Using communication and culture to change behaviours

The Role of Culture in Shaping Cybersecurity Behaviors

Organizational culture plays a crucial role in shaping the behaviors and attitudes of employees toward cybersecurity. The success of any behavior change initiative largely depends on how well it aligns with the existing culture of the organization. Understanding and leveraging culture is essential for promoting positive security behaviors and ensuring that cybersecurity policies are followed consistently.

1. Understanding Organizational Culture

• Definition: Organizational culture refers to the shared values, beliefs, norms, and practices that shape the behavior of individuals within an organization.
• Impact on Behavior: Culture influences how employees perceive security policies, their willingness to comply with these policies, and their overall attitude towards cybersecurity. A positive security culture encourages proactive behavior, while a negative culture may lead to negligence or even resistance to security measures.

Theories and Models of Behavior Change Aligned with Culture

To effectively change behaviors within an organization, communication strategies and behavior change models must be implemented in a way that resonates with the organizational culture.

2. National Cyber Security Centre (NCSC) – ‘A Positive Security Culture’

• Key Concepts: The NCSC emphasizes the importance of creating a positive security culture where security is seen as a shared responsibility. This involves leadership commitment, clear communication, and integrating security into everyday activities.
• Cultural Alignment: The NCSC suggests that for behavior change to be successful, security initiatives must be communicated in a way that aligns with the values and practices of the organization. This includes understanding the motivations of employees and addressing any cultural barriers to compliance.

3. Communication Strategies

• Tailoring Messages: Communication should be tailored to the specific culture of the organization. This means using language, symbols, and examples that resonate with employees. For instance, in a collaborative culture, emphasizing teamwork and collective responsibility in security messaging can be effective.
• Leadership and Role Models: Leaders play a critical role in shaping and reinforcing security culture. When leaders prioritize security and model secure behaviors, employees are more likely to follow suit.
• Regular Training and Engagement: Continuous communication through regular training, workshops, and awareness campaigns helps to reinforce the desired behaviors. These should be interactive and culturally relevant to keep employees engaged.

Implementing Behavior Change through Cultural Alignment

4. Doing Safety Differently – The Movie

• Overview: This film explores innovative approaches to safety and security within organizations, emphasizing the need to move away from traditional, top-down compliance models to more collaborative and culturally aligned approaches.
• Key Takeaways:
  • Human-Centric Approach: The film advocates for a human-centric approach where the focus is on understanding the needs and perspectives of employees. This aligns with creating a security culture that respects and integrates employee input.
  • Empowerment over Compliance: Rather than forcing compliance, the film suggests empowering employees to take ownership of security by providing them with the tools, knowledge, and support they need to make secure decisions.
  • Cultural Sensitivity: It highlights the importance of being culturally sensitive in designing and implementing security interventions. This means considering the diverse backgrounds, values, and experiences of employees.

Practical Steps to Align Behavior Change with Culture

5. Steps for Implementation:

• Cultural Assessment: Begin with a thorough assessment of the organizational culture. Understand the existing values, beliefs, and practices related to security.
• Engage Stakeholders: Involve key stakeholders, including leaders, managers, and employees, in the design of behavior change initiatives. This ensures that the initiatives are culturally relevant and widely accepted.
• Develop Tailored Interventions: Create interventions that align with the cultural context of the organization. This could include using culturally relevant examples in training materials, or designing communication strategies that resonate with the organizational ethos.
• Monitor and Adapt: Continuously monitor the effectiveness of the behavior change initiatives. Be prepared to adapt the approach based on feedback and changing cultural dynamics within the organization.

References

• National Cyber Security Centre (NCSC). (n.d.). “A Positive Security Culture.” Available at: NCSC – A Positive Security Culture
• Reason, J. (1997). Managing the Risks of Organizational Accidents. Ashgate Publishing.
• Schein, E. H. (2010). Organizational Culture and Leadership. Jossey-Bass.
• Doing Safety Differently – The Movie. Available at: Vimeo

These references provide a deeper understanding of how communication and culture can be leveraged to effectively change behaviors in cybersecurity. The NCSC guide and the film “Doing Safety Differently” are particularly useful resources for practical insights on aligning behavior change with organizational culture.