đź“Š What We Learned From Measuring Security Habits in 400+ Employees

Written By Bodil Biering

You’ve got the policies.
You’ve run the awareness training.
You’ve reminded people to stay vigilant, report phishing, and use strong passwords.

And yet…

People are still reusing weak passwords.
Security incidents aren’t being reported.
Your “awareness program” feels more like a checkbox than a culture shift.

So how do you actually know if your people are following the policies?

That’s what we set out to answer.

The Setup

Recently, we ran a managed security habit survey in a 400-person organization.

Their leadership had already invested in ISO 27001 compliance and built out a full suite of internal policies.

But they were still asking the big question:

“How do we know if our security policies are actually working?”

We deployed the CyberJuice habit survey tool to measure real-world behavior—
what people actually do, not just what they remember from training.

Here’s what we found:

1. Password Sharing Was Shockingly Common

A significant number of employees reported sharing passwords with colleagues.

This wasn’t malicious. It was about convenience.

But it was happening quietly, against company policy, and with zero visibility from leadership.

2. Most Employees Weren’t Using the Company’s Password Manager

Even though a password manager had been rolled out months before, the majority weren’t using it.

Why?

  • Lack of training

  • Confusion over whether it was optional

  • People sticking with old habits

This was a classic case of:

“We implemented the tool—but didn’t build the behavior.”

3. Sales Had Better Habits Than Finance

This one caught us off guard.

The Sales team showed stronger day-to-day habits: device locking, phishing awareness, using MFA.

Meanwhile, the Finance team—handling highly sensitive data—had lower reported awareness and less consistent practices.

What it confirmed for us:

Security culture doesn’t follow job titles. It follows clarity, communication, and reinforcement.

What This Tells Us About Security Culture

Many companies assume:
Policies = Protection

But if no one reads the policy—and the behaviors don’t follow—then you’re still exposed.

Here’s what we learned:

  • Security isn’t just about awareness—it’s about habit formation

  • Teams need ongoing nudges, not just annual training

  • And most importantly:

    You can’t improve what you don’t measure

How CyberJuice Helps

We help turn security policies into real-world habits—without overwhelming your people.

Here’s how:

  • 🔍 Habit surveys tied directly to your policies

  • 🎥 Short training videos that explain policies in plain language

  • đź“Š A dashboard showing where behavior gaps actually live

  • âś… Optional managed delivery: We can handle rollout, follow-up, and reporting—or you can self-manage using the platform

Most people don’t read policies.
We help them live them.

Policies don’t protect you—habits do.

We measured real-world behavior across 400+ employees and uncovered major gaps in password hygiene, tool usage, and cross-team consistency.


CyberJuice helps make security culture visible, measurable, and actionable.

🎯 Want to see where your biggest risks actually live?
👉 Book your free Security Culture Snapshot

Bodil Biering https://www.bodilbiering.com
Next

đź“ť Security Questionnaires: The Startup Deal-Killer Nobody Talks About