Category: Security

What is Security Culture? by Colin Pecats

It’s security. It’s culture. It’s the vibe, and uh, that’s it, it’s the vibe!

‘We have such a great culture at our office’ is a sentence that could mean many different things to different people.

When “culture” takes on different meanings to different people, cultural change becomes highly prone to failure.

If nobody bothers to define what this apparently mystical thing is that we refer to as “culture”, how can we expect to begin to change it?

The reality is, security culture (any type of “culture” for that matter) is not some ethereal concept: it is measurable, enforceable and malleable. Security culture is the sum of the desirable and undesirable security behaviours of people.

Bad Behaviour

Basic security culture change is about transitioning an organisation from a purely forced compliance environment where people are not required or encouraged to think about security (think air-lock doors and forced password resets) to behavioural compliance (people choosing to follow rules when required).

Negative behaviours can make organisations vulnerable to security threats, creating security risk, and those behaviours must stop if the organisation is to be protected.

Behaviour may be influenced with policies such as:

  • ‘Don’t write your password on a sticky note next to your keyboard.’
  • ‘Don’t chock the back door open when you go on your lunch break.’

These simple instructions are an attempt to shape a positive security culture through behavioural compliance. They promote measurable, enforceable and malleable behaviours through instruction.

Is a compliance-based approach enough to effect positive security culture change? Based on my experience, I would suggest this approach is failing in most organisations.

Some reasons for the failure of the compliance-based approach include:

  • Limited or no connection is made between the requirement and the associated benefit to the organisation and its personnel (the why).
  • Limited or no mechanisms exist to deter, detect and report on non-compliance incidents and trends.
  • Limited or no mechanisms exist to respond to detected incidents and reported patterns of non-compliance.
  • Limited or no consequences exist for non-compliance offenders.

If a compliance-based approach to security culture is generally failing, should we move away from it?

Arguably not, because we cannot expect people to do (or not do) something we haven’t communicated the expectation for.

My experience shows that a compliance-based approach is never enough to induce positive behaviours in all people, all of the time.

Good Behaviour

A compliance-based security culture tells people what to do and not do.

A security leadership culture engages with people on why security matters to them personally, and to the organisation, and then continuously models what to do, when, where and how to do it, so that good behaviour begins to permeate the organisation both vertically and laterally. It also empowers people to pro-actively challenge bad behaviour without reprisal and enables them to exercise greater agency in decision making.

‘That sounds amazing, how do we achieve this?’ I hear you ask.

Firstly, context is key; imagine working in a benign office environment, and employee Joe “jumps down your throat” every time you move two feet away from your unlocked computer terminal – that’s a ticking timebomb in terms of workplace culture. The fact is, not every workplace needs to be a high security environment; it all depends on the risk context.

This is where security risk assessment comes in: to establish the context, understand the criticality of the assets you’re working with, and assess the level of threat posed to your organisation, so that an appropriately risk-based security culture strategy can be developed.

To move an organisation towards good security behaviour, following the security risk assessment, a clear strategy including intended outcomes, workstreams and milestones should be developed. Be sure to identify potential hurdles before they arise, and plan effective mitigation strategies.

Perhaps the most critical elements of your security culture strategy are leadership and education.

Who is going to champion the proposed changes, and how will the messages be reinforced?

Everett Rogers’ theory of Diffusion of Innovations is one useful tool that can be adapted for understanding and planning how to effect change across large organisations.

All too often, organisations spend tens of thousands of dollars having strategies developed without first identifying and defining the root causes of their problems, and consequently fail to implement the desired changes, especially when nobody takes responsibility for leading the change and enlists the help of other organisational influencers.

To effect and maintain positive change requires genuine commitment, substantial effort and material resources.

In Summary

Culture is not an immaterial concept; it is the tangible, measurable, enforceable and malleable behaviours of real people.

Security culture exists in different forms according to the maturity and context of the organisation, including forced compliance, behavioural compliance and security leadership culture.

Security culture change is never easy or simple, but it can be made easier and simpler by gaining a sound appreciation of the organisational security context, conducting sound planning, and engaging change leadership support from across the organisation at all levels.

R2S Consulting has effected large scale cultural change projects for organisations as diverse as major banks, law enforcement agencies and major federal government departments. We would welcome your enquiry if you have a need in this space.

About The Author


Colin Pecats is a security risk and intelligence specialist with exposure across a diverse range of contexts since 2002 at the tactical, operational, and strategic levels in the public, private, and Defence sectors. As a security risk management and intelligence specialist within the Royal Australian Air Force Security Police – Counter-Intelligence unit, he supported senior commanders with security planning, risk management, and intelligence programs. Colin is a senior consultant for the R2S Group and has been instrumental in achieving excellent customer satisfaction on a number of complex and challenging projects.



R2S at the Protective Security in Government Conference

Risk 2 Solution were delighted to again be part of the Protective Security in Government conference, organised and hosted by the Australian Security Research Centre in Canberra, ACT.

Group CEO Dr Gav Schneider had the honour of being named course convenor, while R2S Aggression Management Lead Joe Saunders delivered a presentation on the research project into Workplace Violence he is currently coordinating with the ASRC. More information on the research project can be found here.

R2S was also proud to present our offerings from both R2S Security and R2S Academy as exhibitors at the conference.


R2S Academy Top 3 Finalist in OSPA and ASIAL Awards 2019

Risk 2 Solution are proud and humbled to make the final three for both an Outstanding Security Performance Award (OSPA) and the ASIAL Award for Excellence this year. While we didn’t leave with the hardware this time, it was tremendous to share the room with so many professionals striving to deliver quality outcomes to customers and communities. R2S CEO Dr Gav Schneider and State Manager Joe Saunders were honoured to share the stage with our valued clients, V/Line, who partnered with us in the creation of the nominated project. We look forward to being back next year and continuing to Protect What Counts for our clients, colleagues and communities.