Journey Mapping: Cultivating a Mindset for Security Awareness


When was the last time you crawled inside someone’s mind? You would probably perceive it as not a very comfortable place to be. After all, people are generally impatient. They don’t follow policy and they find tech speak frustrating. Let’s face it, everybody is a bit quirky when you get down to it.

This may all be true, but what’s also true is that, until you get them by perceiving who they are as fellow workers, they will never get you. And this situation of ‘not getting each other’ translates into fighting an uphill battle when attempting to get fellow workers to follow basic security protocols with the end goal of ensuring corporate data remains protected.

Spelunking Gear for the Mind

Journey mapping is a concept that was originally developed by marketers and product teams to help them better understand their customers and prospects. But you can use this same concept to help understand “a day in the life” of your typical user or worker. The process can take time and will require some conversations and observations, but the time spent will be worth it.

Let’s take a look at the steps behind leveraging journey mapping within the context of your security program:

  • Identify and segment employee roles. Different roles impact systems differently. It’s important to map people based on the roles they have within the organization.
  • Understand the typical day of an employee in each role.
  • Consider how an employee in a specific role is influenced by their emotions and motivations. Consider also how these emotions and motivations change as they’re dealing with different technology and/or security touchpoints.
  • Consider how employee experiences in a specific role may change with the time of year, day of week, etc.
  • Consider how their moods, emotions, and ability to perform tasks might change based on aspects of work demands—e.g. busier times like holiday seasons.
  • Identify each role’s physical, technological and social touchpoints. Where do they go throughout the day? Who do they see? What distractions do they have?

At a high level, what you will be looking for as you complete the journey map are opportunities to capture the attention of these employees. You’ll want to identify the points of time, locations, and contexts that you can design for within your security training regimen.

You want to understand—deeply understand—the journey an employee takes in each role you’ve identified in their day-to-day activities and how these interactions might vary by day of week or time of year, as well as by various job-related impacts.

A Focus on Behaviors

As you consider each role you’ve identified, you’ll benefit from using a Journey Map Brainstorming Sheet where you can jot down answers to questions such as:

  • Who are they?
  • Where are they?
  • What are they doing or about to do?
  • What is their goal?
  • How are they feeling? (emotions)
  • Who else is around? (social)

There are other prompts I’d recommend, but this should give you a sense of the type of behavioral and attitudinal detail you want to drill down into. Why? Because the more you understand “a day in the life,” the better you’ll be able to identify the opportunities you have to deliver messages and behavioral interventions at points in time when they are most likely to be receptive and act upon them.

You’re attempting to find points of time, locations, and contexts to design for within your security program. Can you add a gentle nudge at the point of behavior? How about a timely reminder? Or maybe find a way to alter the social dynamic around a type of behavior? At these points of intersection, you may also consider how you might reward and reinforce successes while providing just-in-time, point-of-behavior interventions to help minimize failures.

Understanding Leads to Intervention Opportunities

That’s what happens when you take the time to climb inside the mind of your people and understand—really understand—a day in their lives. A day that is filled with myriad interactions and opportunities for you to reinforce key messages and actions that will enliven a degree of security awareness in the effort to keep your systems and data safe.

Gleaning these insights through journey mapping can help you understand how your program elements intersect with discrete points in the lives of your employees. This, in turn, will help you become more intentional about how and when you deliver your security program elements.

The bottom line: You need to understand the lives, actions, and interactions of your people so that you can more strategically intersect their lives with relevant awareness and security-first behavior.

Keep in mind, also, that these maps will change over time as the internal and external environment changes. Consider, for instance, how journey maps created before March 2020 and the spread of the coronavirus looked when compared to how they would look today. Environmental impacts aren’t usually this extreme, but things do change.

Journey mapping is a process, not an event. It’s a process that, when carefully considered and frequently revisited, can help you ensure that your employees “get it” because now you “get them.”

About the Author

Perry Carpenter is author of Transformational Security Awareness: What Neuroscientists, Storytellers, and Marketers Can Teach Us About Driving Secure Behaviors (Wiley, 2019). He is Chief Evangelist and Security Officer for KnowBe4, the world's largest security awareness training and simulated phishing platform. He holds an MS in Information Assurance (MSIA) from Norwich University and is a Certified Chief Information Security Officer (C|CISO).
