Developed by Kai Roer of the Roer Group, the Security Culture Framework is a particular approach to security awareness. Unlike other programs, it recognizes the value of integrating security awareness programs into general corporate training modules. The SCF is comprised of four elements: metrics, organization, topics, and planner. An organization can adjust each of these when aligning the Framework to its unique business model.
The course started off several weeks ago with an introduction to terms such as “security” and “culture.” In this vein, we sought to understand how these two ideas combine to produce a “security culture,” as well as define what factors help constitute each corporate security environment. This was a great way to start off the summer camp, for it helped get all of us all on the same page, regardless of our professional backgrounds.
After examining the Framework as a whole, we have now begun to explore each of the elements mentioned above in great detail. So far we have covered metrics and organization. The lessons have primarily consisted of pre-recorded video lectures provided by Kai, followed by readings and short quizzes. These have been very helpful resources; they relate a great deal of information in a short period of time, but I have never felt overwhelmed. Additionally, Kai and his associate Mo Amin have addressed all of my questions in the weekly live Google Hangouts—an excellent companion to an otherwise strictly web-based course.
The past two topics in particular have ended with a written assignment that has challenged us to think about the lessons in a manner that relates to our own organizational security environments. These were daunting at first, but Kai and Mo were readily available to answer all of my questions via email. I feel confident and excited about completing the second half of the course.
The Security Culture Framework Summer Camp has so far given me a new perspective on security awareness. Acknowledging the string of high-profile data breaches this year, as well as the continuing detrimental relevance of “the human factor,” human users are consistently portrayed as spoilers of security environments. But Kai and his SCF challenge us to see more in our co-workers, employees, and organizations. They urge us to recognize the powerful impact informed human agents can have on the process of creating secure information environments. It is a refreshing, even hopeful, outlook for the field going forward, and I highly recommend exploring its nuances.
Please expect the second part of my review after I have completed the course.
David Bisson |
David is a graduate of Bard College, having received a B.A. in Political Studies. He is very interested in cybersecurity and completed his senior thesis on the U.S. military’s integration of cyber power. Currently, he works as the Media Coordinator at the Hannah Arendt Center for Politics and Humanities at Bard College. Going forward, David would like to leverage his extensive journalism experience as well as his interest in computer coding and social media to pursue a career in cyber security, both its practice and policy