Security policies are worthless unless employees see security as a priority, according to consulting firm The Security Company.
Security is often regarded as something negative that stops people from doing their job, Bernadette Palmer, communications specialist at The Security Company, told the first annual Human Factors in Information Security Conference in London.
Success depends on employees understanding what the business wants to achieve, why that is important, and how they can contribute, she said.
Security needs to be engaging, relevant and ongoing. It should also have the full support of senior management, Palmer said. "Without senior management support, security will neither be taken seriously within the organisation nor receive the necessary air time in communication channels."
One of the most effective ways to make security engaging is for businesses to answer the employees' question: What's in it for me?
Organisations could, for example, invite staff to share personal stories of being victim to identity theft and award prizes for the best submissions, said Palmer.
"HMRC conducted a very successful programme like this and published the winning stories in an internal magazine, alongside a best practice guide on how to prevent identity theft," she said.
"It is always important to measure the effectiveness of these campaigns to see what progress has been made by conducting security perception surveys before and after."
Palmer said another useful measure is to look at the number of security incidents reported in the organisation. These will typically increase to indicate a growing security awareness among employees.