The threat dilemma

How to build a strong security culture without concrete threat information?


Accepted authority rests first of all on reason. If you ordered your people to go and throw themselves into the sea, they would rise up in revolution. I have the right to require obedience because my orders are reasonable.


As we have previously highlighted, educating employees about potential threats is crucial to fostering a strong security culture. However, it is often the case that concrete evidence of a threat is either lacking or classified. This absence of information presents a significant challenge for organizations striving to build a robust security culture, as it becomes difficult to convince employees of the reality of a threat without clear data. This is a common obstacle and one of the primary barriers to improving security culture. When staff do not perceive a threat as credible, they are more likely to view security measures as unnecessary. In such cases, regulations, incentives, and penalties may become essential to ensuring compliance during the development of a security culture.

So, how can an organization cultivate a strong security culture in the absence of explicit threat information? Some organizations attempt to address this by amplifying potential risks, citing global trends, referencing news reports, industry best practices, or loosely related incidents, or drawing parallels to similar cases in other sectors or regions. These approaches vary, but it is rare to find leaders who address the issue transparently and directly. I recall an instance where the director of a research facility handling radioactive materials addressed his 100 employees after implementing a new security system with the following message:

“I am unaware of any immediate threats to our facility at this time. Our city and neighborhood are safe, and nothing of concern has occurred here in the past. Nevertheless, despite believing the threat level to be low, I want us to launch a prevention campaign. I encourage all of you to adhere to the new security procedures and maintain our equipment. If we manage our security effectively, when someone decides to target a facility like ours, they will choose one with weaker security measures— and that will not be us. We cannot allow such an event, however unlikely, to endanger the livelihoods of our families or the safety of our community.”

This speech was a remarkable example of leadership. The director trusted his employees enough to be forthright with them, choosing to focus on motivation and shared interests rather than attempting to provide threat information he did not have. His sincerity and reasoning were compelling enough to inspire his staff to prioritize security tasks voluntarily, without the need for strict regulations or the backing of a concrete threat. Today, that facility ranks among the highest globally in terms of security performance metrics.

Achieving a high level of security culture is possible, and education plays a critical role. Lasting behavioral change occurs when employees understand why a shift is necessary and how they can contribute to it. When there is no concrete threat information available, it is essential to inspire, regulate, and educate. With a focus on effective education, organizations will gradually build a stronger security culture.