Five corporate security users standing together wearing sunglasses

I’ve seen a variety of corporate security user archetypes over my career as a security leader. These include individuals who are proactive about security, those who may have some concerns but may not fully understand the risks, and those who are simply not interested.

It is important for organizations to consider the attitudes and behaviors of their internal users towards security in order to effectively design and implement security policies and procedures that will be followed and effective.

The following are the 5 Security Archetypes I’ve encountered.

Archetypes

Avoidant

These are individuals who are not interested in security and may actively avoid following security protocols and procedures. They may view security as an inconvenience or burden and may not understand the importance of adhering to security measures. They may also be resistant to change and may resist implementing new measures.

In my experience, end users who are Avoidant types tend to go to great lengths to avoid communication and collaboration with security teams. This is often because they have a negative view on security and this can lead to incidents occurring due to misconduct, either internally or externally.

Laggard

These are individuals who are not proactive about security and may be slower to adopt new security measures. They may view security as less important or may not fully understand the risks associated with not following security protocols. They may also be resistant to change and may not follow security protocols and procedures consistently.

While Laggards are not typically malicious in their intentions, their lack of attention to security can result in negligent behavior. This can lead to the introduction of vulnerabilities or the use of shadow IT. Shadow IT refers to the use of unauthorized or unsupported software or hardware within an organization. Shadow IT can present security risks as it may not be properly managed or secured, and it can also create challenges for IT teams who may not be aware of its existence or use.

Doubter

These are individuals who may have some concerns about security, but may not fully understand the risks or the importance of following security protocols. They may question the need for certain security measures or may not be sure how to implement them correctly.

Doubters who are skeptical about security measures may often question their implementation. While they may be able to provide specific arguments, they may not have a full understanding of the broader security landscape and the potential risks from both upstream and downstream attacks. These individuals may tend to ask “What if?” and “Yeah, but…” but may not be able to argue beyond a limited perspective.

Adopter

These are individuals who are proactive about security and are willing to follow security protocols and procedures. They may view security as important and understand the need to protect sensitive data and systems. They may also be open to learning about new security measures and adopting them in order to ensure the security of the organization.

Encouraging these Adopter archetypes can be beneficial for an organization, as they can help to promote a culture of security and set a positive example for others to follow. There are several ways to encourage adopter behavior including providing training and resources, recognizing good behavior, and involving adopters in security decision making.

Champion

These are individuals who are highly proactive about security and are willing to take on a spotlight role in promoting security within the organization. They may view security as a top priority and be willing to go above and beyond to ensure the security of the organization. They may be involved in implementing and enforcing security policies and procedures, and may be instrumental in raising awareness about security issues within the organization.

Having Champion archetypes can be extremely beneficial for an organization, as they can help to drive a culture of security and set an example for others to follow. Some benefits of having this archetype include a high level of leadership, awareness, influence, and expertise within the organization.

Summary

In summary, understanding and recognizing the different security archetypes within an organization can be critical for effectively designing and implementing security policies and procedures. By considering the diverse needs and attitudes of security end users, organizations can create a secure and effective environment for all stakeholders.