lack of compliance with protective security measures. This in turn can lead to increased risk of security incidents and breaches, reputational and financial damage, the development of a climate that facilitates insider threat, as well as potential harm to employees, customers, and/or business performance. A good security culture in an organisation is an essential component of a protective security regime and helps to mitigate insider threats and external people threats. Security culture is the set of values, shared by everyone in an organisation, which determine how people are expected to think about and approach security, and is essential to an effective personnel and people security regime.
The benefits of an effective security culture include:
- employees are engaged with, and take responsibility for, security issues
- levels of compliance with protective security measures increase
- the risk of security incidents and breaches is reduced by encouraging employees to think and act in more security-conscious ways
- employees are more likely to report behaviours/activities of concern