Defining Security Culture
project manager, State Information Network Agency, Latvia
There are several OECD documents concerning information security and
– OECD Guidelines for the Security of Information Systems and
Networks: Towards a Culture of Security, adopted as a
Recommendation of the OECD Council at its 1037th Session on
25 July 2002.
– Implementation Plan for OECD Guidelines for the Security of
Information Systems and Networks: Towards a Culture of Security
– The Promotion of a Culture of Security for Information Systems
and Networks in OECD Countries (16-Dec-2005).
– OECD Guidelines for the Security of Information Systems and
Networks: Towards a Culture of Security, Questions and Answers
• None of the mentioned papers contains a comprehensive, clear-cut
definition of the concept ‘security culture’.
• Why did the authors of these papers avoid defining security culture and
prefer to rely on an intuitive understanding of the term?
• “Organization culture is like pornography - it is hard to define, but you
know it when you see it“, Ellen Wallach.
• However, if we are going to create a security culture in our organisations
we have to make clear to ourselves:
- What does ‘security culture’ mean?
- What makes the difference between applicable security legislation,
regulations, standards, policies, rules or instructions and Security
Quotation from the article ‘Creating A Security Culture’ published by Animal
‘Those who belong to a security culture also know what behavior
compromises security and they are quick to educate and reprimand
those people who, out of ignorance, forgetfulness, or personal
weakness, partake in insecure behavior. This security consciousness
becomes a "culture" when the group as a whole makes security
violations socially and morally unacceptable within the group’.
The last clause of the quotation is essential: it actually answers the
question of what makes the difference.
Safety and security are different things; however, there are many
similarities between them:
- both are linked with risks, and
- lack of either may cause considerable, even catastrophic, damage.
The concept of safety culture is more mundane and much more widely
used. Safety rules and instructions are ever-present. Safety is the top
priority in areas like shipping, the nuclear energy industry, etc.
The International Atomic Energy Agency gives the following official
definition of Nuclear Safety Culture:
‘Safety Culture is that assembly of characteristics and attitudes in
organisations and individuals which establishes that, as an overriding
priority, nuclear plant safety issues receive the attention warranted by
And further we read: ’…Safety culture has to be inherent in the
thoughts and actions of all the individuals at every level in an
The concept of ‘attitudes’ included in the definition is of crucial
importance. It makes the difference.
Replacing ‘safety’ with ‘security’, we arrive at workable statements for
Security culture is that assembly of characteristics and attitudes in
organisations and individuals which establishes that, as a high priority,
issues of security of information systems and networks receive the
attention warranted by their significance.
Security culture has to be inherent in the thoughts and actions of all the
individuals at every level in an organization.
Actually, this is another wording of the above-mentioned requirement to
make security violations socially and morally unacceptable.
This kind of security culture definition is in reality just a statement of a
goal which, if reached, is the best guarantee of information and
information system protection.
Creating and/or changing an organisation’s culture is a very difficult,
long-term managerial task, and security culture is no exception: it is part
and parcel of the overall corporate culture.
So we are confronted with the difficult task of changing corporate
Writing security standards, policies and instructions alone does not
We are not going to discuss all aspects of establishing the desired
culture in an organization; we shall only emphasize those which are of
particular importance in the area of information security.
In the OECD Guidelines awareness is mentioned as the first principle.
Being aware of the importance of security, of the risks and of the
available safeguards is of crucial importance.
But the requirement of awareness is closely linked with competence and
knowledge in the area of information security at all levels in the
Without adequate knowledge no real awareness is possible.
As ICT is a fast-changing industry, maintaining a security culture has to
be linked with a permanent learning process.
The effect of insufficient competence at the level of individual users is
quite obvious: the individual himself becomes the weak point in the
whole system of information and information system protection.
For example, if a person has not mastered the very fundamentals of
public key cryptography, he or she may be unaware of situations in which
his or her actions (when using a digital signature) may cause serious
It is completely unacceptable that people whose position or
occupation clearly requires competence in these matters promote an
incorrect understanding, for instance, of issues around digital
Announcements like “the digital signature is in your smart card” or “you
will receive your digital signature from the certification service provider”
send utterly wrong messages about the very essence of digital
What the card holds is the private signing key, and what the provider
issues is a certificate binding the corresponding public key to its holder;
the signature itself is computed anew over every document that is signed,
and it is different for every document.
Whatever simplifications are used (for the sake of convenience or
brevity), they should not lead to a wrong understanding of the subject,
because those who do not possess the respective knowledge learn from
what the allegedly competent (official) person says.
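The following is an added example, not part of the original presentation, that makes the distinction concrete: a smart card modelled as an object that keeps a private key and never exports it, a certificate (here just a dictionary issued by a hypothetical “Toy CA”) that carries only the public key, and a signature that is a value computed from the private key and the hash of one specific document. The RSA parameters are deliberately small and unpadded (textbook RSA over SHA-256 with a home-grown Miller-Rabin prime generator), so the code is for illustration only, never for real signatures; the holder names, the document texts and the seeds are constructed for the example.

```python
"""Toy RSA signing: what a smart card, a certificate and a signature each are.

Added illustration, not code from the original presentation. Textbook RSA
without padding, small keys: never use this for real signatures.
"""
import hashlib
import random


def is_probable_prime(n, rounds=32, rng=random):
    """Miller-Rabin test; rng may be the random module or a random.Random."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits, rng):
    """Random odd candidate with the top bit set, retried until probably prime."""
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(c, rng=rng):
            return c


class SmartCard:
    """Models the card: it generates and keeps the private key (self._d) and
    only ever exports the public key. The card does not contain a signature."""

    def __init__(self, holder, bits=512, seed=None):
        rng = random.Random(seed)          # seed is only for reproducible demos
        e = 65537
        while True:
            p, q = gen_prime(bits // 2, rng), gen_prime(bits // 2, rng)
            phi = (p - 1) * (q - 1)
            if p != q and phi % e != 0:
                break
        self.holder = holder
        self.n, self.e = p * q, e
        self._d = pow(e, -1, phi)          # private exponent, never leaves the card

    def public_key(self):
        return (self.n, self.e)

    def sign(self, document: bytes) -> int:
        """A signature is a fresh value derived from THIS document and the key."""
        h = int.from_bytes(hashlib.sha256(document).digest(), "big")  # h < n
        return pow(h, self._d, self.n)


def issue_certificate(card, issuer="Toy CA"):
    """What a certification service provider actually hands out: a binding of
    the holder's name to the PUBLIC key (hypothetical, unsigned toy format)."""
    return {"subject": card.holder, "public_key": card.public_key(), "issuer": issuer}


def verify(public_key, document: bytes, signature: int) -> bool:
    """Anyone holding the certificate can check a signature; no card needed."""
    n, e = public_key
    h = int.from_bytes(hashlib.sha256(document).digest(), "big")
    return pow(signature, e, n) == h


def demo():
    card = SmartCard("Jane Doe", seed=1)           # constructed holder and seed
    cert = issue_certificate(card)
    doc1 = b"Contract: pay 100 EUR"                # constructed sample documents
    doc2 = b"Contract: pay 1000 EUR"
    s1, s2 = card.sign(doc1), card.sign(doc2)
    return {
        "distinct_signatures": s1 != s2,                             # one per document
        "doc1_verifies": verify(cert["public_key"], doc1, s1),
        "tampered_fails": not verify(cert["public_key"], doc2, s1),  # s1 does not cover doc2
        "wrong_key_fails": not verify(SmartCard("Other", seed=2).public_key(), doc1, s1),
    }


if __name__ == "__main__":
    print(demo())
```

Every entry of the dictionary returned by `demo()` is `True`: two documents signed by the same card yield two different signatures, a signature verifies only against the document it was computed over, and only with the public key named in the holder’s certificate. Nothing that could be called “the signature” exists before a document is signed, which is exactly why the two announcements quoted above mislead.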
Insufficient competence at the level of political appointees in
government and/or governmental organizations results in a slow and
inefficient process of establishing the necessary security institutions:
Public Key Infrastructure, Computer Emergency Response Teams or
Computer Security Incident Response Teams.
The level of necessary competence depends on the role a person
performs in the information society, but it is a clear requirement of
security culture that the respective adequate competence is ensured
and maintained at all levels.
It is an indispensable prerequisite of both the information society and
Thank you for your attention