An action plan for improving workforce security decisions

Enterprise teams would be wise to begin implementing an action plan that will help guide employees toward making better cybersecurity decisions in their day-to-day work.

February 8, 2023

This is the final article in a five-part series from TAG Cyber focused on how positive influences on employee behavior can improve cyber risk posture. Read the other articles here.

Enterprise security teams will benefit from reviewing their existing approach to supporting, guiding, and training workforce teams on security decision-making. Most companies will find that they have implemented a security awareness program with phish testing, but often little more. While every organization has a different baseline posture, the following steps will generally apply to improving workforce security decisions:

Step 1: Review workforce security posture

Any plan for improving the security of workforce decision-making must start with a posture assessment of existing strengths and weaknesses. The security team should review whether significant incidents have occurred (or been avoided) as a result of employee behavior. Existing awareness, training, and user testing should also be identified and documented.

Step 2: Define objectives for workforce security decision-making

The security team is advised to identify reasonable improvement objectives for workforce security decision-making. This can be done informally as a series of stated goals, or it can be embedded into a more formal quantitative risk objective, usually expressed in a “from-to” statement where an existing level of unacceptable organization cyber risk is reduced to a more acceptable level.

Step 3: Review available platform solutions

Since effective automated platforms now exist that can guide the workforce toward improved security decision-making, security teams are advised to spend time in commercial source selection to review platform options. As one would expect, the TAG Cyber team recommends that the Nudge Security solution be included in the source selection process since the solution includes many desirable attributes as described in this series.

Step 4: Integrate the selected platform into workflows

The final step is to begin planning the integration of the selected workforce security platform into suitable and applicable business workflow. This is likely best done with assistance from the vendor, especially since this capability is new, and few security teams will have experience applicable to this type of control. As always, TAG Cyber analysts are available to assist enterprise teams with this process.

Step 5: Measure progress against defined objectives 

Once the Nudge Security platform is in place across the enterprise, the protection benefits to the organization should begin to emerge. The main objective, obviously, is not to just get the platform deployed, but rather to engage in using the automation and platform features to empower and guide employees toward proper security decision making. Once in place, cyber risks should begin to wane as employee-related incidents reduce in frequency and intensity.

Start your free, full-featured 14-day trial of Nudge Security today.

Related posts


Debunking the "stupid user" myth
in security

Exploring the influence of employees’ perception
and emotions on security behaviors