NCSC Cyber Culture Principle 4: Using Social Norms to Drive Secure Behavior

This is a quick deep dive into one of the NCSC cyber security culture principles, designed to help you understand what it actually means in plain English, why it matters in real organizations, and how to spot it in your own world.

If you’re looking for the bigger picture on NCSC culture and how to turn these principles into a real program, you might also like:

Use this post to get your head around this principle quickly, then jump into the longer guides when you’re ready to design or evolve your culture program.

4. Social Norms That Support Security (“People Like Us Do X”)

This principle tackles the unwritten rules: the jokes, habits, and “people like us” behavior that define what’s really normal. NCSC’s culture commentary highlights that strong security culture identifies both helpful and harmful social norms and works to align them with formal policies (Intrucept).

Why does this matter enough to become its own principle? Because people follow the local norm more than they follow the policy PDF. If the heroes in your stories are the folks who “get it done no matter what,” even if that means cutting corners, then your controls are fighting your culture. NCSC is calling out that you can’t just design rules—you have to design the social gravity around them, so that secure behavior feels like “what people like us do.”

What this principle really means

Social norms are the unwritten rules:

  • how “people like us” behave,

  • what gets quietly admired,

  • what gets quietly mocked.

NCSC’s social norms principle asks:

Does the everyday vibe nudge people toward secure behavior—or away from it?

What goes wrong if you ignore it

If your norms are off:

  • Security behaviors feel “weird” or “over the top.”

  • Shortcuts and workarounds are seen as clever, not risky.

  • People who follow the rules get eye-rolls, not respect.

You can have the best policy in the world—and still lose to the local jokes and habits.

Quick self-diagnosis

Ask:

  1. What do people joke about when it comes to security?

  2. Who gets praised more: the person who “gets it done no matter what” or the person who pushes back for safety?

  3. Does anyone ever say, “That’s not how we do it here—we do it this way because of security”?

If the norms point away from secure behavior, that’s your culture talking.

Practical shifts / quick wins

  • Tell peer stories: “Someone in Sales did X and it saved us from Y.”

  • Make “doing it right” visible and a little bit cool—gamified leaderboards, shout-outs, micro-rewards.

  • Give team leads simple scripts for reinforcing norms (“In this team, we always… when it comes to data.”).

Where Cybermaniacs fits

We live in the land of norms:

  • Characters, inside jokes, and storylines that make “people like us” act securely

  • Campaigns that gently (or loudly) call out risky “heroics” and celebrate safer habits

  • Support to align these creative nudges with your NCSC social norms focus
