Feedback loops to feed your security culture program

Feedback loops are valuable tools for learning from something you do and applying that learning to your later activities. In the Security Culture Framework, feedback loops are used to learn from each security culture campaign that is implemented, and the input from the feedback is then used to enhance the activities in the program.


The Goal

Learning from your actions is a great way to build competence. According to scientists, we are all learners, all of the time. It makes sense then to put this learning to work by applying it to our next actions. In the Security Culture Framework, feedback loops are used to gather metrics and results from your activities, and then to use that feedback to understand what to change, what to do again, and what not to repeat.

The same feedback may also be used to understand how different user groups are, well, different. Some people learn best from reading, others by taking active part. Some learn after seeing something once, others need repetition and deeper motivation. Gathering and using data from your security culture campaigns will help you understand where to put your focus, and who may need more work than others.

In psychology, feedback loops explain how we learn from our actions: we do something, observe the outcome, adjust our course and then apply the learning to our next action. According to psychology, our brains use feedback loops automatically. Why should we not employ similar methods when working with security and security culture? In fact, we already do. Think of the ISO/IEC standards (and many other bodies of standards too) using the Plan-Do-Check-Act (PDCA) cycle. The PDCA cycle is a clean copy of the feedback loop employed by our minds. This is great news: it means most of us already know how to use feedback loops effectively in a workplace!

Using the Security Culture Framework, you organize the work with security culture and awareness in such a way that feedback is gathered as part of the process. The framework is free and open, so you can download templates and start building culture today.

New Look of The Security Culture Framework

The Security Culture Framework has evolved over the past years, from a loosely knit set of ideas into a process and methodology. With the framework's development, the website and community have changed too.


The current iteration of the Security Culture Framework website offers all content free and open. What used to be hidden away behind registration links is now freely available to anyone, without registration. One may ask why we chose such an approach, and the short answer is that we strongly believe in creating a platform that is applied and used by people and organizations around the world, with no strings attached.

The longer answer involves our business strategy, how we as a company make our money. We make money from the training, coaching and consulting services we provide to organizations worldwide. We support our implementation partners through training and certification services. And we provide clients with support and access to specialist competence when they need it. Our money-making services are closely tied to the Security Culture Framework, as the framework allows us to provide high-quality content, processes and methodology to organizations that otherwise would not be able to afford our services. Now, they can use the framework while opting to buy the services they need and see fit – directly from us, or from our certified partners.

The Security Culture Framework also allows you to register your own account so you can join the public discussion on how to build and maintain security culture, learn from others, and get community support. Even more importantly, you can share your own results and get comments and ideas on how to improve.

Controlling your culture is a process where you must be in charge: setting clear goals, defining your metrics, involving the right people and so forth. You have two choices: leave the culture to control itself, or take charge to create and maintain the kind of culture you want in your organization. The Security Culture Framework is to be used when you want to take charge.

What is your experience with culture? How has culture impacted your job, your organization or your career? Please use the comments to share your experience!

Security Career Advice: Handling Executives who ignore you

Security Career Advice

Advice is important, both to receive and to give. As my regular readers know, I occasionally answer questions about the industry and education, and offer security career advice on what one should (not) do.

Brian reached out and wanted to know how to deal with executives. His question brings us to a vital area of security, and of your career: how you communicate, and how you interpret other people's communication, is key to your success.

This is the question of today:

"Hi Kai, what advice would you give to someone who found vulnerabilities, brought them to the executive level and then had the executives 'play' them down to avoid being embarrassed? I believe that InfoSec has no room for egos. Cheers and thanks again! Brian"

This is an interesting question, particularly to me, since I am not exactly known for discovering and sharing vulnerabilities. I am not that technical anymore. However, what I can say revolves around how you can handle different people, and how you may interpret their reactions to you.

Which is exactly what I did in my response to Brian:

Hi Brian!

One of many challenges we see with people (execs are people, believe it or not…) is their mental patterns, ideas and customs getting in the way of rational decision-making. Most people (at those levels at least) have their own agendas – either personal, professional or both – and the mental patterns can make it hard for them to see things from different perspectives.

The same is true for security pros – we tend to focus on our perspective only, and deem everyone who “doesn't get it” to be a stupid user, wrong or just plain ignorant of the problem.

In the words of Dr. Stephen Covey, the author of 7 Habits, we all should do our best to “Seek to understand before we try to get understood”. What I am saying is that the exec may have reasons for their behavior that they failed to communicate to you, making it hard to understand why they chose to do what they did.

Although I am a fan of full disclosure, I do not believe in total disclosure: I do believe there are situations where we should not share everything with everyone. In the case of vulnerabilities, on a general note, I believe we should try to fix the hole before we tell everyone. And when the hole is fixed and patched, there may no longer be any real reason to talk about the vulnerability?

In cases where a company chooses not to fix, not to patch, and not to disclose anything, there may be a case for going public with the vulnerability. However, I strongly believe in being more responsible than we demand of others, so I would be very careful in how I choose to go public.

Questions like:
– what will be the outcome if I do this?
– what is the outcome I want to achieve?
– what other actions can I take to achieve similar results?
– who will get into trouble if I do this? Who else?
may help you decide the appropriate action.

So, short answer: try to understand their (the execs') motivation, and why it differs from yours.

How does my answer help you? How can you use this? What other tips would you give Brian?

Do you have a career-related question? Let me know!

Travel Report from Ljubljana

It's July 2014 as I write this travel report from Ljubljana. I spent one week in this amazing city in Slovenia, a small country in the south of Europe. A truly fantastic place, well worth your time.

The Ljubljana Grad / castle of Ljubljana

The Ljubljana Grad, Castle of Ljubljana, viewed from downtown.

The official reason I traveled to this location, new to me, was an invitation to lecture about security culture and the Security Culture Framework at the University of Ljubljana. I also had the great pleasure to speak at the CSA CEE Conference, where I explained some of the psychology of security.

As you, my regular readers, know, I love sharing my passion for security culture, behavior and communication.

The lectures took place at the faculty of computer science, and the students there were not at all prepared to spend six hours with me without using their computers! I don't know what they expected, except that it was not what they got!

Although I could go on rambling about myself and my lectures, I am not going to. Instead, I will share some of the highlights from this nice place. This is after all, a travel report from Ljubljana!

Party Crashing

One of the great things in life is attending nice parties. Meeting smart people, discussing life, love and existentialism. Or just drinking wine, beer, booze.

I am no stranger to such ideas, and as I wandered aimlessly like a tourist, I heard sweet voices from many people. Like a moth drawn towards a lantern in the dark, my legs steered me towards the building, part of the Ljubljana Grad, the local castle. I was expecting to meet some obstacles on the way, like locked doors, questioning guards or other controls aimed at keeping party crashers like myself out.

Not this time.

Wine and food for thought at the Ljubljana Grad

A nice place, fantastic people and great food – the Ljubljana Grad has it all!

I must have looked like a perfect fit for this party, dressed as I was in blue jeans and a half-buttoned shirt. I just smiled, nodded, and walked straight in, into a room with beautiful people of all ages, from all around Europe, as I discovered while I strolled the room with a glass of wine and some finger food.

Smart people for great conversations

Some of the students I met at the Ljubljana Grad. Great minds from all over Europe indeed!

Very nice place, great people, and fine conversations, pretty much sums up my experience.

World Cup

I also got to experience the World Cup match between Belgium and the USA. I don't usually watch soccer; my excuse this time was beer, and another party to be crashed.

Belgian Soccer Supporters in Ljubljana

I had the pleasure of joining these fine folks watching the Belgium vs. USA world cup soccer match.

Again, nice people, good drinks, a good game and not so great conversations – unless you are into soccer, possibly. The students I enjoyed the game with were fantastic sports, though, even going all #holakai on me.

A Finnish fan, secretly cheering USA

Pekka, a Finnish linguist, secretly cheered for the USA during the match. We were both in disguise, wearing Belgian colors!

Fuzzy Goals

While there, I also took the time to record a short city walk, where I explain how fuzzy goals sometimes can be useful to help you discover what is going on in your organization, your security program, or in your systems.

Fuzzy goals are, as opposed to SMART goals, goals that are not very clearly defined. You may create a hypothesis to test, or define your goal widely so that you get a general direction towards which you can direct your actions. The purpose is to help you discover new, possibly surprising, things.

A challenge with fuzzy goals: they can easily become lazy goals, replacing SMART goals and thus losing their purpose. Instead of helping you discover things, they get in the way of creating real results.

Thanks to Ljubljana

There are a number of people to thank for this great experience; here are but a very few:

Mojca, at the University; Damir, President of CSA Slovenia; Lowk3y (who prefers to stay out of sight of my camera); Pen, the restaurant that served fantastic horse steak; the Ljubljana Grad, which offered me fireworks, parties and great music; Kristina, who accepted my lunch-date invitation; the City of Ljubljana, which showed me the best of the best. And many more!

And finally – a great thanks to the Computer Scientist doubling as a Harp musician, who played me the late-night serenade at the CSA Speakers dinner! That was brilliant!

A harp

A harp, possibly with a different name…

Security Culture Hangout – Metrics

Today is Security Culture Hangout day, the last Wednesday of the month! This month, we take a look at security culture metrics – how to measure your security culture program. As usual, we use the Security Culture Framework as our foundation, and the Metrics module of the framework is described here.

You can watch the hangout here:

Today, we have our first guest: Geordie Stewart of Risk Intelligence. Geordie is well versed in security awareness, a popular speaker on the topic, and he will share some of his experience with measuring awareness and culture.

I first met Geordie at the RSA Conference Europe in 2012, where we were both on a panel discussing security awareness and its applicability.

If you have any questions you would like to ask Geordie or myself, head on over to the event page and post your question there!

If by any chance you missed the hangout live, you can always watch it on YouTube.

This is the second Security Culture Hangout on Air we produce. You can watch the first one here.

Please share your comments, ideas and propose guests for the show below!

How to become an infosec Rock Star

Today is the Cloud Security Alliance (CSA) Norway Summer Conference in Oslo. I have been fortunate enough to be asked to explain how to become an infosec rock star, and below are my slides and notes, all for you to enjoy.

Remember that if any one of these can achieve Rock Star status, you can too! Take these tips, and go ahead!

This is the full deck, available at Slideshare:

Slide 1


One year ago, I went to Colombia to deliver a keynote on security culture and human behavior at a conference. As usual, I updated my Twitter stream with what happened during my stay, and this photo was posted. A napkin, given to me by one of the ladies present.

A tweet that had a colleague ask me: “Kai, how does one become an infosec rockstar?”

My name is Kai Roer, and I am here to tell you what makes a rockstar – in the infosec industry! 

Slide 2: It's only Rock and Roll, Baby!

Its Only Rock and Roll Baby

Therefore, let us take a look at what makes a rockstar! 

First, it is about having fun! It's all Rock and Roll, Baby! And fun can be defined in many different ways – just consider the amazing variety of rock music available – from Elvis, the Stones and the Beatles, to Deep Purple and Twisted Sister, to Nirvana, Pearl Jam, and many more.

Just like there are many bands with a wide variety of flavours, there are a large number of stars in the infosec community. And just as with rock and roll, there are some common factors to consider if you want to be an infosec rock star too: 

  • You need to be up for Sex and Drugs and Rock and Roll
  • Be newsworthy
  • Be different
  • Be daring!
  • Build a following
  • and get yourself groupies!

You should be newsworthy, be different, be daring even. Do these things, and you will build a following and fans, and you may even get yourself some groupies!

Let's take some time to look at each of these requirements!

Slide 3: Sex and Drugs and Rock and Las Vegas


Music: ZZ-Top: Las Vegas

Sex and Drugs and Rock and Roll was a thing of the 60s and 70s, some say. I say it still is.

ZZ Top is closer to the Rock and Roll than to the sex and drugs; just listen to the rhythm in their blues-like music.

Just like sex and drugs are important to rock and roll; so are conferences, events and their parties to the infosec community. If you want to learn something new, meet new people, and possibly even score some free booze, you get out of your office (or dungeon), and go shake some hands at an event. 

Slide 4: Las Vegas Jack


As with rock music, some events are more important than others. Again, it depends on your taste, interest and friends, yet many people will agree that the Security BSides events have become a real player – not only in Las Vegas, everywhere! 

The BSides are a bit like I picture the Woodstock festivals, driven by the community, for the community.

As one of the founders of BSides, and possibly the missing ZZ Top band member, Jack Daniel represents the Sex and Drugs and Rock and Roll. His care for the community is hard to hide behind his grumpy tweets, and his infamous RV rides, with the RV filled with infosec peeps, are just, well, exactly like a band driving from concert to concert in their band bus!

Jack is also old enough to realize that the constant buzzing about new this, new that is nothing to panic about – in his words:

“Don't panic, we've solved this before.” – Jack Daniel

Slide 5: Be new and newsworthy

Being New(sworthy)

Music: Rammstein: Sonne

In addition to having the Sex and Drugs and Rock and Roll attitude, you need to be newsworthy – that does not necessarily mean that you need to come up with something totally new; it means you must be able to present it in a new way, a way that gets people interested.

If you choose to become a cover band, that is fine too, as long as you remember to credit the originator. 

Rammstein, however, is not a cover band; this group is doing their own thing. They are strong, can be a bit rough around the edges for everyone's taste, and they combine humor, quality and care.

Their focus is narrow, yet within their area, they simply ROCK! 

Slide 6: Mr. Passwords


Just like the Norwegian Mr. Password, or Per Thorsheim as he is known over here. 

Per has a deep interest and passion for passwords, so much so that he has established not only one, but two conferences on the topic – one in Norway, and one in Las Vegas. Just like the band, Per is very focused, can be considered a bit rough (he is from Bergen, after all!), yet those who know him know him to be caring, deeply generous and extremely knowledgeable.

Although the topic of passwords is not exactly new, the way Per presents and focuses on the topic brings new and valuable knowledge to the area, which is why he exemplifies being new(sworthy).

Slide 7: Be Different


Music: Jamiroquai: Cosmic Girl

Being new is all well and fine. Another way to get attention is to be different. After all, you need to get heard through all the noise, right? 

Of course I'm right!

Just consider all the musicians around the world who want to become a Rock Star. They'll do anything, with anyone, just to get a shot at becoming a star. Most of the time, though, doing anything with anyone just isn't the right thing to do.

You need real talent, real skills, real interest and deep understanding of what you want to achieve. Jamiroquai knows that better than most. 

Slide 8: The Father of Girl Cynic


As does Javvad Malik of 451 Research, or J4vv4d of HostUnknownTV, and his other alter egos.

He started out as an infosec cynic, you know, that state many infosec peeps end up in after too many lonely years in the bunker, and upon being challenged, his English wit and humor became his savior. Just as he became the savior of the sanity of so many others in the infosec community.

Being different lifted Javvad to stardom faster than most, and by embracing the fame, he continues to share his valuable insights, ideas and humor worldwide.

And his Cosmic Girl? His award-winning daughter Girl Cynic, of course!

When it comes to Rock Star-ing – being different is good! 

Slide 9: Be Daring!

Being Daring

Music: Serj Tankian: Uneducated Democracy 

Some musicians just do their own thing. System of a Down spawned an extraordinary singer-songwriter in Serj Tankian. Playing with words, music, emotions and energy, Serj is able to rock your emotions, beliefs and mind.

Serj accepts nothing as a fixed truth: he dares to challenge the status quo, he dares to ask the difficult questions, and to point fingers right where they need to be poked.

Being daring is vital when you have an important message to bring across. 

Slide 10: Being Josh Corman


Just like Josh. 

Joshua Corman is on a life-long mission to change the world. He dares to ask the right questions, to the right people, at the right time. Because he makes it the right time, the right people and the right questions. 

Like Serj Tankian, Josh has a brilliant mind, a mind he uses to better understand what our industry is all about, so he can help fix it. Josh is all about understanding, analyzing and fixing.

Like when he dares to tell you that no one is ever going to save you:

“I am The Cavalry.” – Josh Corman

Meaning you are, and that you need to step up your game of defense.

So be brave, be daring! 

Slide 11: Create that SHOCK!


Music: Miley Cyrus: Wrecking Ball

Occasionally, someone gets more attention than others. Most of the time that happens because they have planned for it, or at least understand how media and crowds work together to feed a message into every channel, so often that it becomes the main news that week.

Miley Cyrus knows that being SHOCKING will get you attention, and the attention of media. 

Having attention, means more sales, more fans, and ultimately, more fame. Which in turn makes it easier to spread your message to more people, which builds more fame, which again makes your message stronger, and so on and on and on and on.

Slide 12: Mikko on a Ball


And fame is something this guy has. Mikko Hypponen of F-Secure has done it all (well, possibly except riding a metal ball nude, but what do I know). Like Miley, Mikko is smart, driven and has a somewhat Disney-like background, being the nice guy and all.

Mikko also knows how to use media and the crowds to drive his message across. He may be the closest thing the infosec community has to a crowd-drawing Rock Star; at least when he shows up at your event, the crowds come too.

And the key to using media? Be shocking! Or comment on the shocking news. Dance with your crowds, and make new friends while keeping your old ones close. 

Miley and Mikko both know how to rock that boat! 

Slide 13: Build followers…


Music: Metallica: Fight Fire with Fire

There are many bands and musicians that deserve a place in a presentation about infosec rock stars. IMO, none more so than Metallica. An international band (well, at least with members from Europe and the US), Metallica created a kind of music that was new and different when it came out, and that over the years has built an enormous following with fans around the globe.

Their attitude towards music and their fans, and their search for perfection, is just what it takes to be great.

Slide 14: Rik the Rocker

Rik Metallica

Like Metallica, at least by the looks of it, Rik Ferguson is a true rocker. He has built a large following too. Being easily recognizable, while having a clear message, and consulting anyone from Mom & Pop to Europol, Rik uses a number of channels to build fans and followers.

He is a frequent conference speaker, he creates video lessons (well, Trend Micro advertising), and he digs into the deep end of technology.

Like Metallica, he not only looks the part, he delivers the goods too. And that is what it takes to build a large base of followers and fans. Like a real Rock Star!

Slide 15: …and make FANs!

and fans

Music: ACDC: Let me put my love into you

For many, ACDC is the epitome of Rock and Roll (or heavy metal, if you must). Their long careers in the industry have taken them around the world, they have seen and done things most of us can't even dream of, and they still haven't learned how to dress properly.

Despite all their oddities, and their age, ACDC is one of those bands that have “always been there”, and that has made them a huge number of fans. 

Slide 16: Bruce the Rock Star


Like ACDC, Bruce Schneier has also “always been there”, and like ACDC, Bruce is a bit of an oddball. He can be difficult to talk with, he does his own thing, and he seems most comfortable when he can observe, analyze and speak his brilliant mind when he decides to.

Also like ACDC, Bruce's following is so huge that it turned into the meme this presentation is based on:

“The closest the security industry has to a Rock Star,” according to The Register.

Not only is he an Infosec Rock Star, he is also so loved that he is being mocked, and we all know that you only joke about those you love. Unless he really is Chuck Norris in disguise? 

Possibly one of the most influential people in modern day infosec, Bruce has a vast knowledge that he shares through books, consulting, speeches and his blog. And like ACDC, he keeps selling the same story again and again, and we all love it! 

Slide 17: Handshakin' Stevens

Bruce Quote

This is exactly how important Bruce is. 

Slide 18: The Up and Coming – on a Mission from God

The Future

Now that we have gone through how to become an infosec rock star, let me just say this: no matter who you consider a rock star, the single most important Rock Star in this room is you!

This community needs more openness, care and sharing. We are on a mission from God, to create a safer world. To do that, we need to enable more people to share their stories, their ideas, their craziness and their knowledge. 

If you take nothing but one thing from my presentation, take this:

The Up and Coming are the future of this industry. Let us work together to help them succeed! 

Slide 19: The groupies are mine!

Groupies are MINE

Oh, you wonder where the Groupies part of this presentation went? 

I get to keep them! Get your own groupies! 

Slide 20: Where is the party?


Thank you everyone for giving me your attention! A special thanks to @marigrini for asking the question: 

“How do you get to be in this industry, and receive handkerchiefs like that!!??” 

Now, where is that party?

Since you are still reading, I'm guessing you'd like to see this, or other presentations, at your next event? Get in touch, and let's see just what show I can put on for you!

Get on the bus! The Security Culture Summer Camp 2014 is about to start!

The Security Culture Summer Camp 2014 is about to start. We still accept participants for two more weeks (until the 27th June), so make the decision you know you always wanted to make: come and join us!

The Security Culture Summer Camp 2014

A camp, Kai, not a school!

What is the Security Culture Summer Camp, anyway?

Think of it as a seven-week program that will teach you the basics of the Security Culture Framework, help you set up your very own security culture program, and give you a fantastic chance to spend time with others discussing and learning security culture.

So far, we have participants from Sweden, France, UK and the USA. This means that not only do we get to learn about security culture, we also can play with culture in general to help us understand how culture impacts our behavior.

The Security Culture Summer Camp takes place online, using a mix of our own e-learning platform with assignments, readings and video lectures; and using Google Hangout on Air to allow for live discussions and Q/A sessions about the content, assignments and learnings. The workload is estimated at 4 to 8 hours per week, including readings and assignments.

Do you need more reasons to join us? Check the list below!

  • Yours truly is your teacher;
  • Take awareness training to the next level by creating measurable results;
  • Learn to set goals, and work towards them;
  • Create a plan, with the necessary actions, ready for implementation;
  • Learn and share experiences from other participants;
  • Understand who to involve in your programs, and why;
  • Build a list of activities that will enhance your security culture;
  • Use the Deming Cycle to create increasingly better awareness;
  • Save money: Understand your own needs before you buy content;
  • Save money: Create a program that focuses on what you need;
  • Save more money: The summer school is only 499 USD, and signing up with this code gives you a 25% rebate!

What are you waiting for? With a workload like this, you can even do it during your vacation time!

Oh, and yes, there will be certificates so you can prove your competence. You will earn the right to call yourself a Certified Security Culture Practitioner, which, by the way, is the first step toward becoming a Certified Security Culture Coach!

And for those who need CPEs – there may be light at the end of the tunnel. Contact me directly if you need them!

Come on! Sign up today, and be with us from the very start!

Happy summer camping – bring marshmallows!

The CISSP Companion Handbook (Book Review)

Javvad Malik’s The CISSP Companion Handbook

Sometimes, great things happen. It can be the spring in Norway, a cup of coffee in the morning, or a humorous new book on a boring topic. This post is about the latter.

Javvad Malik, the notoriously funny and insightful guy, wrote the “CISSP Companion Handbook”, where he set out to explain the things you need to know before you sit for your CISSP exam. This book is not meant to replace the official documentation; it is meant as a companion handbook, a resource to use to get a laugh when you need it most.

However, the CISSP Companion Handbook is not only about laughing and English humour (notice the u!). Javvad is, behind his beard and jokes, a very insightful gentleman who cannot fool anyone for long. The book is, in my opinion, a great resource for an overview of the CISSP requirements. It gives the reader a perspective on what the CISSP is all about, and ties it into real-life examples (like the email exchange explaining witchcraft, erm, encryption) using Javvad’s exceptional story-telling skills.

One of the many things I like about this book is how Javvad is able to explain the different concepts of information security using words and sentences that make sense even for people who are new to the topic, or who lack a technical background. As such, I would recommend this book as a CISSP / Infosec 101 university course book.

Why should you buy this book?

  • it gives a great overview of the CISSP
  • it helps you understand the broad scope of the CISSP
  • it is funny
  • it uses real-life examples that are easily understood
  • it is written by Javvad

Why should you not buy this book?

  • it is funny (if you think a laugh can ruin your studying)
  • it makes you wonder why the official docs of the exam are so humongous
  • you may actually like it

This book is RECOMMENDED by Kai! (And yes, that is an affiliate URL. If you prefer not to be tracked, use this direct link instead).


The Security Culture Hangouts on Air

The Security Culture Framework deserves more than just a place to discuss and learn. We wanted something more interactive, something where you can join us, discuss and share your experiences.

Enter the Security Culture Hangout on Air – a monthly event that takes place on Google Hangouts, is live streamed, and is automatically stored on our YouTube channel. What is more: tomorrow is the kick-off event, and YOU are invited!

Join us for the live event here:

Or watch the recording on YouTube here:

And for your convenience: here is the embedded video:

Hosting the show is yours truly, and Mo Amin. We will be featuring interesting guests in future shows, who will share their knowledge of security culture, awareness and training.

The future shows will cover topics like: How to measure culture, What to focus on in your security culture program, Whom to involve, How to make progress and so much more.

As always, you can join the conversation at, and you can learn more about security culture in general here!