Corporate Compliance Insights

How Organizations Can Leverage Human Nature to Instill Security Culture

Training is important, but it’s not enough

by Perry Carpenter
October 11, 2023
in Cybersecurity

Most cyber breaches are the result of human error — or the exploitation of human nature. KnowBe4’s Perry Carpenter talks about how bad actors rely on human nature and how organizations should respond.

The one thing that organizations cannot do without is people. But organizations all too often forget that we’re more than just a workforce; we’re an active part of the organization’s cybersecurity arsenal. Managing people can be tricky. Human behavior is not software that can simply be configured or programmed. While human emotions make us unique and intelligent beings, emotions can also cause misjudgments, making us vulnerable to cyber threats.

Hackers, fraudsters and cybercriminals have a keen understanding and awareness of our inherent flaws and weaknesses, which is why they regularly abuse and target human emotions. But by building a pervasive security culture, organizations can turn human nature into an advantage.

How bad actors take advantage of employee emotions

It’s completely natural to be triggered by emotions such as fear, anxiety, greed and lust. We also trust easily. We are predictable. We have mental biases, beliefs and feelings that often affect our judgment and decision-making. This is why an overwhelming majority of breaches (74%) start with humans.

Cybercriminals are known to social engineer behavior by manipulating emotions: Between 80% and 95% of all cyberattacks begin with phishing.

The latest FBI internet crime report notes that most incidents and cybercrime losses can be attributed to social engineering schemes such as phishing, business email compromise (BEC), investment scams, romance scams, call center fraud and impersonation.

The role of security culture in managing human emotions

As technological defenses mature, it’s likely that attackers will double down on social engineering to circumvent or compromise advanced cybersecurity systems. The only solution to this growing problem is improving security awareness in employees so they can make smarter security decisions.

However, most organizations don’t realize that knowledge is just one part of the equation and information alone won’t always lead to secure behavior.

For instance, we all know that speeding is against the law, but we’re all guilty of exceeding the speed limit from time to time. Similarly, organizations spend a lot of money training people, yet they continue to get hacked, because even though people receive training, they seldom have the motivation or intent to behave securely (the knowledge-intention-behavior gap). So how can organizations sculpt and leverage employee behavior? The answer lies deeper, in the concept of security culture.

Security culture is the ideas, customs and social behaviors of a group that influence the security of an organization. Think of culture this way: You walk down a hallway in your office and see trash on the floor. There’s nobody around, no cameras or colleagues. If you pick up the trash and throw it in the bin without anyone seeing or thanking you, that is your culture at work. The same concept applies to security. The idea is to develop the right attitudes and value system so that people act securely without anyone telling them to.


Building an organizational culture that values security

Even if organizations do not invest in cultivating a culture, it always exists in some form. If culture is not controlled, it could manifest into something that the organization does not want or need. This is why it’s important to track and foster security culture. Here are some best practices to keep in mind:

Assess your cultural baseline

If you don’t know where you are, it’s hard to know where you’re going. Organizations can establish a baseline for security culture from several sources: surveys (computer-based questionnaires that capture the values, attitudes and beliefs in the organization); culture maturity indicators (training frequency, average attendance, click-through rates in phishing simulations, how often security incidents are reported); face-to-face interviews; and data collected from security controls such as endpoint protection platforms, user and entity behavior analytics and data leakage prevention. Once a baseline is determined, chart out a plan, keeping desired metrics and goals in mind.
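The maturity indicators above only become a baseline once they are measured the same way on every campaign and compared over time. The following Python script is an added example, not code from the article or from KnowBe4: it takes constructed phishing-simulation records (sent, clicked, reported, per department and campaign), computes click-through and report rates, flags departments that need attention, and reports each department's movement against the first campaign. The record layout, department names, numbers and the 25% click threshold are all assumptions made for the illustration.

```python
"""Security-culture baseline from phishing-simulation indicators (added example).

Assumed record layout (constructed, not from any real platform): one dict per
department per simulation campaign with how many simulated phishing emails
were sent, how many recipients clicked, and how many reported the message.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample data: two campaigns across three departments.
CAMPAIGNS = [
    {"campaign": 1, "dept": "Finance", "sent": 200, "clicked": 38, "reported": 12},
    {"campaign": 1, "dept": "Engineering", "sent": 300, "clicked": 27, "reported": 60},
    {"campaign": 1, "dept": "Sales", "sent": 150, "clicked": 45, "reported": 6},
    {"campaign": 2, "dept": "Finance", "sent": 200, "clicked": 22, "reported": 30},
    {"campaign": 2, "dept": "Engineering", "sent": 300, "clicked": 18, "reported": 90},
    {"campaign": 2, "dept": "Sales", "sent": 150, "clicked": 42, "reported": 9},
]


@dataclass(frozen=True)
class Indicators:
    """Raw counts for one group plus the two rates the article names."""
    sent: int
    clicked: int
    reported: int

    @property
    def click_rate(self) -> float:
        # Fraction of recipients who clicked the simulated lure.
        return self.clicked / self.sent if self.sent else 0.0

    @property
    def report_rate(self) -> float:
        # Fraction of recipients who reported it to security (the behavior we want).
        return self.reported / self.sent if self.sent else 0.0


def aggregate(rows) -> Indicators:
    """Sum the counts of several records into one Indicators value."""
    return Indicators(
        sent=sum(r["sent"] for r in rows),
        clicked=sum(r["clicked"] for r in rows),
        reported=sum(r["reported"] for r in rows),
    )


def by_department(rows, campaign: int) -> dict:
    """Indicators per department for one campaign."""
    groups = defaultdict(list)
    for r in rows:
        if r["campaign"] == campaign:
            groups[r["dept"]].append(r)
    return {dept: aggregate(g) for dept, g in groups.items()}


def overall(rows, campaign: int) -> Indicators:
    """Organization-wide indicators for one campaign."""
    return aggregate([r for r in rows if r["campaign"] == campaign])


def flag_departments(current: dict, click_threshold: float = 0.25) -> list:
    """Departments needing attention: click rate above the (assumed) threshold,
    or more people clicking than reporting."""
    return sorted(
        dept for dept, ind in current.items()
        if ind.click_rate > click_threshold or ind.click_rate > ind.report_rate
    )


def progress(baseline: dict, current: dict) -> dict:
    """Per-department change (click rate delta, report rate delta) vs. the baseline.
    Negative click delta and positive report delta mean the culture is moving
    the right way."""
    out = {}
    for dept, cur in current.items():
        base = baseline.get(dept)
        if base is None:
            continue  # no baseline for a department first seen in this campaign
        out[dept] = (
            round(cur.click_rate - base.click_rate, 3),
            round(cur.report_rate - base.report_rate, 3),
        )
    return out


if __name__ == "__main__":
    baseline = by_department(CAMPAIGNS, 1)
    latest = by_department(CAMPAIGNS, 2)
    org = overall(CAMPAIGNS, 2)
    print(f"org-wide: click {org.click_rate:.1%}, report {org.report_rate:.1%}")
    print("needs attention:", flag_departments(latest))
    for dept, (dclick, dreport) in progress(baseline, latest).items():
        print(f"{dept}: click {dclick:+.3f}, report {dreport:+.3f}")
```

The report rate is tracked alongside the click rate on purpose: a department whose users click less but also never report is not yet behaving securely, only quietly, and the baseline comparison rather than the absolute number is what tells leadership whether the culture is moving.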

Engage leadership

Leaders don’t just control budgets; they’re also in a position of power and influence. This is critical. Culture is top-down — and it’s contagious. What’s more, employees need to understand why you’re doing this, what is expected of them and the value to the business. Not only is it important to track culture from a maturity perspective, but it’s also necessary to measure and report it in terms of return on security investments, such as reduction in security incidents over time, reduction in downtime, improvement in scale and performance.

Use positive reinforcement

You can’t force security onto someone. You must be empathetic in your approach when training people, keeping their feedback, requirements and current level of security maturity in mind. Positivity and encouragement work. If people are rewarded, it improves the likelihood of them repeating the desired behaviors. If you punish people, you risk losing their loyalty and focus. Studies show that continuous reinforcement leads to behavior change. Therefore, organizations must run regular phishing simulations and bite-sized training sessions at regular intervals so that employees are constantly reminded of their own responsibility and accountability toward security.

Security culture is an evolution, a journey, not a destination. It takes a great deal of effort, and it needs collaboration between leaders and employees. A positive security culture is the only way to stop opportunistic cybercriminals from exploiting employee emotions for their misdeeds.

Perry Carpenter

Perry Carpenter is an award-winning author, podcaster and speaker, with over two decades in cybersecurity focusing on how cybercriminals exploit human behavior. He is the chief human risk management strategist at KnowBe4. His latest book, “FAIK: A Practical Guide to Living in a World of Deepfakes, Disinformation and AI-Generated Deceptions” (2024 Wiley), explores AI's role in deception.
