
3 steps to promote a human-centric security awareness culture

By Perry Carpenter

May 3, 2021

Human error contributes to almost 95% of security breaches, yet most security approaches still fail to make the desired impact. Let’s analyze the two main reasons why businesses fail to develop a robust, human-centric security approach.


  1. Security awareness alone cannot influence positive security behavior

London-based security association The ISF determined that 92% of enterprises run some form of security awareness campaign, but only one-third commit budget to a behavior or culture change program. It appears that businesses are either too focused on satisfying compliance mandates or not engaged enough in a sustained effort to make behavioral changes.


  2. Change management and sustaining positive behavior are complex challenges

Security behavior is influenced by a number of internal and external factors, which makes changing it an incredibly complex challenge. Internal factors involve attributes like psychology, cultural attitudes, motivation and competence. Do employees know and understand the types of risks they are exposed to? Do they understand the security measures the business is taking? Do they understand the consequences of their actions for the business?

External factors relate to attributes like organizational communication (how a business communicates to its workforce), capabilities (tools and resources provided to employees) and the influence (or culture) of senior leaders in setting an example to the workforce. Shortcomings in either internal or external factors can derail change management efforts.


Key steps in developing a human-centric security awareness program

A human-centric security program can be executed in different ways, and no two programs are alike. That said, the steps outlined below can help any organization, regardless of its size, budget or approach, implement a robust security awareness foundation:


Step 1: Establish a behavioral baseline

Organizations frequently embark on security awareness programs without first assessing their current status. Establishing a baseline upfront helps the business identify strong and weak spots and determine where the program is heading. Businesses should gain insight into where they are now in terms of security behavior, the risk profile of each role and department, and what the business is currently doing to influence change.

Collecting evidence of security behavior from both qualitative and quantitative sources of information might be a good place to start. Historical datasets, risk assessment results and user behavior analytics are some examples of quantitative sources that businesses can use to evaluate their current security posture. Focus groups and behavioral response tests are examples of qualitative sources that organizations can use to measure status or current ability.


Step 2: Implement security initiatives

Once a baseline is drawn and an action plan is established, you can proceed with implementing your security initiative. It’s vital for businesses to take culture and psychology into consideration, because people have an innate desire to feel valued and to act authentically without fear of reprisal. Findings from a PwC study showed that a majority of employees fear retribution if they raise a security concern. A culture of blame, shame or punishment will ostracize employees, make them less likely to report incidents, and inadvertently push them towards acting negligently.

Ensure communication is tailored to your particular audience. Employees are not homogeneous; someone in sales may not face the same threat level as a senior executive. Instead of running a blanket message, tailor communication to employee roles so that it resonates and improves engagement. Focusing on high-risk user groups first will improve security effectiveness.

Emotional engagement is another important aspect of training. Gamification, contests and other forms of simulation exercises can be extremely effective compared with content that is dull, boring or mundane. People are receptive to regional narratives, and such stories are more likely to be remembered. Content should be served up in smaller, digestible doses on a frequent basis, so that it doesn’t overwhelm training efforts while helping to develop the muscle memory to recognize potential threats.


Step 3: Secure behavior by design

Individuals may experience a number of security threats throughout the day, but the tools and systems available to them are not always designed in a way that allows them to effectively manage or report those threats. By the time an employee realizes they’ve made an error or that information has been compromised, it might be too late. Because current security measures aren’t connecting with people, adopting a cybersecurity-savvy culture means improving internal awareness and engagement so that employees know the policies, tools and procedures the business has put in place and the efforts it is making.

Secure behavior by design is an approach for developing systems, applications, processes and physical environments in a manner that guides and shapes positive security behaviors without acting as a deterrent to productivity. A good example can be something as simple as reporting a phishing email. In an insecure design, an employee would have to check the company policy to find the right contact to report the phishing incident. In a secure-by-design system, a phishing report button lets the employee send a suspicious email to the security team with one click. People tend to mimic a wider group, so if policies are designed to enable individuals to proactively act securely, and if leadership sets the right example, chances are other people will follow suit until, over time, the entire office manifests a security mindset.

To summarize, businesses that aim to champion security awareness and education should:

  • Have a deeper understanding of the types of risks each individual would experience.
  • Implement a program that accounts for psychology, culture and emotional engagement.
  • Invest in progressive policies that help influence positive security behavior.


KEYWORDS: cyber security human error incident response insider threats risk management


Perry Carpenter is the author of Transformational Security Awareness: What Neuroscientists, Storytellers, and Marketers Can Teach Us About Driving Secure Behaviors (Wiley, 2019). Working with noted hacker Kevin Mitnick, he is Chief Evangelist/Strategy Officer for KnowBe4, developer of security awareness training and simulated phishing platforms with over 30,000 customers and 2 million users. He holds an MS in Information Assurance (MSIA) from Norwich University and is a Certified Chief Information Security Officer (C|CISO).
