
How to improve security culture within an organization

By Erich Kron

June 23, 2023

The phrase “Security Culture” gets thrown around a lot these days both in the media and within organizations. But what does it really mean and how can organizations achieve a positive security culture? 

Behind every security system in place is a workforce of people, some of whom may not understand why it’s important to lock their computers when they leave their desk, never leave their keys unattended or why they should never click a link in an unsolicited email. For some organizations, there could be up to thousands of employees encountering threats daily.

Security culture is defined as “the ideas, customs and social behaviors of a group that influence its security.” If the employees who make up an organization are careful to maintain good security hygiene, then a resolute security culture is formed. If they do not, then the organization is at a much higher risk.

Security culture can be broken down into seven dimensions:

  1. Employee attitudes to security and policy
  2. Behaviors
  3. Cognitive processes surrounding security
  4. Quality of communication
  5. Compliance with security policies
  6. Organizational unwritten rules or norms
  7. Individual responsibilities

There are likewise seven steps in implementing a quality security culture. Keep in mind that something like this does not change overnight. A plan may span many business cycles or years.

The first step is to choose one or two dimensions of security culture to initially focus on. Don’t attempt to change every aspect of the culture at once as this will be difficult to achieve. It is important to note, however, that improving one dimension will often result in an indirect positive effect on the rest.

Narrowing down the organization’s top security risks is a good place to start. Say that employees lack understanding of common industry threats or they commonly fall for social engineering attacks. These would be two areas that should be addressed first.

Make a plan to address these issues on an organizational scale. This plan could consist of formal policy changes or a more casually organized effort. If there are already employees who have good security hygiene, choose them as representatives to model appropriate security behaviors. It is more likely that employees will adopt certain practices if they see that their peers are doing the same.

The next step is to take this plan to executive leadership. It is likely that they won’t want all the nitty-gritty details yet, but be sure to explain to them how the current security culture is lacking and how changing it will benefit the organization overall.

Once leadership buy-in is secured, communicate these changes to the wider workforce. The most important thing is to communicate the “why” of it: why the current practices are unsafe, why these changes are necessary, and why such changes will benefit every member of the organization. Most individuals want to know why they should spend the extra time on a new policy when they could otherwise be accomplishing something else. Emphasize that a well-functioning and profitable business will protect every member of the organization.

Consider taking a survey at this point to gauge employee attitudes and behaviors prior to the plan’s roll-out. Then, execute the plan for the first business cycle. A three-to-six-month period is reasonable for testing the waters. Be prepared to face resistance and to deal with any unforeseen issues that arise. Make note for the next cycle.

Once the plan has been executed and the first cycle has come to a close, take another survey and create a report to share with leadership. It’s also a good idea to share the results with the wider organization so that employees may see the fruits of their efforts. If all goes well, there will be an improvement in attitudes, security practices, and overall risk.

Using the report, analyze where the plan succeeded and where it struggled and why. Likewise, take a look at some of the other dimensions of security culture and see where the organization can improve in some new areas. From there, decide how to move forward for the next business cycle(s). Remember, don’t try to accomplish everything at once. Instead, slowly trickle in new best practices and continue to encourage quality behaviors and reinforce the same messaging from prior cycles. 

The key point here is that a poor security culture will not be fixed overnight. It is perhaps a daunting task to take on such a large-scale behavioral shift in an organization; however, the importance of doing so cannot be overstated.

Security safety in an organization starts and ends with its employees. Having a strong security culture will set an organization apart and will protect it from the many consequences that plague businesses in this day and age. Most importantly, in having fostered a quality security culture, an organization may rest easy and instead focus its energies on succeeding in its goals.

This article originally ran in Security, a twice-monthly security-focused eNewsletter for security end users, brought to you by Security magazine. Subscribe here.

Erich Kron is a security awareness advocate at KnowBe4, a provider of security awareness training and a simulated phishing platform.
