What does clear, usable guidance mean in NCSC cyber security culture?

In NCSC cyber security culture, clear, usable guidance means that people know exactly what to do in real situations, the secure way of working is realistic in terms of time and tools, and instructions are written in human language with concrete examples—not just generic policy text.

Why do unusable security processes increase risk?

When security processes are slow, confusing, or hard to find, staff fall back on guessing, copying old emails, or using risky shortcuts that ‘get the job done.’ Over time these workarounds become the real process, undermining controls and creating hidden vulnerabilities.

How can I tell if our security guidance is truly usable?

Ask frontline staff to walk through a common risky scenario and see how long it takes them to find and follow the ‘right’ process. If they have to dig through multiple SharePoint pages, ask around in chat, or invent steps, your guidance is not truly usable and needs to be simplified and embedded into their workflow.

NCSC Cyber Culture Principle 6: Designing Usable Security Policies and Processes

This is a quick deep dive into one of the NCSC cyber security culture principles, designed to help you understand what it actually means in plain English, why it matters in real organizations, and how to spot it in your own world.

If you’re looking for the bigger picture on NCSC culture and how to turn these principles into a real program, you might also like:

Our overview of the NCSC cyber security culture principles and why they matter
How to operationalize the NCSC culture agenda step by step
How to build a 12-month NCSC-aligned cyber security culture roadmap
Measuring cyber security culture with NCSC-aligned metrics that actually work
The NCSC Cyber Culture FAQ: 21 Questions Answered

Use this post to get your head around this principle quickly, then jump into the longer guides when you’re ready to design or evolve your culture program.

6. Clear, Usable Guidance & Processes

The sixth principle is the usability one: can people actually do what you’re asking? NCSC’s culture principles and related commentary emphasize clear, usable rules and guidance—policies and processes that are accessible, shaped by real-world input, and practical for everyday work. ^NCSC

The reason this made the cut is that a lot of “non-compliance” is really non-usability. If "the secure way" is buried in SharePoint, slow, or confusing, staff will invent their own version that actually fits the job. Over time, those workarounds become the real process. NCSC is effectively saying: if you don’t design for usability, your culture will design its own security—quietly, informally, and usually with more risk.

What this principle really means

NCSC is blunt about this: if your rules and processes aren’t usable, people will not follow them.

This principle is about:

clarity (“What do I do, in my job, in this situation?”),
usability (“Can I do that without jumping through flaming hoops?”),
and embedding guidance where and when decisions are made.

What goes wrong if you ignore it

When guidance is confusing or painful:

People guess, copy old emails, or ask a friend.
Workarounds become the “real process.”
Policy compliance looks fine on paper but fails in reality.

You end up with a culture where secure behavior feels impossible in the time and tools people have.

Quick self-diagnosis

Ask:

Could a new starter in Finance, Sales, or Ops explain how to handle a specific risky situation without digging through SharePoint?
How many steps does it take to do the “right thing” vs the workaround?
Are your most important security instructions written in human language, with concrete scenarios?

If secure = slow + confusing, you know what people will choose.

Practical shifts / quick wins

Rewrite one high-risk policy area (e.g., data sharing, access requests) as a short, scenario-based playbook.
Put micro-guidance where the action happens (in tools, forms, FAQs, chatbots), not just on your intranet.
Ask 3–5 frontline people to do a live walkthrough of a secure process and note every friction point.

Where Cybermaniacs fits

We make “usable” real:

Converting policies into stories, checklists, and scenarios people remember
Layering human, humorous guidance on top of your existing processes
Feeding what we learn from content engagement back into your NCSC “usable guidance” metrics

More from the Trenches!

We've Got You Covered!

Subscribe to our newsletters for the latest news and insights.

NCSC Cyber Culture Principle 6: Designing Usable Security Policies and Processes

6. Clear, Usable Guidance & Processes

What this principle really means

What goes wrong if you ignore it

Quick self-diagnosis

Practical shifts / quick wins

Where Cybermaniacs fits

More from the Trenches!

We've Got You Covered!

Engage

SECURE

About

NCSC Cyber Culture Principle 6: Designing Usable Security Policies and Processes

6. Clear, Usable Guidance & Processes

What this principle really means

What goes wrong if you ignore it

Quick self-diagnosis

Practical shifts / quick wins

Where Cybermaniacs fits

More from the Trenches!

We've Got You Covered!

For Practitioners

For Executives