Security Awareness Video

Building a Security Culture Without Creating Resistance

Learn how to build a security culture that makes secure behaviour easier, clearer, more normal, and safer to report — without making teams feel blamed, watched, or controlled.

What this video covers

Security culture should not feel like control

A strong security culture is not built by making people afraid of getting security wrong. It is built by creating the conditions where safer behaviour is easier to repeat.

Why security culture creates resistance

Learn why fear, blame, surveillance, and generic training can make people defensive instead of engaged.

How resistance shows up quietly

Understand why people may delay reporting, use shortcuts, hide mistakes, or treat security as “not my job”.

How to make secure behaviour normal

See how trust, clarity, manager reinforcement, usability, and leadership modelling shape everyday security behaviour.

Core idea

A strong security culture helps people make safer decisions without making work harder.

People are not usually trying to be insecure. They are trying to serve customers, close sales, ship products, onboard employees, pay suppliers, answer clients, hit deadlines, and solve problems quickly. Security culture works when it supports that reality instead of fighting against it.

  • Stop framing people as the weakest link.
  • Make security relevant to each team’s actual work.
  • Make reporting psychologically safe.
  • Reduce security friction and unclear processes.
  • Use managers as security culture carriers.
  • Make leadership follow the same rules.

Common mistakes

Security culture can backfire when it feels like policing

The words and behaviours used to communicate security matter. If people feel blamed, dismissed, or punished, they become less likely to report early or engage honestly.

“Users are the weakest link”

This makes people feel blamed and treated as the problem rather than supported in making safer decisions.

“You should have known better”

This can make people hide mistakes instead of reporting quickly when speed matters most.

“Just follow the policy”

This often feels dismissive when the policy is hard to find, hard to understand, or unrealistic under pressure.

“Security says no”

This positions security as the blocker rather than a practical partner in helping the business operate safely.

Resistance-building culture

This is the version of security culture that makes teams defensive.

  • Fear-based messaging
  • Blame when mistakes happen
  • Overly technical communication
  • Processes that are harder than shortcuts
  • Leaders who bypass the rules

Adoption-building culture

This is the version that helps secure behaviour become normal.

  • Clear and practical expectations
  • Safe early reporting
  • Role-specific guidance
  • Manager reinforcement
  • Leadership modelling

Behaviour signals

Measure behaviour, not just awareness completion

A stronger security culture shows up in how people act during real work — not just whether they completed annual training.

Time to report

Shows whether people feel safe escalating quickly when something looks wrong.

Access route adoption

Shows whether people are using approved processes instead of informal shortcuts.

Policy exceptions

Shows where security processes may be creating too much friction for real work.

Supplier checks before access

Shows whether teams understand when security applies before suppliers receive data or system access.

Near-miss reporting

Shows whether people are willing to raise concerns early before they become incidents.

Manager reinforcement

Shows whether team leaders are helping make secure behaviour part of everyday work.

Next step

Need security culture materials people can actually use?

The Security Awareness Pack helps organisations make reporting, phishing guidance, manager reinforcement, new starter awareness, and everyday security behaviours clearer and easier to adopt.

Related programmes

Build the right security layer for your stage

Choose the right level of support depending on whether you need templates, implementation support, audit readiness, or ongoing advisory.

Layer 1 — Startup Security Toolkit

A DIY toolkit for founders who need practical templates across risk management, access control, vendor risk, incidents, and security actions.

View toolkit →

Layer 2 — Startup Security Implementation Kit

Guided support to help you apply the toolkit, prioritise gaps, assign owners, and move from documentation to implementation.

View implementation kit →

Layer 3 — Security Readiness Audit

An expert review of your current security position, helping you identify gaps, risks, and priority improvements.

View audit →

Layer 4 — Fractional Security Advisor

Ongoing cyber security advisory support for growing startups that need strategic guidance without hiring a full-time security leader.

View advisory →

Karimah, CISSP-certified cyber security consultant

Created by Karimah

Karimah is a CISSP-certified cyber security consultant helping startups and growing teams turn security from scattered tasks into clear priorities, evidence, decisions, and behaviours.

FAQ

Security culture questions

What does security culture mean?

Security culture is the way people behave, make decisions, report concerns, follow processes, and respond to risk in everyday work. It is shaped by leadership, managers, processes, communication, and what behaviour gets rewarded or tolerated.

Why do teams resist security culture?

Teams often resist security culture when it feels like blame, control, surveillance, restriction, or extra work. Resistance increases when security is unclear, hard to follow, not relevant to the team’s role, or not modelled by leadership.

How do you build security culture without creating resistance?

Build security culture by making expectations clear, making reporting safe, translating security into each team’s work, reducing friction, using managers to reinforce behaviour, and ensuring leaders follow the same rules.

What should security awareness training measure?

Security awareness should not only measure completion. Better measures include time to report, report quality, use of approved access routes, supplier checks before access, policy exceptions, manager reinforcement, and near-miss reporting.