Earlier this summer, the Security Culture Framework Summer Camp successfully completed its first iteration, leaving students with a deeper understanding of the importance of security culture and how each and every organization should treat awareness programs as a priority.
(NOTE: This is the second article of a two-part series. Please click here to read the first part.)
The summer camp was structured around the Security Culture Framework (SCF), a learning template developed by Kai Roer of the Roer Group. Roer first created the SCF to teach information security professionals how to develop unique activity campaigns that could be used to strengthen their organization’s security cultures. Since that time, Roer has traveled the world, leading countless conferences and workshops on how professionals can implement the SCF at their workplace.
FREE Download: CISO Data Breach Guide
As evidenced by its international appeal, the SCF is fundamentally an adaptable process. It does not assume that all organizations’ security needs are the same. As a result, the Security Culture Framework serves as a valuable resource regardless of where or for whom security professionals work.
The SCF is made up of four elements: metrics, organization, topics, and planner. Roer designed the class in such a way that each component received one week of instruction, including lectures, videos, and a written assignment. In this way, students learned the SCF incrementally, allowing for greater synthesis of knowledge.
This article focuses on the second half of the course, during which we learned about the topics and planner elements. For the former, we investigated a variety ways organizations can enhance their security culture. We were then tasked with developing activities that could help augment our own organizations’ security culture. This was probably the least difficult assignment in the course. In order to complete our first assignment, which dealt with metrics, we had to consider how we could measure improvement with regards to certain security goals we set for ourselves. Deciding on our goals inevitably required some thought into what kinds of activities we could employ, so I drew from this prior experience to create an in-depth anti-phishing campaign. Looking up phishing simulation software, not to mention traditional posters and hand-outs, was actually quite fun. I could see everything in the course beginning to fall into place, and comparing prices helped me begin budgeting my expenses. In hindsight, I feel the topics session would have worked well at the beginning, possibly by being partnered with the metrics unit.
Once we chose all of our activities, we were then ready to learn about the final element: planner. In this section of the class, we learned about how organizations successfully schedule and time-manage different security campaigns, or a finite set of complementary security culture activities. Our final assignment challenged us to do just that. Not only were we required to figure out how our activities would blend together, but we were also charged to assign different parts of the process – such as formulating our core teams, running the activities, and recording our results – discrete dates. This level of detail ultimately emphasized the real-world applicability of our efforts.
The planner assignment was our “final exam.” After we submitted all of our written work for the course, Roer and his associate Mo Amin looked over our assignments and awarded certificates of completion shortly thereafter.
I am grateful that I had an opportunity to participate in The Security Culture Framework Summer Camp this year. Challenging the idea of the “human factor,” the course taught me a great deal about how an educated human user can actually enhance an organization’s security. No two persons could have conveyed this point better than Roer and Amin. Their witty banter in our Google Hangouts, not to mention their accessibility over email, made this course the particularly enjoyable experience that it was.
Summer is over, but so what? Training knows no season. I invite you to visit the Security Culture Framework website to learn more about Roer’s creation. From there, check out this page that hosts available educational resources offered by the Roer Group. Who knows? Maybe another SCF camp is right around the corner.
David Bisson | @DMBisson
David is a graduate of Bard College, having received a B.A. in Political Studies. He is very interested in cybersecurity and completed his senior thesis on the U.S. military’s integration of cyber power. Currently, he works as the Editor for Information Security Buzz and the Media Coordinator at the Hannah Arendt Center for Politics and Humanities at Bard College. Going forward, David would like to leverage his extensive journalism experience as well as his interest in computer coding and social media to pursue a career in cyber security, both its practice and policy