
People security implications and security culture

One of the four principles of adult learning theory is that adults want to know why they are doing something, how it is relevant to their role, and how they can use that information immediately.

Applying that thinking to the distribution of security measures means that team members and leaders alike will have the access and the motivation to use the tools and information they need to keep safe. So, let's look more closely at how you can cultivate an understanding of the need for security, and at how a positive security culture can make all the difference.

[Figure: circular diagram of security culture, with the elements Training; 'No. However...'; Best business practice; Attachment; Audience]

Understanding the need for security and awareness of threats

It's easy to assume that everyone is security aware in today's digital world. Every organisation needs to be confident that its members are not only well informed but also trained on both organisation-specific and general security measures.

Security training is, in relative terms, a low-cost assurance control that can create a positive and lasting change in users' behaviour. Users who understand the risks are more likely to remember what they need to do to protect the organisation's information and the systems containing it. For example, most people would realise that leaving their wallet on display in an unlocked car could attract an opportunist thief, and they would certainly have a personal appreciation of the loss and inconvenience its theft would cause. However, they might not regard the loss of information assets in the same way. They also might not be aware that disclosing sensitive information could breach current data protection legislation, or that failing to follow a set procedure, such as a data backup, could result in a severe financial loss to the organisation.

Anyone with access to the enterprise's information systems should receive some form of information security education and training. The level of training needed varies with the role, but it should be sufficient to ensure that people can carry out essential assurance procedures and understand the correct use of their information systems.

Security culture

Your organisation should be striving to achieve a strong security culture all round, so what does that involve? A strong security culture involves every member of staff actively participating in making the organisation as secure as it can be and implementing security measures that are aligned with the organisation's needs. Leaders are a great asset in developing a strong security culture: as they lead by example and set the standard for acceptable security practices, their example becomes the norm for everybody.

Amongst all members of staff, there should be a competent understanding of:

  • Password management
  • Acceptable use
  • Sensitive information
  • How to keep equipment safe
  • The escalation process
  • Evaluation
  • Metrics/feedback

Now, you'll take a look at some of these areas in more detail. It's important to understand that a competent security understanding involves more than just passwords. A positive security culture will reduce the number of incidents; without it, people will either not use the countermeasures or find ways round them. Be proactive in promoting this culture throughout the organisation and keeping the topic fresh in people's minds.

What's next?

We'll now look at what kind of policy can help us combat these threats.

Procedural and people security is a key part of information assurance. Threats are not only external; they may also originate with, or involve, current or former members of staff. It is therefore essential that all staff follow the correct policies and procedures, so that they foster an appropriate security culture.
