Nine human-centric strategies that strengthen security teams

COMMENTARY: CISOs and senior cybersecurity leaders have the power to shape their organization's technical defenses, as well as its security culture.

Success in cybersecurity isn’t just about tools and technologies. It’s about how top managers lead and inspire people to adopt secure behaviors.

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]

Today’s column offers practical, human-centered strategies to help managers become more effective leaders. Throughout the year, we’ll further explore the nine topics we’re covering here in CyberRisk Collaborative’s new leadership-focused curriculum, now available to our community of more than 2,000 CISOs and other cybersecurity leaders. Here's a thumbnail look at each of the topics:

The Boomerang Effect – Focus on Empowerment

When security awareness campaigns rely heavily on fear ("A single click can ruin the company"), they can backfire, leaving employees feeling powerless or indifferent. This phenomenon, called the Boomerang Effect, undermines trust and engagement. Instead of emphasizing fear, focus on empowerment. Frame security behaviors as achievable steps employees can take to protect themselves and the organization. For example, reward employees for spotting phishing attempts rather than just warning them about the consequences of failure.

Hyperbolic Discounting – Incentivize Desired Behavior

Like everyone else, employees tend to prioritize immediate convenience over long-term benefits. Skipping a security update or reusing passwords feels easier now, even if it increases future risk. Tie immediate incentives to secure behaviors. Whether through recognition, gamification, or small rewards, show employees that secure actions yield tangible, near-term benefits.

Effort Justification (IKEA Effect) – Involve the Team

People tend to overvalue the projects they've invested effort in. Employees who have mastered old workflows may resist adopting new systems, even if those systems are more secure or efficient. To reduce resistance, involve employees in shaping new security protocols or tools. When employees feel a sense of ownership, they're more likely to embrace changes and advocate for them within their teams.

Pluralistic Ignorance – Make Security Norms Visible

In many organizations, employees underestimate how seriously their peers take cybersecurity. This misconception, called pluralistic ignorance, can erode the culture of accountability. Make security norms visible. Share metrics on training completion rates, celebrate secure practices publicly and communicate success stories of employees who thwarted potential threats. Correcting misperceptions strengthens collective responsibility.

Goal Gradient Effect – Motivate with Recognition

People are more motivated when they see themselves approaching a goal. For example, employees are more likely to finish security training if they can track their progress and see how close they are to completion. Design security initiatives with clear milestones and visible progress tracking. For employees moving closer to the finish line, amplify recognition and incentives to sustain engagement.

Negativity Bias – Be Empathetic to Frustrations

One negative experience with a security tool—like being locked out of an account during a critical moment—can overshadow dozens of positive ones. This negativity bias can breed resentment and reduce compliance. Address employee frustrations quickly and publicly. Highlight positive outcomes from security measures, such as how multi-factor authentication stopped a phishing attack. Balancing the narrative helps maintain trust and cooperation.

Signal Detection Theory – Reduce Alert Noise

Constant alerts and false positives lead to a desensitization challenge explained by Signal Detection Theory. Employees and teams lose vigilance when they can’t distinguish between genuine threats and background noise. Fine-tune the company’s alerting systems to minimize noise. Equip teams with clear protocols for triaging and prioritizing incidents. Invest in technologies that use behavioral analytics to reduce false positives.

Reactance – Frame Security Measures as Enablers

When employees feel their freedom to choose has been restricted, they may push back, even against reasonable security measures. This reaction, called Reactance, can manifest as bypassing protocols or using insecure workarounds. Frame security measures as enablers rather than obstacles. For example, emphasize how password managers reduce hassle rather than adding steps. Use messaging that focuses on collaboration, not control.

Reciprocity Principle – Take Care of the Team

People are more likely to engage in secure behaviors when they feel the organization has given them something first. This principle of reciprocity can be a powerful tool for building trust and encouraging compliance. Offer employees the tools that benefit them personally, such as free password managers or cybersecurity training for their families. By demonstrating care and investment, management will foster goodwill and cooperation.

Becoming a successful cybersecurity leader goes beyond merely managing risks—it requires the ability to influence behaviors and foster a robust security culture. A deep understanding of behavioral science insights is essential, as it lets leaders address the human element of cybersecurity effectively.

By embracing these insights and applying them in practical ways, top managers can drive meaningful change within the organization and cultivate a culture of shared accountability. Additionally, actively engaging with professional communities and seeking support from industry peers will help managers stay ahead of emerging challenges and leverage collective expertise. This proactive approach not only strengthens the leadership team but also enhances the organization's resilience in an ever-changing threat landscape. In doing so, the company empowers the team to navigate complexity with confidence and foster innovation in security practices.

Dr. Dustin Sachs, Chief Technologist, CyberRisk Collaborative; Parham Eftekhari, Executive Vice President, Communities, CyberRisk Alliance

SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.

Dustin Sachs

Dr. Dustin Sachs is the Chief Technologist and Sr. Director of Programs at the CyberRisk Collaborative. He is a highly accomplished cybersecurity professional with a proven track record in risk management, compliance, incident response, and threat mitigation. He is CISSP-certified and holds a Doctor of Computer Science (DCS) degree in Cybersecurity and Information Assurance. Dr. Sachs has worked in various industries, including public utilities, food distribution, and oil and gas. He is a respected thought leader in the cybersecurity community.

Parham Eftekhari

Parham Eftekhari is a trusted leader serving investors, organizations, and decision-makers at the intersection of critical infrastructure, cybersecurity, national security, and policy. He currently leads CyberRisk Alliance Communities, which offers memberships and education to 30K+ cyber professionals, serves as Chairman and Founder of the Institute for Critical Infrastructure Technology (ICIT), and advises Gray Space Strategies and Mazebolt Technologies. Parham regularly shares his expertise through media and speaking engagements at forums ranging from Congress, Ted, and the WSJ, and has received several honors including the (ISC)2 Government Information Security Leadership Award in 2018 and a commendation from the Ranking Member of the House Subcommittee on Cybersecurity in 2024.