The U.K. National Cyber Security Centre on Wednesday published six cybersecurity culture principles developed through extensive research with industry and government partners. The principles define the cultural foundations essential for building a cyber-resilient organization and offer guidance on how to cultivate that environment. They are intended to support leaders and cybersecurity professionals in creating conditions where secure behaviours can take root and endure. The principles also draw attention to how weak or misaligned cultures can lead to poor security outcomes, and encourage organizations to view such outcomes as symptoms of deeper cultural issues that require attention.

Recognizing that people are vital to cybersecurity, Kate R, a sociotechnical lead at the NCSC, wrote that “Every day they make decisions that impact cyber, from reporting a phishing email to choosing strong passwords to ensuring their software is up to date. NCSC research has shown that people’s ability to support security is closely linked to the health of their organization’s culture around cyber.”

Cybersecurity culture reflects the shared understanding of what is considered normal and important in the workplace regarding security. It shapes expectations around behavior and interactions, directly influencing collaboration, trust, and the capacity to learn and adapt. The cybersecurity culture principles identify that cybersecurity professionals play a central role in shaping and strengthening an organization’s security culture, beginning with a reflection on how current practices influence that culture.

It is important to consider whether day-to-day work actively contributes to a healthy security environment, examining aspects such as whether colleagues see cybersecurity teams as supportive and approachable, whether there is trust that help will be available when something goes wrong, and whether cybersecurity is viewed as a business enabler rather than just a compliance function. If so, that mindset should be evident in the language used and in the way interactions are handled across the organization.

While the process of transforming cybersecurity culture is still evolving, there are immediate and practical steps that can be taken to support positive change. This includes building trust, communicating with clarity and empathy, and aligning security practices with the realities of how people work.

The six cybersecurity culture principles are:

  • Frame cybersecurity as an enabler, supporting the organization to achieve its goals
  • Build the safety, trust, and processes to encourage openness around security
  • Embrace change to manage new threats and use new opportunities to improve resilience
  • The organization’s social norms promote secure behaviours
  • Leaders take responsibility for the impact they have on security culture
  • Provide well-maintained cybersecurity rules and guidelines, which are accessible and easy to understand

The first principle identifies that cybersecurity exists to protect the technology and information that keep an organization running. But when it operates in isolation, its role as an enabler of every other function is often overlooked. This disconnect creates tension. Security may be seen as a blocker, its policies misunderstood or ignored, and controls bypassed, opening the door to further risk.

A shared purpose across the organization changes this dynamic. When everyone understands and works toward common goals, decisions reflect what supports the whole rather than just individual departments. Cybersecurity becomes part of how work gets done, not an obstacle in the way.

An effective culture recognises that secure behaviour is essential to meeting shared goals. Staff understand the value of cybersecurity in protecting systems and information. Controls are designed with an awareness of how people work, and security teams engage directly to reduce friction.

Clarity around purpose, consistent internal messaging, and strong leadership support all help integrate cybersecurity into the wider mission. When people no longer see security as a separate concern, but as part of their contribution to organizational success, stronger and more resilient practices follow.

The second principle notes that strong cybersecurity depends on a culture where people feel safe to speak up. No amount of training can replace the value of open dialogue, especially when facing unfamiliar or fast-moving threats. When people are comfortable reporting mistakes, raising concerns, or suggesting improvements, the organization becomes more adaptive and resilient.

Without psychological safety, self-protection takes over. People stay silent, avoid reporting errors or tolerate behaviour that undermines security. Fear of blame or punishment blocks the flow of vital information and ideas.

To counter this, organizations need trusted, accessible channels for communication. Whether through help desks, portals, or local experts, these paths must be easy to use and free from friction. When people do reach out, their efforts should be acknowledged and, where possible, acted upon. This reinforces a culture where contributions are valued and where learning, not blame, drives response.

Security incidents should be investigated to understand what happened and how to improve, not to assign fault. Fair treatment and transparent processes build trust and make it more likely that people will engage in the future. Psychological safety is not a soft extra. It is a core condition for real-time responsiveness and continuous learning in security. When people trust the system and those behind it, they help protect it.

The third principle holds that resilient organizations treat change as a constant and improvement as a shared responsibility. In cybersecurity, this mindset is critical. As threats evolve and technologies shift, staying still is not neutral; it increases exposure and limits growth. Rather than viewing incidents or disruptions as setbacks, forward-looking organizations treat them as signals for refinement. Ignoring these moments in favour of maintaining the status quo leads to blind spots and missed opportunities.

Change must be coordinated across the organization. If one area races ahead or stalls without alignment, the imbalance can cause harm. Cybersecurity teams have a key role in guiding this process. They help ensure that risks are managed by those equipped to handle them, instead of being pushed onto teams lacking the resources or context to respond effectively.

Strong cultures embrace change as a path to better outcomes. They are measured in how and when they implement changes, mindful of fatigue and disruption. People feel supported during transitions and trust that new risks are handled responsibly. To sustain this, organizations need systems in place to identify emerging challenges and bring the right voices into decision-making. Clear roles, timely choices, and shared accountability allow security and resilience to move forward together.

The fourth principle identifies that workplace behaviour is shaped not just by formal rules but by unwritten ones picked up through observation. These social norms often influence how people approach cybersecurity. When aligned with security goals, they help reinforce good habits and guide new staff toward secure practices.

But not all norms work in favour of security. Some, like cutting corners to be helpful or following senior examples, can quietly encourage risky behaviour. These norms are hard to change if they help people get their work done more easily than formal processes allow. Addressing this requires understanding the values behind these norms. Without doing so, even well-designed policies will be ignored, increasing risk and weakening trust in security measures.

A strong security culture identifies both helpful and harmful social norms and finds ways to align them with formal policies. This may involve redesigning controls to support productivity or shifting behaviours through influence, incentives, and role models. The goal is to shape a culture where secure behaviour feels natural and supported.

The fifth principle recognizes that cybersecurity culture depends on leadership that leads by example. When leaders align with a shared purpose, model secure behaviours, and foster trust, they help embed security into daily work. Their influence shapes norms and drives change.

Leaders who engage openly and share lessons from past challenges build confidence and inspire action. Those who ignore this responsibility risk undermining progress, as teams often follow their lead. Strong leadership means linking security to business goals, promoting learning, and removing incentives for risky behaviour. Supporting leaders with the right knowledge and encouraging honest dialogue strengthens a culture where security becomes a collective effort.

The sixth principle holds that creating a cyber-secure workplace depends on finding the right balance between clear expectations and practical flexibility. Rules must support people in solving problems locally while setting consistent standards across the organization. When done well, this balance builds trust between staff and leadership.

Overly rigid rules risk becoming outdated and burdensome, while vague guidance leaves teams confused and vulnerable. Both extremes can lead to frustration and disengagement from cybersecurity efforts. A better approach involves understanding where different teams struggle, inviting their input, and refining the rules based on real-world use and ongoing feedback.

Security rules should be integrated into daily workflows and onboarding. They must be easy to find, clearly written, and regularly updated, with changes communicated. Where gaps exist or the rules do not apply, teams must have quick access to experts who can help manage risk in the moment.

In practice, effective cybersecurity guidance is inclusive, tested for usability, and aligned with organizational goals. People should know what is mandatory and what is advisory. Feedback is actively used to improve the rules, and outdated material is removed to prevent confusion.

Implementation begins with reviewing existing rules and confirming their value. A representative stakeholder group should help shape guidance, evaluate its impact, and ensure clarity across teams. A strong feedback loop and update process completes the cycle, reinforcing security as a shared and evolving responsibility.

The NCSC invites cyber professionals, leaders, and culture specialists to take a collaborative approach to the cybersecurity culture principles and drive progress in this area. “By working together to apply the principles and focusing effort on addressing the cultural aspects, you will positively enhance the UK’s cyber security, helping to make ours the safest place to live and work online.”

In March, the NCSC introduced a comprehensive set of eight principles for privileged access workstations, designed to assist organizations and cybersecurity experts in deploying privileged access workstation solutions. The principles detail the key features of these workstations and offer practical advice for their implementation in everyday scenarios. Additionally, they provide a framework for evaluating whether third parties with high-risk access to the environment are utilizing securely configured devices.