Last year, 74% of breaches involved human factors, like users behaving in risky ways or maliciously. No doubt, it’s a challenge to address any type of insider threat—whether it stems from human error and oversight or from more sinister intentions. However, when you foster a strong security culture you can significantly reduce these incidents.
But creating a strong security culture isn’t easy. For starters, the concept of security culture itself can often feel vague. And this is partly because there aren’t any standardized metrics to measure it. Some organizations assess culture through phishing simulation click rates or reporting rates; others rely on training completion rates or the speed at which assignments are finished.
In this blog post, we’ll explore what security culture truly means, why it’s critical to your organization, and the key steps that you can take toward building a strong, sustainable culture at your own organization.
What is security culture?
Proofpoint defines security culture as the beliefs, values and attitudes that shape how employees behave when it comes to protecting their organizations from cyberattacks.
This concept was first outlined by MIT researchers Keman Huang and Keri Pearlson in 2019. Notably, an organization’s security culture will be weak if its employees don’t see the value in security best practices, or if they view cybersecurity negatively, for example as an obstacle to their productivity.
What’s a good way to measure security culture?
Our goal is to make the concept of security culture more concrete. So, we’ve broken it down into three critical aspects:
- Responsibility. In other words, employees feel like they should take a proactive role in preventing security incidents.
- Importance. Employees believe that cyber threats are a material risk to the success of the organization. What’s more, these threats could impact them personally.
- Empowerment. Employees feel empowered to act because they have a working knowledge of cybersecurity and policy. If they make a wrong security decision, they trust that their organization will resolve any issue quickly.
The Proofpoint model of cybersecurity culture sits at the nexus of three key factors.
If an organization wants to gauge where its security culture stands, it can conduct a security culture survey. This can help with estimating the likelihood that employees will make security-aware decisions and take the appropriate actions.
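The phishing-simulation numbers mentioned earlier (click rate, reporting rate) are the most common proxy for culture, but they are easy to misread when computed separately: a user can click and then report, and a user who reports without clicking is a stronger signal than a user who simply never opened the message. The following Python script is an added example, not Proofpoint’s code or part of its survey; it turns constructed simulation events into per-campaign rates that can be tracked over time. The event record shape (`campaign`, `user`, `event`, `ts`) and the three event types are assumptions made for illustration.

```python
"""Phishing-simulation metrics as a security-culture signal.

Added example (not Proofpoint's code). Event records are constructed
sample data; the field names and event types are assumptions.
"""
from datetime import datetime
from statistics import median

# Constructed sample events for one simulated campaign (not real data).
# "event" is one of: delivered, clicked, reported.
SAMPLE_EVENTS = [
    {"campaign": "q1-invoice", "user": "alice", "event": "delivered", "ts": "2024-03-04T09:00:00"},
    {"campaign": "q1-invoice", "user": "bob",   "event": "delivered", "ts": "2024-03-04T09:00:00"},
    {"campaign": "q1-invoice", "user": "carol", "event": "delivered", "ts": "2024-03-04T09:00:00"},
    {"campaign": "q1-invoice", "user": "dave",  "event": "delivered", "ts": "2024-03-04T09:00:00"},
    {"campaign": "q1-invoice", "user": "erin",  "event": "delivered", "ts": "2024-03-04T09:00:00"},
    # alice reports without clicking, 4 minutes after delivery
    {"campaign": "q1-invoice", "user": "alice", "event": "reported", "ts": "2024-03-04T09:04:00"},
    # bob clicks twice (counted once) and never reports
    {"campaign": "q1-invoice", "user": "bob",   "event": "clicked",  "ts": "2024-03-04T09:10:00"},
    {"campaign": "q1-invoice", "user": "bob",   "event": "clicked",  "ts": "2024-03-04T09:11:00"},
    # carol clicks, then reports: counts as both a click and a report
    {"campaign": "q1-invoice", "user": "carol", "event": "clicked",  "ts": "2024-03-04T09:20:00"},
    {"campaign": "q1-invoice", "user": "carol", "event": "reported", "ts": "2024-03-04T09:22:00"},
    # dave and erin do nothing at all
]


def campaign_metrics(events, campaign):
    """Return per-user (not per-event) rates for one campaign.

    Rates are over unique users who received the message, so repeated
    clicks by one user count once and reporters are compared with
    clickers rather than summed with them.
    """
    delivered = set()
    first_delivery = {}   # user -> earliest delivery timestamp
    clicked = set()
    first_report = {}     # user -> earliest report timestamp

    for e in events:
        if e["campaign"] != campaign:
            continue
        user, kind = e["user"], e["event"]
        ts = datetime.fromisoformat(e["ts"])
        if kind == "delivered":
            delivered.add(user)
            first_delivery[user] = min(ts, first_delivery.get(user, ts))
        elif kind == "clicked":
            clicked.add(user)
        elif kind == "reported":
            first_report[user] = min(ts, first_report.get(user, ts))
        else:
            raise ValueError(f"unknown event type: {kind!r}")

    n = len(delivered)
    if n == 0:
        raise ValueError(f"no deliveries recorded for campaign {campaign!r}")

    reporters = set(first_report)
    # Time from delivery to first report, for users with both timestamps.
    minutes_to_report = [
        (first_report[u] - first_delivery[u]).total_seconds() / 60
        for u in reporters if u in first_delivery
    ]

    return {
        "delivered": n,
        "click_rate": len(clicked) / n,
        "report_rate": len(reporters) / n,
        # Reported without ever clicking: the behaviour the program wants.
        "report_without_click_rate": len(reporters - clicked) / n,
        # Of those who clicked, how many owned up: a trust/openness signal.
        "clicker_self_report_rate": len(clicked & reporters) / len(clicked) if clicked else 0.0,
        # Neither clicked nor reported: silent, not necessarily safe.
        "ignored_rate": len(delivered - clicked - reporters) / n,
        "median_minutes_to_report": median(minutes_to_report) if minutes_to_report else None,
    }


if __name__ == "__main__":
    for key, value in campaign_metrics(SAMPLE_EVENTS, "q1-invoice").items():
        print(f"{key:28s} {value}")
```

Reading the output for the sample campaign: click rate and report rate are both 40%, which on their own say little. The split shows that one of the two clickers self-reported (a healthy sign of trust) and that 40% of recipients did nothing at all, which a click-rate-only dashboard would silently count as success. Tracking `report_without_click_rate` and `clicker_self_report_rate` across campaigns is a closer proxy for the responsibility and trust aspects described above than the raw click rate.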
At the end of the day, the goal is to drive positive behavior change. Employees should feel encouraged to help keep their organization safe by adopting security best practices.
Why is security culture important?
As highlighted in the Proofpoint 2024 State of the Phish report, 96% of working adults who took risky actions were aware that what they were doing was risky. This result challenges the traditional belief that people engage in risky behavior due to a lack of security knowledge. It also explains why training alone is not enough—and why building a strong security culture is so essential.
Security culture is about how people perceive, engage with and follow security practices and policies. It shapes their decisions, like how they handle sensitive data or respond to potential phishing emails. Ultimately, it’s their decisions that impact an organization’s overall security posture.
A strong security culture helps mitigate human risks by giving people the right tools as well as the right knowledge so that they know what’s risky and can avoid those behaviors. It also motivates them to follow best security practices because they understand the value of security, the risks involved, and the consequences of non-compliance.
A robust security culture also fosters employee accountability. In our 2024 State of the Phish report, 60% of people either weren’t sure or didn’t believe that they were responsible for helping to protect their organization. When people understand the impact that their actions have on their organization’s security posture, then they are more likely to take ownership. This sense of accountability is crucial.
What are the key elements of a strong security culture?
Here are some key elements of a strong security culture:
- Committed leadership. Executives recognize that security is vitally important. As a result, they incorporate security into their business decisions. This sets the tone for the entire organization and ensures that security is proactively pursued and not just an afterthought.
- Engaged and aware employees. Employees are not only security-aware, but they’re actively engaged in security awareness training initiatives. Because they understand the risks and potential consequences of neglecting security best practices, they are eager to learn and apply them.
- Clear accountability. Employees at all levels understand that they play a critical role in keeping their organization safe. They don’t view security as someone else’s responsibility.
- Trust and openness. Employees feel comfortable reporting security issues. And they’re not afraid to admit their mistakes; they don’t worry that they’ll be punished. Rather, they see the security team as a resource that can help when needed.
How can you foster a strong security culture?
These are three key principles for laying the foundation for a strong security culture:
- Understand your organization. To start, you need to identify your key organizational risks as well as any microcultures that need to be addressed. This will help you to ensure cross-functional engagement. During this phase, you should also identify any behavior-driven risks and get feedback about key factors, like how much employees trust the security team.
- Build relationships. In the next phase, you collaborate with cross-functional leaders and influencers. Your goal is to build a network that includes people from key internal teams, such as HR, legal, compliance and corporate communications. Then, you work to get buy-in from the leadership team to gain support and resources.
- Make employees stakeholders. It’s important to regularly communicate the value and objectives of a security culture as well as your expectations. Part of this process is creating channels to gather employee feedback—both positive and negative. Make sure to give people opportunities to see that cyber safety is valuable for them personally. And give people a safe environment to learn and grow.
These principles are detailed in Proofpoint’s ZenGuide. This comprehensive guide is complete with a communication plan to help you achieve your cybersecurity culture-building goals.
Snapshot of the communication plan in Proofpoint’s ZenGuide.
How to overcome common challenges
It’s not easy to create a strong security culture. Here are some tips to help with common obstacles:
- Raise internal awareness. Not everyone shares the same level of security knowledge. Treat your program like a marketing campaign. Use a range of communication channels and mediums to reach your target audience. Tailor your message to make it relevant to their specific roles—and even to them personally.
- Use both quantitative and qualitative insights. If you want to build a compelling case for investing in a strong security culture, data from industry reports can help. However, a well-told story often resonates more deeply with people than just raw data. So, when you’re trying to justify costs or request additional resources, it’s a good idea to combine data with storytelling.
- Make sure communication goes both ways. Two-way communication means that employees are encouraged to voice their opinions and share their ideas. When people are encouraged to raise questions or concerns about security initiatives, there’s a sense of inclusion. This ensures that they don’t feel like responsibility is imposed from the top down. This is the best way to keep them engaged.
Conclusion
A strong security culture is essential for protecting an organization from cyberattacks. And culture is shaped by people. It’s shaped by their attitudes about security, their ideas about their responsibility and their empowerment to act. Conversely, culture also directly impacts people—it shapes how they perceive security practices and how well they follow them.
To build a robust security culture, security teams must understand their organizations. They must also foster relationships across departments and empower employees as stakeholders in protecting the business. And they must always keep in mind that it’s continuous effort that can start small. But done right, it will build momentum over time.
How can Proofpoint help?
It takes a village to build a strong security culture. However, having a comprehensive solution and a strategic partner can help you achieve the desired effects faster.
Proofpoint takes an adaptive human risk approach to driving sustained behavior and culture change. Our unique DICE methodology, which stands for Detect, Intervene, Change Behavior, and Evaluate, provides organizations with a proven framework to change unsafe behavior and foster a security-conscious culture.
Proofpoint’s ZenGuide uses the proven DICE methodology.
Do you want more help upskilling your user base? Consider using Proofpoint premium services. Our culture-driven security awareness and risk management programs do more than simply help you check a box. Rather, they focus on fostering real culture change and reducing risk.
Proofpoint provides a value-added strategic partnership where we help you to implement industry best practices. What’s more, we assist security teams in their efforts to engage and motivate employees more effectively, which often means using threat data and risk insights to bring cybersecurity into the real world.
Proofpoint’s ZenGuide enables lean security teams to automate and scale personalized learning paths that are based on an individual’s unique risk profile, behaviors and role. Check out our ZenGuide product page to learn more.
For more tips on building a sustainable security culture, download our e-book Beyond Awareness Training.