How to create a security culture in your organization

July 7, 2020  |  Nahla Davies

This blog was written by an independent guest blogger.

As our personal and business lives move into the digital sphere, implementing robust cybersecurity practices has quickly become a necessity. Much like brushing your teeth twice a day or making sure you get eight hours of sleep each night, it’s important to regularly protect and clean our data.

Indeed, with 70% of Americans conducting their banking primarily online, it’s easy to see that a lapse in judgment or ignorance of how to stay safe could have serious consequences for many.

Unfortunately, sufficient cyber hygiene practices are rare. A recent survey by Avast revealed that 83% of Americans use weak passwords, meaning that a large portion of the country’s private information is within arm’s reach of a hacker.

This spells trouble for businesses. If so few individuals can implement proper security protocols in their personal lives, how can businesses with hundreds or thousands of employees ensure that each of them will keep the company’s information safe? As they say: a set of loose lips can sink a ship — or in this case, leave a company’s data vulnerable to attack.

A recent literature review by a research group at Royal Holloway, University of London looked into the factors that affect cybersecurity behaviors within organizations. They found that the key to an organization’s digital safety is fostering a robust security culture.

While there’s no magic bullet that will instantly transform a poor security culture into a good one, there are specific actions that organizations can take to move them in the right direction. Here, we’ll take a look at what leads to a strong security culture and what companies can do to promote one.

What is security culture?

In general, security culture can be thought of as a series of security-related beliefs held by a group or organization and the behaviors that follow from those ideas.

For example, a good security culture is one in which the organization as a whole believes in the importance of cybersecurity, uses secure invoicing software, and enforces policies on strong passwords. A poor security culture would be one in which the CEO decries cybersecurity practices as a waste of time and allows employees to send passwords via unencrypted email.

Based on recent research, the factors that affect security culture can largely be divided into four main subcategories: compliance with company policy, intergroup dynamics, email behavior, and password behavior.

How to improve compliance with company policy

In this day and age, many organizations have some kind of company policy on cybersecurity best practices. However, merely having a policy doesn’t mean that employees will follow the rules. Unfortunately, it’s estimated that over half of all company security breaches are the direct result of an employee failing to adhere to company policy, not the lack of a strict policy in the first place.

In many cases, these failures to comply occur because employees believe that the policies are simply guidelines, not hard rules. They will weigh the perceived rewards (typically convenience) and the consequences of their actions when deciding whether or not to comply.

Despite the numerous security benefits of a VPN, some employees may not want to bother taking the extra few seconds to connect to one before transmitting sensitive information, in turn leaving that data vulnerable to interception. Or worse, their employer doesn’t offer VPN services and so they try to cut costs and use free VPN apps, which are notoriously insecure and may even contain malware.

Overall, increasing compliance among employees is a tough task. Although employees appear to weigh the risks and rewards before deciding whether to comply with policy, it’s not clear that rewarding good behavior or punishing noncompliance has any effect.

But there is evidence that overall job satisfaction and positive reinforcement by an employee’s peers do lead to improved compliance outcomes. Given this, the best way to deal with compliance issues appears to be ensuring that employees feel satisfied with their work and making it clear that cybersecurity is a top priority for the company. In this way, employees, supervisors, and other workers are more likely to view cybersecurity as a core part of the job that they enjoy, and consequently, comply with company policy.

How to improve intergroup dynamics

Intergroup dynamics refers to how different groups within a company interact and communicate. Some of the effects that poor communication can have are obvious: when communication isn’t clear and efficient, important messages about the company’s stance on cybersecurity can easily get lost in translation.

But cybersecurity issues from poor intergroup dynamics aren’t just due to games of broken telephone. Research indicates that many issues arise from differing views between departments. For example, IT staff may view employees as a threat to company security, while the employees are more likely to view themselves as a security asset that can actively protect important data.

This difference in framing can lead to negative feelings and tensions between different groups and contribute to an unwillingness to take the other side’s recommendations to heart. In more concrete terms, this could mean an employee thinking the IT staff is being annoying for forcing frequent password changes, despite it being a useful security measure. That employee may then tune out future guidance.

To improve intergroup dynamics, many researchers advocate for increased face-to-face contact between departments to help increase positive feelings. Small meetings between security staff and employees are viewed as particularly efficient. Additionally, company leadership should work to improve a sense of unity and identity among all departments and groups.

How to improve email and phishing behavior

For many companies, email is the primary method of communication. Unfortunately, email is also a minefield of phishing attacks — socially engineered cyber attacks that attempt to trick an email recipient into clicking a malicious link, downloading a harmful attachment, or providing information to the phisher.

For example, a phisher may send an email that’s designed to look like it’s coming from the recipient’s bank. The email will then ask the recipient to click a link and log in. After “logging in,” the victim’s bank login information will be sent to the phisher, not the bank.

While it may seem that training employees on identifying phishing tactics would help them improve in this area, research indicates that it’s not sufficient. However, it does play an important part. For the best outcomes, organizations should evaluate employees’ individual competencies, train them on their knowledge gaps specifically, and then test them afterward to ensure there has been an improvement.

How to improve password behavior

Many of the security issues with passwords don’t come from failing to create a safe password, but rather from the behaviors that occur after a password is set. Sharing passwords with coworkers, writing passwords on Post-It notes on an employee’s monitor, and failing to change them frequently are all behaviors associated with an increased security risk.

Unfortunately, imposing very strict password policies doesn’t necessarily help. Enforcing rules that lead to employee frustration, such as requiring that employees memorize excessively long randomized passwords, can be problematic.

Research indicates that the key to improving password behavior is finding a midpoint between company security and employee frustration. Overall, the best approach is figuring out a way to make it easy for employees to use strong passwords, such as using a password manager, while also highlighting the reasons that they’re so important.


In all aspects of security culture, education and awareness campaigns have generally been associated with positive outcomes. However, there is evidence that simply being aware of cybersecurity best practices is not enough to create behavioral change.

To fill in that gap, attitudinal change is required. This may include appealing to an employee’s fear and drilling in the idea that the risks of non-compliance with company policy outweigh the benefits of convenience.

Finally, company leadership needs to step up to the plate. Company culture is largely determined by the management, so if the leadership isn’t invested in cybersecurity, the employees won’t be either.
