Embedding Security Behaviours: Using The 5Es - CPNI


tions have on employee security behaviour. Organisations should assess the extent to which the time, resources and costs involved have had a positive effect on protective security, and whether improvements or modifications in the approach are required. Any lessons that have been learned must then result in effective action so staff can see these have been made. This will help to ensure that future behaviour change activities remain current and valid, and that any changes in contextual factors are considered.

How can this be achieved?

A simple evaluation may involve sense checking that the activities and interventions are having an impact through a short survey with staff (e.g. online or face-to-face). A more comprehensive evaluation may involve taking pre- and post measures over 18-24 months against a range of metrics through multiple data sources. Whichever approach is taken, organisations should aim to do the following:

- Identify key performance indicators (KPIs) or measures of success against which to evaluate progress. What are the aims and objectives of the intervention? What outcomes are expected in the short, medium and long term? What changes in knowledge, attitudes and/or behaviours will there be? Could there be additional consequences you haven’t anticipated that you should measure?
- Consider ways to assess metrics, preferably over time. What quantitative measures are available such as breach records, reports of suspicious activity, observational data or survey data? What qualitative measures can be collated through focus groups, interviews or open survey questions? Can measures be taken pre- and post interventions to show the scale of change?

CPNI has further tools and guidance that can assist organisations with evaluation. For example, ‘Has it worked? An evaluation guide for an internal security behaviour campaign’ and the CPNI Security Culture Survey Tool (suite of surveys to assess behavioural and cultural change).

Example interventions
- Staff surveys
- Intercept surveys
- Focus groups
- IT monitoring
- Breach records
- Observation studies
- CPNI security culture survey tool

The role of endorsement

Finally, the effect of the first four Es will be augmented if they are perceived by the workforce to be endorsed by credible sources. These credible sources may be external to the organisation (e.g. security experts, police, CPNI, ex-cyber-hacker) or internal to the organisation (e.g. Head of Security, Head of IT, CEO, the Board). Therefore it is paramount that, when designing interventions around the 5Es, an organisation considers who will be the ‘messenger’ of the interventions (e.g. who will be the voice of the campaign or change programme? Who can make the messages really resonate with employees?)

Key things to remember when endorsing a message or change are:

- Different groups of employees may need endorsement from different people (e.g. for new employees the message may be best delivered on induction by the Head of Security, whereas for existing employees who may be cynical about the change the message may be best delivered by an external credible source who can clearly articulate why something is a threat and what action employees should take).
- The personal touch can also help to make the messages meaningful and impactful to employees (e.g. the Head of Security being quoted through internal communications to say how much they value a report-in from employees in relation to unusual or suspicious behaviour around a site, and what the Head of Security has done to action the report).
- The message must always be seen to be endorsed consistently from the top of the organisation. Examples of ways in which leaders can do this include statements of endorsement in educational materials, attendance and visibility at events, inclusion in senior level communications to staff (e.g. briefings, newsletters), engaging in formal and informal conversations around the behaviours.

Implementing the 5Es

The 5Es provides a useful framework to follow for embedding security behaviours and creating an environment that sustains these. It is advisable to have the following in place to maximise its impact:

- Data on the current status – organisations should have a measure of where they are now in relation to the security behaviours they wish to embed. For example: How frequently are employees demonstrating the desired behaviours today? What are the primary factors or reasons behind why this may or may not be happening (e.g. is it lack of understanding, lack of motivation, lack of the right equipment or resources, poor design of the workplace?) This will help with knowing how big the proposed change is, and where the priority areas for intervention may lie (e.g. should there be a greater focus on ‘Shaping the Environment’ or ‘Educating Why’?).
- A project team – it is important that there is a sufficiently resourced project team available to lead and coordinate the roll-out of the programme. This is key to ensuring timely messages are communicated across the organisation as well as coordinating activities and providing clear lines of accountability. It is advised that the project team consists of representatives from the security department, HR team, and communications team as well as representatives from the organisation (e.g. security champions) who can help to design the programme. Appendix 3 details the APEASE criteria which can be a useful framework to guide the design of practical interventions.
- Communications strategy and message – the development of an overarching security culture message and supporting communications strategy can help to augment the impact of your programme (e.g. “Together we’ve got security covered” or “Helpful vigilance”). A consistent message to underpin the programme will help it to become easily recognisable. However it is important that this is in keeping with the wider culture of the organisation so that it is perceived as being aligned and complementary to other workplace initiatives.
- Senior management and Board level support – this will be important, not only in terms of securing top level endorsement for the programme overall, but for enabling any changes to policies or processes to be approved in a timely manner. If senior level support cannot be achieved upfront, then a senior level sponsor will be required who can take the lead on briefing seniors on the work and any decisions that are needed.

Taking an integrated approach

Whilst the 5Es have been presented in this document sequentially, they will be most effective if they are integrated with one another in an iterative way. This is because an organisation’s ability to flex between the principles will be important as requirements change. For example, there may be times when a focus on ‘Educating why’ is the priority whereas at other times ‘Enabling how’ may be key.

Finally, when implementing the 5Es, please bear in mind that there is a limit as to how much information employees can take on board at any one time. Whilst an organisation may identify a number of areas where significant strides in employee security behaviour are required, it is advisable that this is tackled in a step by step fashion. Identifying 3-4 priority behaviours for change in Year One may be a helpful starting point on which to build, as you move into Years Two and Three of the programme.

The 5Es model will continue to be reviewed and evaluated by CPNI. As we update our research, we will make updates to this guidance and our corresponding products accordingly.

Appendix 1: 5Es to embedding security behaviour

Educate why
- Educate employees on the threat picture
- Raise awareness on the security threats and risks to the organisation
- Align security to core business goals; articulate importance and why employees should care

Enable how
- Explain the vital part employees can play in mitigating the threat by their actions and behaviours
- Communicate what good security behaviour looks like
- Develop the relevant skills and capabilities within the workforce

Shape the Environment
- Shape the environment to drive and facilitate the behaviours
- Create a physical environment that makes it easy (e.g. processes, activities, systems)
- Establish the social environment (e.g. leadership set the example; peer pressure; norms)

Encourage the action
- Encourage the desired action through +/- reinforcement
- Recognise and reward positive actions and behaviours
- Discourage negative actions and behaviours (e.g. penalties, inconveniences)

Evaluate the impact
- Evaluate the impact and extent of the behaviour change
- Identify the KPIs and measures of success
- Measure the scale of the change in these

Endorsed by credible sources

This model is Crown Copyright and any reference to these 5Es should acknowledge CPNI accordingly.

Appendix 2: Worked example of the application of the 5Es

An organisation identified that it needed its workforce to adopt vigilant, security savvy behaviours when entering and leaving their secure site. There were a number of reasons for this such as:

a) the organisation’s security guards were not able to be everywhere all of the time and so staff could assist with spotting unusual or suspicious behaviour;
b) staff were often best placed to pick up on things that stood out from the ordinary;
c) hostile reconnaissance research had shown that vigilant staff behaviour could act as a deterrent to those planning an attack;
d) staff would be more alert to potential threats if they were alert, rather than distracted, when entering or leaving the site;
e) staff were making the site and themselves vulnerable by wearing their passes in local shops, meaning it was easier for hostile attackers to identify workers and/or learn what the identity badges looked like.

How the organisation applied the 5Es framework

Educate why

To educate staff on why being vigilant mattered when entering and leaving the site, and to build motivation for adopting the desired behaviours, the organisation carried out the following activities:

- Reminded staff that the site housed sensitive information that others (e.g. protest groups, organised criminals and some hostile foreign states) were interested in acquiring, which made the site, and its staff, an attractive target for attack.
- Demonstrated the link between the compromise of sensitive assets and the organisation’s ability to deliver essential services to its customers, having a knock-on implication for business reputation, revenue and future growth, as well as causing distress to customers.
- Provided examples from their site (and similar sites in the UK) where suspicious activity had been observed or had taken place and how the behaviours of staff (e.g. pass wearing outside, lack of reporting of suspicious behaviour) had aided the potential attacker.
- Provided senior managers with a tailored and more detailed briefing on the threat to emphasise the business reasons for taking protective security seriously.

The organisation communicated these messages through internal communications (e.g. newsletters) and departmental face-to-face briefings.

Enable how

So that staff were not overly alarmed, it was critical that the organisation provided appropriate information, training and support on (a) the existing security measures that were in place, and (b) the critical role that staff could play to strengthen these existing measures and to help keep them and the organisation secure. The organisation did this by carrying out the following activities:

- Producing cartoon strips that illustrated the behaviours, so the workforce could see examples of these in action.
- Providing staff with the telephone number to call, if they saw something unusual or suspicious, on a handy wallet card so they knew what the reporting number was and that this was easily accessible.
- Reassuring staff that particular protective security measures were in place and demonstrating this where possible (e.g. security control room open days to demonstrate the state of the art CCTV; reinforcing that there was a highly competent security team).
- Reissuing all the entry and exit procedures (for gates and vehicle barriers), making sure these were simple to follow and clear so that staff (and security guards and receptionists) had a shared understanding of what these were.
- Briefing staff on the key behaviours that they should adopt when entering or leaving the site (e.g. to be alert and vigilant when entering and leaving the site rather than be distracted by mobile phones or music devices etc.; to report anything unusual or suspicious immediately to security by following the correct process; to follow the correct entry and exit procedures for passing through gates and vehicle barriers to prevent unauthorised access; to put on their security pass as they enter the building and remove it as they leave).

The organisation communicated these messages through internal communications (e.g. newsletters) and departmental face-to-face briefings as part of their communications strategy.

Shape the Environment

The organisation recognised that educating staff on what the threat was, and then enabling them to demonstrate the security savvy behaviours, would not be enough to achieve the desired goal. They therefore looked at the physical and social environment (i.e. the context) in which the behaviours would be demonstrated and then carried out the following activities:

- In relation to the physical environment, the organisation identified that there was very little in or around the entry and exit points to prompt staff to be vigilant or to wear their pass inside and to remove it when they leave. They therefore developed some eye-catching posters and images to remind staff to demonstrate these behaviours, and positioned these in appropriate, helpful places.
- To make it easier for staff to follow the co

The role of people in protective security

An effective protective security regime relies on the successful coordination and integration of physical, cyber and people related security measures to keep critical assets secure. Physical and cyber (or information) security measures can only go so far in mitigating security threats. Employees