In the Industry Benchmark section of the 2021 Security Culture Report, we describe the security culture scores of each industry sector in detail. This section of the report can be used to get a deep dive into specific industries, and as a benchmark to compare your own scores against those of different industry sectors.
Detailed analysis shows that the majority of all analyzed organizations managed to develop a mediocre or moderate security culture, while only a small portion of organizations have a good security culture. The mean and median of the total security culture score are both 73:
Alarmingly, a few organizations are scoring in the Poor bracket and no organizations have reached an Excellent security culture score yet:
Which Industries Have the Best and Worst Security Cultures?
Security culture across the industries varies. Again, the 2021 Security Culture Report reveals a gap between the best performers and the poor performers:
The best performers are Financial Services and Banking, two industries with a long tradition of managing risk. However, being a “best performer” doesn’t necessarily equate to having performed at a desirable level. For instance, a score of 76, as achieved by Banking and Financial Services, is well below a Good security culture, and these industries shouldn’t be too quick to congratulate themselves.
Research into how security culture influences credential sharing shows that moving from one security culture class to another is directly correlated with risk. By improving from the current class of Moderate to the next class of Good security culture, these industries see an eight-fold reduction in employees sharing credentials:
The worst performers were Education and Construction. Even though Education is still at the bottom of the list, this industry has shown a significant improvement compared to earlier years and is now demonstrating Moderate security culture.
Unlike the Education industry, Construction experienced a drop in its security culture during the pandemic. Other industries with a reduction in security culture are the Consumer Services industry, with a new score of 72, and Business Services, with a new score of 74.
Suffering from Chaos and Confusion
A comparison to last year's results reveals which industries triumphed and which languished. As already mentioned, Construction, Consumer Services and Business Services saw their overall Security Culture Benchmark figure drop one point lower this year. The COVID-19 pandemic has caused chaos and confusion for many.
Numerous organizations have had to make tough financial decisions, and a global reduction in workforce may explain why we see a decline in security culture in these three industries.
The chart, below left, shows the change in security culture within the Business Services industry (-1). This industry has traditionally shown a relatively high score, making this change somewhat surprising. You can also see a breakdown of this score across the seven dimensions, below right, which reveals its security culture strengths and weaknesses.
Embracing Digital Transformation
On a brighter note, even if some users seem to struggle with transforming their business digitally, the adoption of technology is showing an improved security culture in other industries. The report reveals two industries that saw positive changes in their security culture.
With a score of 70 (shown below left), Education is two points up from last year. This improvement may be explained by education being moved from classrooms to virtual settings due to the COVID-19 pandemic and the associated technology systems and training changes. Below right, you can see how the Education sector scores across the seven dimensions, which reveals this industry's security culture strengths and weaknesses.
The Legal industry also increased its score by two points. Again, digital transformation may explain this improvement as many legal processes and procedures have moved online. In addition, this industry has had an increased demand for cybersecurity and privacy lawyers due to the increase in cyber attacks. Legal practices that facilitate the collection and protection of data have thrived.
What is Security Culture?
Security culture is the ideas, customs and social behaviors that impact an organization’s security. In information security culture, we look at how the cultural aspects influence information management. In cybersecurity culture, the focus is on the part of information management that uses cyber technology to create, manipulate or store information and data.
The purpose of the security culture survey and the Security Culture Report is to provide an objective scientific method for assessing, reporting and comparing the relative information security culture‑related strengths and weaknesses of individuals, organizations, industry sectors, regions and more.
Results from this year’s Security Culture Report reveal that 2020 was heavily influenced by the global effects of COVID-19. We see pandemic-related ripples within some of the year-over-year changes detected in security culture.