This question of security culture is discussed in Luke’s group.
IMO, culture is a big issue and varies from company to company. I would:
- clarify the management’s expectations regarding security and culture,
- set the goals according to those expectations and/or requirements,
- analyze the dimensions of security culture, and
- define metrics and KPIs to measure if the goals are achieved.
The following are some factors to consider:
- the risk appetite of the board,
- arrangement of the security function,
- the soundness of the policy framework,
- security budget,
- meeting frequency or attendance of the management,
- the readiness of the management system,
- total hours of training and education,
- the number of incidents reported, and
- sense of urgency and accountability, etc.