
👀🧠 Security starts with switching off the brain – and real awareness with conscious action

  • Writer: Daniel Eberhorn
  • Jul 8


Why this title?


Security problems rarely arise because someone intentionally violates rules. Much more often, they occur because people act out of habit – without conscious thought.

"Turning it off" doesn't mean forgetting or deliberately ignoring security. Rather, people often react automatically in everyday life – and good security decisions quickly fade into the background.

Therefore, it is not just about having knowledge, but about developing safe habits that also persist in everyday life.



Security awareness does not arise in the seminar room


Awareness training often remains an alibi exercise in cyber security.

Real security does not come from completing a course, but from consistent, daily behavior.



Security as a Social Norm


People almost always orient their behavior according to their environment – consciously or unconsciously. What is considered "normal" is often adopted without much reflection. This principle of social norms guides many everyday decisions:

People speak quietly in the library, sort garbage in Germany, or wear shoes in the supermarket – not because rules are constantly being read out, but because everyone does it.


Examples outside of security:



Security-conscious behavior only becomes sustainable when it is seen, expected and confirmed – not because a policy requires it, but because it is perceived as a natural part of social reality.

People constantly adapt their behavior to what they believe others are doing or expecting. When safe behavior is visibly modeled and recognized, a tacit social expectation emerges.


This social confirmation often has a stronger effect than any formal requirement.

It's becoming "normal" to ask questions if an email seems suspicious. It's also becoming common sense to consistently lock mobile devices and avoid sharing sensitive information via unsafe channels.



Cultural design in the workplace – and beyond


Safe workplace habits don't just happen. They must be consciously created and modeled across all levels—by managers and employees alike.


Cultural design here means shaping the daily work environment so that safe behavior doesn't feel like an additional task, but rather a natural part of professional activity. Policies and training merely form the foundation for this. Real change only occurs when rules are visibly implemented in everyday life.

Examples of cultural design in practice:


  • Accessible security: Work devices are preconfigured with encryption, two-factor authentication, and automatic lockouts enabled by default. No one has to configure anything extra – secure defaults lower the barrier.

  • Visible example: Managers consistently lock their laptops even during short breaks, enforce secure communication channels, and intervene early in unsafe situations. Security is not just a theoretical requirement, but a practical example.

  • Positive reinforcement: Employees who discover a security issue or take proactive action (for example, reporting a suspicious email) are praised rather than burdened with additional tasks or blame. Recognition encourages repetition.

  • Open communication: Instead of assigning blame when mistakes happen, they are discussed openly. Mistakes are viewed as learning opportunities, not as career setbacks.

  • Security-conscious standards: Projects and internal processes are thought through from the outset with security questions in mind: “What data do we process?”, “How do we secure it?”, “What minimum authorizations are necessary?” – and these questions are not seen as a hindrance, but as a quality feature.


A cultural design that translates security into small, regular actions has a lasting effect: If it is a matter of course to log in using secure, identity-based access (e.g. single sign-on with multi-factor authentication) or not to leave confidential documents lying openly on the desk, there is no longer any need for constant reminders.


The decisive factor is:

Security must become a matter of daily practice for all employees – not a special topic that will be addressed "someday." Only when security is no longer an additional expense, but an integral part of the normal work style, will it be truly practiced.



Social Media: Posted privately, used professionally


Security awareness extends beyond the office. Especially on social media, information that can be valuable to attackers is often shared unknowingly – and can thus also endanger the company.

Even small details are enough: A vacation photo published in real time reveals absences. Photos from the office can reveal sensitive information in the background. And a seemingly harmless image of a company ID or access card can inadvertently reveal technical details that can be used for imitation or forgery.


Typical risks on social media:


  • Photos of workstations, screens or internal spaces – often with visible documents, plans or equipment.

  • Photos of company ID cards, access cards or visitor badges – enable technical reconstruction or identity theft.

  • Publication of location data – can allow conclusions to be drawn about internal structures or security zones.


The Federal Office for Information Security (BSI) in Germany points out in BSI-CS 044 (German only – sorry!) that special caution should be exercised when sharing on social media:

Photos of ID cards, internal areas or security-relevant information should generally be avoided.

Metadata such as geotags can also unintentionally reveal sensitive information and allow conclusions to be drawn about internal structures.


It's not about preventing social media use or no longer celebrating professional positions or successes. Rather, it's about developing a conscious sense of proportion: Which details could pose a risk? What content should be kept off the public internet?


Practical approaches for more data economy in everyday life:


  • Do not post photos of company IDs, access cards, or internal areas.

  • Obscure or avoid sensitive technology or documents in the background.

  • Remove location and metadata from photos before sharing.

  • Regularly question publications from the attacker’s perspective: What am I unintentionally revealing?


Any information that is not published reduces potential attack surfaces.
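
One way to carry out the metadata step from the list above before sharing a photo, as an added example that is not part of the original post: a dependency-free Python check that lists and removes the metadata segments of a JPEG (Exif including GPS tags, XMP, IPTC, comments). The function names and the constructed sample bytes are assumptions for illustration; other formats such as PNG or HEIC store metadata differently.

```python
import struct

# JPEG segment types that carry metadata, not pixels (marker byte -> meaning).
METADATA = {0xE1: "APP1 (Exif/GPS or XMP)", 0xED: "APP13 (IPTC)", 0xFE: "COM (comment)"}

def segments(data):
    """Yield (marker, start, end) per JPEG segment; the SOS entry runs to end of file."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"malformed segment at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xDA:  # start of scan: compressed image data follows
            yield marker, pos, len(data)
            return
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError(f"bad segment length at offset {pos}")
        yield marker, pos, pos + 2 + length
        pos += 2 + length
    raise ValueError("no image data (SOS marker) found")

def find_metadata(data):
    """List the metadata segments present, e.g. as a check before posting."""
    return [METADATA[m] for m, _, _ in segments(data) if m in METADATA]

def strip_metadata(data):
    """Return the JPEG without metadata segments; image data is copied unchanged."""
    kept = b"".join(data[s:e] for m, s, e in segments(data) if m not in METADATA)
    return b"\xff\xd8" + kept

def _segment(marker, payload):
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample: structurally a JPEG (not a viewable picture) with one Exif segment.
SAMPLE = (b"\xff\xd8"
          + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
          + _segment(0xE1, b"Exif\x00\x00" + b"GPS-PLACEHOLDER")
          + _segment(0xDB, bytes(65))
          + _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34\xff\xd9")

if __name__ == "__main__":
    print("before:", find_metadata(SAMPLE))
    print("after: ", find_metadata(strip_metadata(SAMPLE)))
```

Stripping the file only removes embedded metadata; whatever is visible in the picture itself (badges, screens, documents) still has to be checked by eye.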



Better together: Supporting others without proselytizing


Safe behavior cannot be prescribed. It develops through role models, trust, and small stimuli in everyday life.

Those who consciously handle sensitive information can exert a significant influence on others – without coming across as preachy. In the workplace, this means, for example, addressing security risks in a friendly manner, offering help when uncertainties arise, or setting a natural example of good habits like locking devices. Even small gestures make a difference: Reporting a phishing email and communicating this openly, consciously using secure communication channels, or briefly checking with colleagues when something seems suspicious will have a lasting impact on the security climate.


It's important to act on an equal footing. Not everyone has the same technical knowledge or risk awareness. Supporting others instead of embarrassing or lecturing them builds trust – and thus lays the foundation for establishing safe behaviors.


Concrete examples of unobtrusive support in everyday life:


  • Check an unsafe link together instead of just pointing out the danger.

  • Suggest setting up secure passwords or password managers together.

  • Demonstrate security routines such as device locks or MFA logins to new employees directly in their daily work routine.

  • Intentionally hide sensitive information during presentations or meetings and briefly explain why (“security reasons”).


Cultural design thrives on the spread of good behavior – not through pressure, but through the feeling that it is natural and right.


Those who model security make it accessible to others.


© Daniel Eberhorn - SecurityWho
