How to get employees to take cyber risk more seriously

Security has long focused on making employees aware of cyber risks and mitigating actions to take, yet this approach hasn’t been particularly effective in stopping dangerous behaviours.

According to a Gartner survey, 93% of employees knowingly carry out actions that increase risk to the organisation. In addition, 74% of employees would violate a cyber security policy to achieve a business objective.

It’s not that employees are malicious or careless; they’ve simply become used to bypassing controls like any other daily work expediency to finish activities faster and with minimal effort. One of the top three reasons cited by individuals for these types of behaviours is a lack of consequences.

This problem needs to be attacked culturally and by changing values. Security leaders must adapt how they reach employees, finding ways other than direct punishment to make cyber risk feel real enough that employees avoid dangerous behaviours. Cultural levers like peer pressure are useful in enforcing this.

A great example is the famous “loose lips sink ships” campaign the US used during World War II. It became a very effective slogan that made war…
