In our efforts to raise awareness among users of the importance of cybersecurity and the part they have to play in it, we sometimes go about things in a long-winded manner.
Many times, organisations spend a long time trying to convince people why they should take security seriously. They will come up with elaborate explanations as to why reusing passwords is a bad idea, or how the Wi-Fi in their favourite coffee shop could lead to their demise, or how minting NFTs will cause the world economy to collapse.
This does work in many cases. You inform someone of the underlying reasons and the broad impact of their actions > they understand and change their behaviours accordingly > this leads to better security and everyone lives happily ever after.
But this approach does not work on everyone, and is not the most effective in all scenarios.
So what do we do?
We start with the behaviour.
Consider the introduction of recycling bins. Yes, they are for the good of the environment, to prevent the ice caps from melting and to save polar bears. But is that what everyone is thinking about when they sort out their rubbish? In many cases, that is not the case. The fact that packaging usually mentions whether it can be recycled, and the provision of recycling bins next to general waste bins, makes it an easy and almost seamless behaviour to adopt.
Some people may not even be aware that recycling can potentially benefit the environment. But they will justify their doing so in their minds.
Give people a reason and they may not supply the behaviour. But give people a behaviour, and they will have no problem supplying the reasons themselves.
This is where building a strong security culture within an organisation can have massive benefits, like when people observe most of their colleagues behaving in a certain way. For example, they see everyone wearing their pass at all times and locking their workstations when away from it – they will adopt those behaviours too.
Will they understand all of the reasons? Probably not. But as long as they adopt the right behaviours, that goes a long way in reducing risk, which is ultimately what we want.
Behaviour comes first – attitude changes to keep up.
In this groundbreaking new research, KnowBe4 has been able to validate the link between security culture and secure behavior. Though it has been suspected that the two are intertwined, until now, it has never been proven with data. Improving one's security culture directly translates into more secure employee behaviors and to the overall reduction of organizational risk. 
