{"id":5988,"date":"2025-11-28T07:00:00","date_gmt":"2025-11-28T07:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=5988"},"modified":"2025-11-28T07:00:00","modified_gmt":"2025-11-28T07:00:00","slug":"empathetic-policy-engineering-the-secret-to-better-security-behavior-and-awareness","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=5988","title":{"rendered":"Empathetic policy engineering: The secret to better security behavior and awareness"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<p>In many companies, IT security guidelines encounter resistance because employees perceive them as obstructive or impractical. This makes implementation difficult, undermines effectiveness, and strains collaboration between the security department and business units.<\/p>\n<p>As a result, instead of being seen as a partner, cybersecurity is often perceived as a hindrance, which is itself a serious security risk. For CISOs, this means that, in addition to technically sound guidelines, acceptance in everyday work is crucial. An approach built on empathetic policy engineering and strategic security communication can help foster a sustainable security culture.<\/p>\n<h2 class=\"wp-block-heading\">IT security: Work pressure and social influences<\/h2>\n<p>Many IT departments believe that users are poorly motivated to comply with security guidelines. Companies rely on sanctions and <a href=\"https:\/\/www.csoonline.com\/article\/3604803\/security-awareness-training-topics-best-practices-costs-free-options.html\">security awareness training<\/a> to enforce compliance. 
However, a two-day experiment investigating the impact of security designs on policy-compliant user behavior revealed that while participants initially had a positive attitude toward security guidelines, these guidelines were increasingly perceived as a hindrance under rising work pressure, leading to more frequent violations. Stress and situational factors had a noticeable influence on the participants\u2019 security-related behavior.<\/p>\n<p>Secure behavior therefore does not arise solely from knowledge transfer, but depends heavily on individual risk assessment and concrete everyday situations. Users do not always act as the guidelines prescribe \u2014 often not out of unwillingness, but because other factors outweigh them or are considered more important. Ambitious goals, time pressure, and the need for seamless collaboration frequently conflict with abstract\u00a0security requirements. These conflicts of interest quickly lead to tensions between security, IT, and other departments. This ultimately jeopardizes the security culture.<\/p>\n<p>Security managers can counteract this by addressing three points.<\/p>\n<h2 class=\"wp-block-heading\">1.\u00a0Conduct stakeholder analysis<\/h2>\n<p>CISOs should first ask themselves why users are not behaving securely. A variety of factors play a role here. For example, users may not be aware of the threat, may not see the benefits of secure behavior, or may perceive security measures as hindering their work. There may also be a conflict of interest with the users\u2019 goals, or they may be under time pressure. 
Often, the resources are simply lacking \u2014 for example, if regulations require secure data exchange with suppliers and customers, but employees are not provided with a platform for such data exchange \u2014 or there may be a lack of role models in the environment.<\/p>\n<p>Before implementing security measures, it is important to identify and balance conflicting goals and priorities among the various stakeholder groups (IT department, technical departments, management, administration, production staff). This can be done, for example, through stakeholder analysis \u2014 a method from business informatics used to ascertain the preferences of all stakeholders involved. The more security managers know about the realities of work and the goals of the different departments, the better they can tailor security measures accordingly \u2014 leading to greater acceptance and ultimately successful implementation.<\/p>\n<h2 class=\"wp-block-heading\">2.\u00a0Design security guidelines with the user in mind<\/h2>\n<p>Insecure behavior is often blamed on users, when the problem frequently lies in the measure itself. In IT security research, the focus is often on individual user behavior \u2014 for example, on whether secure behavior depends on personality traits. The question of how well security measures actually fit the reality of work \u2014 that is, how likely they are to be accepted in everyday practice \u2014 is neglected.<\/p>\n<p>For every threat, there are usually several available security measures. But differences in effort, acceptance, compatibility, or complexity are often not taken into account in practice. Instead, security or IT departments often make decisions based solely on technical aspects.<\/p>\n<p>To establish effective IT security policies, they must not only be technically correct \u2014 they must also be sensible and practical from an employee perspective. 
The key to this lies in\u00a0empathetic policy engineering: Security guidelines should be designed so that they are understandable, accepted, and compatible with everyday work goals. This is best achieved when employees are involved in the development process early on \u2014 including their conflicting goals and practical challenges.<\/p>\n<p>A subsequent pilot project helps to identify potential stumbling blocks and obstacles early on and to adjust the measures accordingly. It has proven effective to start with the \u201cearly adopters\u201d \u2014 that is, the group of users who are open to innovations and can subsequently provide constructive feedback. Their feedback should be incorporated before the large-scale rollout. In this way, a security culture can develop that is effective \u2014 and actually practiced in everyday work.<\/p>\n<h2 class=\"wp-block-heading\">3.\u00a0Communicate with respect<\/h2>\n<p>Security measures and guidelines are often communicated in a way that doesn\u2019t resonate with users\u2019 work reality because they don\u2019t aim to engage employees and motivate them: for example, through instructions, standard online training, or overly playful formats like comics that employees don\u2019t take seriously. A \u201crespect approach\u201d works better: It relies on communication on equal terms, instead of prohibitions and punishments.<\/p>\n<p>The crucial difference: Employees are treated as competent, responsible adults. 
The focus is on an empathetic understanding of their needs and work realities \u2014 without losing sight of security goals.<\/p>\n<p>There are several techniques for successfully communicating security policies and avoiding conflicts:<\/p>\n<p><strong>Tactical empathy:<\/strong>\u00a0Acknowledging users\u2019 situation and constraints before stating requirements creates recognition, strengthens trust, and thus ensures that employees feel heard and are willing to accept security-relevant information.<\/p>\n<p><strong>\u2018Help me to help you\u2019 instead of \u2018No\u2019:<\/strong>\u00a0Instead of enforcing security requirements, CISOs can use targeted \u201chow\u201d questions to encourage users to think about the proposed solutions. If users have change requests regarding the security requirements, security shouldn\u2019t simply say \u201cno.\u201d It\u2019s helpful to ask what the employees themselves suggest to both comply with security requirements and enable efficient work. This creates a dialogue and makes it easier to find a compromise acceptable to all parties involved.<\/p>\n<p><strong>Practical experience instead of dry theory:<\/strong>\u00a0A training concept that relies on direct experience confronts participants with realistic scenarios \u2014 such as cyberattacks like phishing,\u00a0ransomware, or attacks via USB devices. They experience firsthand, in a realistic environment that replicates typical workplaces in small and midsize enterprises, how cyberattacks unfold. This creates a deep, lasting understanding of IT security. Instead of lectures, the focus is on people and their experiences.<\/p>\n<h2 class=\"wp-block-heading\">CISOs as shapers of an effective security culture<\/h2>\n<p>The limited success of many security measures is not solely due to the users \u2014 often it\u2019s unrealistic requirements, a lack of involvement, and inadequate communication. For security leaders, this means: Instead of relying on education and sanctions, a strategic paradigm shift is needed. 
They should become a kind of empathetic policy architect whose security strategy not only works technically but also resonates on a human level. They create frameworks in which secure decisions are naturally integrated into everyday work. This requires a good sense of conflicting objectives, communication on equal terms \u2014 and the ability to anchor security as a shared value within the company.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>In many companies, IT security guidelines encounter resistance because employees perceive them as obstructive or impractical. This makes implementation difficult, undermines effectiveness, and strains collaboration between the security department and business units. As a result, instead of being seen as a partner, cybersecurity is often perceived as a hindrance \u2014 a fatal security risk. For [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":5989,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-5988","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5988"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5988"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5988\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/5989"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index
.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5988"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5988"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5988"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}