The lack of reliable indicators means senior management does not know whether recommended security behavior is actually followed in practice. In today’s organizations, employees’ attention and effort are consumed by constant messages that take time away from their primary productive activity. Since current CET often recommends behaviors that conflict with productive tasks, it is ignored as just another part of the background noise of corporate messages.
The paper “Awareness Is Only the First Step” sets out a framework for security awareness that employees will actually engage with, and which empowers them to become the strongest link rather than a vulnerability in defending the organization.
Security Behavior Engagement
This paper details the best ways to engage employees. In addition to formal employment contracts, organizations manage employee behavior through informal psychological contracts, whose nature depends on the company and its structures. Security is currently not part of the psychological contracts in most organizations.
Once the organization has identified its assets and the ways of protecting them, and has ensured that those protections can be followed, doing the right thing by security can also become part of the psychological contract with employees. One objective of the company should be to explain security topics in the context of the company and communicate them.
The paper spells out the key points in engaging employees, including:
- Achieving lasting behavior change
- Improving current approaches
- Thinking differently about security behavior
- Achieving unconscious competence
- Using a framework for progressive engagement
- Transforming awareness and involvement
Engaging employees is essential for raising security awareness in enterprises. Download the full paper, “Awareness Is Only the First Step.”
Source: DXC