Security Awareness Video
Building a Security Culture Without Creating Resistance
Learn how to build a security culture that makes secure behaviour easier, clearer, more normal, and safer to report — without making teams feel blamed, watched, or controlled.
What this video covers
Security culture should not feel like control
A strong security culture is not built by making people afraid of getting security wrong. It is built by creating the conditions where safer behaviour is easier to repeat.
Why security culture creates resistance
Learn why fear, blame, surveillance, and generic training can make people defensive instead of engaged.
How resistance shows up quietly
Understand why people may delay reporting, use shortcuts, hide mistakes, or treat security as “not my job”.
How to make secure behaviour normal
See how trust, clarity, manager reinforcement, usability, and leadership modelling shape everyday security behaviour.
Core idea
A strong security culture helps people make safer decisions without making work harder.
People are not usually trying to be insecure. They are trying to serve customers, close sales, ship products, onboard employees, pay suppliers, answer clients, hit deadlines, and solve problems quickly. Security culture works when it supports that reality instead of fighting against it.
- Stop framing people as the weakest link.
- Make security relevant to each team’s actual work.
- Make reporting psychologically safe.
- Reduce security friction and unclear processes.
- Use managers as security culture carriers.
- Make leadership follow the same rules.
Common mistakes
Security culture can backfire when it feels like policing
The words and behaviours used to communicate security matter. If people feel blamed, dismissed, or punished, they become less likely to report early or engage honestly.
“Users are the weakest link”
This makes people feel blamed and treated as the problem rather than supported in making safer decisions.
“You should have known better”
This can make people hide mistakes instead of reporting quickly when speed matters most.
“Just follow the policy”
This often feels dismissive when the policy is hard to find, hard to understand, or unrealistic under pressure.
“Security says no”
This positions security as the blocker rather than a practical partner in helping the business operate safely.
Resistance-building culture
This is the version of security culture that makes teams defensive.
- Fear-based messaging
- Blame when mistakes happen
- Overly technical communication
- Processes that are harder than shortcuts
- Leaders who bypass the rules
Adoption-building culture
This is the version that helps secure behaviour become normal.
- Clear and practical expectations
- Safe early reporting
- Role-specific guidance
- Manager reinforcement
- Leadership modelling
Behaviour signals
Measure behaviour, not just awareness completion
A stronger security culture shows up in how people act during real work — not just whether they completed annual training.
Time to report
Shows whether people feel safe escalating quickly when something looks wrong.
Access route adoption
Shows whether people are using approved processes instead of informal shortcuts.
Policy exceptions
Shows where security processes may be creating too much friction for real work.
Supplier checks before access
Shows whether teams understand when security applies before suppliers receive data or system access.
Near-miss reporting
Shows whether people are willing to raise concerns early before they become incidents.
Manager reinforcement
Shows whether team leaders are helping make secure behaviour part of everyday work.
Next step
Need security culture materials people can actually use?
The Security Awareness Pack helps organisations make reporting, phishing guidance, manager reinforcement, new starter awareness, and everyday security behaviours clearer and easier to adopt.
Related programmes
Build the right security layer for your stage
Choose the right level of support depending on whether you need templates, implementation support, audit readiness, or ongoing advisory.
Layer 1 — Startup Security Toolkit
A DIY toolkit for founders who need practical templates across risk management, access control, vendor risk, incidents, and security actions.
Layer 2 — Startup Security Implementation Kit
Guided support to help you apply the toolkit, prioritise gaps, assign owners, and move from documentation to implementation.
Layer 3 — Security Readiness Audit
An expert review of your current security position, helping you identify gaps, risks, and priority improvements.
Layer 4 — Fractional Security Advisor
Ongoing cyber security advisory support for growing startups that need strategic guidance without hiring a full-time security leader.
FAQ
Security culture questions
What does security culture mean?
Security culture is the way people behave, make decisions, report concerns, follow processes, and respond to risk in everyday work. It is shaped by leadership, managers, processes, communication, and what behaviour gets rewarded or tolerated.
Why do teams resist security culture?
Teams often resist security culture when it feels like blame, control, surveillance, restriction, or extra work. Resistance increases when security is unclear, hard to follow, not relevant to the team’s role, or not modelled by leadership.
How do you build security culture without creating resistance?
Build security culture by making expectations clear, making reporting safe, translating security into each team’s work, reducing friction, using managers to reinforce behaviour, and ensuring leaders follow the same rules.
What should security awareness training measure?
Security awareness should not only measure completion. Better measures include time to report, report quality, use of approved access routes, supplier checks before access, policy exceptions, manager reinforcement, and near-miss reporting.