Man with glasses looking at monitor

Cyber risk culture survey

Back to Cyber Risk Overview
Cyber Risk Services

Assess: Cyber risk culture survey

Diagnosing company culture to mitigate risk

With the majority of all cyber breaches resulting from some type of human error or behavior (whether negligent or malicious acts), many organizations have an interest in identifying key employee behaviors and aspects of workplace culture that may be contributing to information security risk. Willis Towers Watson provides insight into the people risk and is well-positioned to help clients address the vulnerabilities created by their workforce.

Sources of risk can include employees’ lack of awareness and personal responsibility for cyber risk, poor understanding of steps the organization is taking to address cybersecurity, and a low “cyber IQ” resulting in behaviors that increase risk to internal systems and processes. Vulnerabilities can be present generally or in pockets within the organization.

How employee behavior drives cyber risk

  • Employee negligence or malicious acts are responsible for 61% of cyber breaches.1
  • Companies experiencing cyber breaches lack these critical aspects of employee experience: purpose tied to customer centricity (e.g. responsiveness and optimizing processes); work marked by speed & flexibility in making decisions and managing teams; people practices that empower staff through voice, respect, support for teamwork, and stress training and development that align with pay and performance.2
  • Companies’ perceptions of their cyber risk readiness and governance are not matched by actual employee actions. For example, nearly half of employees think it’s safe to open any email on a work computer.3

Only by investigating vulnerabilities in detail and raising employee awareness can organizations take appropriate corrective and preventative action.

Willis Towers Watson Cyber Risk Culture Survey

Using our vast experience in employee research and cyber risk management, Willis Towers Watson’s Cyber Risk Culture Survey collects data directly from employees regarding frequency of cyber-savvy behaviors and perceptions of cyber risk challenges in the workplace.

The result is a profile of the current state of cybersecurity awareness and employee actions across the organization that points the way to building a cyber smart workforce. Results provide a clear picture of an organization’s internal risk culture and allow senior leadership to take decisive action to create solutions.

The reports provide rich cyber risk culture insights that enable you to:
  • Identify employees with the greatest likelihood of causing a cyber incident and predict frequency of high-risk cyber behavior.
  • Categorize those employees by function, geography, title and/or role — enabling the efficient targeting of an appropriate mitigation plan.
  • Prioritize for action to promote a “cyber-savvy” workforce.
  • Extend to vendors to determine “people risk” of supply chain and other business partners.
Sample screenshots, showing the category breakdown, team profile, training, and 'how to read results' screens

Deployment options

The survey is tailored to your organization’s needs and preferences. Options include:

  • Vulnerability index — included within existing employee engagement surveys to obtain a high-level cyber risk culture profile. The index highlights areas of greatest cyber vulnerability via a heat map.
  • Self-administered pulse survey — deployed across an organization or targeted to specific groups, it provides a more detailed examination of the cultural elements of an entity’s cyber risk.
  • Full-service survey — developed from over 100 customizable questions, it provides a deep-dive assessment of an organization’s cyber risk culture with in-person consultative engagement and other scoping options adaptable to small, mid-size, and large organizations.

Why Willis Towers Watson?

More than half of all cyber incidents begin with employees, so it’s a people problem. And the average breach costs $4 million, so it’s a capital problem, too. No one decodes this complexity better than Willis Towers Watson. As a global leader in human capital solutions, risk advisory and broking, we are well prepared to assess your cyber vulnerabilities, protect you through best-in-class solutions and radically improve your ability to successfully recover from future attacks. Explore comprehensive cybersecurity solutions at 


  1. Willis Towers Watson 2017 Reported Claims Index
  2. Proprietary Willis Towers Watson analysis of employee survey data against Global High Performance Norm and Global IT Functions Norm benchmarks
  3. 2017 Willis Towers Watson employer and employee cyber risk surveys