Cyber security threats are evolving rapidly, but one constant remains: human behaviour is a critical factor in cyber risk. According to the 2024 Verizon Data Breach Investigations Report, 68% of breaches involved a non-malicious human element. Despite significant investment in security technology, organisations continue to suffer breaches caused by human error, social engineering, and poor security habits.
The solution lies in building a resilient security culture, one where employees are not just informed but actively engaged in protecting their organisation.
This was the focus of our recent Secon Cyber webinar, Building a Resilient Security Culture: 3 Steps to Turn Employees Into Your Best Defence, featuring Hoxhunt’s Maxime Cartier, a leading expert in security awareness and behaviour design.
If you were unable to attend, you can watch the full webinar recording below.
The rest of this blog explores the key insights shared during the session, outlining a three-step framework for turning employees into proactive defenders against cyber threats.
Why Traditional Security Training Fails.
Traditional security awareness training often falls short because it focuses on compliance rather than behavioural change. Many organisations require employees to complete annual security training, but this approach is rarely effective in fostering long-term security-conscious behaviour.
A useful analogy shared in the webinar compared security awareness to eating healthy food. Many people know that eating broccoli is good for their health, yet they do not always make it a regular part of their diet. Similarly, employees may understand cyber security best practices but still fail to apply them in real-world situations.
This highlights the need for a more strategic, data-driven, and human-centric approach to security culture, one that moves beyond compliance checkboxes to drive real behavioural change.
Step 1: Identify and Measure Human Risk.
The first step in building a resilient security culture is identifying and prioritising the greatest human risks within the organisation. A one-size-fits-all approach does not work; security teams need to assess and measure the risks specific to their own workforce.
To do this effectively, organisations should:
- Identify the biggest human risk factors – Determine whether phishing, weak passwords, or data mishandling are the most significant vulnerabilities.
- Measure behaviours and attitudes – Use phishing simulations, telemetry from existing security tools (for example, report-button and email gateway data), and employee surveys to assess security awareness.
- Prioritise the highest-risk areas – Focus efforts on specific teams, departments, or locations where security awareness is lowest.
By taking a data-driven approach, security teams can allocate resources effectively and focus on the areas that present the highest risk.
Step 2: Deploy Targeted and Engaging Interventions.
Once risks have been identified, the next step is to deploy targeted interventions that effectively drive behavioural change. Traditional security awareness approaches, such as generic phishing simulations and static training modules, often fail because they do not account for individual differences in knowledge and experience.
Instead, organisations should:
- Customise training for each employee – Adaptive training programs, such as those powered by artificial intelligence, can tailor content to employees’ skill levels and job roles.
- Use positive reinforcement – Reward employees for recognising and reporting threats, rather than penalising them for mistakes.
- Deliver security training continuously – Rather than an annual training session, security awareness should be short, frequent, and integrated into daily workflows.
One case study shared during the webinar demonstrated the impact of personalised training: employees who received adaptive, gamified security training were six times less likely to click on phishing emails and seven times more likely to report them.
This evidence reinforces the need to move away from generic training programs and instead focus on engaging, personalised learning experiences that make security a natural part of employees’ daily routines.
Step 3: Measure and Communicate Impact.
The final step in transforming security culture is measuring success and communicating impact to key stakeholders. Many security programs focus on metrics such as training completion rates, but these do not provide meaningful insight into actual risk reduction.
Instead, organisations should track:
- Phishing click rates and reporting rates – Assess how many employees not only avoid phishing attempts but also report them.
- Risk reduction over time – Analyse whether high-risk behaviours are decreasing as a result of training initiatives.
- Employee engagement levels – Evaluate whether employees are actively participating in security programs.
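As an added worked example (not from the webinar, Secon, or Hoxhunt), the following Python script computes the Step 1 and Step 3 measures from a phishing-simulation export: per-department click and report rates, a risk ranking that drops teams too small to measure reliably, and the per-campaign trend for one team. The export format, field names, users and departments are constructed assumptions, not a real product export.

```python
"""Human-risk metrics from a phishing-simulation export.

Added example; assumes one row per (campaign, user, department, outcome).
All field names and sample rows are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SimResult:
    """One employee's outcome in one phishing-simulation campaign."""
    campaign: str     # label that sorts chronologically, e.g. "2024-Q1"
    user: str
    department: str
    clicked: bool     # followed the lure link (or submitted data)
    reported: bool    # used the report-phishing button


# Constructed sample export (hypothetical users and departments).
SAMPLE = [
    SimResult("2024-Q1", "alice", "finance", True, False),
    SimResult("2024-Q1", "bob", "finance", False, True),
    SimResult("2024-Q1", "carol", "finance", True, False),
    SimResult("2024-Q1", "dan", "finance", False, False),
    SimResult("2024-Q1", "erin", "engineering", False, True),
    SimResult("2024-Q1", "frank", "engineering", False, True),
    SimResult("2024-Q1", "grace", "engineering", True, False),
    SimResult("2024-Q1", "heidi", "engineering", False, False),
    SimResult("2024-Q1", "ivan", "sales", True, False),
    SimResult("2024-Q1", "judy", "sales", True, False),
    SimResult("2024-Q1", "ken", "sales", False, False),
    SimResult("2024-Q2", "alice", "finance", False, True),
    SimResult("2024-Q2", "bob", "finance", False, True),
    SimResult("2024-Q2", "carol", "finance", True, False),
    SimResult("2024-Q2", "dan", "finance", False, True),
    SimResult("2024-Q2", "erin", "engineering", False, True),
    SimResult("2024-Q2", "frank", "engineering", False, True),
    SimResult("2024-Q2", "grace", "engineering", False, True),
    SimResult("2024-Q2", "heidi", "engineering", False, False),
    SimResult("2024-Q2", "ivan", "sales", True, False),
    SimResult("2024-Q2", "judy", "sales", False, True),
    SimResult("2024-Q2", "ken", "sales", True, False),
]


def rates(results, key=lambda r: r.department):
    """Group results by `key`; return {group: (click_rate, report_rate, n)}.

    Click rate and report rate are measured independently: an employee who
    clicks and then reports counts in both numerators.
    """
    counts = defaultdict(lambda: [0, 0, 0])  # clicks, reports, total
    for r in results:
        c = counts[key(r)]
        c[0] += r.clicked
        c[1] += r.reported
        c[2] += 1
    return {g: (clk / n, rep / n, n) for g, (clk, rep, n) in counts.items()}


def rank_by_risk(results, min_n=5):
    """Rank departments from highest to lowest human risk.

    Risk score = click_rate - report_rate, so a team that clicks often and
    reports rarely scores highest. Groups with fewer than `min_n` results
    are dropped: one click in a two-person team is a 50% click rate, which
    is noise rather than a signal to act on.
    """
    ranked = [
        (dept, round(clk - rep, 4), n)
        for dept, (clk, rep, n) in rates(results).items()
        if n >= min_n
    ]
    return sorted(ranked, key=lambda t: t[1], reverse=True)


def trend(results, department):
    """Per-campaign (campaign, click_rate, report_rate) for one department, oldest first."""
    subset = [r for r in results if r.department == department]
    per_campaign = rates(subset, key=lambda r: r.campaign)
    return [(camp, round(clk, 4), round(rep, 4))
            for camp, (clk, rep, _) in sorted(per_campaign.items())]


if __name__ == "__main__":
    for dept, score, n in rank_by_risk(SAMPLE):
        print(f"{dept:12s} risk={score:+.3f} (n={n})")
    for camp, clk, rep in trend(SAMPLE, "finance"):
        print(f"finance {camp}: click {clk:.0%}, report {rep:.0%}")
```

Click rate and report rate are deliberately kept separate rather than folded into one score for display: reporting is the behaviour to grow, and a team whose click rate falls while its report rate stays at zero has learned to ignore lures, not to defend. The `min_n` guard is the caveat a practitioner will want when prioritising by team or location; small groups produce large swings from a single click, and acting on them wastes the effort Step 1 is meant to focus.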
Maxime Cartier emphasised the importance of presenting results in a compelling way to gain executive buy-in. Demonstrating a clear reduction in risk, backed by data and real-world success stories, strengthens the case for continued investment in security culture initiatives.
One particularly impactful case study shared in the webinar showed that employees trained using a behaviour-driven approach not only reduced their phishing click rates but also significantly improved their incident reporting habits over time. This shift in behaviour ensures that security teams receive timely alerts about potential threats, allowing them to take proactive action.
Key Takeaways.
- Traditional security awareness programs are ineffective in driving behavioural change.
- Security teams must identify and prioritise human risk factors rather than applying a one-size-fits-all approach.
- Effective training programs should be personalised, engaging, and continuously reinforced.
- Measuring and communicating real impact is essential for gaining leadership support and ensuring long-term success.
Building a resilient security culture requires a shift in mindset, from compliance-driven approaches to data-driven, human-centric security strategies. By following the three-step framework, organisations can turn employees into proactive defenders against cyber threats.
To learn more about Human Risk Management and how we at Secon can support you, get in touch.