Cyber Risk Culture Survey

Diagnosing company culture to mitigate risk

With the majority of cyber breaches resulting from some type of human error or behavior (whether negligent or malicious acts), many organizations are identifying root causes of these employee behaviors and aspects of workplace culture that may be contributing to information security risk. With combined expertise in human capital and cyber risk solutions, WTW provides insight into people-related risks to help clients address workforce vulnerabilities.

Vulnerabilities can be present generally, or in pockets within the organization. Sources of risk can include:

• A lack of employee awareness and personal responsibility for cyber risk
• Poor understanding of steps the organization is taking to address cybersecurity
• A low "cyber IQ" resulting in behaviors that increase risk to internal systems and processes

How employee behavior drives cyber risk

Companies experiencing cyber breaches tend to lack certain critical aspects of the employee experience, including:

• Purpose tied to customer centricity (e.g. responsiveness and optimizing processes)
• Work marked by speed and flexibility in making decisions and managing teams
• People practices that empower staff through voice, respect and support for teamwork
• Stress training and development that align with pay and performance

Companies' perceptions of their cyber risk readiness and governance are not matched by actual employee actions.¹ Only by investigating vulnerabilities, raising awareness and moving employees from compliance to conversion can organizations assess their risk, take appropriate preventive measures and move toward sustainable engagement.

Cyber Risk Culture Survey helps you identify employee threats

Using our vast experience in employee research and cyber risk management, WTW's Cyber Risk Culture Survey collects insights directly from employees regarding frequency of cyber-savvy behaviors and perceptions of cyber risk challenges in the workplace.

The result is a profile of the current state of cybersecurity awareness and suggested employee actions across the organization that can lead the way toward a cyber smart workforce.

Arming leadership with key insights

Results of the survey provide a clear picture of an organization's internal risk culture and enable senior leadership to take decisive action to create solutions in four key ways:

1. Provide data breach benchmarks that help prioritize culture challenges

Global database of 1.3 million respondents from companies that have experienced a cyber incident.

2. Obtain ideas for improvement directly from employees

Two custom comment questions:

1. What are we doing now that is working well to manage date privacy and information security risks?
2. What actions should we take in the next 12 months to reduce data privacy and information security risks?

3. Segment your workforce to locate the most vulnerable populations

Graph showing awareness and action across 4 sections: secure, complacent, misdirected and vulnerable

4. Identify what experiences drive optimal behavior

Chart showing how to drive optimal behaviors

Options for deployment

The survey can be tailored to your organization’s needs and preferences, including these options:

• Vulnerability index — Included within existing employee engagement surveys to obtain a high-level cyber risk culture profile, this index highlights areas of greatest cyber vulnerability via a heat map.
• Self-administered pulse survey — Deployed across an organization or targeted to specific groups, this survey provides a more detailed examination of the cultural elements of an entity’s cyber risk.
• Full-service survey — Developed from over 100 customizable questions, this survey provides a deep-dive assessment of an organization’s cyber risk culture with in-person consultative engagement and other scoping options adaptable to small, mid-size and large organizations.

More than half of all cyber incidents begin with employees. Know your people risks so you can take appropriate measures as you build a cyber-savvy workforce.

Footnote

¹ WTW Employer and Employee Cyber Risk Surveys