Transforming Security Culture: 5 Proven Communication Tactics
Learn how to revolutionize your organization's security culture with 5 proven communication tactics. From fostering employee engagement to simplifying complex cybersecurity topics, these strategies will empower your team to identify and mitigate risks effectively.
2024-12-06
'%3e%3cpath%20d='M4%204L15.733%2020H20L8.267%204H4Z'%20stroke='%230671C0'%20stroke-width='2'%20stroke-linecap='round'%20stroke-linejoin='round'/%3e%3cpath%20d='M4%2020L10.768%2013.232M13.228%2010.772L20%204'%20stroke='%230671C0'%20stroke-width='2'%20stroke-linecap='round'%20stroke-linejoin='round'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='clip0_8149_16006'%3e%3crect%20width='24'%20height='24'%20fill='white'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e)
'%3e%3cpath%20d='M5.37214%2023.8745H0.396429V8.10162H5.37214V23.8745ZM2.88161%205.95006C1.29054%205.95006%200%204.65279%200%203.08658C1.13882e-08%202.33427%200.303597%201.61278%200.844003%201.08082C1.38441%200.548853%202.11736%200.25%202.88161%200.25C3.64586%200.25%204.3788%200.548853%204.91921%201.08082C5.45962%201.61278%205.76321%202.33427%205.76321%203.08658C5.76321%204.65279%204.47214%205.95006%202.88161%205.95006ZM23.9946%2023.8745H19.0296V16.1963C19.0296%2014.3665%2018.9921%2012.0198%2016.4427%2012.0198C13.8557%2012.0198%2013.4593%2014.0079%2013.4593%2016.0645V23.8745H8.48893V8.10162H13.2611V10.2532H13.3307C13.995%209.01393%2015.6177%207.70611%2018.0386%207.70611C23.0743%207.70611%2024%2010.9704%2024%2015.2102V23.8745H23.9946Z'%20fill='%230671C0'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='clip0_3867_24588'%3e%3crect%20width='24'%20height='27'%20fill='%234A4D53'%20transform='translate(0%200.25)'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e)
'%3e%3cpath%20d='M13.957%2014.75L14.668%2010.0848H10.2225V7.05745C10.2225%205.78115%2010.8435%204.53707%2012.8345%204.53707H14.8555V0.565174C14.8555%200.565174%2013.0215%200.25%2011.268%200.25C7.60703%200.25%205.21403%202.48441%205.21403%206.52931V10.0848H1.14453V14.75H5.21403V26.0278H10.2225V14.75H13.957Z'%20fill='%230671C0'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='clip0_3867_24590'%3e%3crect%20width='16'%20height='25.7778'%20fill='%234A4D53'%20transform='translate(0%200.25)'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e)
Cyber risks are pervasive, yet many employees remain indifferent to their potential consequences. According to a Gartner survey, 93% of employees knowingly engage in actions that heighten cyber risks, and 74% would breach cybersecurity policies to meet business objectives. Additionally, Gartner predicts that by 2027, 50% of cybersecurity organizations will replace “individual awareness” initiatives with strategies focusing on “group norms for behavior” to address the disconnect between awareness and secure behavior.
What can organizations do to shift the needle? The answer lies in culturally driven communication strategies that highlight personal consequences and leverage group norms. Here are five effective tactics for fostering secure behaviors in your organization.
Tie Actions to Tangible Impacts
People are naturally motivated to pursue opportunities and avoid threats. This innate drive can be harnessed effectively in cybersecurity communication. By clearly illustrating how secure actions lead to tangible benefits—like trust, efficiency, or career growth—and how insecure actions result in personal or organizational harm, messages can resonate more strongly. For example, linking data security to professional success or showing how breaches disrupt workflows can provide a compelling narrative that aligns with employees’ motivations and priorities. Effective messaging makes the outcomes of cybersecurity choices clear and personal. For instance:
- Positive framing: "When customers trust us with their data, we win more business."
- Real-life examples: "Jana used synthetic data instead of privileged information. Her app launched faster and cleared cybersecurity reviews seamlessly. Be like Jana."
This approach not only highlights the benefits of good practices but also uses relatable stories to reinforce behavior. Gartner’s research notes that 93% of employees continue risky behaviors because they lack clarity on the consequences of their actions.
Align with Corporate Values
Every organization has core values—safety, quality, innovation—that can serve as springboards for cybersecurity messaging. By framing security initiatives within these familiar values, employees are more likely to see cybersecurity as an extension of their day-to-day responsibilities. For example, emphasizing safety in manufacturing could involve messaging like “Secure systems ensure safe operations,” while quality-driven organizations might adopt “Data integrity is quality in action.” This alignment fosters greater engagement and embeds security into the organizational security culture. For example:
- In manufacturing: "Making security part of our flow helps us go fast."
- In finance: "Financial security doesn’t end with customers; it starts with us."
Tie cybersecurity to these existing values to amplify its importance and integrate it seamlessly into the organization’s identity. A Gartner study highlights that leveraging corporate values increases employee buy-in by up to 30%.
Amplify Consequences with Social Pressure
Humans are more risk-averse when others are affected. This principle can be leveraged by emphasizing the broader social consequences of cybersecurity lapses. For instance, highlight how a single data breach can compromise customer trust, damage a company’s reputation, or expose sensitive personal information that leads to significant harm. Such messaging taps into employees’ inherent social responsibility, encouraging them to view cybersecurity not just as an individual duty but as a collective one. When employees understand that their actions impact colleagues, customers, and the organization as a whole, they are more likely to adopt secure behaviors. Highlighting the social implications of cybersecurity lapses can drive change:
- General message: "A data breach can destroy a person’s life."
- Personal example: "It took Janet years to recover her identity after it was stolen."
Showcasing real stories and role models—like employees who reported phishing attempts—reinforces the idea that secure behavior is both necessary and achievable. Gartner’s 2022 survey found that social pressure significantly reduces risky behavior in 40% of cases.
Make It Personal
Messages resonate more deeply when individuals can envision the consequences for themselves. This means moving beyond abstract concepts to showcase relatable scenarios or examples that employees can connect with on a personal level. For instance, using stories about identity theft or financial scams that impacted real people can help bridge the gap between distant risks and everyday actions. Visualizing these outcomes—whether through impactful slogans or empathetic imagery—ensures that cybersecurity becomes not just a professional concern but a personal priority. Empathy-driven campaigns can include:
- Relatable visuals: A person surrounded by overdue bills with the caption, "After getting my identity stolen, I felt helpless and vulnerable."
- Impactful slogans: "If you think changing your password is a hassle, try changing your identity."
Personalizing cybersecurity threats helps employees internalize their importance and act accordingly. Gartner’s findings suggest that empathy-based communication increases engagement by 25%.
Use Humor and Creativity
Humor makes messages memorable and relatable, especially when adapted to an organization's unique context and audience. For example:
A poster showing a child with a lunchbox and a stack of credit card bills: "Identity theft will stay on your permanent record."
Creative campaigns, particularly those riffing on popular memes or cultural references, can cut through the noise and leave lasting impressions. For instance, a tech company might use humorous analogies involving common tech mishaps to emphasize the importance of secure behavior. Similarly, in industries like finance, incorporating humor around monetary losses or identity theft can make the message resonate more personally.
Tailoring humor to specific demographics and organizational culture ensures it lands effectively and avoids misunderstandings. A Gartner report notes that humorous messaging achieves 50% higher retention rates compared to standard communication, making it a powerful tool when used thoughtfully.
Embedding Cybersecurity into Culture
Changing behavior is about more than awareness. Organizations need to foster a culture where security is second nature. Adopting frameworks like Gartner’s PIPE (Planning, Implementation, Performance Monitoring, and Evaluation) can help structure efforts to reduce human-born cyber risks effectively.
Recognize that employees often circumvent controls because workarounds are rewarded as efficient. Addressing this cultural issue involves:
- Reducing friction in security processes.
- Making secure behavior the path of least resistance.
- Celebrating employees who exemplify secure practices.
As noted in Gartner’s research, organizations that embed cybersecurity into their culture see a 60% improvement in secure behaviors across teams.
By tying cybersecurity to personal and organizational values, amplifying consequences, and using creative communication, organizations can foster a culture of secure behavior. Remember, the most effective messaging connects with employees emotionally, aligns with their values, and provides practical steps they can take today.
How Keepnet Helps You Implement These Tactics
Keepnet Human Risk Management provides innovative tools and strategies to help organizations operationalize these communication tactics effectively:
- Tie Actions to Tangible Impacts: Use our phishing simulations and reporting tools to showcase real-world consequences of risky behavior, providing employees with actionable insights into their cybersecurity decisions.
- Align with Corporate Values: Leverage Keepnet’s customizable security awareness training modules to align security practices with your organization’s core values, whether it’s safety, innovation, or financial security.
- Amplify Consequences with Social Pressure: Utilize Keepnet’s behavior analytics to highlight team-wide performance and foster a sense of collective accountability through targeted communication.
- Make It Personal: Deploy Keepnet’s personalized learning paths and nudges to address individual vulnerabilities and help employees see the direct impact of their actions on their own security.
- Use Humor and Creativity: Access our library of engaging training content, including gamified simulations and creative scenarios, to make security practices memorable and fun.
SHARE ON