Making Cyber Security Part of Your Culture: Incentives, Recognition, and Leadership.

Security awareness training alone does not change behaviour. Here is how Irish SMEs build a security culture where doing the right thing is the path of least re

Making Cyber Security Part of Your Culture: Incentives, Recognition, and Leadership Behaviour.

At a Donegal financial services firm, the managing director sent an all-staff email after a staff member reported a suspicious payment request — which turned out to be a genuine CEO fraud attempt. The email named the staff member, described what they had done (followed the verification procedure and called to confirm before processing), and thanked them specifically. It noted that the verification call had prevented a €24,000 loss.

Six months later, at the same firm, reporting of suspicious emails had increased by 60%. The phishing simulation click rate had dropped to 8%. No additional training had been purchased. No new policies had been written.

The single most impactful security awareness intervention in that business was a one-paragraph email from the managing director.


Why Training Alone Does Not Build Security Culture

Security awareness training provides knowledge. Security culture determines behaviour. These are not the same thing.

A staff member who has completed an annual security awareness module knows — conceptually — that they should report suspicious emails. Whether they actually do depends on culture: whether reporting is expected and valued, whether it is easier to report than to ignore, whether doing the right thing has ever been acknowledged, and whether the people they respect model the behaviour they are being asked to adopt.

Most Irish SME security programmes invest in knowledge — training videos, e-learning modules, compliance exercises — and relatively little in the cultural conditions that determine whether that knowledge changes what people actually do.


Leadership Behaviour Is the Strongest Signal

Staff take their cue on security behaviour from management. A managing director who uses a weak password because it is convenient, who bypasses MFA when it is inconvenient, who never locks their screen, and who sends sensitive documents via WhatsApp is communicating more clearly than any security policy about what security behaviour is actually expected.

Conversely, a managing director who visibly follows the security procedures — who calls to verify unusual payment requests, who locks their screen, who uses the password manager, who mentions security in team meetings — sets a behavioural norm that permeates the organisation.

This does not require the managing director to become a security expert. It requires them to visibly follow the same procedures they are asking staff to follow. The gap between leadership's behaviour and the policy's requirements is the space in which the policy fails.

Do you follow, visibly and consistently, the same security procedures you are asking your staff to follow? If not, the gap is the most powerful security awareness message in your organisation — and it is working against you. Book a free 20-minute strategy call — security culture development is a specific focus of our vCISO advisory work with Irish SME leadership teams.


Recognition: The Underused Security Tool

The Donegal financial services example above illustrates the disproportionate impact of recognition on security behaviour. Recognition works for several interconnected reasons.

It identifies and amplifies the specific behaviour being sought, making it concrete and visible to everyone in the organisation. It signals that the behaviour is valued — not just required. It provides social proof that other staff are doing this thing. And it creates a positive association between reporting and outcomes, which overcomes the natural reluctance to raise potential problems.

Recognition does not need to be elaborate. A brief mention at a team meeting — "Sarah spotted a suspicious payment request and followed the verification procedure last week, which is exactly what we ask everyone to do" — takes thirty seconds and has a measurable impact on the behaviour of everyone who hears it.

What it must not be is accidental. Build recognition into the rhythm of how the business communicates. A monthly security note that includes one specific example of a staff member doing the right thing costs nothing and systematically reinforces the behaviour the business needs.


Removing Friction From Reporting

A staff member who spots a suspicious email faces a choice: report it, which requires finding the right contact, writing a message, and potentially facing a conversation about whether they were right to be suspicious — or ignore it, which requires nothing. The default option is always the one with the least friction.

Reduce the friction of reporting to the absolute minimum. A single email address that goes directly to the security contact. A physical poster in the office with the reporting email and a mobile number. A Teams channel named "Report Something Suspicious" where staff can post without formality. The easier it is to report, the more reporting happens.

Remove the penalty for false positives explicitly. A staff member who reports something that turns out to be legitimate should receive the same positive acknowledgment as one who reports a genuine threat. The behaviour being rewarded is the reporting, not the accuracy of the judgement.


Incorporating Security Into Existing Rhythms

Security culture does not require additional meetings or parallel communications infrastructure. It requires incorporating security into existing rhythms.

A monthly five-minute security item in the all-staff meeting — one current example of an attack type, one update on what the business is doing, one recognition of a staff behaviour — is more effective than a quarterly security training session that staff regard as a compliance exercise.

An annual security briefing that is integrated into the performance review cycle — with a specific security responsibility for each role — creates individual accountability that a generic awareness programme does not.


What Next

  1. Recognise a specific security behaviour at the next team meeting. Name the person. Describe what they did. Note the outcome. Thirty seconds.

  2. Create a single, simple reporting channel and tell everyone what it is. One email address. A poster in the office. A Teams channel. Make reporting easier than ignoring.

  3. Review your own visible security behaviour. Password manager in use? Screen locked when you leave your desk? MFA on every account? Calls to verify unusual payment requests? Your visible behaviour is your most powerful awareness programme.


Ready to find out exactly where your business stands? Book a free 20-minute strategy call at www.pragmaticsecurity.ie/book-a-call.


Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.