4 Steps For Changing Organizational Behavior Towards Cybersecurity

Learn how to drive changes in employee behaviour towards cybersecurity in our latest article by security analyst Jon Santavy.

4 Steps For Changing Organizational Behavior Towards Cybersecurity

Companies can transform organizational and employee behavior to better understand, measure, and reduce the risks of human error on cybersecurity.

Individual people are the biggest cybersecurity risk to organizations - a majority of breaches start with employee actions like clicking a malicious link, providing key information to someone impersonating IT, or downloading malware on a business machine. Today, organizations are combating these risks with cybersecurity awareness training that teaches employees best practices to prevent information loss.

While successful in training and certifying compliance of individual employees, awareness training falls short of creating organizational behavior change around cybersecurity. Without organization wide adoption and change, companies will fall short of their goal to reduce the human risks in cybersecurity.

While cybersecurity may be new for people, processes for organizational behavior are not. By aligning traditional organizational behavior methodology and a modern understanding of cyber risks, an organization can better understand, measure, and reduce the risks of human error on cybersecurity.

As risks and penalties for cyber loss increase, it’s become apparent that awareness training is not enough. Organizations must go beyond training to ingrain cybersecurity into the culture of an organization and truly reduce risk. You can use the process below derived from traditional methodologies to drive your organization's cybersecurity culture.

1. Develop a purpose to believe in

Creating change in cybersecurity isn’t unlike creating change anywhere in an organization. It starts with a vision, a purpose to believe in. This is easier today with the realization that cybersecurity is a management issue impacting the entire organizations, not just IT - breaches impact customers, sales, branding, finance, legal, and more.

That means creating a purpose to believe in should be about the company, its customers, and its future. The purpose of organization wide adoption is protect the organization's stakeholders and allow it to grow for decades to come.

2. Start at the top, and lead by example

A few years ago cybersecurity was an IT issue. Today, cybersecurity is a leadership issue and likely addressed in every boardroom. Creating actual change in organizational behavior must also be addressed in the boardroom - starting with the executive team.

One common attack is impersonating a CEO with an email to the CFO requesting a money transfer to help pay for travel - the boardroom is under attack. Raising awareness of the risks in the boardroom and creating a shared vision for the organization is the best place to start creating organizational wide behavior change.

  • Lead by Example. Executives are not immune to best practice, so they must understand and follow policy at all times - that means if employees can’t BYOD, neither can executives. If employees have to sign in all guests, so do all executives. Lead by example.
  • Improve Communication. Employees are resistant to change if they don’t believe that leadership has adopted the change or even believes in the change themselves.

One way to improve communication is to share challenges that executives have had with security, and share their stories of understanding, awareness, and change so that management and employees can more easily accept new policies and changes.

3. Create an employee awareness program

An employee awareness program is essential to creating an organization wide change. A good program does the following:

  • Raises awareness of best practices and company policies
  • Establishes acknowledgement from staff that they understand and have been trained on the policies
  • Allows for tracking and measuring results so that the organization can continually improve

4. Focus on Communication

Just as you can improve cybersecurity adoption and communication by sharing executive stories, you can improve organization wide adoption by sharing staff and/or customer stories.

Create a bi-weekly email that shares two quick internal stories of something that happened, how an employee responded, and the potential outcomes dependent on the response.

This is critical in achieving your main objective - by communicating near ‘real-time’ challenges happening to peers in the organization, a culture of cyber awareness. The main message - cyber risks are happening every minute of every day; not just once during annual awareness training.


Creating organizational behavior change doesn’t happen by checking a few boxes, and it doesn’t happen overnight. Real change requires a vision, a strategy, execution, and continuing organizational awareness.

Before you go…

Wuvavi is an employee cybersecurity awareness company that helps businesses to create organizational behavior change and develop a culture of awareness. Learn more about the Wuvavi process for creating organizational behavior change that prevents cyber breaches at https://wuvavi.com/organizational-behavior/.