While some sectors scaled back their security culture efforts, there was overall improvement worldwide in the past year, according to security awareness and training company KnowBe4's 2022 Security Culture Report.

More than 530,000 employees at almost 3,000 different organizations were surveyed by KnowBe4 Research, which is part of the same organization that offers security awareness training.

Researchers approached the issue with the understanding that regardless of an organization’s location or goal, its security awareness, behavior, and culture are demonstrated through its ideas, customs, and social behaviors.

“Security culture involves how people think about and approach a more secure environment, and this report focuses on those key elements,” Perry Carpenter, chief strategy officer for KnowBe4 and one of the authors of the report, said in a press release.

The research measured seven aspects of security culture, including attitudes, behaviors, cognition, communication, compliance, norms, and responsibilities. The report is based on survey responses from more than 257,000 employees.

Across all countries and regions, “large organizations report better attitudes and behaviors than smaller organizations,” the report said. “On the other hand, small organizations scored better on all other dimensions, something that is really visible on the communication dimension.”

The countries/regions with higher security culture scores included Bulgaria, Europe, Ireland, Italy, and Sweden, although there were large variations between European countries.

“Considering the ongoing geopolitical situation, our recommendations are that countries in Europe take action to improve their security culture by assessing their employees and implementing training and education programs to ensure the right security behaviors,” the report said.

The countries/regions with “alarmingly low” scores included Asia overall, and Indonesia and Malaysia in particular. Japan, however, stands out as a country that scored well. The researchers noted that the results may have been skewed due to the comparatively smaller sample size that came from the region. Researchers recommended that organizations in Asia invest in security awareness, behavior, and culture programs.

Organizations in the United States displayed differences in their respective security cultures, with the trend that small organizations score better than larger ones. Meanwhile, Canadian organizations displayed largely consistent scores regardless of the size, but several states produced a low sample size. The smaller samples indicated that most organizations have not implemented even minimal security measures.

Researchers recommended that Canadian organizations develop and roll out “adequate security culture measures, including training and assessments,” while U.S. organizations “assess their employees to identify weak spots in employees’ understanding around their role and responsibilities toward security, and implement training and education programs to improve.”

Mexico scored the highest among countries in Central America (which also provided a low sample size), while Colombia ranked well above other nations in South America. Researchers recommended that organizations in both Central and South America implement sufficient security culture measures, including assessments and training.

For Africa, the report found that despite both an interest in and tradition of security culture, the score was not as high as expected. However, researchers expect improvement with more African nations measuring these dimensions in the future.  

Over in the Oceania region, although Australia and New Zealand displayed “quite different” security cultures, neither scored notably well.

“It is highly recommended that organizations in this region step up their investments in security awareness, behavior, and culture going forward,” the report said.

“In the new trend data, which looked at security culture over the last two to three years, security culture has improved across regions and industries overall,” Carpenter added. “This was the most promising finding from our research and emphasizes that security culture should be viewed as a critical asset used to reduce risk and improve security.”

The researchers also looked at the survey results in different frames of reference, including by industry. The full report can be found here.