What is the Security Culture Tool?
NPSA’s Security Culture Tool is a free, online self-service tool that can help you understand your organisation's security culture and how to enhance it. It draws on over 20 years of NPSA’s research and social and behavioural science consultancy, and is structured around four components - one interactive workshop and three workforce surveys.
NPSA SECURITY CULTURE TOOL

| Workshop | Workforce Surveys | | |
|---|---|---|---|
| Cultural Style Workshop | Security Behaviours Survey | Personal Attitudes & Skills Survey | Organisational Influences Survey |
| Supports your senior leaders in agreeing on the desired style of security culture that best suits your organisation. | Measures the frequency with which particular security behaviours are being demonstrated. | Assesses your workforce’s awareness of the threats they face, alongside their security responsibilities. | Evaluates your workforce’s perceptions of how well security is managed within the organisation. |
How should you use it?
Each component allows you to better understand a different aspect of your organisation’s security culture. You can run any combination of survey(s) or workshop in any order, but certain options and orders may be more effective depending on what you want to get out of them and the organisational data you may already have available to you.
Tip: NPSA guidance in the Resources section of the Tool’s web platform provides a more in-depth overview of the benefits and limitations of each survey.
Below is a more in-depth description of each component of the Tool:
The Cultural Style Workshop is an interactive, vision-setting session designed for your organisation’s leadership. Using our in-depth facilitator guide and simple web platform, walk your senior leaders through the process of exploring and aligning on your organisation’s current and desired styles of security culture. Secure their sponsorship and support as you set out to improve your security culture.
The remaining three components of the tool are individual workforce surveys that will help you to understand different aspects of your organisation’s security culture. You can customise each of these surveys to include bespoke questions and collect key demographic information that will help you to structure and analyse your survey responses.
The Security Behaviours Survey helps you to build an understanding of the relevant security behaviours that are a priority for your organisation. The tool allows you to select relevant security behaviours questions from a predefined list, alongside adding custom questions to ensure the survey relates to your current priorities.
The Personal Attitudes and Skills Survey allows you to assess your workforce’s awareness of the threats faced by your organisation, alongside their knowledge of expected practices and how motivated they are to behave securely. Baselining how well security threats are understood across your workforce, and how motivated they are to act, can help you decide whether and where to invest further resource in education, awareness, or incentivisation.
The Organisational Influences Survey helps you to measure your workforce’s perceptions of how well security is managed within your organisation. The survey provides you with an overview of how well your organisation uses different ‘levers’ – such as incentives, policies and processes, and management commitment – to instil good security practice/behaviours. It also helps you to understand how satisfied your workforce are with your security initiatives.
The results from any component of the tool are then presented to you in an interactive dashboard that can be used to interrogate your workforce data, identify trends, and target areas for improvement.
Tool Development and Feedback
This is a newly developed tool, which will continue to evolve as we develop new functionalities and resources. In late 2025 we are aiming to launch a new ‘interventions’ functionality that will take the outputs from any combination of survey(s) and/or workshop, and generate a prioritised list of the types of intervention that can help you to form the basis of a strategy to improve your security culture.
As the tool continues to develop we would welcome your feedback on what works well, any other functions that would be useful, and how we could improve the user journey.
Are you ready to use the Security Culture Tool?
Using the Security Culture Tool as part of a security change programme is a commitment that your organisation should consider carefully. There is no one right way to deliver change; ultimately, what will work best is a bespoke approach that is tailored to the needs and requirements of your organisation.
Tip: take a look at NPSA’s 5Es Approach to Organisational Behaviour Change for some overarching principles that can support you in developing a security change programme.
Were you sent here by the Personnel Security Maturity Assessment (PSMA)?
- The NPSA Personnel Security Maturity Assessment has been designed to specifically assess an organisation's personnel security maturity. Security Culture forms one of the seven core elements of the model.
- If you recently completed the assessment and scored Level 3 (Developing) or above for Security Culture and Behaviour Change, we advise you to begin using the tool starting with the Cultural Style workshop in order to ensure your organisation’s seniors are taking a consistent approach to security culture. After this, you will be in a good position to develop your strategy.
Please consider the following questions prior to using the Tool. If necessary, take time to revisit NPSA’s Security Culture content via the Security Culture landing page.
Why are you thinking of using the tool?
If used for the right reasons, the tool can provide you with valuable information about your organisation’s security culture and workforce behaviours. However, to get the best out of the tool, you need to be clear about your needs and why you want to use the tool.
Unclear on why you’d want to use it? Take a look at our Intro to Security Culture pages to build your understanding of security culture, why it’s important, and how to identify the security risks that matter to you by visiting NPSA’s Protective Security Risk Management page.
How committed are your leadership and senior managers to investing in your security culture?
The commitment of leadership/senior management is not essential for using the Security Culture Tool; however, you are unlikely to get full value from the tool without it. Senior endorsement typically enables the time, resources, and support required both to use the tool and to implement the guidance and advice generated.
Need help securing senior support? Take a look at our 'Why Should I Care About Security Culture?' section and think about how you can build support and momentum amongst your seniors using your organisational risks to illustrate the benefits of a strong security culture.
What do you want the Security Culture Tool to do for you?
The Security Culture Tool can serve a number of different but related purposes. Achieving these purposes will require using the package in different ways. It’s therefore important to be clear about what you want the tool to do; if there are specific issues you want to explore or resolve, you might not need to run every single component of the tool.
Not sure about your objectives? Take a look at our 'How Should You Use It?' section above for a description of each component of the tool. As long as you have a clear understanding of how and where the tool can support you to build your understanding of your organisation, it’s okay to be a bit uncertain about what to expect. We would suggest adopting a light touch approach; use those parts of the tool which will be least demanding on your time and resources in the first instance. This will allow you to explore your issues in more detail and help you decide how to get best value.
Is your workforce likely to engage in the process?
Is your workforce likely to participate and engage in the process? This will, in part, depend on their understanding of the process and its purpose, and how it might benefit them. Have they experienced similar data gathering activities and interventions, and how have these been received?
Suffering from survey fatigue? If your workforce is exhausted from being asked to complete one survey after another, they are unlikely to devote the time and effort to the full suite of surveys and so other approaches to assessing and understanding security behaviours and culture may be more appropriate. Alternatively, you might want to think about reviewing the ‘Why should I care?’ principles in order to build a strong coalition of senior sponsors to help motivate staff to participate.
If you’ve considered the above and feel you are now in a position to proceed, please go to the Security Culture Tool to create an account and begin using the tool. Further guidance and supporting resources are provided within the tool itself.
The Security Culture Tool is a newly launched tool, which will continue to evolve as we develop new functionalities and resources. User feedback on your experience will help us improve your user journey, as well as address any issues that you encounter whilst navigating the web platform. Please take the time to provide us with any thoughts or observations that you think may help us improve the tool, either via the NPSA General Enquiries Form, or using the “Need Help?” button within the tool itself.
Frequently Asked Questions
- When an account is created for the Security Culture Tool, it is stored securely in the platform's database - this is hosted in UK-based data centres.
- The hosting is set up using what is known as serverless architecture, the architecture and technical approach for which has been reviewed and approved by NPSA. Our software development partner for the Security Culture Tool is ISO 27001 (Information Security Management) accredited, as is the 3rd party for hosting and infrastructure, with all servers provided in the London region.
- The platform is built on serverless technology, meaning it will spin its server provisions up and down as they are needed, and legitimately accessed, adding an extra layer of security against any unauthorised access attempts.
- Data stored is encrypted at rest, and data transfer systems are protected by agreed web application firewall (WAF) setups.
- The external back-end development team that built and works on the Security Culture Tool is able to access all account and assessment data in the database.
- Only developers who are security assured by NPSA can work on NPSA projects, and access control to systems and setups is limited and follows a number of strict security procedures.
- Users can create an account using an organisation code system.
- By requesting an organisation code from NPSA, you can ensure that no one with access to the database will know who the completed assessment data relates to.
- The organisation code is the only information linked to any data entered - meaning there is a full separation between the account owner and any data entered into it.
- To request an Organisation Code please use the NPSA General Enquiries Form.
- User account management and developer access to code and platforms is based on approved technology providers, and credentials and tokens are regularly rotated.
- The system infrastructure and approach is documented in a detailed tech spec that was reviewed and approved by NPSA.
- Code is peer reviewed internally, tested against web security standards and assessed for code quality and security, before any launch of new features.
- All 3rd party systems and platforms involved in our supplier processes are kept up to date with security and other updates on a regular basis.
Security Culture Case Study 1
Organisation – Nuclear Restoration Services (NRS) Dounreay
What was Security Culture like in your organisation prior to using the Tool?
Dounreay has always performed quite well with Security Culture. We have had good security staff driving forward physical, personnel and cyber disciplines, understanding Security Culture and organising security awareness campaigns. Dounreay has always embraced NPSA for the value it adds to the overall security of our site.
We define Security Culture as “a way of life for all staff, contractors and visitors to our site”. Alongside the physical security apparatus, our culture is the lifeblood that keeps our site safe, secure and compliant with regulations.
Why did you use the tool and what were your experiences of using it?
Dounreay had used NPSA’s SeCuRE 4 tool in the past, so using the new Security Culture Tool and being involved in the pilot was a natural step. We also wished to understand our culture further following our transfer to Nuclear Restoration Services, plus recent industrial action at the site. The ability to measure our people, processes, tools and our likelihood of doing the right thing and acting as required, in a safety or security-related time of need, is crucial in identifying our strengths and weaknesses.
Dounreay opted to pilot two of the Tool’s workforce surveys: Security Behaviours and Organisational Influences, in addition to the Cultural Style workshop which was attended by our senior management. Support from senior managers, including our new Managing Director, who has an interest in Security, was crucial in moving the pilot forward.
The tool itself is very intuitive. Once registration was completed, following NPSA’s guidance enabled us to set up the surveys and include demographics and bespoke questions with ease.
What are your next steps and do you have any advice for organisations considering using the tool?
NPSA is currently providing some support to us by way of helping us think through the most impactful types of intervention that could help address some of our areas of concern. [NPSA note: This is a planned feature that will be released as part of a future update to the Security Culture Tool.] Early indications are that our culture is good; results will be analysed further over the coming weeks.
The Security Culture Tool is part of a toolset for supporting the Insider Threat Mitigation Programme at NRS Dounreay. It will become the benchmark for annual Security Culture assessments at Dounreay and we will use these initial surveys as baselines for further work, highlighting issues and publicising our successes. The results will also show where we can add value within the Nuclear Decommissioning Authority Group and wider Nuclear Restoration Service corporate spheres.
Our advice would be to embrace the surveys. Tailor them all to optimise your post-survey analysis, particularly the demographics questions on the Security Behaviours survey (working routines, ages, management posts etc).
Maximise uptake by selling the benefits to your staff and include options for accessing and completing the surveys, including the newer feature of completing the surveys on mobile devices.
Secure the support of your managing director/CEO and Board; ensure they are engaged from the outset. Finally - difficult comments are the most useful. Only through honesty and clarity will you learn the true culture of your organisation.
Security Culture Case Study 2
Organisation – Nuclear Transport Solutions
What was Security Culture like in your organisation prior to using the tool?
We have a very diverse and mixed culture within Nuclear Transport Solutions (following the integration of Direct Rail Services and International Nuclear Services), which makes our commitment to security even more important. In December 2024, we conducted an internal Security Culture baseline assessment which provided insights on areas for improvement, and allowed us to plan training and awareness programmes.
NTS is committed to getting our security culture right; we want to understand what is going well, and what improvements we can make. This will help us to direct and shape future initiatives and to better understand the sources of problems we have already identified. To measure our progress we use internal reporting of close calls and security events – these metrics allow us to monitor trends.
We wish to embed an effective security culture where security is a collective responsibility shared by everyone. To achieve this we deliver a range of education and awareness campaigns including animations, scenarios, modules and quizzes. Staff have the opportunity to attend briefings and engage in practical training sessions.
Why did you use the tool and what were your experiences of using it?
NTS have a ‘Culture Blueprint’ that states “great organisations that achieve great things are driven by great cultures”. We want everyone in NTS to perform to the best of their ability to achieve the best possible results. With this in mind, and given changes to the threat landscape and working practices, we want to best support staff to act securely. Further to this, our senior management are invested in improving our security culture.
NTS was therefore drawn to the Security Behaviours survey within the Security Culture Tool to explore and understand specific behaviours demonstrated by staff across the organisation, enabling us to identify how frequently staff engage in those behaviours. This would then allow us to enhance our security practices and foster a culture of security awareness across the organisation.
The Tool was very easy to navigate, and the user guidance provided by NPSA was concise and easy to follow. As a pilot partner, it was expected that we might encounter technical glitches when using the tool. These were reported to the NPSA team and fixes were released as part of subsequent updates to the tool.
What are your next steps and do you have any advice for organisations considering using the tool?
We are in the process of sharing our results with our senior leadership team and identifying new initiatives to drive Security Culture forward in the organisation.
Our advice would be to consider how your workforce will complete the surveys. We flagged to NPSA that some of the workforce are not in desk-based roles and we did not want to have to exclude them from the process. NPSA supported us in planning around this and have since developed mobile-friendly versions of the surveys that mean all of our workforce would be able to participate.
Think about the wording of any custom questions to reduce the number of ‘not applicable’ options. This will allow you to better understand your staff’s attitudes towards security.