Awareways research

13 September 2022

‘Most governments are less mature in information security than commercial companies’

Governmental organizations are generally less mature in information security than commercial companies and nonprofits. Awareways concludes this after researching information security maturity levels across dozens of organizations. The research was done by Sjoerd van Veldhuizen as part of his graduation thesis.

Organizational types in info security

“I set out to find different organization profiles across sectors, as part of my graduation thesis”, Van Veldhuizen explains. “These profiles are meant to be used to customize content templates. However, the research also yielded an interesting conclusion: governments are trailing commercial companies when it comes to maturity levels.” As far as Van Veldhuizen knows, looking into these profiles hasn’t been done before in academic literature.

“My main research question was twofold: ‘how many organizational types can be identified within the complete set of our culture scan data?’ and ‘how can these organizational types be helped [more] effectively with awareness training and interventions?’”

Research design

“For my research project at Awareways, I have looked into whether there were types – or profiles – of client organizations”, Van Veldhuizen explains. “So maybe type A behaves a certain way, while types B and C behave in a different way. Based on these profiles, you can create customized templates for content to be developed more efficiently and more effectively.” Sjoerd looked at data from 36 client organizations over 3 years.

“More specifically, I looked at 8 variables for each organization: the 6 culture scan variables – behavior, attitude, perceived control, perceived norm, constraints and knowledge – correlated with organization size and type to make it 8 in total.”

Using these variables, he found two clusters, which are depicted in the graph below.

Research results

In the figure on the right, the ‘culture scan score’ axis stands for the score on the 6 culture scan variables, so basically the overall score on the culture scan. The ‘Organization size’ axis stands for the size of an organization. The value 0 represents median values.

“We have split the population into two clusters. The one in pink has significantly lower scores on the culture scan – in other words: lower maturity. The cluster in blue has higher scores on the culture scan – in other words: higher maturity.”

This graph shows the distribution of all scores on the culture scan. On the left we see a cluster in pink with significantly lower scores and thus lower maturity. The blue cluster on the right has higher scores on the culture scan; a higher maturity.

In this graph, the horizontal axis shows the 6 culture scan variables: behavior, attitude, perceived control, perceived norm, constraints and knowledge. On every component, the blue cluster scores clearly higher than the orange cluster.

Juniors and Seniors

Correlation coefficients on the size axis turned out to be too small to be significant, although more large organizations were in the pink cluster. That’s why we have decided not to take organization size into account. That leaves us with a focus on the two clusters as divided by their culture scan results: “Juniors” (the pink cluster, with lower scores/maturity) and “Seniors” (blue, with higher scores/maturity).

To better illustrate how they score on each of the 6 variables, you can see their average scores on each construct in the graph to the left.

In conclusion

After finding these two distinct types, we were curious as to the composition of each group. This is where we dive into the interesting results. “In this regard, I broke down both clusters into government, commercial companies and nonprofit organizations.”

“As it turned out, the junior cluster consisted mostly of governmental organizations – while the senior cluster consisted mostly of commercial companies and nonprofits.”

In other words, on the basis of these results, Van Veldhuizen has concluded that governmental organizations are generally – but significantly – less mature in information security than commercial companies and nonprofits. In an upcoming follow-up paper, we will take a closer look at the pattern of scores on the different culture scan variables and the interpretation of the underlying patterns.

Maarten Timmerman, social psychologist and Awareways CEO: “This result is in line with how we have seen our customer base develop. Six years ago, it was mainly the commercial, non-governmental companies that were starting awareness programs. We’ve welcomed most of the current government organizations in our customer base over the last three years. This might explain their lower maturity scores. In our experience, building an information secure culture requires a multi-year approach.”

In this last graph we see, for both the junior and the senior cluster, the breakdown into the three types of organizations: government, commercial companies and nonprofit organizations. In the junior cluster, 56.1 percent of the organizations are governmental organizations. In the senior cluster, this is only 21.1 percent. Governmental organizations are overrepresented in the cluster that scores less well on the culture scan.

The Next Step

Awareways holds up a mirror to your organization. Our tailor-made security awareness programs expose vulnerabilities, offer solutions and reward safer behavior. By engaging experts in the field of psychology, storytelling, gamification and information security, we quickly get to the core of the matter to reach measurable results.

Cultural change within organizations and society as a whole – and more specifically behavioral change of everyone within – remains our main goal. As the next generation of agents of behavioral change, we take people on that journey. By approaching them as the strongest link in the information security process, rather than the weakest.

The Awareways culture scan reveals the present level of information awareness within any organization. At the same time, it challenges employees to reflect on their personal knowledge and behavior. Taking part in the survey is an intervention in itself.

Moreover, it not only offers concrete results – such as current levels of information awareness and insight into cultural aspects – but also practical focus points for a dedicated follow-up program.

Awareways expert teams

Expert teams are a central part of our organization, ensuring many different perspectives on our approach to behavioral change in information security. Learning & Development (L&D) for instance focuses on the steps between knowledge and behavior. Thanks to backgrounds in psychology, education, UX/UI and gamification, the team offers a dynamic mix of ideas and ambitions, resulting in products and solutions that make a (measurable) difference.

DNA or “Data ’N Analytics” is our team of professionals in the fields of mathematics, data science and even particle- and astrophysics(!). They process all the data from our phishing simulations, security awareness programs and culture scan into comprehensive reports that support our goals of behavioral change in information security.

Together, they’re always looking for what needs to be further explored to continue to facilitate sustainable behavioral change. It’s what drives us to work on challenging new experiences, always focusing on maximal learning efficiency. Part of that approach is offering students and researchers an opportunity to do their research project under the guidance of the team. In this article, we’ve shared the latest results of such a research project.

Do you want to know more about our research and our approach to information security, or would you like to find out what Awareways can do for you? Contact us!