Organizational Culture for Information Security: A Systemic Perspective on the Articulation of Human, Cultural and Social Systems

Many international reports and research centers repeatedly insist that the individual is the most important element concerning information security and one of the most relevant when determining an information protection practice for organizations. Consequently, although the incorporation of advanced technology tools helps to maintain a perspective of security and measurable and monitored control, it is the individual and their actions that challenge those tools and reveal any instability that is inherent to individual practices.

The way organizational information security culture is analyzed and understood must be changed to attempt to shape it. The view must move from a mechanical view based on cause and effect to one that understands the culture as a network of nested human relationships that dynamically create practices and imaginaries¹ seen in patterns of conduct that become visible or invisible in organizations.

Upon recognizing the challenges involved in analyzing, studying and attempting to transform an organizational culture, especially with respect to information security, it is necessary to go beyond the standard practice of awareness-raising workshops to reach an understanding of the deeper aspects of the business dynamic, such as the structures of groups, the imaginaries of the individuals and the values that influence individual conduct beyond simply complying with standard requirements.

To understand the dynamic of the organizational culture of information security, it is helpful to research and establish points of reference to understand individuals’ actions as they relate to security and control and the nested relationships between the individual, the organizational culture and the social system in which the organization is located.

There are three key concepts to understand when discussing the organizational culture of information security: conduct, change and context. These three elements are imperative to the construction, consolidation and maintenance of a culture of security that responds to the challenges of the modern organization and the instabilities of the current environment to create opportunities from an accelerated technological convergence and enterprise digital transformation.

TO ADAPT THE ORGANIZATIONAL CULTURE OF INFORMATION SECURITY, IT IS IMPORTANT TO CONNECT THE CONTEXT, CONDUCT AND CHANGES REQUIRED TO ALIGN THE BUSINESS DYNAMIC WITH THE VALUE OF THE INFORMATION AS A KEY PART OF THE BUSINESS.

Exploring the Concept of Organizational Culture

Culture is defined by three different theories. Each establishes a working framework with key aspects that offer clues to understanding the cultural phenomenon.

According to one anthropologist, culture is an exercise to represent, classify and contextually explain meanings created by individuals through social interaction. That is, it recognizes socially established structures of meaning, such as people issuing signals or perceiving and responding to insults, so that culture is not a psychological phenomenon or a characteristic of thought, personality or cognoscitive structure of the individual.²

This research emphasizes the social dynamic and the manner in which cognitive artifacts are constructed and the social fabric that translates into the suppositions and imaginaries that are constructed by individuals from their contexts and realities. These meanings that are built around the social dynamic of organizations ultimately represent the social interests that are nourished by the challenges and expectations of the individuals that comprise the organization.³

On the other hand, a social psychologist insists that culture is a concept that is so confusing that in the anthropological (not psychological) sense, it must deal with the diversity of thoughts, feelings and acts such as the collective mental programming that distinguishes one individual member of a group from the others. According to this research, culture is associated with the dynamic of the collectives, which can be understood based on five elements:⁴

1. Distance from ability (unequal vs. equal)—This is associated with the problem of human inequality and refers to the degree that people with less power admit and wait for this to be distributed unequally.
2. Individualism/collectivism (alone vs. group)—This has to do with the relationship between the individual and the group or social cohesion.
3. Masculinity/femininity (tough vs. tender)—The differences between masculine and feminine is deeply rooted in history and though these concepts have changed with time, they continue to have an effect on culture.
4. Aversion to uncertainty (rigid vs. flexible)—This relates to the unpredictability of the future including life and death.
5. Short-term/long-term orientation—This describes the time component of a culture, that is, their way of planning and developing their activities.

This research holds that organizational culture is visible in the practices of an organization and how it is perceived by the members of that organization and defines a cultural pattern that keeps organizations unified around their own dynamic and history, ultimately identifying it before others.⁵

An organizational psychologist’s work establishes that culture comprises “basic presumptions and beliefs that are shared by the members of a company.” As such, some components of a culture such as beliefs (which are suppositions accepted as true without additional reflection) are less visible than others, such as conscious values and social norms. Conscious values appear in patterns, customs or specific acts present in the organization, and social norms are, ultimately, the rules of behavior or assumed behaviors in a group and may be institutionalized or anecdotes and previous knowledge immersed in the organization’s history and dynamic.⁶

Upon reviewing the three definitions of culture, there are some common points among each, which reveal the complexity of organization culture and the challenges involved in transforming it toward different objectives or enriching it so that it can connect with new values, imaginaries or distinctions.

To adapt the organizational culture of information security, it is important to connect the context, conduct and changes required to align the business dynamic with the value of the information as a key part of the business. The following should be considered regarding the challenge of information protection as an inherent part of organizational culture:

• All social dynamics imply recognizing behavioral patterns and imaginaries from history and from the specific view of each of its members.
• There is a tacit transfer of practices between individuals that are often not conscious values declared in the organization.
• All organizations establish collective programming for reading the context that gives it a particular identity, which, in itself, defines how to relate and act within it.

THE THEORY OF CHANGE IS REQUIRED TO MOVE A PERSON FROM ONE PLACE TO ANOTHER OR FROM ONE STATE TO ANOTHER.

These elements construct mental structures and cognitive artifacts that are incorporated within the social dynamic of the individuals in the organization who define and animate the conduct rooted in those constructs, which benefit from personal experience feedback within the business dynamic. Consequently, the organizational security culture is configured as a social mental construct that gives sense to a practice that must be connected with the business dynamic.

Understanding the Challenge of Conduct

Conduct is the other component that must be analyzed to understand the features of organizational information security culture. There are two specific models used to illustrate complementary aspects of the information protection practices: the Fogg model⁷ and the three strategies for conduct change.⁸

The Fogg model shows conduct as a product of three factors: motivation, ability and triggers, indicating that for an individual to reach a specific goal they must:

1. Be sufficiently motivated
2. Have the ability to carry out the conduct
3. Be activated to carry out the conduct

These three elements must occur at the same or the expected action will not occur.⁹

The following triggers are established by this model:

• Spark—A phrase or a video that inspires the individual
• Facilitator—An activator that causes the occurrence of the conduct
• Signal—An indication that is required to release the action

On the other hand, the three strategies for conduct change suggest that three elements are required to change the conduct of the individual:

1. Trap—If what really matters is the action to be performed and if it is possible to eliminate the work that is required of the person, beyond giving consent, then execute the action.
2. Make or change habits—This strategy should be used if an individual needs to perform an action at various times (i.e., eating better or spending less), and the individual can identify a clear indication, routine or reward.
3. Support conscious action—If neither of the other two elements are available, then it is necessary to help the person to consciously perform the target action. There are ways to make this process easy, but it is the most difficult path to take.

THE CHALLENGE OF EVERY EDUCATOR IS TO MAINTAIN THE MOMENTUM OR TO CREATE NEW MOMENTUM TO CONTINUE TO MAINTAIN THE STUDENTS’ PROGRESS.

One example of applying these strategies to change conduct in information security is how to help individuals use better passwords:

• Provide an orientation guide (support conscious action).
• Provide a strong password generation system (create habits).
• Establish secure password defaults (set traps).

According to these two theories, human conduct is mobilized by triggers and habits that connect the individual’s natural dynamic. This implies little use of an individual’s cognitive ability and more use of instinct at the time of action. Everything that is new or different or that involves work will result in greater resistance, and acceptance will have to pass through a filter of habits and activities that require less effort.

Analyzing Theories of Change

The theory of change is required to move a person from one place to another or from one state to another. Any change involves leaving a comfort zone and creating uncertainty (a little or a lot) to achieve something that is desired and generally not yet known. Among the theories of change there are two in particular that should be explored: the Hiatt and Creasey model¹⁰ and the awareness, desire, knowledge, ability, reinforcement (ADKAR) model.¹¹

According to the Hiatt and Creasey model, changes can be made by defining the following steps:¹²

• A reason—What do I want to achieve?
• A decision—Do I want to do it?
• A result—Do I know how to do it?
• A transition—Is somebody with me?
• A benefit—Is it worth the effort?

On the other hand, the ADKAR model establishes the following elements as fundamental to manage and generate transformation:¹³

• Awareness—Establish the need for change.
• Desire—Desire to participate and support the change.
• Knowledge—Understand how to change and how change will be seen.
• Ability—Implement the change in everyday tasks.
• Reinforcement—Maintain the change generated.

These two models for change establish that change requires awareness, decision, ability, accompaniment and specific benefit. The ADKAR strategy for reinforcement is fundamental for the sustainability of any transformation, indicating that without this act of reinforcement, the change will probably not be permanent or incorporated into the individuals’ practice.

To connect the dynamic of change to security and control practice implies incorporating or adapting distinctions on information protection that do not conflict with the nature of the enterprise reality. Every day, information security is performed as an experience that the individual is capable of, knows how to do and wishes to do, as a part of what the organization demands and expects from its contributors.

Understanding Context and Its Challenges

The world is a network of connections that define the conduct of the one that is modeled. Since the conduct of each individual is recognized not as isolated, but rather a response to specific realities, all changes involve or even design the relationships necessary for the transformation to occur, or to understand and diagnose the learning needed to break the status quo of a current practice.

The analyses previously mentioned can be connected with the mobilization of changes and changes in conduct from a specific reality that is recognized in a particular context.

According to research, all learning journeys begin with a special momentum where the expectations and challenges of the participants connect, and with time that is affected by frictions and distractions that could deteriorate that initial learning experience.¹⁴ The challenge of every educator is to maintain the momentum or to create new momentum to continue to maintain the students’ progress.

Frictions are caused by three elements:¹⁵

1. A rationality that is frustrated by uncertainty and weakens the mobilization of actions
2. Emotionality that assumes negative positions when something does not come out as expected or generates positive motivation that allows creative reflections
3. A context with different stimuli can cause conscious or unconscious reactions that lead to unforeseen conducts, distractions or cognitive biases.

One way to overcome these frictions is to maintain a “beta” mentality that understands that everything is done in response to a permanent construction process where things can come out differently than expected, which, in turn, opens a new window for learning and the development of unforeseen improvements.¹⁶ This implies empowering the individual to view the results obtained from a particular challenge with the knowledge that they can, at any time, make a better version of what has been achieved. In this way, the frustration of “not doing it as expected” becomes an experience of construction and individual achievement on a threshold of an expected result.

Researchers speak of another way to achieve an appropriate learning experience for an individual.¹⁷ This exercise begins with a suspension of the current reality; that is, in a way what one wishes to learn is a surprise. One then confronts this surprise with one’s previous knowledge, questioning oneself as to what could be used or what new things could be incorporated with what one knows. One then prepares a different position from the surprise created, proposing and describing the enriched practice that has been created and placing it into practice so that it is finally incorporated in one’s toolbox as prior knowledge.

This learning appropriation cycle establishes a process of real change in an individual, establishing new mental elaborations and cognitive constructs that change the way of doing things. In fact, this process creates new cerebral connections that enable the cognitive flexibility necessary to modify the way of seeing the world. This implies that all changes in the individual, or in their conduct, require learning, and each learning demands a suspension of what we know to open the way for the capacity to surprise ourselves and to surprise others.

These two proposals converge in the exercise of learning and exploring as they seek to eliminate self-restrictions and to recover the capacity of wonder. With a beta mentality, there is always a way to experiment, propose and prove, which allows people to leave what is already known and begin to follow the path of learning, which leads to change.

ALL CHANGES IN THE INDIVIDUAL, OR IN THEIR CONDUCT, REQUIRE LEARNING, AND EACH LEARNING DEMANDS A SUSPENSION OF WHAT WE KNOW TO OPEN THE WAY FOR THE CAPACITY TO SURPRISE OURSELVES AND TO SURPRISE OTHERS.

When people are not able to change, or when they resist it, there may be learning challenges that limit them in this process. There are four elements that should be considered to mobilize learning:¹⁸

1. Understand the “error” (i.e., what does not occur as opposed to what is expected) as a learning opportunity and not as a cause for repression or judgment.
2. Motivate a mentality of growth and challenge, which will allow learners to persist when they confront obstacles while carrying out the work.
3. Encourage learners to prove new things and to seek help to empower and develop their skills.
4. Avoid the bias of attribution. That is, when things do not come out as expected, people must recognize their own acts to open new windows of learning.

Connecting Culture, Conduct and Change: A View of Recursive Construction

Developing a cultural reinforcement and maturity program for an organization’s information security culture requires concrete efforts to recognize, understand and act on the relationships that synthesize organizational culture, conduct and changes in the environment (figure 1).

People are first. This dimension, like all others, is complex given its relational network and multiple connections. This discussion focuses on two specific and mutually supportive elements: human motivations (related to emotions) and thoughts (connected to their rationality).

These two elements establish the bases of human conduct that motivate actions in individual or group scenarios related to triggers and habits that connect actions to specific events. The first aspect is to make a requirement meaningful within the individuals’ motivations (relevance and transcendence), reinforcing it from the rationale of their frames of reference so that this knowledge will cause individuals to develop the ability necessary to transform it into a habit.

This first dynamic of the human system is compared with the organization’s cultural system, which is comprised of a basic structure of beliefs, values and standards that are reinforced by networks of meanings, imaginaries and different groups of collaborators within an organization. This connection implies that individual thoughts are nourished by and affect the basic structure of the culture, and that motivations link with the contributors’ dynamic in their intraorganizational relationships. It is a two-way street.

When this initial view regarding the distinction for information protection makes sense to the person, then the basic enterprise structure must be nourished and enriched to incorporate the value of information as a fundamental element of the business dynamic, and it should not be outside the scope of or generate frictions for those who have prepared an imaginary and concrete meaning for this value. Consequently, each group within the organization will specifically recognize this to the degree that it makes sense with their natural practice and adapt it to the form of their daily work.

The cultural fabric of the organization as a whole is fed by and affects the social system where it acts, and vice versa. The highest-level social structures and the demands and tensions to which the organization is exposed penetrate its culture and create the dynamic of the relationships, often changing patterns of action. When the cultural system is much stronger and relevant to the tensions that can be exercised by the social system collectives, it can begin to influence and transform the social scenario of action, making it a reference for others in the medium.

This scenario for information security culture establishes that many cultural systems that form part of the internal information protection dynamic, either as compliance or for appropriate purposes from the personal perspective,¹⁹ can interact to generate a dynamic that affects and defines new patterns within the social system in which they act. As such, the challenge is not to have changes come from outside but rather to motivate these from within the dynamics of the organization’s cultural systems.

Learning new cognitive structures and social constructs can weaken and overcome existing mental structures. That is, with a beta mentality where each iteration is in the business dynamic, an exercise of joint constructions is what makes sense to a group (and, ultimately, to human motivations) and has real potential to nourish and affect the social dynamic in which the organization is installed.

Consequently, when efforts are made to transform the information security culture, regardless of the cause (motivation, information disclosure, change of conduct or cultural training²⁰), the nested view that involves creating and propagating changes and modifications that are generated and consolidated from the human systems to the social systems must be recognized (figure 1). This involves constantly navigating unstable and shifting currents while maintaining the sense and value of current information protection, with reinforcement strategies at the human, cultural and social level.

THE CHALLENGE IS NOT TO HAVE CHANGES COME FROM OUTSIDE BUT RATHER TO MOTIVATE THESE FROM WITHIN THE DYNAMICS OF THE ORGANIZATION’S CULTURAL SYSTEMS.

Conclusion

Considering the three elements of conduct, change and context, organizational information security culture responds to continuous learning that leads to evolving changes in daily organizational practice, which helps design or diagnose the relations of the context to motivate the conduct required to defend and anticipate emerging threats.

This involves creating habits, maintaining supplemental activities, reinforcing conducts, decreasing frictions and distractions and, above all, maintaining a context of learning. This favors the beta mentality, where it is always possible to propose and propound on the introduction of different postures that alter or break with the known organization’s dynamic and its security and control models.

Conduct does not change or alter with ephemeral rewards or through harsh or inflexible controls; it is mobilized and becomes possible through a connection between the individual’s needs and expectations. In daily practice, individuals are able to jointly build the reality either by consolidating new relationships or motivating other emerging relations, which can lead to a new theoretical and practical benefit to the organization.

For this reason, the consolidation and evolution of the organization’s information security culture requires comprehension and systemic learning that validates the challenges of the environment, individual realities and the organization’s needs for protection. This is not a flexible or express process, but rather requires a permanent validation of gaps, psychologically secure environments for learning, and a concrete implementation of new, jointly built distinctions.²¹

In this way, it is possible to develop and present a conscious and real imaginary of security that extends beyond compliance with a standard or evidence of knowledge of that standard, incorporating it as part of the individual’s internal thought structure as a value that is connected with the current organization’s dynamic and its life and is ready for implementation within the organization and sharing with others.

With this, the appropriation process becomes visible²² through the permanent incorporation of the distinction in one person, which is permanently reinforced by their daily environment, making it a native knowledge in their conducts that are inherent to the cultural dynamic of the organization (i.e., that occur when nobody observes them).

CONDUCT DOES NOT CHANGE OR ALTER WITH EPHEMERAL REWARDS OR THROUGH HARSH OR INFLEXIBLE CONTROLS.

Endnotes

¹ The definition of social imaginary used have correspond to Juan Luis Pintos, who affirms that they are schemes, socially constructed, that allow us to perceive something as real, to explain it and to intervene operationally in what in each social system is considered as reality. See Pintos, J. L; Los imaginarios sociales. La nueva construcción de la realidad social, Fe y Secularidad, Editorial Sal Terrae, Spain, 1995
² Nivón, E.; A. M. Rosas; “Para interpretar a Clifford Geertz. Símbolos y metáforas en el análisis de la cultura,” Alteridades, vol. 1, iss. 1, 1991, p. 40–49, https://alteridades.izt.uam.mx/index.php/Alte/article/view/683/680
³ Sánchez, J.; B. Tejero; A. Yurrebaso; A. Lanero; “Cultura organizacional: desentrañando vericuetos,” Revista de Antropología Iberoamericana, vol. 1, iss. 3, 2006, p. 380–403, https://www.researchgate.net/publication/26447131_Cultura_organizacional_ Desentranando_vericuetos
⁴ Chamorro, E; “Las dimensiones culturales de Geert Hofstede y la intención emprendedora en estudiantes universitarios del departamento del Quindío (Colombia),” Revista científica Pensamiento y Gestión, vol. 41, 2016, p. 60–90
⁵ Stefanova, E.; A. Lucas; “El concepto de cultura de las organizaciones: Centralidad actual y evolución histórica,” Revista Internacional de Organizaciones, 2008, p. 65–76, https://www.researchgate.net/publication/46412084_El_concepto_de_cultura_de_las_organizaciones_Centralidad_actual_y_evolucion
⁶ Schein, E.; Organizational Culture and Leadership, Jossey-Bass, USA, 2004
⁷ Fogg, B; “A Behavior Model for Persuasive Design,” Proceedings of the 4^th International Conference on Persuasive Technology, April 2009, https://dl.acm.org/doi/10.1145/1541948.1541999
⁸ Wendel, S.; Designing for Behavior Change: Applying Psychology and Behavioral Economic, O’Reilly Media, Inc., USA, 2014
⁹ Op cit Fogg
¹⁰ Hiatt, J.; T. J.; Creasey; Change Management: The People Side of Change, Procsi Learning Center Publications, USA, 2012
¹¹ Hiatt, J.; ADKAR: A Model for Change in Business, Government and Our Community, Prosci Learning Center Publications, USA, 2006
¹² Op cit Hiatt and Creasey
¹³ Op cit Hiatt
¹⁴ Iny, D.; Leveraged Learning: How the Disruption of Education Helps Lifelong Learners and Experts With Something to Teach, Ideapress Publishing, USA, 2018
¹⁵ Ibid.
¹⁶ Ibid.
¹⁷ Reyes, A.; R. Zarama; “The Process of Embodying Distinctions: A Re-Construction of the Process of Learning,” Cybernetics and Human Knowing, vol. 5, iss. 3, 1998, p. 19–33
¹⁸ Gino, F.; B. Staats; “Why Organizations Don’t Learn,” Harvard Business Review, November 2015, https://hbr.org/2015/11/why-organizations-dont-learn
¹⁹ Carpenter, P; Transformational Security Awareness: What Neuroscientist, Storytellers, and Marketers Can Teach Us About Driving Secure Behaviors, John Wiley and Sons, USA, 2019
²⁰ Ibid.
²¹ Edmondson, A.; The Fearless Organization: Creating Psychological Safety in the Workplace for Learning, Innovation, and Growth, John Wiley and Sons, USA, 2018
²² Cano, J.; “Systemic Model for the Diagnostic and Development of an Organization Culture for Information Security: A Vision From Generic Competences,” Doctoral Thesis, Universidad Santo Tomás, Colombia, 2018, https://repository.usta.edu.co/handle/11634/19640

Jeimy Cano, Ph.D., Ed.D., CFE, CICA

Is a university professor and independent international consultant with more than 25 years of experience in information security, data privacy, cybersecurity, digital forensics and IT auditing. In 2016, he was recognized as Cybersecurity Educator of the Year for Latin America by the Cybersecurity Excellence Awards and has published or presented more than 190 papers on his areas of interest in a variety of journals and for international events.