Christian Toon
Head of Cyber Professional Services
Improving security culture through behavioural analysis
Cyber security is a threat to every organisation’s operations and reputation. Breaches happen not just because of non-secure technology, but because criminals use sophisticated methods to target employees to gain access to systems. Ensuring their people are following secure behaviour is increasingly a priority for organisations, including the UK’s Science Museum Group (SMG).
The Challenge
SMG wanted to know how secure its workforce was and to assess to what degree its existing training and compliance activity had resulted in behaviour that would protect the organisation and its data.
It wanted to use this information to deliver a more effective security awareness programme.
The Solution
We used our Human Cyber Index (HCI) to measure security behaviour. Developed with behavioural scientists this involves assessing people’s knowledge and understanding of good security practice, their behavioural intentions and whether they are adopting security policies and processes.
The results enabled SMG to understand where it is achieving its security aims. The exercise challenged the current approach to security and highlighted areas of development centred on an action plan designed to promote a more positive security culture.
Analysis of the data helped SMG improve its security culture by identifying which departments and sites needed further education and by highlighting how some of its policies and processes could be enhanced. It also helped the company challenge its thinking about behaviour, engagement and any impact on productivity. Future security awareness programmes will aim to encourage people to adopt good security practice by focusing on positive reinforcement.
The project involved co-ordination with SMG’s ICT department, data protection officer and internal communications team to help establish a narrative to help employees understand what was happening to ensure there was high participation in the project.
SMG said that the project gave it greater insight into how it can support teams in protecting it from cyber threats and highlighted areas to focus on to encourage security behaviours.
The Result
Use of the HCI has enabled SMG to come up with a new action plan that will create a more positive security culture. This was based on insight and analysis of the results of the HCI process. This allowed SMG to understand where it is achieving its aims, it challenged the current approach and highlighted areas of development.
Use of the tool in Pinsent Masons has allowed us to tune into how our people are thinking about critical cyber security issues such as passwords, incident management and phishing.
