Empathetic policy engineering: The secret to better security behavior and awareness

In many companies, IT security guidelines encounter resistance because employees perceive them as obstructive or impractical. This makes implementation difficult, undermines effectiveness, and strains collaboration between the security department and business units.

As a result, instead of being seen as a partner, cybersecurity is often perceived as a hindrance — a fatal security risk. For CISOs, this means that, in addition to technically sound guidelines, acceptance in everyday work is crucial. A new approach with empathetic policy engineering and strategic security communication can help foster a sustainable security culture.

IT security: Work pressure and social influences

Many IT departments believe that users are poorly motivated to comply with security guidelines. Companies rely on sanctions and security awareness training to enforce compliance. However, a two-day experiment investigating the impact of security designs on policy-compliant user behavior revealed that while participants initially had a positive attitude toward security guidelines, these guidelines became increasingly perceived as a hindrance under rising work pressure, leading to more frequent violations. Stress and situational factors had a noticeable influence on the participants’ security-related behavior.

Secure behavior therefore does not arise solely from knowledge transfer, but depends heavily on individual risk assessment and concrete everyday situations. Users do not always act as the guidelines prescribe — often not out of unwillingness, but because other factors outweigh security or are considered more important. Ambitious goals, time pressure, and the need for seamless collaboration frequently conflict with abstract security requirements. These conflicts of interest quickly lead to tensions between security, IT, and other departments, and this ultimately jeopardizes the security culture.

Security managers can counteract this by addressing three points.

1. Conduct stakeholder analysis

CISOs should first ask themselves why users are not behaving securely. A variety of factors play a role here: For example, users may not be aware of the threat, may not see the benefits of secure behavior, or may perceive security measures as hindering their work. There may also be a conflict of interest with the users’ goals, or they may be under time pressure. Often, the resources are simply lacking — for example, if regulations require secure data exchange with suppliers and customers, but employees are not provided with a platform for such data exchange — or there may be a lack of role models in their environment.

Before implementing security measures, it is important to identify and balance conflicting goals and priorities among the various stakeholder groups (IT department, technical departments, management, administration, production staff). This can be done, for example, through stakeholder analysis — a method from business informatics used to ascertain the preferences of all stakeholders involved. The more security managers know about the realities of work and the goals of the different departments, the better they can tailor security measures accordingly — leading to greater acceptance and ultimately successful implementation.

2. Design security guidelines with the user in mind

Insecure behavior is often blamed on users, when the problem frequently lies in the measure itself. In IT security research, the focus is often on individual user behavior — for example, on whether secure behavior depends on personality traits. The question of how well security measures actually fit the reality of work — that is, how likely they are to be accepted in everyday practice — is neglected.

For every threat, there are usually several available security measures. But differences in effort, acceptance, compatibility, or complexity are often not taken into account in practice. Instead, security or IT departments often make decisions based solely on technical aspects.

To establish effective IT security policies, they must not only be technically correct — they must also be sensible and practical from an employee perspective. The key to this lies in empathetic policy engineering: Security guidelines should be designed so that they are understandable, accepted, and compatible with everyday work goals. This is best achieved when employees are involved in the development process early on — including their conflicting goals and practical challenges.

A subsequent pilot project helps to identify potential stumbling blocks and obstacles early on and to adjust the measures accordingly. It has proven effective to start with the “early adopters” — that is, the group of users who are open to innovations and can subsequently provide constructive feedback. Their feedback should be taken into account before the large-scale rollout. In this way, a security culture can develop that is effective — and actually practiced in everyday work.

3. Communicate with respect

Security measures and guidelines are often communicated in a way that doesn’t resonate with users’ work reality because they don’t aim to engage employees and motivate them: for example, through instructions, standard online training, or overly playful formats like comics that employees don’t take seriously. A “respect approach” works better: It relies on communication on equal terms, instead of prohibitions and punishments.

The crucial difference: Employees are treated as competent, responsible adults. The focus is on an empathetic understanding of their needs and work realities — without losing sight of security goals.

There are several techniques for successfully communicating security policies and avoiding conflicts:

Tactical empathy: This creates recognition, strengthens trust, and thus ensures that employees feel heard and are willing to accept security-relevant information.

‘Help me to help you’ instead of ‘No’: Instead of enforcing security requirements, CISOs can use targeted “how” questions to encourage users to think about the proposed solutions. If users have change requests regarding the security requirements, security shouldn’t simply say “no.” It’s helpful to ask what the employees themselves suggest to both comply with security requirements and enable efficient work. This creates a dialogue and makes it easier to find a compromise acceptable to all parties involved.

Practical experience instead of dry theory: A training concept that relies on direct experience confronts participants with realistic scenarios — such as cyberattacks like phishing, ransomware, or USB attacks. They experience firsthand, in a realistic environment that replicates typical workplaces in small and midsize enterprises, how cyberattacks unfold. This creates a deep, lasting understanding of IT security. Instead of lectures, the focus is on people and their experiences.

CISOs as shapers of an effective security culture

The limited success of many security measures is not solely due to the users — often it’s unrealistic requirements, a lack of involvement, and inadequate communication. For security leaders, this means: Instead of relying on education and sanctions, a strategic paradigm shift is needed. They should become a kind of empathetic policy architect whose security strategy not only works technically but also resonates on a human level. They create frameworks in which secure decisions are naturally integrated into everyday work. This requires a good sense of conflicting objectives, communication on equal terms — and the ability to anchor security as a shared value within the company.
