Employees often follow the lead of those in charge. When senior leaders model strong security behaviours, it sends a clear and powerful message that shapes an organisation’s security culture and overall posture. As such, the success of an organisation’s security awareness programme largely depends on how leadership demonstrates their own secure behaviours.
Senior leaders hold great influence and, in the context of security behaviours, that influence can either support or undermine an organisation’s efforts to improve them amongst employees. This is evident when threat actors exploit authority bias by sending phishing emails that impersonate the CEO, knowing that employees often comply without question simply because the request appears to come from someone senior. Yet the reverse is just as powerful: when senior leaders demonstrate positive security behaviours, they can trigger a domino effect that improves security behaviours across the business.
Ultimately, leaders in any organisation set the standard for behavioural norms. For instance, if a senior leader walks through the office without a visible security pass, others may assume this behaviour is acceptable. Similarly, just as peers influence one another, it’s important for individuals to set a positive example within their own sphere of influence. Even a single small act can impact an organisation’s security culture.
People learn most effectively when messages are positioned within context, making them relevant and relatable to their own experiences. Senior leadership should therefore take this into account when planning learning: educating employees about complex topics that aren’t relevant to their day-to-day roles won’t be as impactful as content that aligns with their goals, personal interests and priorities. Additionally, leaders can link their security messaging directly to the organisation’s strategic aims, helping to improve its security posture.
An effective approach to improving security behaviours is to align with the EAST framework, a behavioural insights tool designed to influence behaviour change. The model emphasises making behaviours Easy, Attractive, Social, and Timely. The idea behind the framework is that content should be clear and simple (Easy), highlight benefits (Attractive), leverage social influence (Social), and prompt action at the right moment (Timely), enabling organisations to design more effective interventions, policies, and communications.
By applying these principles to any security awareness programme, organisations can create an environment that encourages secure behaviours in a way that feels natural and accessible to employees, and that achieves better outcomes.
Creating clear KPIs for security awareness training is crucial, as senior leaders need to understand how their involvement delivers a measurable return on investment (ROI). This means focusing on metrics that are meaningful, actionable, and free from excessive technical detail. We have formulated two types of measurements that can be used by senior leaders to achieve this:
Here are some examples of meaningful behavioural data:
By tracking data like this, senior leaders can show that risky behaviours have decreased following an intervention, demonstrating real impact and ROI.
Awareness efforts too often start with a video or phishing simulation, but without first establishing context or motivation, these initiatives are unlikely to have a lasting impact on users. Instead, think in terms of:
Additionally, identify a champion among the team, someone already modelling good behaviours, and nurture them. In doing so, their influence can ripple across peer groups, creating a culture shift from the top down.