How to Create a Healthy Security Culture

Author: Tim Spivey
Date Published: 30 November 2023

As a member of the cybersecurity team at my organization, I used to think that scaring employees into following protocols was the best approach. Our team would send out stern emails warning of dire consequences for security breaches and reprimand anyone who slipped up. But this atmosphere of fear backfired — people hid issues instead of reporting them.

Eventually, I realized there was a better way. To create an optimal security culture without resorting to fear tactics, organizations should:

Focus on the Why

Instead of dictating rules, explain why they matter. A strong password or a promptly patched system is not a box to tick; it is what stands between an attacker and customer data. When employees can connect their own actions to the organization's security, they are more likely to comply, and more likely to make sensible decisions in situations the rules did not anticipate.

Make It Personal

Security awareness training often feels abstract and disconnected from daily work. To change this, organizations can tailor examples and scenarios to each team's actual responsibilities. Details such as coworkers' names, the systems the team uses every day and department-specific data make the training feel relevant and engaging, because the scenario looks like something that could land in their inbox tomorrow.

Incentivize Reporting

Rather than punishing missteps, organizations should praise those who speak up about potential issues. For example, when an employee voluntarily reports a phishing email, they should be thanked for their vigilance so that they feel proud instead of ashamed. This matters most when the employee has already clicked the link or entered credentials: a prompt report is what gives the security team time to contain the damage, and an employee who fears blame will stay silent. Organizations can also offer awards for those who go above and beyond with security. A little recognition goes a long way.

Collaborate on Solutions

Instead of simply dictating new policies, organizations should involve staff in brainstorming sessions to develop procedures together. This helps staff members feel invested in the rules rather than having them imposed from above. Their insight can also improve the policies themselves, because staff often know about practical obstacles, such as a workflow a control would break, that leadership has overlooked. Collaboration builds buy-in.

Stay Positive

It is helpful to give staff the benefit of the doubt and frame corrections as learning opportunities. Rather than accusing people, reframe errors and mistakes as problems to solve together. For example, if someone fails to lock their screen, treat it as an opportunity to work with that person to figure out how to help everyone remember to lock their computers. Often the answer is not another reminder but a technical control, such as a short automatic lock timeout, that removes the burden of remembering altogether. It is remarkable how an optimistic assumption can change the conversation.

Conclusion

With these tactics, teams can go from resenting security to championing it. When staff members know their organization wants everyone to succeed, it creates a culture that leads to robust protection without relying on fear.

Editor’s note: For further insights on this topic, read Tim Spivey’s recent Journal article, “To Fear or Not to Fear: How to Create an Optimal Security Culture,” ISACA Journal, volume 6, 2023.
