Journey Mapping: Cultivating a Mindset for Security Awareness


When was the last time you crawled inside someone’s mind? You would probably perceive it as not a very comfortable place to be. After all, people are generally impatient. They don’t follow policy and they find tech speak frustrating. Let’s face it, everybody is a bit quirky when you get down to it.

This may all be true; but what’s also true is that, until you get them by perceiving who they are as fellow workers, they will never get you. And this situation of ‘not getting each other’ translates into fighting an uphill battle when attempting to get fellow workers to follow basic security protocols with the end goal of ensuring corporate data remains protected.

Spelunking Gear for the Mind

Journey mapping is a concept that was originally developed by marketers and product teams to help them better understand their customers and prospects. But you can use this same concept to help understand “a day in the life” of your typical user or worker. The process can take time and will require some conversations and observations, but the time spent will be worth it.

Let’s take a look at the steps behind leveraging journey mapping within the context of your security program:

  • Identify and segment employee roles. Different roles impact systems differently. It’s important to map people based on the roles they have within the organization.
  • Understand the typical day of an employee in each role.
  • Consider how an employee in a specific role is influenced by their emotions and motivations. Consider also how these emotions and motivations change as they’re dealing with different technology and/or security touchpoints.
  • Consider how employee experiences in a specific role may change with the time of year, day of week, etc.
  • Consider how their moods, emotions, and ability to perform tasks might change based on aspects of work demands—e.g. busier times like holiday seasons.
  • Identify each role’s physical, technological and social touchpoints. Where do they go throughout the day? Who do they see? What distractions do they have?

At a high level, what you will be looking for as you complete the journey map are opportunities to capture the attention of these employees. You’ll want to identify the points of time, locations, and contexts that you can design for within your security training regimen.

You want to understand—deeply understand—the journey an employee takes in each role you’ve identified in their day-to-day activities and how these interactions might vary by day of week or time of year, as well as by various job-related impacts.

A Focus on Behaviors

As you consider each role you’ve identified, you’ll benefit from using a Journey Map Brainstorming Sheet where you can jot down answers to questions such as:

  • Who are they?
  • Where are they?
  • What are they doing or about to do?
  • What is their goal?
  • How are they feeling? (emotions)
  • Who else is around? (social)

There are other prompts I’d recommend, but this should give you a sense of the type of behavioral and attitudinal detail you want to drill down into. Why? Because the more you understand “a day in the life,” the better you’ll be able to identify the opportunities you have to deliver messages and behavioral interventions at points in time when they are most likely to be receptive and act upon them.

You’re attempting to find points of time, locations, and contexts to design for within your security program. Can you add a gentle nudge at the point of behavior? How about a timely reminder? Or maybe find a way to alter the social dynamic around a type of behavior. At these points of intersection, you may also consider how you might reward and reinforce successes while providing just-in-time, at the point of behavior interventions to help minimize failures.

Understanding Leads to Intervention Opportunities

That’s what happens when you take the time to climb inside the mind of your people and understand—really understand—a day in their lives. A day that is filled with myriad interactions and opportunities for you to reinforce key messages and actions that will enliven a degree of security awareness in the effort to keep your systems and data safe.

Gleaning these insights through journey mapping can help to understand how your program elements intersect with discrete points in the lives of your employees. This, in turn, will help you become more intentional about how and when you deliver your security program elements.

The bottom line: You need to understand the lives, actions, and interactions of your people so that you can more strategically intersect their lives with relevant awareness and security-first behavior.

Keep in mind, also, that these maps will change over time as the internal and external environment changes. Consider, for instance, how journey maps created before March 2020 and the spread of the coronavirus looked when compared to how they would look today. Environmental impacts aren’t usually this extreme, but things do change.

Journey mapping is a process, not an event. It’s a process that, when carefully considered and frequently revisited, can help you ensure that your employees “get it” because now you “get them.”

About the Author

Perry Carpenter is author of Transformational Security Awareness: What Neuroscientists, Storytellers, and Marketers Can Teach Us About Driving Secure Behaviors (Wiley, 2019). He is Chief Evangelist and Security Officer for KnowBe4, the world's largest security awareness training and simulated phishing platform. He holds a MS in Information Assurance (MSIA) from Norwich University and is a Certified Chief Information Security Officer (C|CISO).

Related Articles

What Software Powers the Live Casino Experience?

By: Special Guest    5/10/2021

Live casinos have been around for some time, but they are still widely considered the new kid on the block. They've been a revelation for thousands of…

Read More

What Tech Do Designers Use to Make a Casino Game?

By: Special Guest    5/6/2021

Designers use the latest technology to bring you the great games you see at real money casinos in 2021. It is complex to the average person who simply…

Read More

World Password Day: Password Protection Needs a Fundamental Change

By: Special Guest    5/6/2021

A 2019 Google study found that 75% of the Americans admit to struggling with so many passwords, that many end up reusing the same password across mult…

Read More

Important Information About Bitcoin Wallets for Beginners

By: Special Guest    5/6/2021

Bitcoin is one of the most sought-after assets in any investor's portfolio. The price of BTC has exceeded $60,000, and its market cap has also exceede…

Read More

Is VR the Next Step for Mobile Gamers?

By: Special Guest    5/5/2021

Mobile gaming is fantastic. It is possible to sit on a train and play some of the latest video games using a mobile phone. If you look back at some of…

Read More