
Five lessons for a stronger security culture
Security culture refers to the assumptions, values, and practices that shape the behaviours that keep organisations and their employees safe. A strong security culture isn’t just about having the right technology – it means embedding the right security mindsets and behaviours into the fabric of the organisation.
Up to 95 percent of security incidents typically result from human actions, whether unintentional or otherwise. To protect what matters, organisations can embed the right security behaviours into their culture, creating an effective line of defence while strengthening a whole society approach to security.
A robust security culture ensures that all individuals within the organisation understand their role in maintaining security and take proactive steps each day to enhance it. The most effective approach is rooted in behavioural science, creating a positive and active security culture that resonates with employees at all levels, increasing the capacity of security teams to horizon-scan for new or emerging threats. However, a recent survey conducted by PA and Opinium found that over half (55 percent) of UK citizens view the country as less safe today, with particular concern about cyber threats to critical national infrastructure.
We’ve supported clients across the private and public sector to shift how people engage with security resources, increasing employee vigilance and reducing security incidents. Through our behavioural change work, we’ve uncovered five lessons that security teams can use to foster a good security culture across teams and roles:
1. Align security with organisational purpose and strengths
It’s essential for people to understand how their behaviours directly contribute to their organisation’s mission and feel connected to the desired outcomes. When employees see the direct link between their actions and the organisation’s purpose, they are more likely to be engaged and proactive in maintaining a strong security culture. This alignment fosters accountability and engagement, making security a shared responsibility that everyone is committed to upholding.
Don’t fight wider organisational culture; instead, leverage people’s values, practices, and individual behaviours to communicate security best practices most effectively. Aligning security initiatives with existing cultural strengths creates a more cohesive and supportive environment where authentic security measures are naturally integrated into the way people work. For example, when working with a large consumer and manufacturing organisation, we put their iconic branding and beloved mascot to use to embed key security behaviours.
2. Make it easy to do the right thing
Reduce barriers and ensure that security guidance is clear and accessible. Simplify processes, provide straightforward instructions, and introduce habits so that following security protocols is seamless and intuitive.
For instance, working with a defence and security client, we consolidated all their security guidance into one central location, making the information easy to understand through detailed guides, concise summaries, and practical examples. To ensure accessibility, we provided hard and soft copies, as well as posters in high-traffic areas. This user-centric approach focused on how employees interact with security measures in their daily routines, rather than how the security function might traditionally present them. By prioritising the user’s point of view, we made it easier for employees to access, understand, and integrate security measures into their daily activities.
3. Focus on positive, actionable behaviours
By clearly identifying and promoting specific, observable behaviours that enhance security, you provide practical examples for employees to follow, increasing the adoption and sustainment of secure behaviour. Communicating these behaviours in a positive and active manner empowers individuals to take personal responsibility. This approach is strengthened when done in a respectful, peer-to-peer way, rather than through a parent-child dynamic. Positive reinforcement and practical actions help embed good security practices into daily rituals, making them second nature.
When running a security campaign for a government client, we ensured all communications were positive and actionable, using phrases like “do this” and “consider that”. We deliberately avoided negative or scolding messages with capitalised commands, stop signs, large red font, and exclamation marks.
4. Know what success looks like, and how to prove it
Clearly define security outcomes and understand the levers to be pulled to change behaviours and measure impact from the start. Establishing clear benchmarks and metrics allows progress to be tracked, demonstrating the tangible benefits of a strong security culture while ensuring continuous improvement and sustained commitment.
Our work with security leaders focuses on established metrics such as a reduction in phishing clicks and fewer overall breaches, as well as changes in the nature of support sought by staff. Impact can be recorded through the shift from transactional questions (“Can I do this?”) to more complex, specific inquiries (“I need to do this, can you help me achieve it?”). This shift indicates a deeper engagement and understanding of security practices among employees, allowing a focus on more strategic threats.
5. Harness the power of collaboration
Collaboration is key to success. Security functions must engage with all levels of the organisation, fostering a collaborative environment where everyone feels a part of the collective security effort. Encourage open communication, share knowledge, and involve employees in decision-making processes to build a collective sense of ownership and responsibility.
Partnering with an energy and utilities company, we designed conversation cards for managers to facilitate discussions with their teams on relevant security topics. This provided a structured, consistent way to encourage local dialogue and engagement, reinforcing the importance of security in everyday operations.
Technical measures and policies don’t exist in a vacuum; they need to work in harmony with the people who navigate them. When it comes to good security, people are a fundamental part of the solution – and one of the greatest assets that an organisation has.
