What is security culture?

Security culture is the set of norms, beliefs and values that shape the day-to-day operations of an organisation. It is a subset of the broader organisational culture and shows up as the security knowledge, attitudes and behaviours of staff. It spans every dimension of security, including cyber security, information security, physical security and personnel security, together with organisational elements such as policy, procedure and governance.


Why is it important?

Eighty-two percent of security breaches involve the human element, whether through social engineering, error or misuse (the figure reported in Verizon's 2022 Data Breach Investigations Report). A healthy security culture is therefore the foundation of sustainable organisational resilience.

However, security teams face an uphill battle to effect positive security behaviour. Efforts to improve security culture often fail to produce the desired effect because they focus on security awareness, which is only one of many underlying causes of poor security attitudes and behaviours. There are myriad reasons why organisational security culture may be lacking, ranging from poor engagement to carelessness, competing priorities and more.

Collectively, these human-centric risk factors weaken an organisation’s overall resilience.

Attackers exploit human and technical vulnerabilities alike to compromise the confidentiality, integrity and availability of an organisation's assets. Failing to understand and adequately address the drivers of human-centric risk has a detrimental impact on an organisation's security posture.

Once those drivers are understood, targeted interventions can be designed and implemented to reduce risk and to raise security culture against KPMG's defined maturity model.

[Figure: security culture wheel, a 12-month continuous improvement cycle made up of the following five steps]

  1. Collect
  2. Analyse
  3. Tailor
  4. Remediate
  5. Validate

Our approach

KPMG's proprietary approach to assessing security culture is designed to give organisations a data-driven understanding of their users' security behaviour. It comprises an assessment of the human-centric risks currently observed and a prioritised programme of targeted intervention activities that deals with the most critical risks first. Subsequent phases build towards embedding a strong, continuously improving security culture that is resilient to evolving security threats.

To do this, we look at security culture holistically. KPMG's Culture Framework is used as a lens to understand the root causes of security issues within an organisation, and its seven drivers of culture inform the design of change interventions intended to drive positive security behaviour.


Find out more

KPMG's approach is intended to support your organisation while you embed a strong, continuously improving security culture. We do this by addressing cultural root causes and by creating a baseline against which progress can be measured.

Investing in the human element of security helps foster a workforce that understands security and why it matters. When every individual becomes an extension of the security team, it is possible to move past check-box compliance and achieve greater levels of security maturity.
