The key to keeping our information secure is our people, so how do we create a risk management culture?

Training and awareness

It is important that a company ensures that all personnel who are assigned information security responsibilities are competent to perform the required information security tasks.  The company therefore should provide the necessary training and awareness to those staff who are involved in: 

  • Establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system (ISMS)
  • Carrying out risk assessments
  • The incident response team
  • IT security
  • Physical security
  • Carrying out security audits and reviews.

In addition, a company needs to provide general training and awareness to all staff regarding:

  • The risks that the company faces with respect to their day-to-day tasks
  • Use of the company’s information security policies and procedures
  • Complying with legal and regulatory requirements and contractual security obligations relevant to information security management.

Risk Management Culture

An important aspect of risk control is to engender a risk management culture within the company to ensure that management and employee thinking, attitudes, behaviour, processes and practices towards risk at all levels of the company become an integral daily part of the way the company operates. 

Developing a risk management culture is a critical part of the risk management process.  It is also one of the most difficult aspects to achieve, as building cultural awareness with the necessary management and employee competence, knowledge and capability takes time.  In addition, business attitudes change, and the company must deal with a changing mind-set and behaviour within its workforce.

The company should define what a risk management culture should look like for itself, and consider what the different stakeholder groups need from risk management.

Risk management culture should be established as a collective effort of stakeholders across the company.  A risk management culture will of course depend on the nature, scale and complexity of the company; however, it should exhibit the following features: 

  • Clear evidence of support from the top management of the company
  • Clear understanding of the role of risk and the benefits of risk management throughout the company
  • Staff across the company are aware of risk management and of their own roles and responsibilities, and have sufficient risk management skills, knowledge and competence for the risk element of any role they are required to perform on a daily basis
  • Risk management is an automatic aspect of working practices - staff should consider risk without being prompted
  • Open and honest discussion around risk
  • Risk information is shared across the company and lessons learned from actual
  • Risk management is part of company performance. 

Awareness Programme

An awareness programme should begin with the support of senior management.  Ideally the CEO should launch the programme by, for example, sending an e-mail message that briefly summarises the risks and threats and states that security is the responsibility of everyone in the company.  It is also a good idea to incorporate relevant information security content into other training programmes, for example staff induction and training on how to do a particular job role. 

Distribute security awareness tips by e-mail on a regular basis.  Tips should advise of best practices and reinforce policy. 

Here are a few topics to start off with: 

  • Viruses and other malicious software
  • Passwords
  • Workstation, PC and laptop security
  • Business continuity
  • Destruction of sensitive material
  • Taking photographs
  • Use of mobile devices
  • Social engineering and not being afraid to say no
  • Operational security
  • Back up your data
  • Security incidents.

Additional awareness methods include security luncheons and seminars, a security web site and awareness posters.  The awareness web site should name a security representative who can assist with the awareness programme and address security incidents. 

Having an information security day is another effective way to bring security to the forefront of everyone's mind. Security audits also raise awareness. Consider implementing office space reviews and annual self-assessment surveys.

The key is to make security a part of everyone's day without being obnoxious or repetitive.  

An awareness programme: 

  • Requires creativity and constant care and attention
  • Cannot be conducted in a vacuum
  • Must ensure that information security is not seen as a negative thing but a positive enabler for business.

Finally, management should lead by example: if management believes in information security and explains why, it is much easier to bring staff around to management’s way of thinking. 

To learn more about how you can reduce and manage information security risks, including real-life examples of threats and vulnerabilities, see BSI’s publication Information Security Risk Management: Handbook for ISO/IEC 27001.

What Professional Security Magazine say about the Information Security Risk Management Handbook:

“How to manage the risks of insider trading, and disgruntled staff hacking into computer systems and stealing? This well laid out book takes you through the risk assessment, and controls (‘a measure that is modifying risk’), and not forgetting monitoring and reviews (all documented)…” 