Journey Mapping: Cultivating a Mindset for Security Awareness


When was the last time you crawled inside someone’s mind? You would probably perceive it as not a very comfortable place to be. After all, people are generally impatient. They don’t follow policy and they find tech speak frustrating. Let’s face it, everybody is a bit quirky when you get down to it.

This may all be true; but what’s also true is that, until you get them by perceiving who they are as fellow workers, they will never get you. And this situation of ‘not getting each other’ translates into fighting an uphill battle when attempting to get fellow workers to follow basic security protocols with the end goal of ensuring corporate data remains protected.

Spelunking Gear for the Mind

Journey mapping is a concept that was originally developed by marketers and product teams to help them better understand their customers and prospects. But you can use this same concept to help understand “a day in the life” of your typical user or worker. The process can take time and will require some conversations and observations, but the time spent will be worth it.

Let’s take a look at the steps behind leveraging journey mapping within the context of your security program:

  • Identify and segment employee roles. Different roles impact systems differently. It’s important to map people based on the roles they have within the organization.
  • Understand the typical day of an employee in each role.
  • Consider how an employee in a specific role is influenced by their emotions and motivations. Consider also how these emotions and motivations change as they’re dealing with different technology and/or security touchpoints.
  • Consider how employee experiences in a specific role may change with the time of year, day of week, etc.
  • Consider how their moods, emotions, and ability to perform tasks might change based on aspects of work demands—e.g. busier times like holiday seasons.
  • Identify each role’s physical, technological and social touchpoints. Where do they go throughout the day? Who do they see? What distractions do they have?

At a high level, what you will be looking for as you complete the journey map are opportunities to capture the attention of these employees. You’ll want to identify the points of time, locations, and contexts that you can design for within your security training regimen.

You want to understand—deeply understand—the journey an employee takes in each role you’ve identified in their day-to-day activities and how these interactions might vary by day of week or time of year, as well as by various job-related impacts.

A Focus on Behaviors

As you consider each role you’ve identified, you’ll benefit from using a Journey Map Brainstorming Sheet where you can jot down answers to questions such as:

  • Who are they?
  • Where are they?
  • What are they doing or about to do?
  • What is their goal?
  • How are they feeling? (emotions)
  • Who else is around? (social)

There are other prompts I’d recommend, but this should give you a sense of the type of behavioral and attitudinal detail you want to drill down into. Why? Because the more you understand “a day in the life,” the better you’ll be able to identify the opportunities you have to deliver messages and behavioral interventions at points in time when they are most likely to be receptive and act upon them.

You’re attempting to find points of time, locations, and contexts to design for within your security program. Can you add a gentle nudge at the point of behavior? How about a timely reminder? Or maybe find a way to alter the social dynamic around a type of behavior. At these points of intersection, you may also consider how you might reward and reinforce successes while providing just-in-time, at the point of behavior interventions to help minimize failures.

Understanding Leads to Intervention Opportunities

That’s what happens when you take the time to climb inside the mind of your people and understand—really understand—a day in their lives. A day that is filled with myriad interactions and opportunities for you to reinforce key messages and actions that will enliven a degree of security awareness in the effort to keep your systems and data safe.

Gleaning these insights through journey mapping can help to understand how your program elements intersect with discrete points in the lives of your employees. This, in turn, will help you become more intentional about how and when you deliver your security program elements.

The bottom line: You need to understand the lives, actions, and interactions of your people so that you can more strategically intersect their lives with relevant awareness and security-first behavior.

Keep in mind, also, that these maps will change over time as the internal and external environment changes. Consider, for instance, how journey maps created before March 2020 and the spread of the coronavirus looked when compared to how they would look today. Environmental impacts aren’t usually this extreme, but things do change.

Journey mapping is a process, not an event. It’s a process that, when carefully considered and frequently revisited, can help you ensure that your employees “get it” because now you “get them.”

About the Author

Perry Carpenter is author of Transformational Security Awareness: What Neuroscientists, Storytellers, and Marketers Can Teach Us About Driving Secure Behaviors (Wiley, 2019). He is Chief Evangelist and Security Officer for KnowBe4, the world's largest security awareness training and simulated phishing platform. He holds a MS in Information Assurance (MSIA) from Norwich University and is a Certified Chief Information Security Officer (C|CISO).

Related Articles

Supporting Field Service Workers with Human-Centered Mobile Apps

By: Matthew Vulpis    5/26/2022

The Future of Work: As the world continues to enter a digital age, more technology becomes available that can add ease and optimization to daily busin…

Read More

Mastercard Launches Cyber Front Threat Simulation Platform

By: Greg Tavarez    5/25/2022

Attack simulation and assessment platform Cyber Front will help businesses and governments enhance their cybersecurity operational resilience.

Read More

5 Development Tools Every Tech Engineer Should Have Access To

By: Contributing Writer    5/25/2022

Technology has become an essential part of our lives. We use it to communicate, learn, and entertain ourselves. As a tech engineer, it is vital to hav…

Read More

MindFly, EuroLeague Announce Player Bodycams for 1st-person Perspective

By: Greg Tavarez    5/24/2022

MindFly and EuroLeague will fit players with a MindFly AI-powered bodycam, letting fans watch, hear and experience everything their favorite player do…

Read More

5 Content Creation Tips Successful Digital Marketing Agencies Use

By: Contributing Writer    5/20/2022

Content creation is the foundation of any successful digital marketing campaign, but that doesn't mean it's easy. The best digital marketing agenci…

Read More