Issue link: https://insights.oneneck.com/i/1476862
10 The 7 dimensions of security culture The 7 dimensions of security culture Attitudes The feelings and beliefs that employees have toward the security protocols and issues. The seven dimensions used by CLTRe to model security culture pertain to the human factors (i.e. the core human-related elements) that have a direct or indirect impact on the security of the organization. Each dimension is separately observed, measured and understood on a continuum from low risk to high risk. This is informative for organizations, especially when the dimensions are seen together. Combining the dimensions creates an accurate estimate of an organization's security culture and allows an organization to fully and deeply understand the human risks involved and make reliable predictions. While the dimensions are interconnected in a complex web of causes and effects, empirical research shows that each organization demonstrates a specific system of interconnections among dimensions. The dimensions are correlated to each other, although some more strongly than others. Like cogs in a machine, each dimension is crucial for the machine to function properly. Data obtained by measuring each dimension of security culture allows for direct comparisons of the extent to which each dimension of security culture is developed; or looking from another perspective, these metrics reveal which dimensions are most problematic and risky. Moreover, the Security Culture Toolkit allows highly reliable evidence-based decision making as the data allows its users to identify the main causal mechanisms in the organization. To give a couple of examples, the data can show that in certain organizations end-user behavior is primarily dependent on the quality of communication in the organization, clearly calling for actions on the level of organizational communication processes. In another organization, the data may show that compliance is problematic because of lack of clear dissemination practices and an indifferent attitude of department leaders to security policies, calling for interventions at that level. For each organization and even department, we can compare the strength of influence of knowledge and awareness on employee behavior with the strength of influence of norms, attitudes, communication processes, roles and compliance and make predictions on this basis. The following chapters seek to provide a deeper understanding of each dimension, and why these seven dimensions are specifically used to measure security culture.