Security Culture

Are you Managing Human Risk or Educating People?

Discover why trust is more effective than control and learn how modern learning platforms like CyberCoach empower employees to take ownership of security.

Subscribe

Subscribe

 

A critical shift is taking place—one that is altering the way organizations approach security training and awareness. Traditional management methods are giving way to a more contemporary leadership style that emphasizes trust and autonomy, rather than rigid rules and controlling every aspect of daily work.

Organizations are embracing the significance of psychological safety. We understand how crucial it is for employees to try new things, take risks, and make mistakes. Without risk-taking and mistakes, organizations stagnate. This change is now being reflected in how modern organizations choose to build their security training programs and controls.

 

"[Psychological Safety] shapes the learning behavior of the group and in turn affects team performance and therefore organizational performance”
Amy Edmondson, the Harvard Business School professor and author of The Fearless Organization

 

Why it's time to stop "managing human risk"

When we talk about the traditional "managing human risk" approach to security training, we typically go against every principle of contemporary leadership. We monitor employees, we profile them and we try to "nudge" them to change their behavior based on rules such as "don't click on suspicious links. We talk about "security culture", but what we really mean is "people following our rules even when we are not monitoring them." This approach erodes psychological safety and is closer to law enforcement than supporting learning. 

In the traditional "managing human risk" model:

  • Training Platforms Profile Users: Employees are risk-profiled based on their training performance, potentially creating a culture of judgment and fear.

  • Training is Targeted Based on Profiling: Employees receive training based on how they are categorized, which might not align with their actual skill level or learning needs.

  • Rule-Based Training: Training often boils down to a list of do's and don'ts, limiting the development of critical thinking skills.
  • Focus on Continuous Testing through Attack Simulations: Instead of addressing everyday cybersecurity and privacy questions employees face, the focus is on testing employee skills through attack simulations. Although most security incidents are caused by human error, only a minority of these incidents actually involve an active attack. See Do's and Don'ts of Phishing Simulations to read more about the negative consequences of continuous attack simulations.

Human Risk Management Platforms lead to the security team gaining a false sense of control, and employees feeling limited ownership of security. A true security culture, where employees feel empowered and supported in making educated decisions and manage security risks in their own roles, requires a culture of learning and psychological safety. 

 

Lenin quote

 

How does security training that supports a culture of learning look like?

It's not exactly rocket science. Modern security training is based on empowering employees, which starts with giving them control of their learning journey. In CyberCoach, users get to customize their own learning experience and style. 

1. Psychologically Safe, Anonymous Training

In a psychologically safe environment, employees are encouraged to take risks, share ideas, and admit mistakes without fear of repercussions. CyberCoach embraces this ethos by offering anonymous training and support, allowing individuals to learn and ask questions without concerns about their performance being linked to their identity.

2. Encouraging Critical Thinking and Self-Efficacy

Education goes beyond rules and checklists. CyberCoach's training encourages critical thinking and reinforces employee self-efficacy. Instead of rigid do's and don'ts, it empowers individuals to make informed decisions based on a deep understanding of risks.

3. Role-Relevant Skill Training

One size doesn't fit all in cybersecurity. CyberCoach provides role-relevant skill training targeted specifically based on employees' roles within the organization. This ensures that the training aligns with their daily responsibilities, making it highly practical and actionable.

 


Modern security training can be a game-changer for nurturing a culture of continuous learning and psychological safety 

Modern security training platforms like CyberCoach enable employees to take charge of their learning, make informed choices, and collaborate efficiently to reduce risks. By embracing this approach, organizations can move away from the limiting paradigm of merely managing human risk to truly motivating everyone to protect the organization.

Similar posts

Get notified of the latest security awareness insights

Expert Tips: Stay informed with curated content, expert opinions, and case studies that are relevant to your organization's security awareness strategy.

Special Offers:
 Access to CyberCoach discounts and early bird offers.

Stay Informed:
 Get the latest insights and updates on security trends, threats, and best practices delivered directly to your inbox.