Create a Strong Security Culture: How to Turn Good Security Habits into Second Nature for Your Employees

Last year, 74% of breaches involved human factors, like users behaving in risky ways or maliciously. Addressing any type of insider threat—whether it stems from human error and oversight or from more sinister intentions—is undoubtedly a challenge. However, when you foster a strong security culture, you can significantly reduce these incidents.

But creating a strong security culture isn’t easy. For starters, the concept of security culture itself can often feel vague. And this is partly because there aren’t any standardised metrics to measure it. Some organisations assess culture through phishing simulation click rates or reporting rates; others rely on training completion rates or the speed at which assignments are finished.

In this blog post, we’ll explore what security culture truly means, why it’s critical to your organisation and the key steps you can take toward building a strong, sustainable culture at your own organisation.

What is security culture?

Proofpoint defines security culture as the beliefs, values and attitudes that shape how employees behave when it comes to protecting their organisations from cyberattacks.

This concept was first outlined by MIT researchers Keman Huang and Keri Pearlson in 2019. Notably, an organisation’s security culture will be weak if its employees don’t see the value in security best practices, or if they view cybersecurity negatively, for example as an obstacle to their productivity.

What’s a good way to measure security culture?

Our goal is to make the concept of security culture more concrete. That’s why we’ve broken it down into three critical aspects:

  1. Responsibility. In other words, employees feel like they should take a proactive role in preventing security incidents.
  2. Importance. Employees believe that cyber threats are a material risk to the success of the organisation. What’s more, these threats could impact them personally.
  3. Empowerment. Employees feel empowered to act because they have a working knowledge of cybersecurity and policy. If they make a wrong security decision, they trust their organisation will resolve any issue quickly.

Proofpoint’s model of cybersecurity culture

The Proofpoint model of cybersecurity culture sits at the nexus of three key factors.

If an organisation wants to gauge where its security culture stands, it can conduct a security culture survey. This can help with estimating the likelihood that employees will make security-aware decisions and take the appropriate actions.

At the end of the day, the goal is to drive positive behaviour change. Employees should feel encouraged to help keep their organisation safe by adopting security best practices.

Why is security culture important?

As highlighted in the Proofpoint 2024 State of the Phish report, 96% of working adults who took risky actions were aware that what they were doing was risky. This result challenges the traditional belief that people engage in risky behaviour due to a lack of security knowledge. It also explains why training alone isn’t enough—and why building a strong security culture is so essential.

Security culture is about how people perceive, engage with and follow security practices and policies. It shapes their decisions, like how they handle sensitive data or respond to potential phishing emails. Ultimately, it’s their decisions that impact an organisation’s overall security posture.

A strong security culture helps mitigate human risks by giving people the right tools as well as the right knowledge so that they know what’s risky and can avoid those behaviours. It also motivates them to follow best security practices because they understand the value of security, the risks involved and the consequences of non-compliance.

A robust security culture also fosters employee accountability. In our 2024 State of the Phish report, 60% of people either weren’t sure or didn’t believe they were responsible for helping to protect their organisation. When people understand the impact their actions have on their organisation’s security posture, then they are more likely to take ownership. This sense of accountability is crucial.

What are the key elements of a strong security culture?

Here are some key elements of a strong security culture:

  • Committed leadership. Executives recognise that security is vitally important. As a result, they incorporate security into their business decisions. This sets the tone for the entire organisation and ensures that security is proactively pursued and not just an afterthought.
  • Engaged and aware employees. Employees are not only security-aware, they’re also actively engaged in security awareness training initiatives. Because they understand the risks and potential consequences of neglecting security best practices, they’re eager to learn and apply them.
  • Clear accountability. Employees at all levels understand they play a critical role in keeping their organisation safe. They don’t view security as someone else’s responsibility.
  • Trust and openness. Employees feel comfortable reporting security issues. And they’re not afraid to admit their mistakes; they don’t worry they’ll be punished. Instead, they see the security team as a resource that can help when needed.

How can you foster a strong security culture?

These are three key principles for laying the foundation for a strong security culture:

  1. Understand your organisation. To start, you need to identify your key organisational risks as well as any microcultures that need to be addressed. This will help you ensure cross-functional engagement. During this phase, you should also identify any behaviour-driven risks and get feedback about key factors, like how much employees trust the security team.
  2. Build relationships. In the next phase, you collaborate with cross-functional leaders and influencers. Your goal is to build a network that includes people from key internal teams, such as HR, legal, compliance and corporate communications. Then, you work to get buy-in from the leadership team to gain support and resources.
  3. Make employees stakeholders. It’s important to regularly communicate the value and objectives of a security culture as well as your expectations. Part of this process is creating channels to gather employee feedback—both positive and negative. Make sure to give people opportunities to see that cyber safety is valuable for them personally. And give people a safe environment to learn and grow.

These principles are detailed in Proofpoint’s ZenGuide™. This comprehensive guide is complete with a communication plan to help you achieve your cybersecurity culture-building goals.

Snapshot of the communication plan in Proofpoint’s ZenGuide™.

How to overcome common challenges

It’s not easy to create a strong security culture. Here are some tips to help with common obstacles:

  • Raise internal awareness. Not everyone shares the same level of security knowledge. Treat your programme like a marketing campaign. Use a range of communication channels and mediums to reach your target audience. Tailor your message to make it relevant to their specific roles—and even to them personally.
  • Use both quantitative and qualitative insights. If you want to build a compelling case for investing in a strong security culture, data from industry reports can help. However, a well-told story often resonates more deeply with people than just raw data. So, when you’re trying to justify costs or request additional resources, it’s a good idea to combine data with storytelling.
  • Make sure communication goes both ways. Two-way communication means that employees are encouraged to voice their opinions and share their ideas. When people are encouraged to raise questions or concerns about security initiatives, there’s a sense of inclusion. This ensures they don’t feel like responsibility is imposed from the top down. This is the best way to keep them engaged.

Conclusion

A strong security culture is essential for protecting an organisation from cyberattacks. And culture is shaped by people. It’s shaped by their attitudes about security, their ideas about their responsibility and their empowerment to act. Conversely, culture also directly impacts people—it shapes how they perceive security practices and how well they follow them.

To build a robust security culture, security teams must understand their organisations. They must also foster relationships across departments and empower employees as stakeholders in protecting the business. And they must always keep in mind that it’s a continuous effort that can start small. But done right, it will build momentum over time.

How can Proofpoint help?

It takes a village to build a strong security culture. However, having a comprehensive solution and a strategic partner can help you achieve the desired effects faster.

Proofpoint takes an adaptive human risk approach to driving sustained behaviour and culture change. Our unique DICE methodology, which stands for Detect, Intervene, Change Behaviour and Evaluate, provides organisations with a proven framework to change unsafe behaviour and foster a security-conscious culture.

Proofpoint’s ZenGuide™ uses the proven DICE methodology.

Do you want more help upskilling your user base? Consider using Proofpoint premium services. Our culture-driven security awareness and risk management programmes do more than simply help you tick a box. Instead, they focus on fostering real culture change and reducing risk.

Proofpoint provides a value-added strategic partnership where we help you implement industry best practices. What’s more, we assist security teams in their efforts to engage and motivate employees more effectively, which often means using threat data and risk insights to bring cybersecurity into the real world.

Proofpoint’s ZenGuide enables lean security teams to automate and scale personalised learning paths that are based on an individual’s unique risk profile, behaviours and role. Take a look at our ZenGuide product page to learn more.

For more tips on building a sustainable security culture, download our e-book Beyond Awareness Training.