Many employees knowingly take actions that increase cybersecurity risks for their companies. A large majority of employees are also willing to bypass security measures to achieve business goals. One of the main reasons for this risky behavior is a perceived lack of consequences.
To address this, security leaders need to change how they engage employees. Rather than focusing solely on awareness, it is vital to make the risks feel tangible and avoidable, not merely to threaten direct punishment. Companies need to show employees the personal consequences of cyber risk, using messages that are emotionally resonant and meaningful rather than abstract.
Positive reinforcement, such as highlighting the positive impact of good practice and holding up role models, should also be used.
Connecting cybersecurity to core corporate values is also effective. For example, a company with an established focus on safety can link that value directly to cybersecurity practices, amplifying the cultural message.
Security communications should also leverage social pressure. Highlighting how a breach can harm colleagues and customers fosters a sense of collective responsibility. This works especially well in high-stakes environments and in organizations where a safety culture is already in place.
Making security personal is also key. Illustrating how the same threats play out in an employee's own life, rather than only in the abstract for the company, creates an emotional response that abstract policy does not.
Finally, where appropriate, humor can make security messages more memorable. Messaging that connects actions to consequences, uses social pressure, aligns with existing values, resonates personally, and incorporates humor can significantly influence behavior and improve cybersecurity culture.