Cybersecurity professionals. Administrative assistants. Engineers. HR professionals. Managing directors. Sales consultants.

What do they all have in common?

Simple. They all play a vital role in maintaining the security of today’s organizations, whether that means reporting potential phishing emails, writing secure code, using strong passwords, implementing multi-factor authentication, or not sticking unknown USBs into work machines. Everyone’s actions make a difference.

Debates about the role of human behavior in cybersecurity have moved from viewing an organization’s people as its weakest link to maximizing their potential to be its strongest asset.

This perspective shift is a welcome change, but knowing how best to enable this in practice is easier said than done.

Many people are not cyber security experts. Employees are often navigating high workloads and competing priorities in order to maintain delivery and business as usual.

So, how can we best support a true culture of people-centric cybersecurity that acknowledges these challenges while keeping organizations secure for the future?

Foster a “just culture”

Safety science is the study of ways to prevent accidents and disasters in industries where safety is extremely important. In the past, safety experts tried to prevent accidents by changing individual behavior. Today, we understand that accidents often happen because of complicated systems that can be affected by many different things, including the culture of an organization.

The concept of just culture within organizations emphasizes understanding the range of factors that can influence outcomes in the workplace, focusing on learning from incidents and the complexities that led to them rather than simply assigning blame. The concept demonstrates a shift from focusing on WHO caused an incident to WHY did the incident happen.

Think about it: In the context of cybersecurity, what does someone falling victim to a phishing email actually mean? Were they not paying sufficient attention in your training session or were they operating in a work context where similar poorly-worded, yet legitimate, emails are received all the time? Were they intentionally not prioritizing security or were they operating under substantial pressure to meet deadlines or achieve competing priorities?

Anyone can make a mistake; it’s what you do in response that matters most. Identifying and addressing the role that the wider organizational system plays in these actions is a key aspect of just culture.

Stigmatizing individuals for cyber mistakes will only stifle employees from escalating cyber concerns or incidents in the future for fear of punishment. It’s better to promote an open and understanding culture.

Promote understanding

What does this mean for how we respond to the people-centric cybersecurity challenge?

Developing positive security cultures focuses on learning from incidents, openly discussing and identifying areas of concern, and effectively reporting incidents where they do occur. This is vital to enable true resilience in a system.

None of this will be a quick fix. Opening up proactive discussion on where potential risk areas lie, whatever their cause, is a first step. Only then can we begin to understand what may be influencing these risks and the range of interventions that may be needed to address them–at all levels.

Implement people-centric cybersecurity

At Immersive Labs, we support organizations in accessing the data they need to identify potential risk areas. Although this may be most visible in ‘insecure’ behaviors at the individual level, it’s vital that this information supports a wider positive conversation on what may be contributing to these outcomes and how they can best be addressed.

Through targeted, meaningful learning implemented at a regular cadence, organizations can show improvement and confidence in policies and procedures, benchmark individual and team progress, and promote a cultural shift toward people-centric cybersecurity.

To learn more about how Immersive Labs helps organizations like yours build a positive cybersecurity culture, click here.

Check Out Immersive Labs in the News.


February 24, 2023


Emma Walker

Principal Workforce SME, Immersive Labs