Buy my latest book!

In "Build a Security Culture" I explain what security culture is, how to build and maintain security culture, and how you can use the Security Culture Framework to plan, measure, organize and create results with your security awareness programs. The book is available in electronic formats as well as in print.

You can buy the book on Amazon, or directly from IT-Governance.

Call for Presentations!

The Call for Presentations at the Security Culture Conference 2016 is open! Join your peers in Oslo, Norway to share your experiences, to learn, and to engage in discussions and panels on how to build and maintain security culture. The conference runs two days with two tracks, with networking opportunities, an exhibition area, Norwegian culture, a great program and much more! I am thrilled to be part of this great event again for 2016!

The talks we are looking for are 25+5 minutes, and should focus on topics relevant to security culture and the application of the Security Culture Framework. Questions our participants are looking for answers to include:

  • How do I measure security culture?
  • How do I get the support from the top?
  • How do I change behaviors?
  • How can I facilitate a security culture program?
  • How do I adjust my content to the needs of the audience?
  • What kind of content should I use?
  • What are good goals for a security culture program?
  • What does a good security culture campaign look like?
  • And much, much more!

Put in your presentation today, and let us meet in Oslo in June – the most beautiful time of the year over here! And if you know anyone who should be on that stage, please tell them to put in a talk too!

What do you get as a speaker? The list is long, here are some of the perks:

  • Free, full access to the conference including the social event
  • Exclusive access to the Speakers Dinner on Monday evening
  • Hotel Monday-Wednesday in Oslo (at the conference hotel)
  • Travel on economy
  • Much more!

So what are you waiting for? Put in that proposal today!

Oh, and if you have any questions, please shoot them over to me; I am here to help!

Security culture – one rule to rule them all

Culture is an interesting thing. We all live in it, we embrace it and we are totally dependent on it. It is also very easy to dismiss – it is only when we see other groups of people, and realize they are not doing things like we do, that we start grasping that there may be more to life than «How it's done here».

Funnily enough, as soon as we discover this new group, and realize their differences, we are very quick to form opinions about «them» and how «they» are doing something strange, or even wrong. «We» and «our» way are considered the only right and righteous path to success, glamour and, well, security.

Security culture is no different, being a sub-culture, and easily dismissed as not relevant or even as a wrong path by some. Personally, I find it most intriguing when people who are not from a humanistic / social scientific background (say they have an infosec background) come up to me and make the claim «security culture will never work».

Or, as happened this morning on Twitter, when Chris Hoff said:

I don’t subscribe to a “security culture”

Chris, how on earth can you not subscribe to a security culture? This felt like a kick in the belly, and my gut response was to write a long, angry post aimed to convince Chris that he needed to change his opinion. I mean, how can one not subscribe to security culture? It must be an ill-informed and badly judged decision for sure, right? Surely, Chris must be jumping to conclusions, me and Wolfgang being outstanding people and all?

STOP! Just Stop it!

Now I am the one jumping to conclusions – I read one tweet, and decide that a man I deeply respect and look up to (and occasionally disagree with), is wrong? Am I being tricked by my brain? Of course I am – this is the Dunning-Kruger effect playing me!

This is an interesting phenomenon with humans – we make claims we have no support for, and we do so with a conviction that what we claim is true, and the only truth there is. The Dunning-Kruger effect above is only one of the many studies psychology has undertaken to better understand our human biases.

Another of my favorite biases is the confirmation bias: as soon as we have made up our mind about a subject, our mind (and this happens automagically, mind you!) just stops looking for proof of us being wrong, instead it filters away any information that may have a negative impact on our decision, and leaves us only with information that confirms our idea.

These biases (and there are many more!) were probably not so bad from a hunter-gatherer society perspective.

In a scientific society where knowledge is being hunted and gathered, knowing when you are right or wrong – or when you just don't have enough facts about your topic – becomes critical. I like to believe I live in a scientific society, where real knowledge matters, and where each and every one of us is responsible (as well as accountable) for the knowledge we hunt, gather and spread around to others. By digging deeper into Twitter, I soon discover that Chris is at some conference, where someone is talking about infosec culture.

I have seen those bars, and I agree that this is not a culture I embrace. More importantly, it is not the security culture I preach. I'm starting to wonder: what prompted these tweets?

What is going on?

Psychology is what is going on. Our minds and our culture are playing tricks on us.

My background, training and thought processes are trained and formed to solve ICT challenges. Over quite a few years, I have had the fortune to work with people, and while doing so I learned (sometimes the hard way) that people are not like technology – people form their own ideas and make up their own minds. I came to realize that if I were to be successful with securing systems and organizations, I needed to really understand people. I set out to find the answer to questions like:

  • what drives them
  • what forms their behaviors
  • what is culture
  • how do people change

and I went back to university to read up on social sciences. And like Chris, I try to be sharp and critical:

Very few infosec people I know of do this. Instead, they make claims about people, behaviors and culture, yet they may have very little understanding of real people, and how real people function – alone and in groups.

In this particular slide (which is what prompted Chris' question above), security culture is being touted as 2FA and email encryption. I will agree that technology should be used to inform and form security culture, and as such these examples may be used as controls. However, this is not culture. Nor security culture. This is technology.

DISCLAIMER: I did not see the presentation, nor any other slides, so again I am drawing conclusions out of context! I am sure Stefan Andrew's other slides did dig deeper into this.

Others also engaged in the topic:

Do we need rules?

Rules – everybody hates them! Especially when it comes to security, right?

The subfield of social psychology has spent the better part of seven decades trying to understand how individuals function in a social setting. (In)famous experiments like the Stanford Prison Experiment, the Milgram experiments and the experiments of Dr. Solomon Asch are just a few that show us how powerful an influence other people have on us as individuals when we form opinions and change behaviors.

We are social creatures, who first and foremost adjust and adapt to our surroundings. We change as needed, to make sure we survive. To do that, we pick up the rules – written or unwritten – of the group we want to conform with. We pick up these rules automagically, on autopilot, most of the time not even realizing that we are doing so, or how we are changing our own behaviors to meet the perceived requirements of said group. Together, these experiments help form an understanding of what culture is, and how it is being influenced. It quickly becomes evident that rules are important:

  • Culture applies rules of acceptable behavior – what is allowed and what is forbidden for members of this group. As societies evolve and grow, rules change. Some rules turn into formal rules (laws, policies, regulations), while most rules are informal (group habits, dress codes, language, greetings etc).
  • Innovation informs rules – new innovations enable people to do new things, or to be more efficient (guns mean a better chance of hunting and more efficient war), while often also introducing new risks that need to be regulated (guns are used for murder of civilians, robbery etc). I cannot think of any technological innovation that comes without a possible need for rules.
  • Ignorance is bliss – if you do not know the rules, they are easily broken. Sometimes that means you get away with it, other times you don't. The perceived severity of your crime dictates the group's response.

This is not an argument to substitute culture with rules. Culture is more than just rules; however, understanding the role of rules in culture will help us align our culture-building efforts to be more efficient.

Culture is not an option – it is always mandatory.

The interesting thing is how the mandatory part of most culture is hidden from us: most of the time, culture does not feel mandatory. Only when you try to move outside of the group's rules do they become evident to you. Culture is the building block of human societies.

Humans cannot survive alone, which in turn means we form groups and societies. For groups and societies to function, they need rules to regulate what is acceptable (or not) behavior. For you, as a person, this boils down to accepting the rules and being a member of a group, or dismissing the rules at your own peril.

Security culture is, just like safety culture and organizational culture, a sub-culture of (duh) culture. It is the part of culture that promises you a safe and secure place in your group – your group will help secure and protect you, as long as you do the same for the group by accepting the rules.

Do you get it yet?

The real challenge Hoff and others are pointing to is the same thing I try to fix with the Security Culture Framework. And surely, digging a bit deeper into the tweets, Chris gets it:

Culture is truly impactful. As such, it should be treated with care and understanding. Just because you are into infosec does not automatically make you an expert on building and maintaining security culture. As I have said in my books, talks, trainings and the Security Culture Framework – you need help to understand culture. You should not do it alone, instead you should bring on those who know.

Culture is not new; it has been with humans since the start. Let us apply the techniques, methods and structures shown to work over millennia.

To build and maintain security culture, we can learn from social sciences, and from other areas where culture has been successfully managed, like safety culture and to some extent organizational culture. Security culture is, however, not a silver bullet. It is one of the controls to apply – just like that firewall, IAM or crypto. Leave it out at your own peril!

Congratulations to all the new CSCPs out there!

Another Security Culture Summer Camp has ended, and with it five weeks of learning how to build and maintain security culture. During the summer camp, students – security professionals – from around the world have learned how to use the Security Culture Framework to build and maintain security culture in their organizations. It is with great pride I can congratulate another batch of Certified Security Culture Practitioners (CSCP) – more fantastic people to help organizations enhance their security by applying the principles of the Security Culture Framework.

Congratulations, all CSCPs!

Who are these CSCPs, anyway?

People and organizations around the world recognize the importance of good security culture to reduce the risk and impact of security incidents due to the human factor. There are two typical types of participants who join and complete the Security Culture Summer Camps:

  • Internal Awareness Officers – this is a group of people who work with security culture and awareness internally in an organization. They are focused on creating a good process of ongoing security awareness, and on documenting the security behavior change internally. Their actual titles vary, as does their location in the organization – from security professionals and compliance officers to HR and training. Organizations who consider security culture a critical area sign up several participants to ensure the best results.
  • Consultants – this group typically serves a number of clients, and helps build and maintain security culture on behalf of their clients. Some consultants manage the whole process including executing the security culture program, others facilitate the process. No matter how the consultant and the client choose to work together, both parties recognize the value of the Security Culture Framework in building and maintaining good culture.

The Certified Security Culture Practitioner (CSCP) certification provides value to both organizations and consultants by documenting the knowledge of the practitioner, giving access to a global network of other CSCPs, and making a clear statement that security culture is taken seriously.

Does your organization consider getting serious about security culture? Hire a CSCP!

Or become a Certified Security Culture Practitioner yourself – sign up for the 2016 Summer Camp today:


Full Day Workshop on the Security Culture Framework


It is with great pleasure I invite you, my readers, to this special opportunity to join a full-day workshop on the Security Culture Framework. Why is this such a big thing? Simple: previously, we have only done half-day workshops on parts of the framework, or virtual workshops like the Security Culture Summer Camp. Now you get to spend one full day with me to learn all about the Security Culture Framework, and how to use it!

The workshop is being organized by ISACA Slovenia, and takes place in beautiful Ljubljana, fully worth a visit on its own, if you ask me. The date is September 24th, as part of the ISACA Slovenia conference (which you also should consider, a lot of the program is in English), and it looks great too! Oh, and did I mention the conference is to be held at the Zrece Spa! I will be there, and I will indulge myself to the fullest!

ISACA is charging a very reasonable 347.70 Euros including taxes for the workshop (must be paid in advance!). Participation in the workshop entitles you to 8 CPE hours too!

The program of the day looks like this:

  • 9.00–10.30 Key concepts of security culture
  • 10.30–11.00 Coffee break
  • 11.00–11.45 Metrics
  • 11.45–13.00 Organisation and topics
  • 13.00–14.00 Lunch
  • 14.00–14.30 Plan
  • 14.30–15.00 Conclusions

Which means you should be able to catch the evening flights out of Ljubljana, or join me for a beer in the afternoon. I would certainly prefer the latter!

You can sign up here. More information at the ISACA Slovenia website. And should you be reading this too late (after September 20th 2015), you can always download the PDF here: 23konf-rkis_1506_invitation-workshop


CSA ASEAN Summit and Thai TV

In June 2015, I visited Thailand, and beautiful Bangkok. My visit was business first, as I was invited to lecture on the psychology of security at Mahidol University, and to be on a panel on cloud security standards at the CSA ASEAN Summit 2015.

I did enjoy a couple of days as a tourist too, I got to see the beautiful Emerald Buddha Temple, where we met with the best tourist guide I have ever met (possibly with an exception of myself, for those of you in the know!). Our guide was knowledgeable (as far as I can tell), and she treated us as kings who deserved only the best. She also had an immense respect for the holy place, and made sure the other tourists and guides were told straight when they failed to honor the temple properly. It was a great experience indeed!



I also got to visit the Chatuchak (Latin spelling is…diverse) Market, the (in)famous weekend market with an unbelievable number of sales booths. This was a great experience for me, and a place I would love to visit again.

There was shopping too, this time Thai silk:


And do not forget the elephants!



More serious business was done in the evenings over beers and street food. There can be no doubt that if you want a fantastic meal in Bangkok, go eat on the streets. Bring friends along, and have fun! I got to sit down with some great people, including Kitisak Jirawannakool and his friends in the local security community. Food, beers, good people sharing experience – what more can you want?


I did some work too. I gave a lecture on Hacking Your Mind, how our mind is tricking us into doing poor security, at Mahidol University. They treated me very nicely, and gave me a tour of their campus – a very nice one indeed!


The main reason for my trip to Bangkok was the CSA ASEAN Summit 2015. I was invited as the CSA Norway chapter President, and did two panels:

  • one on cloud security research, where I discussed the gap between the focus of academic research and the focus of the commercial industry, and how these two different focuses work to increase the distance between academia and industry, instead of closing it. We had a good discussion.
  • the second panel was on cloud security standards, where I voiced my concern that bad implementations of standards are bad for all, and that standards tend to create a common security approach, leaving many organizations open to attack because of their failure to implement the standard according to their own needs.

The last panel was recorded on Thai TV, and can be seen below.

All in all, I enjoyed Thailand and Bangkok very much. A sucker for travel and exploring new cultures, I would love to spend more time in the region. So get those invites flowing!

Brighttalk summit: Incident Response and Insider Threats EMEA

Security culture is gaining popularity around the world, and I continue to talk and train on the topic. This time at the virtual summit Brighttalk Summit Incident Response and Insider Threats EMEA 2015.

A virtual summit means I do not have to travel, and nor do you! Another bonus as far as I understand is that you can watch the recording at your own convenience, should you miss the live event. In addition to myself talking about how to use the Security Culture Framework to get results from your awareness activities, you will also be able to join Shan Lee from Just Eat, explaining how he is building security culture.

Here is my talk, available for you:

You should sign up right away so you don't forget!

The Conference of Culture

Security culture is spreading its wings across the globe, and it is time to dedicate a conference to the topic. The Security Culture Conference invites speakers from the US, the UK and the Nordics to share their experience of building and maintaining security culture with attendees who want to know how to succeed with their security awareness activities to change the culture and behaviors.

With a fantastic speaker line-up, the Security Culture Conference takes place in Oslo in June 2015. A full day of talks and hands-on workshops, the conference is dedicated to sharing knowledge between all the participants. Speakers include:

  • J. Wolfgang Göerlich, who will share his experience of using the Security Culture Framework to build security culture into a team of developers.
  • Mo Amin, who will share how to burst the bubble and make security culture stick.
  • Waldo Rocha-Flores, who will share his secrets of measuring security culture.
  • Shan Lee, who will share how he is building security culture across borders.
  • Roar Thon, who will share his passion for security culture, and why it matters.
  • Myself, I will be sharing the basic principles of the Security Culture Framework, current status, and news!

In addition to talks, a series of hands-on workshops are planned too. These run just after lunch, and will teach the participants relevant techniques and skills in one of three domains: Planning a security culture program, Involving the organization, or Measuring culture. Each of the workshops is 2 hours, and you get to choose one.

At the end of the day, a closing panel consisting of some of the speakers will be sharing their most important learning points from the day.

I am stoked to be part of the global movement that is the Security Culture Framework. It is fantastic to be working with some of the smartest people in the industry on a project that already is making huge impacts on the organizations applying it. I hope I will see you at the conference, and welcome your thoughts, ideas and discussions!

What are you waiting for? Sign up already!

This event is sponsored by The Roer Group AS and Cyberon Security AS. Thank you for your support!

Speaking at the Honeynet Project


This year, possibly for the first time, the Honeynet Project visits Norway with its full-week workshop! I am very excited to be invited to speak there, with amazing people like Lance Spitzner, Anton Chuvakin, Raffael Marty and Francesca Bosco to name just a few of the great speakers.

I will be doing the Hacking Your Mind talk on the CxO track, a talk where I explore three of the mental biases that make humans vulnerable to exploitation, phishing and scams. As luck has it, I also propose a few strategies to become better at handling such events.

In addition to giving a talk, I will be doing a half-day workshop on building security culture, using the Security Culture Framework, the free and open platform to build and maintain security culture. I hope there will be a huge turnout to this interactive workshop where you may have your habits and ideas challenged!

Sign up for the Honeynet Project Workshop today, and get to experience beautiful Western Norway in spring – an experience worth it alone!

Oh, if you bring a copy of my latest book, I will sign it for you too!

Build a Security Culture – Now in a store near you!

My latest book, Build a Security Culture, is now available in a store near you – well, at least if you have access to the Internet, and reading this, I guess you have! The book is about building and maintaining security culture in organizations, and uses the Security Culture Framework as a backdrop.

Here are a couple of pictures from the book – the first ever taken, as far as I know! Thanks for the pics, Thom!


You can order the book at Amazon. I, obviously, think you should! It is also available in other stores, I am sure! You could also ask your local bookshop to put it on display – I would love that of course! Even better, take a picture of it, and post it on social media tagging me or #securityculture!

I also love to hear from you:

  • how do you use the book to build security culture?
  • what kind of goals do you use to measure your security culture progress?
  • who do you involve in your culture programmes?
  • what kind of activities do you find give you the best results?

Share your thoughts below in the comments!

The Top Ten tips on Avoiding Security for Managers

There are many ways to increase security in your company, if that is your thing. Most managers will, however, find these ten tips on how to avoid security much more useful. First published on this blog in 2007, I hereby repost my tips on how managers can avoid security. These tips are, in my humble opinion, still relevant today, and by following them, you will ensure that your company is ready when disaster strikes – ready to roll over and die!

Not ready to roll over and die, you say? Well then, use the tips as a way to discover how not to protect yourself and your company. If you already do one or more of these things, it is about time to reconsider your approach to security.

Here comes the original piece, with some edits for readability. Typos and grammar are, well, probably still carrying my strong accent!

The Top Ten tips on Avoiding Security for Managers

I have noticed that all too many business managers and executives are digging into security. They have this strange idea that securing information and systems is important to their business.

If you are such a manager, or if you have one of those in your team – here are ten top reasons why you really should reconsider. If you have one in your team, give him this list and he should be getting the idea.

10: Make security a non-management issue

Make sure that you avoid taking security up to your level. If security is relevant at all in your company, make sure you keep it way under your radar. The best thing is to give it to the IT department, so they can buy their firewalls and other stuff you do not want to hear about. After all, you do not want to bother your management team with issues of what parts of your business development, research and logistics are critical to your business, nor do you want them to worry about how to keep your competitors away from your market space.

So to make sure your management team keeps its focus on its particular tasks, make sure you never, ever bring security to the management table.

9: Avoid internal security policies

Policies are broad descriptions of how to relate the daily operations to security. Policies enable the management to describe actions and behaviors that are considered correct. Of course you do not want to bother your management team with thinking about such issues, and heaven forbid that you should tell your employees what to do and how to behave. To make sure you avoid controlling the behaviors of your organization, avoid security policies.

8: Never value your information

By making information a value to your organization, you automatically identify it as a potential security risk. If your CFO starts believing he is actually working with information someone cares about and values, he just might start selling it off to the highest bidder. And if your business development team realizes there is a value in the future merger they are working on, they may have to start screening their members, and use security measures to keep the other employees away from the information. It might be expensive, so unless you want to invest in training and technology, you really must stay away from thinking information has a value in itself.

7: Never grade the information

Grading information is the same as valuing information – it just takes it one step further. A simple grading scale may have only three steps – public, internal and management only. You really need to stay off this course – not only due to the level of bureaucracy it adds to your already heavily burdened organization – but because grading information really tips your employees and partners off that you think your information has value. They may actually start looking for graded information to sell off at the lunch diner or to the highest bidder. Which means you need some kind of security measures to ensure that only those eyes who are intended to see the files have access to them.

So in order to avoid large spending, training and sneaking employees, you should never walk the path of grading information.

6: Do not care about risk assessments

Risk assessments are the art of guessing the chance that a certain risk may occur. As a manager, you are already aware of the fact that it NEVER happens to you, nor your company. It may happen to your neighbour. To your competitor. And to the very best in your area. But it will NEVER happen to you. So there is no need whatsoever to spend money, time and effort in trying to guess how many laptops you will lose during the next 12 months, nor to figure out what a virus attack may cost your organization if it locks down your whole production facility. It will never happen, so save the cash and spend it on a dinner for your major client instead.

5: Knowledge is overrated

Training your staff and employees about how to avoid viruses, trojans and sexy young people asking funny questions is a total waste of time and money. After all, when they are at the training, they are not able to do their work. When they get back to work, they start seeing threats all over. You may start getting questions about why the Printer Repair guy is walking about in your offices and asking questions not at all related to printing. And your IT manager may complain that no one calls him to reset the passwords or to clean out spyware from the computers anymore. And certainly, you would not want the IT manager spending time on detection, prevention and tuning your systems, now, would you? So make sure your employees are left in the dark. It is the cheapest thing to do.

4: No need for continuity planning

If someone in your organization starts talking about continuity and disaster preparations and planning for the worst, make sure you show them point 5 above. As I have established, all the bad things happen to the others – never to you. NEVER. So planning for disaster is a huge waste of time and money, something best left to your competitors. After all, their factory may catch on fire, and they need to be able to keep up the production to make a profit. Nothing you need to care about at all, as it will never happen to you.

So when you hear the buzz about planning for disaster, make sure you can stuff your ears with cotton, and just hum a tune you like.

3: Avoid security experts

When the security experts enter the building, the first thing they do is to figure out how to scare you into paying their huge and overrated invoices. Their knowledge and expertise is highly overrated; after all, most are just techno geeks or former intelligence people with no understanding of running a business whatsoever. All they care about is to invade your company with methods, rules, policies and tools. They even offer to train your staff. If you ever come across a security expert, make sure you never let him or her enter your premises. Most of these people are hackers and social engineering specialists – who knows who they are really working for – and what they will take with them when they leave. Not that it matters to you – if you followed points three and four above!

2: Compliance is a waste of money

Compliance is the art of following the rules and regulations stated in laws like SOX, HIPAA, Basel II, PCI and in standards like ISO. They claim they are there to protect against misuse of information, or to ensure the quality of the information. As we already agree, information has no value at all, so there is no need to care about compliance.

What's more, who really cares about what shareholders, local governments and customers may think of you if something should happen? (Not that something ever will happen to you.) It is a fact that a few customers are requiring compliance by all their partners. That is just a short-term misunderstanding, made by only a very few, unimportant producers like Mercedes Benz, Volvo, HP and a couple of others. Not at all relevant to you, and a total waste of time and cash. Make the right decision – stay off the compliance case!

1: Simple is bad – make things complicated!

Some claim simplicity is key. One password, simple rules, easy-to-use systems. What on earth makes people say that? The harder it is for your regular users to get access to a system, the harder it must be for everyone else. And Post-It notes are a great tool to jot down the tens of passwords. And what would your users do with all the extra time if they only had to remember to bring with them one simple password? Surely it would be spent surfing for porn or sending emails to their family.

Another important thing is to confuse people. Just change policies every week. You may also enjoy changing them daily or even by the hour. Make routines so complicated they are impossible to follow.

Kiss goodbye to good old KISS – Keep It Simple, Stupid – and confuse everyone with complicated rules and procedures. Have you considered handing out three different access cards to the building to your employees? One for the parking lot, one for the main entrance, and one for the elevator. It works every time!

I first published this back in 2007, and because it is equally relevant today, I wanted to share it with my readers again in 2015. I hope you enjoyed!

What are your best tips to help managers avoid security in your company? Share them in the comments!