Policies and procedures are essential for running a tight ship, but when it comes to day-to-day cyber security, the things that really shape behaviour and change aren’t always written down.
Unspoken expectations, habits, and cultural cues often define how people respond to risk. This hidden layer of behaviour, the unwritten rules, or the part of the iceberg below the waterline, if you will, can either support your security goals or quietly undermine them. Much of what influences an organisation’s security culture comes from the implicit elements below the surface.
At Phriendly Phishing, we believe building a strong security culture means recognising and addressing these subtle influences. Managing human risk isn’t just about ticking compliance boxes, and we say that a lot, but what does moving beyond compliance actually look like? It means shaping attitudes and empowering people to do the right thing, so that workplace norms pull in the same direction as your security goals rather than against them.
Here are some questions worth asking in your organisation:
Is security seen as a shared responsibility, or just IT’s problem?
When employees view security as someone else’s responsibility, you create blind spots. Human risk management requires everyone to be on board. There are many times when a task is explicitly “not your job”, but that is different from security implicitly being part of everyone’s responsibilities. If that implicit expectation isn’t made clear, collaboration and communication suffer.
Do people feel safe reporting issues?
If the culture around reporting is punitive or unclear, people will hesitate to speak up. Fear of blame can delay responses to real threats, and some people will ignore them entirely and leave it “to the experts”. This is where leadership needs to set a clearly non-punitive attitude to reporting issues. Our “train not trick” philosophy demonstrates this: there is no lengthy counselling or retraining if you miss a simulation cue, and you certainly aren’t called out for it.
Is security awareness training meaningful or just mandatory?
Security awareness shouldn’t be a cumbersome exercise. Are your people actively engaging with training, or simply clicking through? Making training interactive and engaging helps with knowledge retention. It can be useful to look at what other training is deployed to your people and ask whether security training is presented with the same urgency. If your security awareness training is delivered differently from other training, is the reason why being communicated well?
Are security-conscious behaviours recognised?
If team members go out of their way to protect the organisation, is their effort acknowledged? Reinforcing positive behaviour builds long-term culture change. Cyber champions who are more than just a “shout out” are essential for modelling behaviour. Having them share the why, and what they have learned, is a great way for the team to get involved and gain a sense of purpose, which can serve as a guiding force that influences other employees.
How is change communicated and adopted?
Introducing new security controls or processes can cause friction – everyone dreads UAT (User Acceptance Testing). But with transparency, empathy, and the right education, resistance can become readiness. Accepting employee feedback on change is also crucial to culture – any conversation that leads to more trust can reinforce the messaging.
Are expectations clearly defined?
Common sense is subjective. Without clarity and consistent messaging, people are left to interpret security awareness in their own way, and often incorrectly. Ask questions to confirm that everyone understands the expectation, and put it in simple terms without too much jargon. Remember that workplace culture is often deeply ingrained, and there is no overnight solution without clear expectations and foundational processes. These invisible dynamics matter. They reveal whether your organisation is fostering a healthy security culture, or just hoping for the best.
By understanding and addressing your unwritten rules, you can turn culture into a strategic advantage. Because at the end of the day, your people are your strongest defence. Contact us today for a demo of our human risk management program and training platform.