CyberSecPsych

Businesses around the globe have transitioned to digitally-focused operating models and in today’s age, data is now our most valuable business asset.  According to the CapGemini EMC Big Data report, 63% of the respondents considered that the monetization of the data could eventually become as valuable to their organizations as their existing products and services ⁽⁴⁾.  Through the collection and analysis of this data, companies aim for increased efficiency, reduced waste, and increased profits ⁽⁸⁾.

Along with this transition to a data-focused business environment have come an increase of cyberattackers looking to make financial gain.  The World Economic Forum recently focused on the issue at Davos, highlighting that the cost of cybercrime to firms over the next five years could reach $8 trillion.  In addition, the FBI recorded 40,203 cases of business email compromise (BEC) and email account compromise (EAC) around the world between October 2013 and December 2016, resulting in total exposed losses of $5,302,890,448 to businesses, which are only the reported attacks. ⁽³⁾

With such financial risks at stake, the topic of security culture has become more vital than ever.  According to the Cyber Security Culture in Organisations report by ENISA:

“Culture can be divided into three levels that interact together: (1) promoted values, (2) visible behaviors, and (3) the underlying assumptions we hold.  An organization’s culture transformation should begin with a change in values, leading to the adoption of new behavior.” ⁽¹⁾

This is an excellent statement as it gives a trajectory on how to modify the current company culture towards a culture where the best practices of security are used effectively and without second thought.

CORE VALUES OF THE BIGGEST BREACHES 

If we look at the core values for some of the biggest breaches in history, namely Yahoo and Target, we will see that neither of their core values remotely touch on security or safe online practices.  This is disturbing as “the costs of these breaches are often paid by an organization’s users in some form or another rather than the organization itself.” ⁽¹¹⁾  Although this can be argued and there are heavy sanctions and fines placed on these companies at time for negligence, at the end of the day, it is the customers’ data that is now exposed.  Taking a look at the core value statements from these two companies:

• Yahoo, 500 million accounts compromised in 2014 ⁽⁶⁾

• Target, data breach affected 40 million customers ⁽⁶⁾

“We fulfill the needs and fuel the potential of our guests. That means making Target your preferred shopping destination in all channels by delivering outstanding value, continuous innovation and exceptional experiences—consistently fulfilling our Expect More. Pay Less.® brand promise.”⁽²⁾

This is the company’s mission statements, and core values are ⁽¹⁰⁾:

Purposes and Beliefs:

Great Shopping Anytime, Anywhere

Celebrating Diversity & Inclusion

Design for All

Community Support & Engagement

More for Your Money

Fun and Rewarding Place to Work

WHAT ARE CORE VALUES

Core values define a company’s “operating instructions” with the goal of educating and encouraging the day-to-day behaviors of everyone who works at the company.  They represent the organization’s driving forces and highest priorities.  These values shape the foundation for what happens in the workplace and sets the stage for the organization’s corporate culture, defining how your employees relate to clients, customers, and vendors.

A study done by Booz Allen Hamilton and Aspen Institute’s Business and Society Program, titled Deriving Value from Corporate Values, highlights that the core value statements of most corporations include similar words and ideas, with:

• 90% of them reference ethical behavior or use the word “integrity”
• 88% mention commitment to customers
• 76% cite teamwork and trust

 

And while there are handfuls of security firms that have security and/or confidentiality in their value statements, outside of the security realm, there do not appear to be many.

TYPES OF VALUES

Different types of values exist and should be evaluated to see how aligned they are with where your corporations true current standing is, and where you want it to go.  Often, companies will include aspirational values when defining their core value statements, stating what they wish their value system to be, but not where it stands today.  It is important to note that values are different than goals, wherein “values provide a general rationale for more specific goals and motivate attainment of goals through particular methods” ⁽⁹⁾.  If the gap is too wide between where your organization currently stands and the value statement proposed, it will not only confuse employees, but loose employee engagement and this dissidence will cause them to reject the imposed value system.

PSYCHOLOGY OF VALUES/VALUE SYSTEMS

What are values, and how are they formed?  Values are the priorities that one holds that drives their internal compass and guides their implicit or explicit actions and behaviors.  These values then become norms when they mandate a specific course of action, and these norms reciprocally strengthen the commitments to the proposed values.

Values are bound together to form a system, and when “a new value is acquired or an old one is lost, when a value is weakening (lowering) or strengthening (rising), the whole system will be affected.” ⁽⁹⁾   These values tend to take a hierarchical approach and as the research by Shalom Schwartz has found, our values typically show up in clusters or groups, as shown in the illustration below ^(12):

The more ingrained and deeply rooted a particular value is, “the more it takes a central place in the system and the more it is lived intensely, arouses emotions, and mobilizes vehement energies.” ⁽⁹⁾ Values can be looked at from two perspectives, at the individual level and at the group level.

INDIVIDUAL VALUES

At the individual level, “values are internalized social representations or moral beliefs that people appeal to as the ultimate rationale for their actions.” ⁽⁹⁾  These values help the individual to self-regulate, bringing them inline with their internalized sociocultural goals, and keeping them out of conflict with the needs of the group.  These values are acquired as part of the socialization process through family, groups and general society, and are relatively fixed over time.  As research done by Dr. Daphna Oyserman states:

“Indeed, values that are individually endorsed and highly accessible to the individual do predict that individual’s behavior. Conversely, even personally endorsed values won’t influence action when they are not made salient to the individual at the time of action. Moreover, in any given situation more than one personally endorsed value may apply, and the behavioral choice appropriate for one value may conflict with the behavioral choice appropriate to another value.” ⁽⁹⁾

This is where the hierarchical aspect of values come in, wherein an individual will behave in line with the value that believe is more significant than the other.

GROUP VALUES

At the group level, values are common held cultural beliefs held by common members of a group (9).  These values form the social glue of the group and when individuals feel a sense of allegiance, the values are reinforced.  Group values can also set the stage for friction within a group, as individual values may conflict with the group’s, causing the individual to either retreat from the group, or realign their values to meet the group’s expectations.  These “social agreements” of what is right or wrong, good or bad, required or forbidden, or the degree of importance of something directs the behaviors of the individual members of the group and structures the everyday life choices made.

INTEGRATING A SECURITY VALUE SYSTEM

So how do we go about effective behavioral change that starts at the enterprise and can then spreads through society?

1. Define how your company uses its data assets.
   1. Be specific, think about your business category and how all companies in a given category relate to security of their data
2. Describe the collective attitudes and beliefs about cybersecurity that you desire all employees to hold while holding true to your company’s personality
   1. Use words that invoke an emotional response
   2. Be unique and differentiated
3. Translate these attitudes and beliefs into specific actions and decisions employees should make
4. Tie together how the actions and decisions defined in #3 produce your customer experiences that define and differentiate your brand with their security in mind

RESPONSIBILITY

As core values form the foundation of your organization, there should be no greater champion of these values than the Founder or CEO.  This individual’s core security values permeate the workplace and are a are key shapers of the organization’s security culture.  This individual, along with a handful of key employees, including the CISO/CIO/CSO, should be held responsible with creating the organization’s core security values.  In doing so, they are “imposing a set of fundamental, strategically sound beliefs on a broad group of people” ⁽⁷⁾ and reaffirming the company’s cultural expectations around cybersecurity.  This will allow organizations to asses which employees are able to embrace these values, and which do not, giving greater visibility into the risk factors associated with employees.

MARKETING CORE SECURITY VALUES FROM THE INSIDE OUT 

After a company decides on what its core security values are, it should be integrating them every chance they get, from the start of hiring to the last day of work at the company, employees should be constantly reminded that core security values form the basis for every decision the company makes.  Furthermore, internal champions of these core security values should be championed as models for the entire organization and further promotion of these values should be integrated at every turn in the company.  Executives should take note to repeat these values every chance they get to further solidify them as tenants of the company’s culture.

CONCLUSION

As cyberattacks increase across the digital landscape, we must start the transition to better security hygiene at the enterprise, acknowledging its importance in not only the life of the company, but also the lives of employees.  When employees feel like their personal lives are being taken into consideration with these cultural undertakings, they will be more engaged at the workplace and the integration into their own personal value system will take place.  Although a challenging road ahead to get everyone on board with security hygiene practices, the heads of global companies have the power to start this process, and watch it trickle down.

 

References

1. Cyber Security Culture in organisations. (2017). ENISA, 1(1), 35. http://dx.doi.org/10.1016/s1742-6847(09)70003-5
2. Farfan, B. (2017). Target’s Mission Statement Creates a Bullseye for Employees to Aim For. The Balance. Retrieved 19 February 2018, from https://www.thebalance.com/target-mission-statement-2891827
3. Jakobsson, M. (2018). Never Mind Malware – Social Engineering Will Be Your Biggest Threat This Year. Infosecurity Magazine. Retrieved 19 February 2018, from https://www.infosecurity-magazine.com/opinions/social-engineering-biggest-threat/?utm_content=buffer985a8&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer
4. Jamsa, P. (2016). Data May Be the Most Valuable Asset Your Company Has. Digital Doughtnut. Retrieved 19 February 2018, from https://www.digitaldoughnut.com/articles/2016/april/data-may-be-the-most-valuable-asset-your-company-h
5. Kelly, C., Kocourek, P., McGaw, N., & Samuelson, J. (2005). Deriving Value From Corporate Values(p. 3). USA: The Aspen Institute and Booz Allen Hamilton Inc. Retrieved from https://assets.aspeninstitute.org/content/…/VALUE%2520SURVEY%2520FINAL.PDF
6. Larson, S. (2017). 10 biggest hacks of 2017. CNNMoney. Retrieved 19 February 2018, from http://money.cnn.com/2017/12/18/technology/biggest-cyberattacks-of-the-year/index.html
7. Lencioni, P. (2002). Make Your Values Mean Something. Harvard Business Review. Retrieved 19 February 2018, from https://hbr.org/2002/07/make-your-values-mean-something
8. Marr, B. (2016). Big Data: How A Big Business Asset Turns Into A Huge Liability. com. Retrieved 19 February 2018, from https://www.forbes.com/sites/bernardmarr/2016/03/09/big-data-how-a-big-business-asset-turns-into-a-huge-liability/#1eeaf43e7761
9. Oyserman, D. (2001). Values: Psychological Perspective. In International Encyclopedia of the Social & Behavioral Sciences. Elsevier Science Ltd.
10. Purposed & Beliefs. (2018). Target Corporate. Retrieved 19 February 2018, from https://corporate.target.com/about/purpose-beliefs
11. Shamban, S. (2018). Dear IT security pros: it’s time to stop making preventable mistakes. CSO Online. Retrieved 19 February 2018, from https://www.csoonline.com/article/3256284/data-protection/dear-it-security-pros-its-time-to-stop-making-preventable-mistakes.html
12. Stålne, K. (2012). Common cause | Fication. se. Retrieved 19 February 2018, from http://fication.se/?p=593
13. Yahoo’s Code of Ethics: Winning with Integrity. (2011) (p. 4). Sunnyvale. Retrieved from http://files.shareholder.com/downloads/yhoo/…/4f32ddd0-82e5-47c2-ac71-75403ebbb404