Table of Contents
- Introduction
- Infosec Cybersecurity Culture Domains
- Launching a Cybersecurity Culture Survey
- Taking the Cybersecurity Culture Survey
- Cybersecurity Culture Survey Results
- Frequently Asked Questions
Introduction
Empowering an organization to defend against cybercrime is not just about sending regular security awareness training and following up to ensure it is completed - it’s about driving culture and awareness change within an organization. The Infosec IQ cybersecurity culture survey will help you understand what successful cybersecurity culture looks like by measuring and quantifying employee attitudes and beliefs, and offer guidance to improve culture within your organization.
The cybersecurity culture survey is a short survey (18 questions, 3-5 minutes) that security awareness program managers assign to employees. Survey results and a culture dashboard provide a snapshot of cybersecurity culture across five Infosec cybersecurity culture domains. Survey results are accompanied by guidance on how to strengthen culture using Infosec IQ and security awareness and training best practices.
We want you to be able to answer:
- Where is my organization strong? Where do we have gaps that need help?
- Over time, how is my organization’s security culture evolving?
- How can I best use Infosec IQ to strengthen my cybersecurity culture?
Infosec Cybersecurity Culture Domains
Below are the five domains for the Cybersecurity Culture survey. Click here to download a detailed PDF document.
A. Confidence: How employees classify their own ability to put their cybersecurity knowledge to practical use.
B. Trust: How employees perceive the security posture and processes at their organization.
C. Responsibility: How employees perceive their role in the cybersecurity of your organization.
D. Engagement: How willingly employees participate in your organization’s security awareness and training program and apply available resources and support to improve security behaviors.
E. Outcomes: How employees perceive the consequences of a security incident at your organization.
Launching a Cybersecurity Culture Survey
The Cybersecurity Culture Surveys are different from a traditional IQ campaign in that there is no pre-defined end date. An active survey will continue until it is ended by an admin, which allows you to decide whether to conduct surveys over a period of time or based on response rate. We suggest 50% of your learners as a good baseline, but needs may vary. Additionally, surveys can be assigned to all learners, or only to specific groups.
Considerations
- Learners must be in a group in order to participate in a survey.
- There must be at least 10 total participants in a survey.
- There are no email notifications for the survey.
Follow these steps to launch a Cybersecurity Culture Survey:
- Navigate to AwareEd > Culture Survey.
- On the right, under Survey Details, you’ll see information about the current survey, or the previous survey if there is no active survey. Click on New Survey here.
- Select the group(s) you want to enroll in the survey, or click Select All.
- To begin the survey, click Launch Survey on the lower-right.
- The current results can be viewed at any time by returning to AwareEd > Culture Survey. Note that data will not populate in the graph until 10 responses have been received.
- While there is an active survey, click the End Survey button at any time to finalize the current survey results.
- When a survey ends, the result set will be assigned the name of the current month and year, e.g. Apr 2021. If you wish to change the name, simply click into any previous result and click the pencil icon next to the name.
Taking the Cybersecurity Culture Survey
Once a learner is enrolled in a Cybersecurity Culture Survey, they will be prompted to take the survey the next time they visit their dashboard. Note that there are no email notifications for the Cybersecurity Culture Survey. Learners will have the option to skip the survey if they don’t have time to complete it, but they will be reminded every time they visit their dashboard.
The survey will also appear as a tile in the learner’s dashboard if the prompt is dismissed. Once the active survey has ended the learner will no longer have access.
Cybersecurity Culture Survey Results
The results for the most recent five Cybersecurity Culture surveys will be displayed in the graph. To look at individual survey results click on Previous Survey Details on the right side of the page, and then click on the result you wish to view.
On the left side of the graph you can download either a PDF of the graph that is currently displayed, or you can download a spreadsheet containing all survey results.
Frequently Asked Questions
How was this created?
Infosec’s culture survey was developed and refined over time by a team of cybersecurity educators and industry analysts at Infosec, in collaboration with John Stevenson, Associate Director of the University of Wisconsin - Madison’s Survey Center. The survey is designed to optimize clarity, engagement, consistency, and elimination of bias.
How many responses do I need?
It depends on who is taking the survey. We recommend assigning the survey to everyone in your organization, and then thoughtfully and respectfully encouraging them to participate. This will help you gather an accurate picture of the opinions and perspectives of your staff, across a diversity of roles. When used in this manner, a majority of your staff should respond for the results to be considered representative of the breadth of your organization. That means a bare minimum of over 50% of your included learners.
If your organization is very large, you may choose to take a “random sample” of a specific department or employee group by assigning the survey to that group only. Tables or calculators like these can help determine how many responses you need. To get reliable domain scores in this context, we recommend a confidence level of at least 90% with a 5% error margin.
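As an added illustration (not Infosec IQ code), the sketch below estimates how many responses a sampled group needs at the recommended 90% confidence level and 5% error margin. It assumes the standard Cochran sample-size formula with a finite-population correction and the most conservative response proportion of 0.5; the function and parameter names are hypothetical.

```python
import math
from statistics import NormalDist

# From this page: a survey needs at least 10 participants, and the results
# graph does not populate until 10 responses have been received.
MIN_PARTICIPANTS = 10


def required_responses(population, confidence=0.90, margin=0.05, proportion=0.5):
    """Responses needed from a group of `population` learners.

    Assumption (not stated on this page): Cochran's formula with a
    finite-population correction; proportion=0.5 is the worst case.
    """
    if population < MIN_PARTICIPANTS:
        raise ValueError("a survey needs at least 10 participants")
    if not (0 < confidence < 1 and 0 < margin < 1 and 0 < proportion < 1):
        raise ValueError("confidence, margin and proportion must be in (0, 1)")

    # Two-sided z-score, e.g. about 1.645 for 90% confidence.
    z = NormalDist().inv_cdf((1 + confidence) / 2)

    # Sample size for an effectively infinite population.
    n0 = (z ** 2) * proportion * (1 - proportion) / (margin ** 2)

    # Correct for the finite size of the group being sampled.
    n = n0 / (1 + (n0 - 1) / population)

    # Never report fewer than the platform minimum or more than the group size.
    return min(population, max(MIN_PARTICIPANTS, math.ceil(n)))


def response_rate_needed(population, **kwargs):
    """Required responses expressed as a fraction of the group."""
    return required_responses(population, **kwargs) / population


if __name__ == "__main__":
    # Constructed group sizes, for illustration only.
    for size in (200, 1000, 5000):
        needed = required_responses(size)
        print(f"{size} learners -> {needed} responses "
              f"({response_rate_needed(size):.0%} response rate)")
```

The required response rate falls as the sampled group grows, so the share of a large department that must respond can be well below the 50% baseline suggested for whole-organization surveys.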
What’s a good score?
Once we’ve gathered enough data, we’ll release some averages broken down by industry and company size so you have something to compare to. In the meantime, don’t worry if you’re seeing scores in the 1-2 range. That’s typical. Cybersecurity culture is a relatively new idea, and good culture doesn’t happen overnight, or by accident!
The goal of the survey is to help your organization’s cybersecurity culture grow, and then enable you to easily see and demonstrate that growth. The best way to meet that goal is to focus on the recommendations, and use your scores as evidence for why they’re important and worth investing in. Then launch another survey in 6-12 months to show their (and your!) value.
How are scores calculated?
Each question corresponds to one of the five cybersecurity culture domains. Each answer has a numerical value. For most questions, those values are:
Not at all = 1, A little = 2, Somewhat = 3, Very = 4, Extremely = 5
To calculate a domain score:
- The numerical values of all learners’ answers to each question in the domain are averaged.
- The per-question average scores are then summed and divided by the number of questions in the domain.
For example, there are four questions associated with the domain of Trust. If among all learners, the average scores for those four questions are 2, 2, 3, and 3, the Trust score is 2.5, calculated by:
- First summing the four question scores: 2 + 2 + 3 + 3 = 10
- Then dividing the result by the number of questions: 10 / 4 = 2.5
In accordance with opinion survey best practices, a handful of questions are negative, and the order of their numerical values is correspondingly inverted:
- Engagement Question 1 - Overall, how often does complying with your organization’s cybersecurity policies and best practices interfere with your ability to do your job?
- Outcomes Question 2 - How serious do you think the consequences would be to an employee if they caused a cybersecurity incident at your workplace?
A score of 1 on either of the above questions is best, and a score of 5 is worst. Additionally, while most questions are equivalent, a handful have greater or lesser relative weight in determining domain scores, reflecting their greater or lesser relative importance to the domain.