
Congratulations to all the new CSCPs out there!

Another Security Culture Summer Camp is over, and five weeks of learning how to build and maintain security culture is over for now. During the summer camp, students – security professionals – from around the world have learned how to use the Security Culture Framework to build and maintain security culture in their organizations. It is with great pride I can congratulate another batch of Certified Security Culture Practitioners (CSCP) – more fantastic people to help organizations enhance their security by applying the principles of the Security Culture Framework.

Congratulations, all CSCPs!

Who are these CSCPs, anyway?

People and organizations around the world recognize the importance of good security culture to reduce the risk and impact of security incidents due to the human factor. There are two typical types of participants who join and complete the Security Culture Summer Camps:

  • Internal Awareness Officers – this is a group of people who work with security culture and awareness internally in an organization. They are focused on creating a good process of ongoing security awareness, and on documenting the security behavior change internally. Their actual titles vary, as does their location in the organization – security professionals, compliance officers, HR and training staff. Organizations who consider security culture a critical area sign up several participants to ensure the best results.
  • Consultants – this group typically serves a number of clients, and helps build and maintain security culture on behalf of those clients. Some consultants manage the whole process, including executing the security culture program; others facilitate the process. No matter how the consultant and the client choose to work together, both parties recognize the value of the Security Culture Framework in building and maintaining good culture.

The Certified Security Culture Practitioner (CSCP) certification provides value to both organizations and consultants: it documents the knowledge of the practitioner, gives access to a global network of other CSCPs, and makes a clear statement that security culture is taken seriously.

Does your organization consider getting serious about security culture? Hire a CSCP!

Or become a Certified Security Culture Practitioner yourself – sign up for the 2016 Summer Camp today.


Full Day Workshop on the Security Culture Framework


It is with great pleasure I invite you, my readers, to this special opportunity to join a full-day workshop on the Security Culture Framework. Why is this such a big thing? Simple: previously, we have only done half-day workshops on parts of the framework, or virtual workshops like the Security Culture Summer Camp. Now you get to spend one full day with me to learn all about the Security Culture Framework, and how to use it!

The workshop is being organized by ISACA Slovenia, and takes place in beautiful Ljubljana, fully worth a visit on its own, if you ask me. The date is September 24th, as part of the ISACA Slovenia conference (which you also should consider; a lot of the program is in English), and it looks great too! Oh, and did I mention the conference is to be held at the Zrece Spa! I will be there, and I will indulge myself to the fullest!

ISACA is charging a very reasonable 347.70 Euros including taxes for the workshop (must be paid in advance!). Participation in the workshop entitles you to 8 CPE hours too!

The program of the day looks like this:

  • 9.00–10.30 Key concepts of security culture
  • 10.30–11.00 Coffee break
  • 11.00–11.45 Metrics
  • 11.45–13.00 Organisation and topics
  • 13.00–14.00 Lunch
  • 14.00–14.30 Plan
  • 14.30–15.00 Conclusions

Which means you should be able to catch the evening flights out of Ljubljana, or join me for a beer in the afternoon. I would certainly prefer the latter!

You can sign up here. More information at the ISACA Slovenia website. And should you be reading this too late (after September 20th 2015), you can always download the PDF here: 23konf-rkis_1506_invitation-workshop


CSA ASEAN Summit and Thai TV

In June 2015, I visited Thailand, and the beautiful Bangkok. My visit was business first, as I was invited to lecture on the psychology of security at Mahidol University, and to be on a panel on cloud security standards at the CSA ASEAN Summit 2015.

I did enjoy a couple of days as a tourist too. I got to see the beautiful Emerald Buddha Temple, where we met the best tourist guide I have ever met (possibly with the exception of myself, for those of you in the know!). Our guide was knowledgeable (as far as I can tell), and she treated us as kings who deserved only the best. She also had an immense respect for the holy place, and made sure the other tourists and guides were told straight when they failed to honor the temple properly. It was a great experience indeed!

I also got to visit the Chatuchak (Latin spelling is…diverse) Market, the (in)famous weekend market with an unbelievable number of sales booths. This was a great experience for me, and a place I would love to visit again.


There was shopping too, this time Thai silk:


And do not forget the elephants!



More serious business was done in the evenings over beers and street food. There can be no doubt: if you want a fantastic meal in Bangkok, go eat on the streets. Bring friends along, and have fun! I got to sit down with some great people, including Kitisak Jirawannakool and his friends in the local security community. Food, beers, good people sharing experience – what more can you want?


I did some work too. I gave a lecture on Hacking Your Mind, how our mind tricks us into doing poor security, at Mahidol University. They treated me very nicely, and gave me a tour of their campus – a very nice one indeed!


The main reason for my trip to Bangkok was the CSA ASEAN Summit 2015. I was invited as the CSA Norway chapter President, and did two panels:

  • one on cloud security research, where I discussed the gap between the focus of academic research and the focus of the commercial industry, and how these two different focuses work to increase the distance between academia and industry instead of closing it. We had a good discussion.
  • the second panel was on cloud security standards, where I voiced my concern that bad implementations of standards are bad for all, and that standards tend to create a common security approach, leaving many organizations open to attack because of their failure to implement the standard according to their own needs.


The last panel was recorded on Thai TV, and can be seen below.

All in all, I enjoyed Thailand and Bangkok very much. A sucker for travel and exploring new cultures, I would love to spend more time in the region. So get those invites flowing!

Brighttalk summit: Incident Response and Insider Threats EMEA

Security culture is gaining popularity around the world, and I continue to talk and train on the topic. This time at the virtual summit Brighttalk Summit Incident Response and Insider Threats EMEA 2015.

A virtual summit means I do not have to travel, and neither do you! Another bonus, as far as I understand, is that you can watch the recording at your own convenience, should you miss the live event. In addition to myself talking about how to use the Security Culture Framework to get results from your awareness activities, you will also be able to join Shan Lee from Just Eat, explaining how he is building security culture.

Here is my talk, available for you:

You should sign up right away so you don't forget!

The Conference of Culture

Security culture is spreading its wings across the globe, and it is time to dedicate a conference to the topic. The Security Culture Conference invites speakers from the US, the UK and the Nordics to share their experience of building and maintaining security culture with attendees who want to know how to succeed with their security awareness activities to change culture and behaviors.

With a fantastic speakers line-up, the Security Culture Conference takes place in Oslo in June 2015. A full day of talks and hands-on workshops, the conference is dedicated to sharing knowledge between all the participants. Speakers include:

  • J. Wolfgang Göerlich, who will share his experience of using the Security Culture Framework to build security culture into a team of developers.
  • Mo Amin, who will share how to burst the bubble and make security culture stick.
  • Waldo Rocha-Flores, who will share his secrets of measuring security culture.
  • Shan Lee, who will share how he is building security culture across borders.
  • Roar Thon, who will share his passion for security culture, and why it matters.
  • Myself, I will be sharing the basic principles of the Security Culture Framework, current status, and news!

In addition to talks, a series of hands-on workshops are planned too. These run just after lunch, and will teach the participants relevant techniques and skills in one of three domains: Planning a security culture program, Involving the organization, or Measuring culture. Each of the workshops is 2 hours, and you get to choose one.

At the end of the day, a closing panel consisting of some of the speakers will be sharing their most important learning points from the day.

I am stoked to be part of the global movement that is the Security Culture Framework. It is fantastic to be working with some of the smartest people in the industry on a project that already is making huge impacts on the organizations applying it. I hope I will see you at the conference, and welcome your thoughts, ideas and discussions!

What are you waiting for? Sign up already!

This event is sponsored by The Roer Group AS and Cyberon Security AS. Thank you for your support!

Speaking at the Honeynet Project


This year, possibly for the first time, the Honeynet Project visits Norway with its full-week workshop! I am very excited to be invited to speak there, with amazing people like Lance Spitzner, Anton Chuvakin, Raffael Marty and Francesca Bosco, to name just a few of the great names among the speakers.

I will be doing the Hacking Your Mind talk on the CxO track, a talk where I explore three of the mental biases that make humans vulnerable to exploitation, phishing and scams. As luck would have it, I also propose a few strategies to become better at handling such events.

In addition to giving a talk, I will be doing a half-day workshop on building security culture, using the Security Culture Framework, the free and open platform to build and maintain security culture. I hope there will be a huge turnout to this interactive workshop where you may have your habits and ideas challenged!

Sign up for the Honeynet Project Workshop today, and get to experience beautiful Western-Norway in spring – an experience worth it alone!

Oh, if you bring a copy of my latest book, I will sign it for you too!

Build a Security Culture – Now in a store near you!

My latest book, Build a Security Culture, is now available in a store near you – well, at least if you have access to the Internet, and if you are reading this, I guess you have! The book is about building and maintaining security culture in organizations, and uses the Security Culture Framework as a backdrop.

Here are a couple of pictures from the book – the first ever taken, as far as I know! Thanks for the pics, Thom!


You can order the book at Amazon. I, obviously, think you should! It is also available in other stores, I am sure! You could also ask your local bookshop to put it on display – I would love that of course! Even better, take a picture of it, and post it on social media tagging me or #securityculture!

I also love to hear from you:

  • how do you use the book to build security culture?
  • what kind of goals do you use to measure your security culture progress?
  • who do you involve in your culture programmes?
  • what kind of activities do you find give you the best results?

Share your thoughts below in the comments!

The Top Ten tips on Avoiding Security for Managers

There are many ways to increase security in your company, if that is your thing. Most managers will, however, find these ten tips on how to avoid security much more useful. First published on this blog in 2007, I hereby repost my tips on how managers can avoid security. These tips are, in my humble opinion, still relevant today, and by following them, you will ensure that your company is ready when disaster strikes – ready to roll over and die!

Not ready to roll over and die, you say? Well then, use the tips as a way to discover how not to protect yourself and your company. If you already do one or more of these things, it is about time to reconsider your approach to security.

Here comes the original piece, with some edits for readability. Typos and grammar are, well, probably still carrying my strong accent!

The Top Ten tips on Avoiding Security for Managers

I have noticed that all too many business managers and executives are digging into security. They have this strange idea that securing information and systems is important to their business.

If you are such a manager, or if you have one of those in your team – here are ten top reasons why you really should reconsider. If you have one in your team, give him this list and he should get the idea.

10: Make security a non-management issue

Make sure that you avoid taking security up to your level. If security is relevant at all in your company, make sure you keep it way under your radar. Best thing is to give it to the IT-department, so they can buy their firewalls and other stuff you do not want to hear about. After all, you do not want to bother your management team with issues of what parts of your business development, research and logistics are critical to your business, nor do you want them to worry about how to keep your competitors away from your marketspace.

So to make sure your management keeps their focus on their particular tasks, make sure you never, ever bring security to the management table.

9: Avoid internal security policies

Policies are broad descriptions of how to relate the daily operations to security. Policies enable the management to describe actions and behaviors that are considered correct. Of course you do not want to bother your management team with thinking about such issues, and heaven forbid that you should tell your employees what to do and how to behave. To make sure you avoid controlling the behaviors of your organization, avoid security policies.

8: Never value your information

By making information a value to your organization, you automatically identify it as a potential security risk. If your CFO starts believing he is actually working with information someone cares about and values, he just might start selling it off to the highest bidder. And if your business development team realizes there is a value in the future merger they are working on, they may have to start screening their members, and use security measures to keep the other employees away from the information. It might be expensive, so unless you want to invest in training and technology, you really must stay away from thinking information has a value in itself.

7: Never grade the information

Grading information is the same as valuing information – it just takes it one step further. A simple grading scale may have only three steps – public, internal and management only. You really need to stay off this course – not only due to the level of bureaucracy it adds to your already heavily burdened organization – but because grading information really tips your employees and partners off that you think your information has value. They may actually start looking for graded information to sell off at the lunch diner or to the highest bidder. Which means you need some kind of security measures to ensure that only those eyes who are intended to see the files have access to them.

So in order to avoid large spending, training and sneaky employees, you should never walk the path of grading information.

6: Do not care about risk assessments

Risk assessments are the art of guessing the chance that a certain risk may occur. As a manager, you are already aware of the fact that it NEVER happens to you, nor to your company. It may happen to your neighbour. To your competitor. And to the very best in your area. But it will NEVER happen to you. So there is no need whatsoever to spend money, time and effort in trying to guess how many laptops you will lose during the next 12 months, nor to figure out what a virus attack may cause your organization if it locks down your whole production facility. It will never happen, so save the cash and spend it on a dinner for your major client instead.

5: Knowledge is overrated

Training your staff and employees about how to avoid viruses, trojans and sexy young people asking funny questions is a total waste of time and money. After all, when they are at the training, they are not able to do their work. When they get back to work, they start seeing threats all over. You may get questions about why the Printer Repair guy is walking about in your offices and asking questions not at all related to printing. And your IT manager may complain that no one calls him to reset the passwords or to clean out spyware from the computers anymore. And certainly, you would not want the IT manager spending time on detection, prevention and tuning of your systems, now, would you? So make sure your employees are left in the dark. It is the cheapest thing to do.

4: No need for continuity planning

If someone in your organization starts talking about continuity and disaster preparations and planning for the worst, make sure you show them point 5 above. As I have established, all the bad things happen to the others – never to you. NEVER. So planning for disaster is a huge waste of time and money, something best left to your competitors. After all, their factory may catch fire, and they need to be able to keep up the production to make a profit. Nothing you need to care about at all, as it will never happen to you.

So when you hear the buzz about planning for disaster, make sure you can stuff your ears with cotton, and just hum a tune you like.

3: Avoid security experts

When the security experts enter the building, the first thing they do is to figure out how to scare you into paying their huge and overrated invoices. Their knowledge and expertise is highly overrated; after all, most are just techno geeks or former intelligence people with no understanding of running a business whatsoever. All they care about is to invade your company with methods, rules, policies and tools. They even offer to train your staff. If you ever come across a security expert, make sure you never let him or her enter your premises. Most of these people are hackers and social engineering specialists – who knows who they are really working for – and what they will take with them when they leave. Not that it matters to you – if you followed points three and four above!

2: Compliance is a waste of money

Compliance is the art of following the rules and regulations stated in laws like SOX, HIPAA, Basel II, PCI and in standards like ISO. They claim they are there to protect against misuse of information, or to ensure the quality of the information. As we already agree, information has no value at all, so there is no need to care about compliance.

What's more, who really cares about what shareholders, local governments and customers may think of you if something should happen? (Not that something ever will happen to you.) It is a fact that a few customers are requiring compliance by all their partners. That is just a short-term misunderstanding, made by only a very few, unimportant producers like Mercedes Benz, Volvo, HP and a couple of others. Not at all relevant to you, and a total waste of time and cash. Make the right decision – stay off the compliance case!

1: Simple is bad – make things complicated!

Some claim simplicity is key. One password, simple rules, easy-to-use systems. What on earth makes people say that? The harder it is for your regular users to get access to a system, the harder it must be for everyone else. And Post-It notes are a great tool to jot down the dozens of passwords. And what would your users do with all the extra time if they only had to remember to bring with them one simple password? Surely it would be spent surfing for porn or sending emails to their family.

Another important thing is to confuse people. Just change policies every week. You may also enjoy changing them daily or even by the hour. Make routines so complicated they are impossible to follow.

Kiss goodbye to good old KISS – Keep It Simple, Stupid – and confuse everyone with complicated rules and procedures. Have you considered handing out three different access cards to the building to your employees? One for the parking lot, one for the main entrance, and one for the elevator. It works every time!

I first published this back in 2007, and because it is equally relevant today, I wanted to share it with my readers again in 2015. I hope you enjoyed!

What are your best tips to help managers avoid security in your company? Share them in the comments!

The process of building security culture

The Security Culture Framework (SCF), the open and free methodology, is a process of building security culture. It was created to help you organize your work with building and maintaining security culture. Using the principles found in process management, the SCF will enable you to document your progress, and create results through continuous improvements.

The Security Culture Framework instructs you to follow a replicable process to execute your security culture campaigns. The process, as can be seen in the picture, is constructed as a series of actions.


Building and maintaining security culture is an on-going, continuous process. In a reality where most security breaches are caused by human behaviors, it is increasingly important to build and maintain security culture. These are the five easy-to-follow steps in the Security Culture Campaign process.


1. Set a clear goal

You start by defining a goal for your campaign. A goal should be measurable, and clearly defined so you know when you have reached that goal. This step also tells you to set up a baseline metric, using the same metrics you will use for your goal. The gap between your baseline and your goal will help you decide what actions must be taken later.

2. Involve your organization

The second step is where you involve your team and your stakeholders to understand the goal. You also define a target audience – sometimes everybody in the organization, other times one department or a particular subset of people like senior managers. Understanding your target audience and their needs is the outcome from this step.

3. Engage with the audience

Step three involves using your goal and your target audience to choose the activities required to change the behaviors. Depending on what you set out to change, and whom you want to change, tailoring your activities like e-learning, lunch-and-learns, posters, stickers and so forth, to your specific audience will help you achieve the results you want. Instead of just doing something, you choose activities and topics that resonate with, and engage the audience.

4. Execute and measure

The fourth step is just like any other project execution: You do the things you have planned to do. And you measure the results as you go. When done, you compare your results to your goal and your baseline and see just how far you got. You ask yourself «What did I learn during this campaign that I should keep or change next time around?» and you keep a note of your learning outcome!

5. …And repeat

As with all processes, for each iteration, you go back to step one and repeat! I am a strong believer in celebrating wins, so if you consider the campaign to be successful, I suggest you take your team and yourself out for celebration before you start all over again.
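As an added illustration, not part of the original post or of the SCF's own tooling, here is a small Python model of the five-step campaign loop above. The metric (a phishing-simulation click rate), the audience and the sample values are constructed assumptions; the point is how baseline, goal, gap, measurement and the "repeat" step fit together.

```python
from dataclasses import dataclass, field
from typing import List


@dataclass(frozen=True)
class Metric:
    """Step 1: the same metric is used for the baseline and for the goal."""
    name: str
    lower_is_better: bool  # click rate: lower is better; report rate: higher is better


@dataclass
class Campaign:
    metric: Metric
    baseline: float              # step 1: measured before any activity
    goal: float                  # step 1: measurable, clearly defined target
    audience: str                # step 2: the target audience for this campaign
    activities: List[str] = field(default_factory=list)    # step 3
    measurements: List[float] = field(default_factory=list)  # step 4
    learnings: List[str] = field(default_factory=list)       # step 4

    def __post_init__(self) -> None:
        # A goal that is not an improvement over the baseline is a planning error.
        if self.metric.lower_is_better and self.goal > self.baseline:
            raise ValueError("goal must be lower than baseline for this metric")
        if not self.metric.lower_is_better and self.goal < self.baseline:
            raise ValueError("goal must be higher than baseline for this metric")

    def gap(self) -> float:
        """Step 1: distance between baseline and goal that activities must close."""
        return abs(self.goal - self.baseline)

    def improvement(self, value: float) -> float:
        """Signed movement from the baseline toward the goal (positive = better)."""
        if self.metric.lower_is_better:
            return self.baseline - value
        return value - self.baseline

    def progress(self) -> float:
        """Step 4: fraction of the gap closed by the latest measurement, clamped to [0, 1]."""
        if not self.measurements:
            return 0.0
        if self.gap() == 0:          # nothing to close: trivially complete
            return 1.0
        frac = self.improvement(self.measurements[-1]) / self.gap()
        return max(0.0, min(1.0, frac))

    def goal_reached(self) -> bool:
        """Step 4: compare the latest result against the goal, respecting direction."""
        if not self.measurements:
            return False
        latest = self.measurements[-1]
        return latest <= self.goal if self.metric.lower_is_better else latest >= self.goal

    def next_iteration(self) -> "Campaign":
        """Step 5: repeat, with the latest result as the new baseline and learnings kept."""
        new_baseline = self.measurements[-1] if self.measurements else self.baseline
        return Campaign(self.metric, new_baseline, self.goal, self.audience,
                        learnings=list(self.learnings))


def demo() -> List[Campaign]:
    """Two iterations on constructed sample values (assumption: a 30% click rate at start)."""
    click_rate = Metric("phishing simulation click rate", lower_is_better=True)
    first = Campaign(click_rate, baseline=0.30, goal=0.10, audience="all employees")
    first.activities += ["lunch-and-learn on phishing", "monthly simulated phishing"]
    first.measurements += [0.22, 0.18]            # measured as the campaign runs
    first.learnings.append("short monthly simulations beat a single long e-learning")
    second = first.next_iteration()               # baseline is now 0.18, goal still 0.10
    second.activities.append("targeted follow-up for repeat clickers")
    second.measurements.append(0.09)
    return [first, second]


if __name__ == "__main__":
    for i, c in enumerate(demo(), start=1):
        print(f"iteration {i}: progress={c.progress():.2f} reached={c.goal_reached()}")
```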

Learn more about security culture building

To learn more about the Security Culture Framework, which is free and open for all, check it out at https://scf.roer.com.

Buy a book!

You may also pre-order my upcoming book «Build a Security Culture» if you, like me, enjoy reading! Use the URL below depending on your location: 

Use the Security Culture Toolkit

You may also use the Security Culture Toolkit to assess your security culture.

The Security Culture Toolkit. Know your Culture!


Security culture is hard to measure, I am told. When in a bad mood, I find myself replying «yes, if you don't do it», or sometimes «Sure thing, when you do it wrong». To ease the burden faced when measuring security culture, we decided to build a tool to help organizations measure their security culture, and also provide tips on actions to take to build a better security culture. Voila – let me introduce:

The Security Culture Toolkit

The toolkit lets you do an assessment of your current security culture. The assessment is based on a series of questions, all related to the Security Culture Framework, and by rating each statement, you receive a score. A score you can use to document your on-going security culture efforts by re-taking the assessment once a year. The toolkit effectively creates a way to document your current state, and the progress you have made since your last assessment.

All fine and well. But why stop there?

A score is nice to have; it's a number into which you may pour any and all meanings. And given time and re-assessments, said score will return value too. Yet, we figured you wanted more than just a nice number to show for yourself, so we added a series of tasks, each one tailored to your specific needs as recorded by your assessment.

The Security Culture Toolkit is a self-assessment tool that generates a set of tasks tailored to help you build and maintain good security culture. It's almost like a silver bullet, except it is not a silver bullet. It aims to be one of many tools that you can (and possibly should) use to enhance your security.

You can sign up for the Security Culture Toolkit soon. In the meanwhile, you may sign up for beta-testing (brave you must be, as errors there will be), or dig into the Security Culture Framework Community.

And as always, engage in the dialogue!