Of people and security: To build a working security culture, focus first on empathy and communication

In this guest blog, Leron Zinatullin, author of The Psychology of Information Security – Resolving conflicts between security compliance and human behaviour, explores how to build a security culture.


A security department may sometimes be referred to by executives as the ‘Business Prevention Department’. Cyber security professionals, eager to minimise potential risks, can put controls in place that may stifle productivity and innovation.

Cyber security professionals are often too concerned with what the business shouldn’t do and forget to mention what it should be doing instead. OK, USB ports are now blocked, but have we provided people with an alternative to share files securely? Yes, we might have mitigated the risk of introducing malware through a flash drive, but have we considered the wider impact on the ability of employees to perform their core business activities, and, in turn, on the overall profitability of the company?

Instead of saying ‘No’ to everything, let’s try to understand the business context of what we are trying to protect and why. Because that’s what actually matters and is absolutely key when designing security solutions that work.

To do this effectively, security must be a vocal influence in the design process, not an afterthought. But it can only gain this influence if the value to the people and business is first demonstrated.

Wondering why your security policies don’t work? Ask your staff! Empathy, communication and collaboration are vital to build a culture of security. Security professionals need to shift their role from that of policeman enforcing policy from the top-down through sanctions to someone who is empathetic to the business needs and takes time to understand them.

Security mechanisms should be shaped around the day-to-day working lives of employees, not the other way around. The best way to do this is to engage with employees and to factor in their unique experiences and insights into the design process. The aim should be to correct the misconceptions, misunderstandings and faulty decision-making processes that result in non-compliant behaviour.

Changing culture is not easy and takes time, but it is possible. Check out Leron’s book to find out more about developing an effective business-oriented security programme and improving security culture in your organisation.

This January save 20% on The Psychology of Information Security with discount code Jan19