Cultivating Security Culture

39% of UK workers wouldn't report a cyber attack to their cyber security teams. The reason isn't lack of knowledge, (79% can identify attacks). It's psychology. A recent article by Craig Hale (TechRadar) reveals employees stay silent due to: ➡️ Fear of blame (17%) ➡️ Getting into trouble (17%) ➡️ Not wanting to cause a fuss (15%) ➡️ Preferring to "fix it themselves" (11%) IBM data shows this silence costs organisations an average of $2.03 MILLION more per breach. This connects to our earlier research on social engineering psychology. The same vulnerabilities that make us susceptible to attacks also prevent us from seeking help when we need it most. The solution isn't always better technology. It's psychological safety. Organisations with strong incident reporting cultures achieve: ✅ 58% lower breach costs ✅ 61-day faster incident resolution ✅ $1M savings from internal detection ✅ 75% reduction in successful cyber incidents Do your staff feel safe admitting mistakes? Building trust-based security cultures requires: ▶️ Framing incidents as learning opportunities, not failures ▶️ Leaders modelling vulnerability and admitting their own mistakes ▶️ Separating incident response from disciplinary processes ▶️ Celebrating reporters as security champions, not problems The human element shouldn't be seen or treated as your weakest link - it's your strongest defence when properly supported. What psychological barriers have you observed in cyber security incident reporting? Please share your experiences in the comments 👇 Read our full thoughts and analysis: https://lnkd.in/eEUNDjmc #Cybersecurity #PsychologicalSafety #IncidentResponse #Leadership #CyberResilience #SecurityCulture Source: Craig Hale, TechRadar - https://lnkd.in/ekG5xVBm

This morning I joined Dobro jutro, Hrvatska (Good Morning, Croatia) on HRT (Croatian national television) to talk about something that often gets overlooked in cybersecurity. The human mind. Even though I’m not a psychologist, the human factor is a big part of my doctoral research. We call it cyber psychology, the study of how technology shapes the way we think, feel, and behave online, and how attackers use those reactions against us. We also touched on a tougher question, who is actually behind all this? I explained how many online scams today are run by transnational crime networks, operating out of so-called “scam farms” in places like Myanmar and Cambodia, where human trafficking and cybercrime often intersect. It’s a human crisis as much as a digital one. And finally, we talked about why we’re so vulnerable in the digital world. How emotions like trust, fear, or urgency can override logic in a split second. One simple tip I shared: before you click or react, take 20 seconds. That short pause gives your brain time to switch from emotion to reason. Cybersecurity doesn’t start with firewall. It starts with awareness. #Cyberpsychology #Cybersecurity #HumanFactor #DigitalResilience

Is Your Personality Making You a Cybersecurity Risk? We often talk about firewalls, complex passwords, and multi-factor authentication as the foundations of strong cybersecurity. But what if the real vulnerability in your organisation is not a system flaw or a missing update, but human nature? Recent research suggests that cyber attacks do not just succeed because of technical weaknesses. Often, they exploit something far more personal: how we think, feel, and behave. Our individual psychometric profiles, how we respond under pressure, how trusting we are, and how curious or impulsive we can be, may shape our vulnerability to phishing, scams, and social engineering attacks more than we realise. Here are just a few examples of how personality traits may influence cyber risk: - High Agreeableness – People who are helpful and trusting may be more likely to comply with suspicious requests. - High Openness – Curious individuals might click unfamiliar links or download unknown files without hesitation. - Low Conscientiousness – Less organised employees may skip policy updates, reuse passwords, or ignore alerts. - High Neuroticism – Those prone to anxiety may fall more easily for urgent or fear-based scams (“Act now or lose access!”). - Overconfidence – Individuals who believe they are “too smart to be phished” may let their guard down entirely. Supporting studies include: Halevi et al. (2013) – Linked impulsiveness and neuroticism with phishing susceptibility. McCormac et al. (2017) – Found personality traits were more predictive of cyber risk behaviour than awareness levels. CybSafe Behavioural Study (2021) – Used psychometric models to identify risk profiles and tailor security training accordingly. This raises an important question: Are we doing enough to address human behaviour in our cybersecurity strategies? Generic awareness sessions and policy emails may no longer be enough. As cyber threats grow more sophisticated, should we tailor cybersecurity training to individual personality traits? This is not just about reducing risk. It is about creating a smarter, more engaged cyber culture, one where every person understands their unique role in defending the organisation. Let us start a real conversation. I would love to hear your thoughts: - Should an individual's personality be considered in a cyber risk assessment? - Can we build a true cyber culture without understanding human psychology? - And how far is too far when profiling staff for security purposes? Let us stop thinking of cybersecurity as just a technical challenge. People are the frontline, and understanding them may be the next frontier. #alvinsrᴏdrigᴜes ✦ #ExecutiveDirector ✦ #cybersecurity ✦ #cyberhygiene ✦ #Cyberawareness ✦ #BusinessTechnologist ✦ #Cyberculture

In the U.S. alone, cybercrime caused $16 billion in damages in 2024 - a 33% increase from the year before. And most of these breaches weren’t due to complex hacks or advanced malware. They happened because of simple human errors: misconfigured systems, unsecured devices, careless behavior, or being tricked by a convincing phishing email. That’s why the human factor is often the weakest link in cybersecurity, but also where the biggest gains can be made. So how do we build a human-centered security culture? It’s about shaping behavior and habits. A proven approach is Neidert’s Core Motives Model, which helps leaders guide employees toward secure behavior through three stages: 🔹 Connect – Build trust and rapport. People follow leaders they like and feel connected to. Gamified training sessions, team bonding, and small acts of reciprocity go a long way. 🔹 Reduce Uncertainty – Show credibility and social proof. When senior leaders take part in security efforts, or when teams see peers taking security seriously, they’re more likely to follow suit. 🔹 Inspire Action – Reinforce commitments. Use nudges, timely reminders, and even friendly competitions to encourage continuous attention to cybersecurity practices. A collective mindset where everyone feels responsible for protecting company assets, and each other. Security doesn’t live in IT alone. It lives in everyone’s daily choices.

Yesterday my daughter made an observation that’s relevant to all mid-market CISOs. While speaking to her on voice call, my father-in-law struggled to switch the WhatsApp call to video to show their dog’s antics. He asked my mother-in-law to help. While on the call, my mother-in-law needed to transfer money via UPI to someone. So they had to cut the call - because my father-in-law needed to step in! My daughter came to me with this question: Two people. Same house. Same everyday things. Yet their skill levels are so different. Now, imagine this inside a company with hundreds or thousands of employees. - Some struggle to identify phishing emails - Some don’t understand the risk of weak passwords - Some click on malicious links without a second thought - Some approve payment requests based on text messages - Some download & install unauthorized software - Some share sensitive information over email without realizing - Some upload company secrets into ChatGPT for projects Yet, many CISOs run just 𝙤𝙣𝙚 𝙤𝙧 𝙩𝙬𝙤 cyber awareness simulations per year & think it’s enough. It’s not. Cyber awareness needs to be continuous, personalized & measurable. A strong cyber awareness program should: 𝟭) 𝗧𝗲𝘀𝘁 𝗲𝗺𝗽𝗹𝗼𝘆𝗲𝗲𝘀 𝘄𝗶𝘁𝗵 𝗿𝗲𝗮𝗹-𝘄𝗼𝗿𝗹𝗱 𝗮𝘁𝘁𝗮𝗰𝗸 𝘀𝗰𝗲𝗻𝗮𝗿𝗶𝗼𝘀 Phishing, smishing, vishing, and deepfake attacks that mimic what attackers actually do. 𝟮) 𝗔𝗱𝗮𝗽𝘁 𝘁𝗿𝗮𝗶𝗻𝗶𝗻𝗴 𝗯𝗮𝘀𝗲𝗱 𝗼𝗻 𝗶𝗻𝗱𝗶𝘃𝗶𝗱𝘂𝗮𝗹 𝘀𝗸𝗶𝗹𝗹 𝗹𝗲𝘃𝗲𝗹𝘀 A finance executive needs different training than a new intern. 𝟯) 𝗢𝗳𝗳𝗲𝗿 𝗲𝗻𝗴𝗮𝗴𝗶𝗻𝗴, 𝗶𝗻𝘁𝗲𝗿𝗮𝗰𝘁𝗶𝘃𝗲 𝘁𝗿𝗮𝗶𝗻𝗶𝗻𝗴 Gamification, role-based training, and bite-sized learning improve retention. 𝟰) 𝗧𝗿𝗮𝗰𝗸 𝗶𝗺𝗽𝗿𝗼𝘃𝗲𝗺𝗲𝗻𝘁𝘀 & 𝗿𝗶𝘀𝗸𝘆 𝗯𝗲𝗵𝗮𝘃𝗶𝗼𝗿 Identify employees who need extra training instead of treating everyone the same. 𝟱) 𝗥𝘂𝗻 𝗰𝗼𝗻𝘁𝗶𝗻𝘂𝗼𝘂𝘀 𝘀𝗶𝗺𝘂𝗹𝗮𝘁𝗶𝗼𝗻𝘀, 𝗻𝗼𝘁 𝗼𝗻𝗲-𝘁𝗶𝗺𝗲 𝗲𝘃𝗲𝗻𝘁𝘀 Cyber threats evolve daily; training should too. 𝟲) 𝗚𝗶𝘃𝗲 𝘁𝗵𝗲 𝗰𝘆𝗯𝗲𝗿 𝗮𝘄𝗮𝗿𝗲𝗻𝗲𝘀𝘀 𝗽𝗼𝘀𝘁𝘂𝗿𝗲 𝗮𝘁 𝘁𝗵𝗲 𝗰𝗹𝗶𝗰𝗸 𝗼𝗳 𝗮 𝗯𝘂𝘁𝘁𝗼𝗻 Department-wise reports of people & the potential learning gaps Awareness is not running a simulation & calling it a day. It's the actions & the next steps: - for improvement - knowing the awareness posture of everyone - for building a culture where employees become security assets If you’re a CISO evaluating solutions that train employees further based on their actual responses, DM me. My team works with a platform designed to make cyber awareness practical, engaging & effective. -- Hi, I’m Rajeev Mamidanna. I help mid-market CISOs strengthen their Cyber Immunity.

This is how you handle a security incident 👏 Sophos just published a detailed analysis of how one of their senior employees fell for a phishing attack that bypassed MFA. But here's what impressed me most: ✅Transparency:They didn't hide it. They published a full root cause analysis for everyone to learn from. ✅Culture: The employee immediately reported they'd been phished. No fear, no shame, no trying to hide it. ✅Mindset: Quote from their post: "We don't reprimand or discipline users who click on phishing links... we try to foster a culture in which the predominant focus is solving the problem and making things safe, rather than apportioning blame." This is exactly right. Anyone can fall for a well-crafted phish given the right circumstances. The difference between a minor incident and a catastrophic breach often comes down to: ❓Will people report when something feels wrong?❓ If your employees are afraid of getting in trouble for clicking a suspicious link, they won't tell you. They'll hope it goes away. That's when small problems become big problems. Sophos contained the threat because: • Their employee felt safe reporting the incident immediately • Their controls worked in layers • Their teams cooperated without blame • They learned and improved afterward More companies should follow this model: psychological safety + defense in depth + continuous learning. Great writeup, Sophos. The security community is stronger when we share our failures AND our lessons. Link: https://lnkd.in/eSN4xPBc What's the best example you've seen of positive security culture in action? #CyberSecurity #IncidentResponse #SecurityCulture #Transparency #Sophos

In the blink of an eye, what you hold sacred can be breached. 💔 Imagine this: You’re a leader at a financial institution and in one click, a decade of customer trust evaporates. A cyber-attack doesn’t just hit your systems; it shatters confidence, relationships, and your bottom line. Cybersecurity isn't just about firewalls and passwords. It’s about culture. 🛡️ It’s about realizing that the most sophisticated technology can fail if a single employee clicks on a malicious link. Today, let’s not talk about tools. Let’s talk about people. Your team. The beating heart of your organization. 🏢🧡 - Empower your staff with knowledge. Regular training isn't just good practice; it's a lifeline. - Foster a culture of vigilance. Phishing scams evolve daily. Staying ahead means staying aware. - Celebrate the wins. When someone reports a potential threat, make it a teachable moment for all. Cyber threats are the modern Pandora's box – once opened, they can wreak havoc. But unlike the myth, we have the power to close the lid. 📦💪 Leaders, let's shift focus from fear to empowerment. Investing in a cybersecurity-aware culture isn't an option; it's a necessity. This is about safeguarding more than data; it's about protecting our future. Share your experiences, encourage dialogue, and let’s strengthen our defenses through unity and knowledge. Because when it comes to cyber threats, education is just as powerful as encryption. #CyberSecurity #Leadership #RiskManagement #InformationSecurity #CorporateCulture

Cybersecurity is a team sport. 🤝 If a cyberattack hits tomorrow, will you tell the board that IT missed something, or admit the process was never owned by everyone? Incidents happen where risks aren't managed. For example: ⚠️ A phishing email fools an employee who wasn't trained on how to spot them. ⚠️ An unpatched server with a known vulnerability is left exposed to the internet. ⚠️ An ex-employee's privileged account wasn't deactivated after they left the company. Cybersecurity isn't just an IT task. It's a core business function like finance or operations, spanning people, processes, and technology. What's your team's role? ✅ Board & CEO: Is cyber risk a standing agenda item? Do you run tabletop exercises? ✅ CISO & IT: Do you have a live asset inventory, patching SLAs, and measured response times? ✅ Finance, HR, Legal & Ops: Are budgets tied to risk reduction? Are regulatory duties and "secure by design" practices enforced? ✅ Communications: Is a crisis comms plan written and tested? There is no 100% security. There is discipline, preparation, and resilience when everyone on the team knows their position. Your move: ➡️ Leaders: Is cyber risk still "an IT topic," or is it a board-level responsibility? ➡️ Teams: Do you know your role and metrics in the plan? Let's make cybersecurity a true team sport. #CyberSecurity #Leadership #RiskManagement #CybersecurityCulture #Governance

Cybersecurity isn’t just about protecting data—it’s also about safeguarding mental health. In the wake of a cyberattack, the psychological toll on individuals and organizations can be profound. Yet, this aspect of cybersecurity is often overlooked. Here’s the reality: Digital threats don’t just compromise your systems—they can also: 👉 Trigger anxiety and stress 👉 Lead to burnout among IT and security teams 👉 Damage trust and morale across the organization But it doesn’t have to be this way. 🛡️ Here’s what you need to do to address the mental health impact of cybersecurity threats: 1️⃣ Acknowledge the Psychological Impact → Understand that cyberattacks can cause significant emotional distress. Recognize the signs of stress and anxiety in your team. 2️⃣ Offer Mental Health Resources → Provide access to counseling and support for employees affected by cyber incidents. Encourage open conversations about the emotional challenges they face. 3️⃣ Build a Resilient Culture → Foster a supportive work environment where employees feel valued and understood. Promote work-life balance and stress management practices. 4️⃣ Prepare for the Human Side of Cybersecurity → Include mental health support in your incident response plan. Ensure that your team knows how to access help when they need it most. 5️⃣ Invest in Continuous Training and Support → Regularly train your team on cybersecurity best practices to reduce the likelihood of attacks, and offer ongoing mental health resources to help them cope with the pressures of their roles. Cybersecurity is not just a technical issue—it’s a human one. By addressing the mental health impact of digital threats, you’re not only protecting your systems but also supporting your most valuable asset: your people. 👉 Ready to explore how you can better support your team’s mental health in the face of cyber challenges? Let’s connect and discuss strategies to build a more resilient organization.

Most data breaches don’t start with hackers. They start with culture. We tend to picture cyberattacks as technical events. But in reality, many of them begin with small decisions, unspoken assumptions, and habits that fly under the radar — until they don’t. 🔍 According to the World Economic Forum, 95% of cybersecurity breaches are caused by human error. That’s not bad intent — it’s unclear ownership, rushed delivery, and systems people work around because they don’t trust them. Here are 5 signs you might have a data culture problem long before a security breach ever happens: No clear data ownership Governance gets messy when no one knows who’s responsible. Security is seen as a blocker If teams feel security slows them down, they’ll avoid it. Shortcuts become the norm Skipping checks to ���just get it done” quietly increases risk. Shadow systems appear Unofficial spreadsheets and dashboards are usually a sign of frustration — and exposure. People are afraid to ask questions If no one feels safe raising concerns, problems will stay hidden. 💡 As Harvard Business Review says, psychological safety is just as important as policy. And as Gartner and Forrester remind us, culture is just as critical as technology. It’s time we treated data culture as a frontline defence. Security doesn’t start with firewalls. It starts with people. #CyberSecurity #DataCulture #DataGovernance #DigitalLeadership #AI #RiskManagement #TrustInTech #PublicSectorData