Can Cyber Metrics Promote a Secure Culture Within Business?

Can Cyber Metrics Promote a Secure Culture Within Business?

According to a report from the Ponemon Institute, human error is the biggest contributing action to breaches of information within businesses.

The security risk from an organisation’s own employees likely keeps its information security staff awake at night.

The challenge is not in finding ways to communicate the importance of basic security security practices; i.e leaving your laptop logged in on a train whilst you nip to the sandwich cart or clicking a link on some dodgy email. The challenge is in communicating that every action has a consequence, and the impact on the company’s bottom line could be drastic. For the average end user cyber security professional, promoting a security standards process and getting buy-in from the board is more of a challenge than it should be. Even when companies invest resource in getting teams to take mandatory security awareness training, there is still no guarantee of behavioural change. So, in this case, where does the fault lie if there is a successful breach?

Is it with an employee who flouted the rules and ignored the warnings they were given? Is it with the staff who delivered the training to a sub par standard for it not to have made the desired impact? Or is it with the security team, who have a level of visibility on the organisation to be able to identify targets, and who are responsible for preventing attacks or mitigating the extent of damage from the attacks that do succeed?

The cyber security technology that businesses invest in needs to be utilized at every stage of the business if its going to be valuable. It is the information security professional’s responsibility to take some of the information and performance metrics from these technological systems, and communicate them in real terms to senior management. To change user behaviour, it seems logical to communicate in a way that relates cyber security to employees own personal well-being, and their responsibility to the company. It should be less about holding employees to account, but to educate them on what you monitor in terms of threats as proof of the challenges the organisation is facing. This highlights that their stance on taking it seriously could have fortuitous or dire consequences. Rather than rely on sending out awareness messages or mandatory training, perhaps the best way to engage employees is to show a direct correlation to their behaviour and the impact on the business by sharing these metrics internally.

To get buy in from employees about how they can have a impact on driving risk of a successful attack on the organisation down, perhaps it’s within the board’s interest not to treat employees like naughty school children if they fail the quarterly fake phishing attack test. It would be much better for information security staff to connect with teams over the information that they have access to, to show the potential impact of an employees actions and determine the level of understanding and appropriate training moving forward on a case by case basis.

Time consuming, yes. Likely to foster more of an impact on employee personal awareness than putting a poster up in the coffee area of a 2 hour training session on a Friday morning? Definitely.

Acumin Consulting’s sister company RANT is working with the Department of Digital, Culture, Media and Sport to deliver a trio of invite only cyber security events. They bring together a room of 100+ senior cyber security professionals to discuss issues affecting effective security controls within organisations, part of a project that will help determine national cyber security policy. For more information on the events or some of the content and reports to come out of them speak to myself or RANT directly.

Our accreditations & Partners

  • REC Member
  • VTC - Virtual Technology Cluster
  • RANT Events
  • Bloom Nepro
  • YPO
  • Crown Commerical Service
  • Disability Confident
  • ISO 9001
  • Armed Force Covenant
  • Cyber Essentials Plus
  • ISO 27001





Thank you for signing up to the acumin alerts.

Send CV

Send us your CV and have our recruiters match you to the ideal opportunities

Do you already have an account with us?

Log in

Want to have an account with us?


Want to just send us your CV?

Upload only doc, docx, odt, pdf format file.

By submitting your registration and CV to us you are agreeing to join our database and to be contacted about relevant jobs industry communications. Please read our terms of business for more information.

Password reset

If you need a reminder for your password, fill out the field below

Log in

Access your account to edit your contact details, job alerts or to upload a new CV

Thank you


Thank you for successfully uploading your CV.

Acumin Alerts


Thanks for registering for Acumin alerts.

Acumin Alerts

Unfortunately your CV could not be uploaded

Please make sure your CV is one of the following file types: doc, docx, odt, pdf, rtf

Acumin Spam

Unfortunately your submission has been declared spam. Please try again.



Thank you for submitting your vacancy.


Create an account to register your contact details, sign up for job alerts and upload your CV


Thanks for registering for Acumin alerts. To get the most out of Acumin's service why not register with us?

Upload only doc, docx, odt, pdf format file.
- Practitioner
- Commercial

I agree to the terms and conditions and to be contacted by recruiters:

I agree to receive marketing communications relevant to my job search:

I agree to receive Jobs By Email for the following professions:
- Business Continuity Management
- Counter Fraud
- Cyber Security
- Executive Management
- Governance & Compliance
- Information Security & Risk Management
- Penetration Testing & Digital Forensics
- Sales and Marketing
- Sales Engineering
- Security Management
- Technical Security
- Information/Risk Assurance
- Identity Management
- Application Security
- Security Architecture
- Dev/Sec Ops
- DV & SC Cleared Jobs
- Programme & Project Management

Submit a Vacancy

Use the form below to submit a vacancy