
How to get employees to take cyber risk more seriously

To combat risky cyber security behaviour, organisations must move beyond awareness training and cultivate a culture where security violations are personally felt and socially unacceptable, leveraging existing values, real-world impacts, and even humour

Security has long focused on making employees aware of cyber risks and mitigating actions to take, yet this approach hasn’t been particularly effective in stopping dangerous behaviours.

According to a Gartner survey, 93% of employees knowingly carry out actions that increase risk to the organisation. In addition, 74% of employees would violate a cyber security policy to achieve a business objective.

It’s not that employees are malicious or careless; they’ve simply become used to bypassing controls like any other daily work expediency to finish activities faster and with minimal effort. One of the top three reasons cited by individuals for these types of behaviours is a lack of consequences.

This problem needs to be attacked culturally and by changing values. Rather than relying on direct punishment, security leaders must adapt how they reach employees, finding new ways to make cyber risk feel real enough that they avoid dangerous behaviours on their own. Cultural levers such as peer pressure are useful in reinforcing this.

A great example is the famous “loose lips sink ships” campaign the US used during World War II. It became a very effective slogan that made war gossip unpatriotic because it tied action and consequence together, at a time when those consequences could be very personal: a loved one could be on that ship.

Contrast this with organisations today. How do you create a security behaviour and culture programme that’s just as effective?

Organisations need to make violating security policies “unpatriotic” by highlighting the personal consequences of cyber risk. The best way to achieve this is to use powerful imagery and deliver a high-impact sentence or two in communications that evokes an emotional response.

Messaging also needs to remain as visible as possible: posters, ads in employee newsletters or portals, or senior leaders discussing why a given set of values is important to the company.

Tie actions closely to impacts

Humans are naturally motivated to seek opportunity and avoid danger. Make the impacts – positive or negative – of cyber security decisions clear and personal. Focus on impact rather than consequences because it opens up the possibility of positive communications.

Highlighting positive impacts and role models will go far in changing cultural attitudes. Adding a real-person example also serves as a clear instruction to others and showcases them even more as a cyber security role model.

Springboard off existing corporate values

It’s easier to cultivate or change a belief when it's tied to things people already believe. Safety is often a core corporate value in energy and utilities sectors, just as financial security is in banking and insurance, or quality is in manufacturing. Tie these values unequivocally to cyber security and use them to amplify the cultural impact of messaging.

Changing culture takes intention and work. Much like how cyber security can’t expect “awareness” to do the work for us, we can’t simply proclaim “safety.” The connection needs to be made for the workforce.

Amplify consequences with perceived social pressure

Consider communications that play on built-in social pressure not to cause harm to others. This works well in high-risk environments like banks, or in environments where a physical safety culture is already the norm (e.g., hospitals, manufacturing or mining).

An Australian bank, for example, made data and confidentiality breaches real for its people by training employees that abusive domestic partners could use the bank to get the residential details of an estranged partner with potentially lethal consequences.

In environments with less inherent risk and built-in cultural awareness of safety in general, making the messages about a real person can have great impact. Highlighting the people who do the right thing as role models is effective. This reinforces the social pressure, as well as sets an example for others to follow.

Make it personal

Values and beliefs around risk change when the person can imagine the consequences happening to them or someone they care about. Focusing messaging on the very real threat that identity theft poses to all, for example, makes internalising the consequences easier. Empathetic imagery also helps in these kinds of messages.

Similarly, messaging that acknowledges the hassle of complying with security controls, while showing how skipping them causes problems for colleagues, makes the issue personal and applies social pressure.

Make it fun

Humour is inherently memorable. Though it can be challenging to connect risk outcomes in a humorous way, it can leave a lasting impression when done well.

An Australian private school, for example, played on the age-old fear that rule-breaking will do lasting damage to a student's prospects, creating a poster of a student in uniform, holding a lunchbox and a stack of credit card bills, with the slogan: “Identity theft will stay on your permanent record.”

The best and most impactful messaging connects consequences, amplifies them with social pressure, springboards off existing beliefs and values, is personally relatable, and ideally fun. If all of these boxes can be ticked in communications with employees, organisations will be more successful in changing dangerous behaviours.

Leigh McMullen is a distinguished vice-president, analyst and Gartner Fellow at Gartner
