Spring. The season of decluttering your desk, pretending you'll finally organise your inbox, and — if you work in security — a good time to look at the small habits that have quietly gone rogue since January.
Security culture doesn't crumble overnight. It erodes. A propped-open door here. A shared password there. Nobody notices until it's become just how things are.
And behaviour doesn't change just because people are aware of the rules. It happens when the right conditions are in place — motivation, ability, and prompts. Take one away, and even the best intentions don't translate into consistent action
So rather than focusing on what people should do, it's worth looking at where behaviours tend to break down — and how small design tweaks can make the right behaviour easier to follow.
Consider this your annual behavioural spring clean. Five gaps, five fixes.
The Knowledge Gap
Everyone knows they should wear their badge, challenge unfamiliar faces, follow procedures. They also know they should drink more water, eat more vegetables, and respond to that email from three days ago.
Knowing things is easy but doing them consistently, that's where knowledge has to become habit – and habit doesn't come from a policy document nobody's opened since induction.
Real stories, relatable scenarios, and the occasional moment of "oh, that could genuinely happen here" tend to work much better. These are the things that help build motivation.
The fix: Swap the policy lecture for storytelling. Make security feel like something people are part of and something they can relate too.
The Convenience Gap
Clear desk policy. Visitor sign-in. Locking your computer, every single time.
All perfectly reasonable. All competing with the very human instinct to take the path of least resistance. And when the secure option feels even slightly more effortful than the shortcut — even slightly — consistency quietly slides and it’s not because people are reckless. They're corporate world is a buys place and the brain is very good at finding easier routes.
The fix: Make the right behaviour the easy behaviour. Break processes into simple steps. Reduce unnecessary friction. Put guidance where people actually need it — in the moment, and make them noticeable and well-timed.
The Clarity Gap
In a large organisation, not recognising everyone in the corridor is completely normal. What's less clear is what you're actually supposed to do about it.
Challenge them? Say something to someone? Smile and carry on?
In a global organisation it gets more complicated still. What feels like a reasonable challenge in one culture can feel genuinely uncomfortable in another. Norms around confrontation, authority, speaking up — they vary a lot. So the hesitation isn't always about not caring. Sometimes it's just not wanting to get it wrong.
And when people don't know what the expected response is, most will default to doing nothing. Which is understandable, but not ideal.
The fix: Give people a clear, simple script — and genuine reassurance that using it is the right call, wherever they're based. Once a few people start doing it, it stops feeling like a rule and starts feeling normal.
The Prompt Gap
Someone sits through a security briefing. They're engaged, they get it, they fully intend to follow the process. Then they walk back into their day and, well — life happens.
Checking badges, reporting something unusual, following the visitor procedure. None of it is hard. It just needs a trigger. Without one, these things slip down the priority list quietly and never quite come back up.
The fix: A well-timed prompt beats a once-a-year training session, every time. Signage at entry points. A quick nudge at the start of a shift. Something small, at exactly the moment it's needed. Timing matters more than volume.
The Norm Gap
Nobody decides to make tailgating the official culture. It just sort of happens.
Someone holds a door — friendly. Someone shares access — efficient. Someone skips a step because they're late. Fine, once. But do it enough times and the exception quietly becomes the expectation. And at that point, what people see around them every day carries more weight than anything written in a policy.
The fix: If the secure behaviour is the easiest, most obvious option — it sticks. If it isn't, workarounds fill the gap. Environment shapes behaviour whether you design it intentionally or not. So it's worth being intentional.
Time for a Reset
Security culture is shaped by how people feel about it, how easy it is to act on it, and whether the right behaviours get nudged at the right moment.
Small changes go a long way. A well-placed prompt. A simpler process. A clearer expectation.
Spring is a good excuse to start. But honestly, so is any Tuesday.
