Over time, experience—and sometimes hard lessons—has shown that security is more than just technology, processes, or a team of IT specialists. Without a strong corporate culture that prioritizes cybersecurity, even the best efforts can be overlooked or misunderstood. So, how can companies get employees involved in improving security?
The question raised above is on the minds of almost every CISO. Based on industry experience, here are the key conclusions most often reached:
First, raise awareness. Organizations typically start by drafting security policies, assigning basic training to employees, running phishing simulations, etc. While this approach makes sense from an information security management perspective—being structured and measurable—it often fails to connect with real people, their knowledge, beliefs, and behaviors. It may look effective on paper, but does it truly address the human factor in cybersecurity?
For example, a company may focus heavily on training employees to spot phishing emails but overlook fax security—a still widely used but often forgotten method for transmitting sensitive data. If employees do not see security as a dynamic and evolving responsibility, they may assume that following a basic checklist is enough, leaving various gaps that attackers can exploit.
Second, develop a cybersecurity culture. The key objectives here are to actively engage employees in cybersecurity, shift unsafe behavior patterns, and embed security into the organization’s DNA. While this approach is harder to define, implement, and measure, it is the one that truly makes a difference in the long run.
Culture Shapes Behavior
Culture has many layers and components. The behaviors we observe in others—and our own actions—form patterns that shape daily interactions. These patterns are driven by underlying beliefs, values, ways of thinking, and past experiences, influencing why we act a certain way rather than another.
Now, let’s apply this to cybersecurity. Imagine an organization where employees routinely open phishing emails, click on suspicious links, download malware, and disregard security policies. This behavior is often driven by underlying beliefs such as: “Security is not my concern,” “Nothing bad will happen if I open this file,” or “If something goes wrong, it is IT’s responsibility, not mine.”
These deeply ingrained mindsets prevent employees from recognizing security risks and adopting safer practices. Simply put, they do not see cybersecurity as their problem.
We can have the most well-designed strategies, structured processes, and cutting-edge security tools, but ultimately, employee behavior is shaped by company culture. In other words, culture is reflected in how people make decisions when no one is watching and how they act in the absence of direct oversight. If security is not embedded in the culture, even the best plans and tools will not be enough to prevent risky behavior.
Security Must Match Culture
The security culture within an organization is a reflection of its overall corporate culture. If a company operates with a strict hierarchical structure, where processes and subordination are rigidly defined, then flexible and situational approaches to cybersecurity awareness will not be effective.
In such an environment, entertaining methods like cybersecurity cartoons or board games are unlikely to resonate with employees. Security initiatives must always align with the organization’s broader cultural framework to be truly impactful.
The same applies in reverse—if you impose strict security policies and punitive measures in a company with a startup culture, you risk alienating employees. At best, they may misunderstand the reasoning behind the rules; at worst, they may become resentful and resistant. For security initiatives to be effective, they must align with the company’s existing culture rather than clash with it.
Cybersecurity Culture or Fear of Fines?
Problem: Imagine we have a developer named Alex in our company. On average, it takes him 10 days to write code, test it, and pass quality and security checks. However, he is working within a sprint with a 7-day deadline. So, what will Alex do?
Will Alex release his code on time but with minimal testing? Or will he miss the deadline to ensure high-quality, secure code?
Answer: His decision will depend entirely on the company’s culture.
The key factor in Alex’s decision will be what the company prioritizes—whether he faces the consequences for missing the sprint deadline or for delivering insecure code.
“Will I be fired if I do not meet the sprint? Or will I be held accountable for releasing unsafe code?”
His choice will ultimately reflect what the company values and rewards.
Alex is well aware that deadlines and time-to-market are the company’s top priorities. He sees it in newsletters, hears it from management in meetings, and picks up on it in conversations with colleagues.
In this environment, deadlines and security become competing priorities, forcing him to choose between speed and safety.
“It would be nice to deliver secure code, but it is not a necessity. The main priority is meeting the deadline.”
Alex makes his decision—he submits the code, even though it is not fully secure. Nothing happens. No repercussions. He moves on to the next task. The company is silently accumulating technical debt in the form of security risks. If Alex is working on sensitive features like identity verification, payment orchestration, or data encryption, the consequences of releasing insecure code could be catastrophic. At some point, this debt does not just remain internal—it turns into headline-making breaches and data leaks.
The real issue is not just one specific security incident; it is the result of thousands of daily decisions made across the organization—each one prioritizing speed over security.
Changing Employee Behavior: Training
First, we need to define what behaviors we want to change and what we aim to teach. These questions should guide the development of training materials, courses, and security guidelines every single time.
Second, the answers go deeper than they may seem. To drive real change, we must understand our target audience—their roles, daily responsibilities, and the specific situations where they are most likely to make unsafe decisions.
Without this insight, training risks being generic and ineffective. For example, HR staff may need guidance on securely handling personal data, while physical security staff may benefit from training on Wi-Fi camera security and the risks associated with IoT and deepfakes.
You can segment your target audience in various ways. Most methodologies classify them into three main groups: IT, non-IT, and top management.
Each group can be further broken down for a more precise understanding of knowledge gaps:
- IT: Developers, analysts, testers, DevOps, system administrators.
- Non-IT: HR, finance, legal, administrative departments.
The more detailed the segmentation, the clearer it becomes who needs training, what they need to learn, and how best to deliver it.
Qualitative and quantitative research are essential for identifying gaps in employee cybersecurity knowledge.
- Qualitative research involves interviews and discussions with employees to understand how they handle information in their daily tasks. These conversations help uncover patterns of unsafe behavior.
- Quantitative research follows, using mass surveys to validate or refute the conclusions and hypotheses formed during the qualitative phase.
Only after completing thorough research should the development of a training program begin. This approach ensures that the training is targeted, tailored to the specific needs of the audience, and ultimately more effective in addressing real security challenges.
Changing Employee Behavior: Communication
Unfortunately, simply training people is not enough. They need to be actively engaged in cybersecurity, making it a part of their daily mindset and decision-making.
To achieve this, security must be valued and reinforced with positive incentives. Open, direct, and trust-building communication is essential.
One of the biggest risks for an information security team is being unaware of real issues because employees fear reporting incidents. When security policies rely on intimidation or punishment, people are more likely to hide mistakes rather than learn from them. Creating competition between security and business priorities only worsens the situation. Instead, organizations must foster a culture of trust where employees feel comfortable discussing security concerns openly.
An important part of this approach is positive reinforcement. Even small gestures, like company swag or non-material rewards for vigilance, can encourage employees to be more proactive about security.
This approach helps build a culture where employees genuinely care about information security and incidents are not covered up. When reporting a security concern is met with appreciation rather than punishment, people feel encouraged to act responsibly. Instead of fearing consequences, they are motivated by recognition and rewards.
What Drives Secure Behavior?
There are two types of motivation: external and internal. External motivation comes from how others perceive your achievements—things like bonuses, badges, and awards. Internal motivation, on the other hand, is driven by personal reasons, such as genuine interest, satisfaction from accomplishing goals, a sense of status, or simply enjoying the process. While both play a role, internal motivation tends to be the stronger force.
To build internal motivation, it is helpful to organize engaging activities that spark curiosity and excitement. Competitive events like Capture the Flag games, hackathons, quizzes, and challenges can make learning more interactive. You can also use creative approaches, such as demo days or even a series of short, humorous videos about security, to keep participants interested and motivated.
It is important to make communication not just informative, but also motivating. Social rewards still hold significant power, and major businesses actively leverage them to market their products and services. For example:
- A steam generator with a five-star rating on a marketplace? Probably worth buying.
- Another 10 people are interested in the same room as you (on a hotel website).
Social proof is just as powerful in the world of information security.
In an experiment conducted in collaboration with a major international social network, two different messages were tested to encourage users to enable multi-factor authentication (MFA):
The first message was straightforward: “You can keep your accounts safe—please set up multi-factor authentication.” Some users followed through and enabled MFA.
The second message leveraged social proof: “Did you know that 93 of your friends already have MFA enabled?” This minor tweak led to 1.45 times more activations of the security feature.
The experiment highlighted how people are more likely to take action when they see others—especially their peers—doing the same.
Conclusion
In recent years, dozens of methods have been developed to measure information security culture, including qualitative, quantitative, behavioral, and mixed approaches.
However, there is no universal solution—and there never will be. The most effective metrics are those that capture real changes in behavior and align with existing business processes. At the same time, security priorities differ across industries, meaning that metrics designed for IT may not be relevant for sectors like oil and gas.
Many factors influence an organization’s approach to security culture, including its industry, size, corporate goals, key performance indicators, and priorities. Some companies may prioritize raising overall security awareness, while others focus on fostering a secure coding culture. Regardless of the specific goals, it is crucial to remember that security is ultimately about people and their behavior. A security culture cannot exist in isolation—it must be seamlessly integrated into the company’s broader corporate culture.
Alex Vakulov is a cybersecurity researcher with more than 20 years of experience in malware analysis and strong malware removal skills.