When organizations think about cybersecurity, the conversation almost always starts with technology: firewalls, encryption, multifactor authentication. These tools are essential, but they often overshadow the fact that the weakest link in security is still people. Human employees make daily decisions about clicking links, sharing passwords, reporting incidents, or helping a colleague troubleshoot. Whether those choices strengthen or weaken the organization depends not just on awareness, but also on the social dynamics inside the workplace.
In a study I published in the A-ranked research journal Computers in Human Behavior (2017), we asked a simple but powerful question: why do employees share information security advice — and what patterns shape how that advice flows? To answer, we applied network analysis to data collected inside a large Vietnamese company. The results highlight not only how security knowledge spreads, but also why relying only on individual training programs misses the bigger picture. These insights are just as relevant today, not only for security but also for broader people analytics and organizational resilience.
What We Found About Security Advice Sharing
Our research uncovered three main sets of findings: the individual drivers of sharing, the network patterns that structure it, and the risks of overreliance on a few key employees.
1. Individual Drivers: Attitude and Accountability Matter Most
Employees who had a positive attitude toward security behaviors (for example, seeing them as useful and important rather than annoying or unnecessary) were far more likely to share advice with their peers. Similarly, those who felt a sense of accountability for protecting the company’s information assets were also more proactive in giving advice.
In contrast, feeling social pressure to comply actually reduced sharing. In other words, when employees felt their environment was pushing them too hard to “always think about security,” they became reluctant to spread advice. Pressure created resistance rather than engagement.
2. Network Patterns: Advice Flows Through a Few Influencers
When we visualized the network of security advice, we saw a pattern: advice was not evenly distributed across the organization. Instead, it was transitive and non-reciprocal. A small number of employees acted as dominant hubs, giving advice to many others but not necessarily receiving much in return.
This meant that information flowed outward from certain technical staff or trusted colleagues, often moving through multiple intermediaries before reaching someone else. The advice-sharing network wasn’t a web of mutual exchanges — it was more like a set of rivers flowing from a few sources.
3. Risks of Overdependence: Informal Experts Hold Too Much Power
Because advice concentrated around a handful of people, the organization became dependent on them for maintaining security culture. Some were IT staff, but others were non-technical employees who had earned trust in their departments. The danger here is clear: if those individuals leave, are overloaded, or spread incorrect advice, the whole network suffers. Moreover, “shadow security groups” can emerge, where workarounds or informal practices circulate without oversight.
Why These Findings Matter
The implications go well beyond cybersecurity. This research shows that workplace security behaviors are inherently social. They depend on trust, work relationships, and informal communication channels as much as on policies and training.
For security leaders, this means:
- Training alone is not enough. Even if every employee receives the same message, the way advice circulates through networks determines whether that knowledge becomes embedded in daily work.
- Influencers are critical. Identifying and supporting the employees who naturally emerge as advice hubs can help scale good practices.
- Pressure can backfire. Environments that create constant “compliance fatigue” risk reducing voluntary knowledge sharing, which is essential for resilience.
- Network effects matter. Employees often seek advice from those who already help them with work tasks or troubleshooting. Building on these natural connections is more effective than fighting them.
Practical Recommendations for Organizations
Based on our findings, here are concrete steps organizations can take to strengthen both security and knowledge-sharing culture:
- Measure the Real Networks, Not Just the Org Chart
Formal structures rarely reflect how advice and expertise actually move. Social network analysis can reveal hidden influencers, bottlenecks, and silos. This gives leaders a realistic picture of how information flows. - Empower Key Connectors
The few individuals who act as hubs of advice should not be left to carry the burden informally. Recognize them, provide training, and ensure they are supported rather than over-relied upon. - Reduce Compliance Fatigue
Shift the message from “you must comply” to “security is useful, and you can make a difference.” Focus on building positive attitudes rather than applying pressure. - Leverage Trust and Work Relationships
Employees often seek advice from trusted colleagues or those who already provide work help. Building mentorship programs, communities of practice, or cross-functional teams can strengthen these channels. - Watch for Shadow Security Practices
Informal advice networks can also spread risky behaviors or shortcuts. By mapping and monitoring them, organizations can detect and address shadow practices early.
From Research to Practice: Introducing NetIQ
These insights formed the foundation of NetIQ, our People Analytics consulting service. Just as we mapped security advice sharing in our study, NetIQ maps collaboration, trust, influence, and knowledge flow across your workforce. The goal is simple: help leaders see how work really happens, not just how it looks on paper.
With NetIQ, organizations can:
- Identify hidden influencers and key connectors who shape culture and performance.
- Detect bottlenecks and silos that slow down change or innovation.
- Build resilient leadership pipelines by spotting emerging talent who already act as informal leaders.
- Design targeted interventions that strengthen collaboration and knowledge sharing.
The same network science that revealed how security advice circulates can help organizations transform in areas like digital transformation, cultural change, and employee engagement.
Conclusion
The central lesson from our research is that people, not just policies or technologies, determine the strength of organizational security and performance. Advice sharing is not random — it follows patterns shaped by attitudes, accountability, trust, and relationships. By paying attention to these networks, organizations can move from a reactive “compliance” mindset to a proactive, people-centric approach.
With tools like NetIQ, leaders can finally see these invisible dynamics and act on them. In a world where knowledge is power and collaboration is resilience, understanding your networks isn’t optional — it’s essential.
References
Dang-Pham, D., Pittayachawan, S., & Bruno, V. (2017). Why employees share information security advice? Exploring the contributing factors and structural patterns of security advice sharing in the workplace. Computers in Human Behavior, 67, 196–206.
https://doi.org/10.1016/j.chb.2016.10.025
