Human-centric cyber security risk directly relates to people’s knowledge, attitudes and behaviours towards security. This risk is present in your organisation’s workforce, so it is important to identify and understand its causes so that you can take steps to strengthen your security culture.
When every person in your organisation becomes an extension of your security team, you can move beyond standard compliance and create a cyber security culture of continuous improvement.
Why cyber security awareness training isn’t always enough
Learn how to identify the root cause of your organisation’s human-centric cyber risks and mitigate them with data-driven, targeted interventions.

Cyber Security Culture
The importance of a strong cyber security culture
People, not technology, present the greatest vulnerability to an organisation’s security posture. Addressing this requires focused effort and investment in initiatives that reduce human-centric cyber security risk and uplift organisational security culture.
The three pillars of security
- Appropriate security policies and management systems.
- Systems in place to mirror your security policies and risk appetite.
- Adequately skilled members of the security team.
KPMG helps you to identify and evaluate your organisation’s human-centric cyber risks and risk drivers by looking at your organisation’s cyber security culture holistically. Our approach can help you to create measurable behavioural change that targets the key risk personas in your workforce.
Organisational security culture
Organisations need a secure workforce, not just a security workforce.
Using data to measure cyber security culture
A data-driven approach can help you understand your organisation’s cyber security culture, the human-centric risks present in your workforce and the evidence-based strategies to target them.
74% of all data and security breaches have a human element (2023 Data Breach Investigations Report, Verizon).
Five steps to improving organisational cyber security culture
Qualitative and quantitative data collection to understand your organisation's current-state security operating model and cyber security culture, including:
- interviews with leadership, security teams and other stakeholders
- review of security policies, processes, training and awareness initiatives
- cyber security culture diagnostic survey gauging staff knowledge, attitudes and behaviours.
A comprehensive appraisal report of your cyber security culture, including:
- workforce segmentation by risk persona
- positive and negative cultural traits
- key behavioural risks.
Tailored intervention strategies that target the root cause of your human-centric cyber security risks, broken down by level of urgency:
- Do now: address key risks to security culture
- Do next: address other significant risks
- Do later: address additional risks for further uplift.
Implementation of the recommended intervention strategies. Interventions cover:
- people
- processes
- technology elements.
12-month continuous improvement cycle
We remeasure your organisation’s cyber security culture over time to assess the effectiveness of the intervention strategies at reducing your human-centric cyber security risks. This provides your organisation with a data-driven return-on-investment mechanism.
- Green flags: increases in positive cultural traits
- Red flags: reductions in negative cultural traits
- Evaluation of key risks: indicates which risky behaviours have been mitigated by interventions.
Build your cyber security culture with KPMG
KPMG’s approach to identifying and addressing human-centric cyber security risks is holistic, data-driven and focused on providing you with an evidence-based plan to move your organisation towards a culture of continuous improvement.
References
- Director-General's Annual Threat Assessment 2024, ASIO, 28 February 2024
- 2023 Data Breach Investigations Report, Verizon, accessed 29 April 2024