The Conference of Culture

Security culture is spreading its wings across the globe, and it is time to dedicate a conference to the topic. The Security Culture Conference invites speakers from the US, the UK and the Nordics to share their experience of building and maintaining security culture with attendees who want to know how to succeed with their security awareness activities to change culture and behaviors.

With a fantastic speakers line-up, the Security Culture Conference takes place in Oslo in June 2015. A full day of talks and hands-on workshops, the conference is dedicated to sharing knowledge between all the participants. Speakers include:

  • J. Wolfgang Goerlich, who will share his experience of using the Security Culture Framework to build security culture into a team of developers.
  • Mo Amin, who will share how to burst the bubble and make security culture stick.
  • Waldo Rocha-Flores, who will share his secrets of measuring security culture.
  • Shan Lee, who will share how he is building security culture across borders.
  • Roar Thon, who will share his passion for security culture, and why it matters.
  • Myself: I will be sharing the basic principles of the Security Culture Framework, current status, and news!

In addition to talks, a series of hands-on workshops is planned too. These run just after lunch, and will teach the participants relevant techniques and skills in one of three domains: planning a security culture program, involving the organization, or measuring culture. Each workshop is 2 hours, and you get to choose one.

At the end of the day, a closing panel consisting of some of the speakers will share their most important learning points from the day.

I am stoked to be part of the global movement that is the Security Culture Framework. It is fantastic to be working with some of the smartest people in the industry on a project that already is making huge impacts on the organizations applying it. I hope I will see you at the conference, and welcome your thoughts, ideas and discussions!

What are you waiting for? Sign up already!

This event is sponsored by The Roer Group AS and Cyberon Security AS. Thank you for your support!

Speaking at the Honeynet Project

This year, possibly for the first time, the Honeynet Project visits Norway with its full-week workshop! I am very excited about being invited to speak there, alongside amazing people like Lance Spitzner, Anton Chuvakin, Raffael Marty and Francesca Bosco, to name just a few of the great speakers.

I will be doing the Hacking Your Mind talk on the CxO track, a talk where I explore three of the mental biases that make humans vulnerable to exploitation, phishing and scams. As luck would have it, I also propose a few strategies for becoming better at handling such events.

In addition to giving a talk, I will be doing a half-day workshop on building security culture, using the Security Culture Framework, the free and open platform to build and maintain security culture. I hope there will be a huge turnout to this interactive workshop where you may have your habits and ideas challenged!

Sign up for the Honeynet Project Workshop today, and get to experience beautiful Western-Norway in spring – an experience worth it alone!

Oh, if you bring a copy of my latest book, I will sign it for you too!

Build a Security Culture – Now in a store near you!

My latest book, Build a Security Culture, is now available in a store near you – well, at least if you have access to the Internet, and since you are reading this, I guess you have! The book is about building and maintaining security culture in organizations, and uses the Security Culture Framework as a backdrop.

Here are a couple of pictures from the book – the first ever taken, as far as I know! Thanks for the pics, Thom!

[Photos: the Build a Security Culture book and its cover]

You can order the book at Amazon. I, obviously, think you should! It is also available in other stores, I am sure! You could also ask your local bookshop to put it on display – I would love that of course! Even better, take a picture of it, and post it on social media tagging me or #securityculture!

I would also love to hear from you:

  • How do you use the book to build security culture?
  • What kind of goals do you use to measure your security culture progress?
  • Who do you involve in your culture programmes?
  • What kind of activities do you find give you the best results?

Share your thoughts below in the comments!

The Top Ten tips on Avoiding Security for Managers

There are many ways to increase security in your company, if that is your thing. Most managers will, however, find these ten tips on how to avoid security much more useful. First published on this blog in 2007, I hereby repost my tips on how managers can avoid security. These tips are, in my humble opinion, still relevant today, and by following them you will ensure that your company is ready when disaster strikes – ready to roll over and die!

Not ready to roll over and die, you say? Well then, use the tips as a way to discover how not to protect yourself and your company. If you already do one or more of these things, it is about time to reconsider your approach to security.

Here comes the original piece, with some edits for readability. Typos and grammar are, well, probably still carrying my strong accent!

The Top Ten Tips on Avoiding security for managers

I have noticed that all too many business managers and executives are digging into security. They have this strange idea that securing information and systems is important to their business.

If you are such a manager, or if you have one of those in your team – here are the ten top reasons why you really should reconsider. If you have one in your team, give him this list and he should get the idea.

10: Make security a non-management issue

Make sure that you avoid taking security up to your level. If security is relevant at all in your company, make sure you keep it well under your radar. The best thing is to give it to the IT department, so they can buy their firewalls and other stuff you do not want to hear about. After all, you do not want to bother your management team with questions about which parts of your business development, research and logistics are critical to your business, nor do you want them to worry about how to keep your competitors away from your market space.

So to make sure your management keeps their focus on their particular tasks, make sure you never, ever bring security to the management table.

9: Avoid internal security policies

Policies are broad descriptions of how daily operations relate to security. Policies enable the management to describe the actions and behaviors that are considered correct. Of course you do not want to bother your management team with thinking about such issues, and heaven forbid that you should tell your employees what to do and how to behave. To make sure you avoid controlling the behaviors of your organization, avoid security policies.

8: Never value your information

By making information a value to your organization, you automatically identify it as a potential security risk. If your CFO starts believing he is actually working with information someone cares about and values, he just might start selling it off to the highest bidder. And if your business development team realizes there is value in the future merger they are working on, they may have to start screening their members, and use security measures to keep the other employees away from the information. It might be expensive, so unless you want to invest in training and technology, you really must stay away from thinking information has a value in itself.

7: Never grade the information

Grading information is the same as valuing information – it just takes it one step further. A simple grading scale may have only three steps: public, internal and management only. You really need to stay off this course – not only due to the level of bureaucracy it adds to your already heavily burdened organization, but because grading information really tips your employees and partners off that you think your information has value. They may actually start looking for graded information to sell off at the lunch diner or to the highest bidder. Which means you need some kind of security measures to ensure that only those eyes that are intended to see the files have access to them.

So in order to avoid large spending, training and sneaky employees, you should never walk the path of grading information.

6: Do not care about risk assessments

Risk assessments are the art of guessing the chance that a certain risk may occur. As a manager, you are already aware of the fact that it NEVER happens to you, nor to your company. It may happen to your neighbour. To your competitor. And to the very best in your area. But it will NEVER happen to you. So there is no need whatsoever to spend money, time and effort on trying to guess how many laptops you will lose during the next 12 months, nor on figuring out what a virus attack may cost your organization if it locks down your whole production facility. It will never happen, so save the cash and spend it on a dinner for your major client instead.

5: Knowledge is overrated

Training your staff and employees in how to avoid viruses, trojans and sexy young people asking funny questions is a total waste of time and money. After all, when they are at the training, they are not able to do their work. When they get back to work, they start seeing threats all over. You may start getting questions about why the printer repair guy is walking about in your offices asking questions not at all related to printing. And your IT manager may complain that no one calls him to reset passwords or to clean spyware out of the computers anymore. And certainly, you would not want the IT manager spending time on detection, prevention and tuning of your systems, now, would you? So make sure your employees are left in the dark. It is the cheapest thing to do.

4: No need for continuity planning

If someone in your organization starts talking about continuity and disaster preparations and planning for the worst, make sure you show them point 5 above. As I have established, all the bad things happen to the others – never to you. NEVER. So planning for disaster is a huge waste of time and money, something best left to your competitors. After all, their factory may catch fire, and they need to be able to keep up production to make a profit. Nothing you need to care about at all, as it will never happen to you.

So when you hear the buzz about planning for disaster, make sure you can stuff your ears with cotton, and just hum a tune you like.

3: Avoid security experts

When the security experts enter the building, the first thing they do is figure out how to scare you into paying their huge and overrated invoices. Their knowledge and expertise is highly overrated; after all, most are just techno geeks or former intelligence people with no understanding of running a business whatsoever. All they care about is invading your company with methods, rules, policies and tools. They even offer to train your staff. If you ever come across a security expert, make sure you never let him or her enter your premises. Most of these people are hackers and social engineering specialists – who knows who they are really working for, and what they will take with them when they leave. Not that it matters to you – if you followed points three and four above!

2: Compliance is a waste of money

Compliance is the art of following the rules and regulations stated in laws like SOX, HIPAA, Basel II and PCI, and in standards like ISO. They claim they are there to protect against misuse of information, or to ensure the quality of the information. As we already agree, information has no value at all, so there is no need to care about compliance.

What's more, who really cares what shareholders, local governments and customers may think of you if something should happen? (Not that something ever will happen to you.) It is a fact that a few customers are requiring compliance from all their partners. That is just a short-term misunderstanding, made by only a very few, unimportant producers like Mercedes-Benz, Volvo, HP and a couple of others. Not at all relevant to you, and a total waste of time and cash. Make the right decision – stay off the compliance case!

1: Simple is bad – make things complicated!

Some claim simplicity is key. One password, simple rules, easy-to-use systems. What on earth makes people say that? The harder it is for your regular users to get access to a system, the harder it must be for everyone else. And Post-It notes are a great tool for jotting down the dozens of passwords. And what would your users do with all the extra time if they only had to remember to bring one simple password with them? Surely it would be spent surfing for porn or sending emails to their family.

Another important thing is to confuse people. Just change policies every week. You may also enjoy changing them daily or even by the hour. Make routines so complicated they are impossible to follow.

Kiss goodbye to good old KISS – Keep It Simple, Stupid – and confuse everyone with complicated rules and procedures. Have you considered handing out three different access cards to the building to your employees? One for the parking lot, one for the main entrance, and one for the elevator. It works every time!

I first published this back in 2007, and because it is equally relevant today, I wanted to share it with my readers again in 2015. I hope you enjoyed!

What are your best tips to help managers avoid security in your company? Share them in the comments!

The process of building security culture

The Security Culture Framework (SCF), the open and free methodology, is a process for building security culture. It was created to help you organize your work of building and maintaining security culture. Using the principles found in process management, the SCF will enable you to document your progress, and create results through continuous improvements.

The Security Culture Framework instructs you to follow a replicable process to execute your security culture campaigns. The process, as can be seen in the picture, is constructed as a series of actions.

[Figure: The process of building security culture]

Building and maintaining security culture is an on-going, continuous process. In a reality where most security breaches are caused by human behaviors, it is increasingly important to build and maintain security culture. These are the five easy-to-follow steps in the Security Culture Campaign process.

1. Set a clear goal

You start by defining a goal for your campaign. A goal should be measurable, and clearly defined so you know when you have reached it. This step also tells you to set up a baseline metric, using the same metrics you will use for your goal. The gap between your baseline and your goal will help you decide what actions must be taken later.

2. Involve your organization

The second step is where you involve your team and your stakeholders to understand the goal. You also define a target audience – sometimes everybody in the organization, other times one department or a particular subset of people like senior managers. Understanding your target audience and their needs is the outcome from this step.

3. Engage with the audience

Step three involves using your goal and your target audience to choose the activities required to change the behaviors. Depending on what you set out to change, and whom you want to change, tailoring your activities like e-learning, lunch-and-learns, posters, stickers and so forth, to your specific audience will help you achieve the results you want. Instead of just doing something, you choose activities and topics that resonate with, and engage the audience.

4. Execute and measure

The fourth step is just like any other project execution: You do the things you have planned to do. And you measure the results as you go. When done, you compare your results to your goal and your baseline and see just how far you got. You ask yourself «What did I learn during this campaign that I should keep or change next time around?» and you keep a note of your learning outcome!

5. …And repeat

As with all processes, for each iteration, you go back to step one and repeat! I am a strong believer in celebrating wins, so if you consider the campaign to be successful, I suggest you take your team and yourself out for celebration before you start all over again.

Learn more about security culture building

To learn more about the Security Culture Framework, which is free and open for all, check it out at https://scf.roer.com.

Buy a book!

You may also pre-order my upcoming book «Build a Security Culture» if you, like me, enjoy reading! Use the URL below depending on your location: 

Use the Security Culture Toolkit

You may also use the Security Culture Toolkit to assess your security culture.

The Security Culture Toolkit. Know your Culture!

Security culture is hard to measure, I am told. When in a bad mood, I find myself replying "yes, if you don't do it", or sometimes "Sure thing, when you do it wrong". To ease the burden faced when measuring security culture, we decided to build a tool to help organizations measure their security culture, and also provide tips on actions to take to build a better security culture. Voila – let me introduce:

The Security Culture Toolkit

The toolkit lets you do an assessment of your current security culture. The assessment is based on a series of questions, all related to the Security Culture Framework, and by rating each statement you receive a score. A score you can use to document your on-going security culture efforts by re-taking the assessment once a year. The toolkit effectively creates a way to document your current state, and the progress you have made since your last assessment.

All fine and well. But why stop there?

A score is nice to have; it's a number into which you may pour any and all meanings. And given time and re-assessments, said score will return value too. Yet we figured you wanted more than just a nice number to show for yourself, so we added a series of tasks, each one tailored to your specific needs as recorded by your assessment.

The Security Culture Toolkit is a self-assessment tool that generates a set of tasks tailored to help you build and maintain good security culture. It's almost like a silver bullet, except it is not a silver bullet. It aims to be one of many tools that you can (and possibly should) use to enhance your security.

You can sign up for the Security Culture Toolkit soon. In the meanwhile, you may sign up for beta-testing (brave you must be, as it will be error-prone), or dig into the Security Culture Framework Community.

And as always, engage in the dialogue!

Fluffy awareness, anyone?

Fluffy awareness – what exactly is that? And perhaps more importantly – is fluffy awareness something we want? Or even need? This was the main question discussed during the January 2015 episode of the live Security Culture Show I host together with the excellent Mo Amin.

You can watch the full 45-minute recording on YouTube, or download the podcast at the Security Culture Framework site.

As always, we ramble on about security culture, awareness and related topics. And as always, we had a fantastic guest: Sarah Clarke, who happily shared her experiences and knowledge of creating awareness that makes a difference. We had loads of fun, discussing anything from judo, sticks and fear, to agreeing on intrinsic motivation being a key element in building lasting change. We had more viewers than ever before, and questions and discussions were held in the comment area too! Make sure to check them out here!

We also congratulate Rowenna Fielding on winning a copy of my upcoming book "Build a Security Culture" – the book will ship mid-March!

Do you want to watch us live? The next show is February 24th at 18:00 CET. Look for that Google Hangout-on-air invite!

Here is the full show:

What is Culture?

There is a major question I get asked more often than not: "What is culture?" Most of the time, the asker wonders from the perspective of cyber security and security awareness, though I also get asked by non-security people. There is no single, clear-cut definition of culture; it all depends on your perspective, background and interest. In my upcoming book "Build a Security Culture", I define security culture as:

The ideas, customs, and social behavior of a particular people or society that allows them to be free from danger or threats.

This definition is created by combining the definition of security, and adding that to the definition of culture generally used by anthropologists. The definition of security culture I use explains and frames the topic I discuss, and is most commonly the answer I provide when asked “What is Culture?”

You may or may not agree with this definition, and that is fine. Instead, let's agree that there are many different definitions available, and the one we use should be the one best able to describe the topic and framing we aim for. As an example of alternative perspectives on culture, let us consider a few other definitions.

culture: from farming – preparing and using nature for farming, i.e. cultivating the landscape.

This is the original use of the word, and is a useful backdrop to the definition, as it makes us realize that culture is about changing something into a state that we want – from wild nature into a form and state we can control.

In sociology, culture has many different definitions and perspectives too – from being the object of study and explanation (cultural studies, studies of how culture is created, used and impacts us), to cultural sociology, where culture itself is used to describe, initiate and explain change. According to the latter, culture is one of a number of objects we may change; thus by definition (again), culture is formable, something we can act upon and use.

In psychology, culture is mainly focused on the differences between groups (regions, countries etc.), and used to explain how one group of people may respond to threats differently based on their collective mind being different.

My concern with culture is a practical one: I strive to build and maintain security culture. A definition that helps me frame the topic helps me understand what exactly we are working with, and what is not part of the work. My needs are to identify the areas we can change, how to change those as efficiently as possible, and to document both the change itself and the failures. I am a pragmatist in that I focus on creating actual results, more than just describing an interesting (ab)normality.

Using the definition above helps me focus on my tasks and work towards my goal: build and maintain better security culture.

If you are interested in security culture, you may want to check out the Security Culture Framework.

2015: The Year of Security Culture

How to create a security culture program

Building security awareness has been shown to be a challenge in the past, with a general consensus of poor results, lack of direction and a missing agreement on what awareness is in the first place. Let me dedicate this year: 2015, the year of security culture!

As you know, I have been focusing on security culture for quite some time, and the response we see in the market is huge. The Security Culture Framework is being applied by organizations in the USA and Europe, and we are seeing a growing number of requests from Asia, Africa and South America. The reason is as simple as the framework principles are easy: the Security Culture Framework provides a process that is easy to apply, engages the whole organization and creates documentable, tangible, visible results. All without you having to replace existing content and training – instead it wraps around the activities you use, to help you build value and get real results. The best part? The Security Culture Framework is free. For all.

«This focus on security culture – will it take away all the risk and threats out there?»

Of course not. Just like adding a firewall to your network does not stop every cyberthreat, security culture is one of many tools that should be in your toolbox, and a strategy that should work together with and support both policies and technology. And vice versa: Technology and policies should be implemented in a way to support security culture.

2015 will be the year when security culture grows out of infancy and into adulthood. Security culture will slowly replace awareness, and create results instead of frustration. The first step was the Security Culture Framework. In a few weeks time, the book «Build a Security Culture» will hit the shelf in a (virtual) bookstore near you, explaining the concept and giving you direction. And later this year, The Roer Group are launching a series of new tools to help you structure, plan and execute your work with security culture and cyber security too.

There will be more on culture from me this year. The same, I believe, will be true with large (and small) hacks (not from me, though, except there are minds to be hacked! Those I am likely to continue to play with!) And like before, nature is going to be causing her fair share of disaster too.

Let's stand together and fight back as best we can. May the most resilient survive!

A cultural 2015 I wish for you!

2014: The Year we Survived

It's that time of year again, the time of reflection, the reviewing of goals and the defining of our future. I welcome you to 2015, after surviving 2014 despite the best efforts of countries, criminals, nature and the cyber itself! I will not spend time on the Sony hack more than I have done, nor will I consider the other challenges faced by companies in 2014. It suffices to say that Troy Hunt's excellent Have I Been Pwned service has grown considerably in size since he visited Oslo in June. Instead, I will review some of my goals, reflect a tiny bit and of course make my predictions for 2015.

In December 2013, I defined some goals for 2014, the main one being to become a student at the University of Oslo, reading Psychology. A year on, I am quite happy to say I have successfully completed the courses and exams of the first year, and I am continuing my studies in 2015. As I stated last year, I believe it is of utmost importance for security people to actually understand people if we want to help them succeed with changing their security behaviors.

In addition to studies, I planned on working with the Security Culture Framework, which went through a facelift, we signed up several new consulting partners both in Europe and the US, and we did the Security culture Summer Camp 2014, where we certified a group of Security Culture Practitioners. With Mo Amin, we also kicked off the Security Culture Show, a monthly TV and podcast where we invite guests to discuss security culture.

In short, there were a lot of successful goal completions for me in 2014. What about failures, then? I had some of those too! One goal I had for the year was to write two books: "Build a Security Culture", in which I explain how to design and maintain a lasting security culture program; and a book on hacking people's minds: the psychology that tricks us into doing the things we do. I failed utterly in writing the second book.

People did tell me that I might be setting my goals too high for the year, and they were right. Although I do feel bad thinking of not meeting all of my goals, when I look at my score card I have ticked off most of them, and that is success for me.

There is no doubt that I set the stakes high, and by doing so increased the risk of failure. But let's turn that upside-down and consider what might have happened if I had not set my goals this tough? I might have had more "time" to watch TV or whatever, but I would not have achieved what I have done, and I would be settling for less. And those who know me also know that I do not settle for less.

Nor am I known for choosing the easy way out.

Smart people for great conversations

Some of the students I met at the Ljubljana Grad. Great minds from all over Europe indeed!

A brief look at my year includes guest lecturing on security culture at several universities in Europe, speaking at a number of conferences (my October was particularly busy due to the Security Awareness Month, NCSAM), writing a book, studying full time and traveling to new countries and places. Just like Colombia in 2013, I fell in love with Slovenia in 2014. I wonder which country I will fall in love with in 2015?

Oh, let's not forget the CSA Norway Summer Conference 2014, where Thom Langford, Quentyn Taylor, Mo Amin and myself were rocking out to "How to Become an Infosec Rock Star"!

Aquavita Chorizo. Ask me for recipe!

I continued to cook too, and had a number of fantastic people visiting: Troy Hunt, Arron Finnon, Jack Daniel and Scott Thomas to name a few. To say they have been eating out of my hand would not be entirely true, yet not entirely wrong either!

Predictions for 2015 will be published in an upcoming post (next week), with the title: 2015: The Year of Security Culture.

Thanks for 2014! It was a great year in many ways, and a desperate one for some. Most of us are still going strong, let us continue with that!