NOTES

1 Tversky and Kahneman, 1973; https://thedecisionlab.com/biases/availability-heuristic/

2 Adapted from NIST SP800-16.

3 https://www.ncsc.gov.uk/files/Business-email-compromise-infographic.pdf

4 https://www.behavioraleconomics.com/resources/mini-encyclopedia-of-be/choice-architecture/

5 https://www.psychologytoday.com/us/basics/cognitive-dissonance

6 In addition, other properties, such as authenticity, accountability, non-repudiation, and reliability can also be involved.

7 Adapted from the definition for information security in ISO/IEC 27000:2009 (ISO/IEC 27032:2012, retrieved using www.iso.org/obp).

8 https://www.lexico.com/definition/cybersecurity

9 Cygenta.

10 ISO/IEC 27032:2012, retrieved using www.iso.org/obp

11 https://www.themantic-education.com/ibpsych/2016/10/24/single-and-double-blind-designs/

12 Kruger and Dunning, 1999.

13 https://dictionary.cambridge.org/dictionary/english/gamification

14 Kerr, 1998, https://doi.org/10.1207/s15327957pspr0203_4

15 https://opentextbc.ca/businessopenstax/chapter/the-hawthorne-studies/

16 https://www.psychologytoday.com/us/basics/heuristics

17 https://dictionary.cambridge.org/dictionary/english/norm

18 Drabek, 1986.

19 https://www.behavioraleconomics.com/resources/mini-encyclopedia-of-be/nudge/

20 https://psychologydictionary.org/null-hypothesis/

21 Skinner, 1948.

22 https://dictionary.cambridge.org/dictionary/english/pedagogy

23 Phishing can be accomplished by using social engineering or technical deception. ISO/IEC 27032:2012, retrieved using www.iso.org/obp

24 Ajzen, 1991 and https://sphweb.bumc.bu.edu/otlt/MPH-Modules/SB/BehavioralChangeTheories/BehavioralChangeTheories3.html

25 Rogers, 1975.

26 https://www.enisa.europa.eu/topics/csirts-in-europe/glossary/ransomware

27 https://thedecisionlab.com/salience-bias/

28 Bandura, 1995.

29 Cialdini, 2007.

30 https://www.enisa.europa.eu/topics/csirts-in-europe/glossary/phishing-spear-phishing

31 Adapted from NIST SP800-16.

32 https://www.sans.org/security-awareness-training/resources/two-step-verification

33 It is also the third highest information security-related search in Google Scholar.

34 https://www.theregister.co.uk/2007/04/17/chocolate_password_survey/. See also: https://youtu.be/opRMrEfAIiI and https://www.youtube.com/watch?v=UzvPP6_LRHc. In both cases the same activity was repeated a couple of years apart, with the same results.

35 See for example: https://money.cnn.com/2015/08/22/technology/ashley-madison-hack-government-workers/index.html

36 See https://geerthofstede.com/ and https://www.hofstede-insights.com/. Geert Hofstede died in February 2020.

37 SP800-16 is now relegated to the NIST ‘legacy’ list along with SP800-50. Both, however, contain a wealth of useful information on cybersecurity awareness, training and education.

38 In fact, placing awareness messages or posters in toilets seems to be a very popular approach. I’ve seen such messages in the toilet facilities of many organisations, including banks, catering organisations and consultancies.

39 As Douglas Adams put it in So Long, and Thanks for All the Fish: ‘a very respectable view widely held by right-thinking people, who are largely recognizable as being right-thinking people by the mere fact that they hold this view’.

40 As first noted by Irving Janis in his 1972 study.

41 I’ve stolen Jess’s headline and probably her thunder here – sorry Jess!

42 An experiment at Amsterdam railway station swapped the till displays from chocolate to fruit and registered an increase in sales of fruit: https://academic.oup.com/jpubhealth/article/38/2/e133/2241365

43 Other examples are at: https://medium.com/swlh/the-7-most-creative-examples-of-habit-changing-nudges-7873ca1fff4a

44 https://bthechange.com/organizational-change-failures-what-happened-to-daimlerchrysler-and-aol-time-warner-ff2b2c8fcb0e provides examples of failures where culture change didn’t happen.

45 https://blog.cygenta.co.uk/2fa_2019/

46 https://www.ncsc.gov.uk/speech/people--the-strongest-link

47 https://blogs.ucl.ac.uk/digital-education/2014/02/04/learning-on-steroids-with-richard-feynman/

48 https://www.sans.org/security-awareness-training/blog/accelerated-learning-european-secawaresummit

49 The last two questions are also linked to the organisational culture, of which more later.

50 https://www.ncsc.gov.uk/collection/passwords?curPage=/collection/passwords/updating-your-approach and https://pages.nist.gov/800-63-3/sp800-63b.html#memsecretver

51 These numbers are sourced from: https://www.forbes.com/sites/louiscolumbus/2020/04/05/2020-roundup-of-cybersecurity-forecasts-and-market-estimates/

52 A review, published in 1952, found over 134 definitions – and took 219 pages to review and classify them. See https://www.journals.uchicago.edu/doi/pdf/10.1086/221402 and Kroeber and Kluckhohn (1952, pp. viii, 223).

53 See for example: https://hbr.org/2013/05/what-is-organizational-culture

54 Or, even worse, doing both.

55 The Harvard Business Review article (https://hbr.org/2013/05/what-is-organizational-culture) contains a number of definitions similar to – and different from – the definitions presented here.

56 See: https://geerthofstede.com/landing-page/

57 See https://hi.hofstede-insights.com/national-culture and https://geerthofstede.com/culture-geert-hofstede-gert-jan-hofstede/6d-model-of-national-culture/

58 The highest level of Maslow’s Hierarchy of Needs: https://www.explorepsychology.com/maslows-hierarchy-of-needs/ and http://psychclassics.yorku.ca/Maslow/motivation.htm

59 https://sloanreview.mit.edu/article/coming-to-a-new-awareness-of-organizational-culture/?use_credit=fecf2c550171d3195c879d115440ae45

60 Neatly summarised by Sidney Yoshida (1989).

61 See https://www.psychologytoday.com/us/basics/cognitive-dissonance

62 See Chapter 5 for a great example of habit forming – locking computers.

63 DLA Piper GDPR Data Breach Survey 2020: https://www.dlapiper.com/en/uk/insights/publications/2020/01/gdpr-data-breach-survey-2020/

64 As defined by ‘Homo economicus’: https://www.behavioraleconomics.com/resources/mini-encyclopedia-of-be/homo-economicus/

65 Nudge theory, which we discussed in Chapter 1.

66 Popularised in his book Thinking Fast and Slow (Kahneman, 2011).

67 A simple test to show the difference is as follows: multiply 2 × 2, 20 × 20 and then 17 × 24 without using a calculator. The last multiplication triggers System 2 thinking for most non-mathematicians, or a heuristic answer.

68 https://www.psychologistworld.com/influence/social-influence

69 Examples of top down change include: https://www.forbes.com/sites/grantfreeland/2018/07/16/culture-change-it-starts-at-the-top/ and Johnson and Scholes’ case study of change in KPMG (Johnson et al., 2012).

70 https://www.forbes.com/sites/forbesbusinesscouncil/2019/11/21/building-culture-from-the-top-down/

71 https://www.fca.org.uk/news/speeches/getting-culture-and-conduct-right-role-regulator

72 For example: https://othjournal.com/2018/06/18/innovation-from-the-bottom-up-how-design-thinking-can-transform-the-air-force-culture/ and https://www.forbes.com/sites/forbescoachescouncil/2018/10/17/how-to-empower-a-bottom-up-culture-in-your-company/

73 From Thaler and Sunstein (2009), Thaler et al. (2013) and https://www.sas.upenn.edu/~baron/475/choice.architecture.pdf

74 Configuring everyone’s laptop with automatic encryption is a good example. The owner never has to think about it and a level of security is automatically integrated into their normal workplace behaviour.

75 See https://hbr.org/2020/04/build-a-culture-that-aligns-with-peoples-values

76 See https://knowledge.insead.edu/strategy/culture-can-make-or-break-strategy-3730 and https://www.torbenrick.eu/blog/strategy/relationship-between-culture-and-strategy/

77 For example https://www.torbenrick.eu/blog/culture/dark-side-of-coporate-culture/ and https://www.torbenrick.eu/blog/culture/corporate-cultures-breed-dishonesty/ for good summaries.

78 To put our contribution into perspective, a search on Google Scholar for corporate culture change and organisational culture change produces about 5 million results in total.

79 ‘Culture comes from the past’: https://www.fca.org.uk/news/speeches/getting-culture-and-conduct-right-role-regulator

80 See https://www.kotterinc.com/8-steps-process-for-leading-change/. Schein also has a model for culture change, see for example: https://sites.psu.edu/global/2020/04/07/managing-organizational-change-lewin-schein/

81 Without diving into the politics, the #MeToo and Black Lives Matter campaigns are also visible reactions to toxic cultures in our four types (macro, organisational, sub and micro) and found in many institutions and organisations.

82 https://www.fca.org.uk/news/speeches/our-approach-cyber-security-financial-services-firms

83 https://hbr.org/2016/12/how-to-discover-your-companys-dna and https://www.torbenrick.eu/blog/culture/organizational-culture-needs-to-change-fundamentally/; see the quote from Sony.

84 https://hbswk.hbs.edu/archive/gerstner-changing-culture-at-ibm-lou-gerstner-discusses-changing-the-culture-at-ibm

85 Schein (2009) has some powerful examples in The Corporate Culture Survival Guide.

86 Slightly dated, but this is a great study of a strong culture and the efforts to change it: https://www.forbes.com/sites/stevedenning/2011/07/23/how-do-you-change-an-organizational-culture/

87 https://angelareddix.com/leadership/how-to-build-a-strong-organizational-culture/, https://www.forbes.com/sites/nazbeheshti/2018/09/17/3-strategies-to-build-a-strong-company-culture/ and https://www.shrm.org/ResourcesAndTools/tools-and-samples/toolkits/Pages/understandinganddevelopingorganizationalculture.aspx

88 https://hbr.org/2019/12/to-build-a-strong-culture-create-rules-that-are-unique-to-your-company

89 https://www.forbes.com/sites/davidrock/2019/05/24/fastest-way-to-change-culture/

90 https://www.forbes.com/sites/grantfreeland/2018/07/16/culture-change-it-starts-at-the-top/ is a very good case study of how changing board behaviours and focus can help to create the desired culture change.

91 I find it annoying that investment as a noun is hijacked by continual association to money.

92 Without straying into the field of organisational decision-making, it is worth remembering that many decisions are agreed before formal meetings (at any level). The formal meeting and decision merely confirm to a wider audience the decision that has been made.

93 Wikipedia has a list of 117 belief, decision-making and behavioural biases: https://en.wikipedia.org/wiki/List_of_cognitive_biases; see also: https://medium.com/better-humans/cognitive-bias-cheat-sheet-55a472476b18#.ltfki4836

94 Taylor and Fiske (1975) and https://thedecisionlab.com/biases/salience-bias/

95 ‘The initial response to a disaster warning is disbelief’ (Drabek, 1986, p. 72).

96 Or, ‘No plan survives contact with the enemy’, attributed to Graf Helmuth von Moltke the elder: ‘Kein Plan überlebt die erste Feindberührung’.

97 https://www.theatlantic.com/business/archive/2017/10/money-measure-everything-pricing-progress/543345/

98 For example: https://cybersecurity.att.com/blogs/security-essentials/how-to-justify-your-cybersecurity-budget

99 As an example, insert the name of any pop musician or celebrity since 1950!

100 https://www.mas.gov.sg/publications/monographs-or-information-paper/2020/information-paper-on-culture-and-conduct-practices-of-financial-institutions; see Outcomes 5 and 8.

101 In one such discussion, a cybersecurity professional told me, ‘I should be paid more than the entire board because I produce miracles with no money, no team and no support.’ I suppose it’s a matter of culture.

102 An obvious statement but one worth repeating: labour and employment laws and cultures differ around the world.

103 See for example: https://www.peoplemanagement.co.uk/voices/comment/has-your-organisation-turned-into-a-monoculture

104 Tools such as the Feynman technique can use and reinforce these stories.

105 A fellow cybersecurity professional once told me, ‘I would rather stick pins in my eyes than read another [cyber] security policy’.

106 https://www.iso.org/isoiec-27001-information-security.html

107 Download at: https://www.nist.gov/cyberframework

108 Download at: https://www.pcisecuritystandards.org/document_library

109 AIDA is attributed to E. St Elmo Lewis: https://www.oxfordreference.com/view/10.1093/oi/authority.20110803095432783

110 Scandinavian Air Systems, not the UK military’s Special Air Service.

111 The distance from Marathon to Athens, covered by the Athenian Army in full battle armour after the battle of Marathon to head off a further Persian landing nearer to Athens: 25 miles. In other words, a long and difficult journey, with the prospect of further battle at the end of it.

112 OK, you as the reader can say that I am being very negative and that, actually, you can build a security culture in certain types of organisations, such as cybersecurity companies, small to medium-sized organisations, start-ups where the culture is being formed or the business is cybersecurity, and organisations that have been through a major information security incident. Read on.

113 https://www.forbes.com/sites/tracybrower/2020/05/25/how-to-sustain-and-strengthen-company-culture-through-the-coronavirus-pandemic/
