Get Secured
← All Posts People and Process

Web3 Security Culture: How to Build Security Behaviour in a Decentralised Organisation

Policies do not stop breaches. People do, or they do not, depending on whether the organisation has built a culture where secure behaviour is the default rather than the exception.

Most Web3 security failures are not caused by a missing control. They are caused by a person who knew the control existed and bypassed it anyway, because it was inconvenient, because no one was watching, or because raising a concern felt riskier than staying quiet. Access control policies, multisig thresholds and monitoring tooling all matter, but none of them work reliably without a supporting security culture: the set of shared beliefs and everyday habits that make secure behaviour the path of least resistance rather than a chore imposed from above.

This is the most under-invested part of the People, Process and Technology (PPT) framework in crypto organisations. Firms will spend heavily on audits and monitoring infrastructure while treating culture as an HR concern rather than a security control. That is a mistake, because culture determines whether the other two pillars actually get used correctly under pressure, at 2am, by someone who is tired, rushed or new to the team.

What Security Culture Actually Is (and Is Not)

Security culture is often confused with security awareness training, but the two are not the same thing. Awareness training gives people knowledge: what phishing looks like, why seed phrases must never be shared, how a signing request should be verified. Culture determines whether that knowledge translates into behaviour when it is inconvenient to do so.

A team can have excellent training completion rates and still have poor security culture, if the unspoken norm is that meeting a deadline matters more than following a verification step, or if raising a concern about a colleague's behaviour is seen as disloyal. Culture lives in the gap between what the policy says and what people actually do when they think no one is checking.

No security policy survives contact with a team that does not believe in it. Culture is the reason people follow procedure when no one is watching, and it cannot be bought with a policy document.

Security culture is also not the same as compliance. A team can pass every audit checkpoint and tick every training box while harbouring a culture where security is viewed as an obstacle imposed by outsiders. Genuine culture is present when engineers, community managers and founders alike treat a colleague's security question as a normal, welcome part of daily work rather than an interruption or an accusation.

The Web3 Security Culture Challenge: Remote, Decentralised and Pseudonymous

Building culture is harder in Web3 than in almost any other sector, for structural reasons that most conventional security culture guidance does not address. Security4Web3 has previously covered the security culture foundations that apply broadly across the industry. This piece goes further into the specific structural conditions that make Web3 organisations distinct, and what leaders need to do differently as a result.

Remote-first, no shared physical space

Most Web3 teams are distributed across many countries and time zones, with limited or no in-person contact. Traditional culture-building relies heavily on physical presence: overheard conversations, visible leadership behaviour, informal correction of bad habits. None of this happens naturally in a fully remote team, so culture has to be built deliberately through structured communication rather than absorbed passively.

Pseudonymous and semi-anonymous contributors

Many crypto projects work with contributors who operate under pseudonyms, sometimes for good operational security reasons, sometimes purely by community convention. This creates a genuine tension: the same anonymity that protects an individual contributor from targeted attacks also makes it harder to build the interpersonal trust and accountability that underpin culture in a conventional workplace. Security leaders need to design culture-building practices that work even when they do not know a contributor's real identity, focusing on consistent behaviour and reputation within the pseudonymous identity rather than on personal relationships.

Flat or decentralised governance

Decentralised autonomous organisations and community-governed protocols often lack a conventional management hierarchy. There may be no line manager to model expected behaviour or correct a lapse. In this environment, culture has to be embedded in the protocol's norms, tooling defaults and community expectations, rather than delivered top-down through a manager, because in many cases there simply is no manager in the traditional sense.

High turnover and contractor-heavy teams

Web3 teams frequently rely on contractors, grant recipients and short-term contributors who rotate through a project quickly. This constant turnover means culture cannot depend on long tenure or slow-building trust. It has to be transmitted quickly through onboarding, visible norms and a low-friction way for new contributors to learn what "normal" looks like within days, not months.

The Security Champions Model for Web3 Teams

One of the most effective structural responses to the challenges above is the security champions model: designating individuals embedded within engineering, operations, treasury and community functions who act as a local point of contact for security questions, without needing to be full-time security specialists themselves.

Why champions work in decentralised teams

A centralised security team, however capable, cannot be present in every Discord channel, every deployment decision and every treasury discussion across a distributed organisation. Champions extend the reach of the security function into every part of the organisation, translating central guidance into locally relevant practice and, just as importantly, feeding local concerns back to the central team before they become incidents.

Selecting and supporting champions

Champions should be selected for credibility and communication ability within their own function, not necessarily technical depth in security. A well-regarded community manager who understands social engineering risk can be as effective a champion within their function as a senior engineer is within engineering. Champions need direct access to the core security team, a clear and lightweight escalation path, and periodic training that keeps their knowledge current without turning the role into an unpaid full-time job.

Avoiding the token champion trap

A common failure mode is appointing champions in name only, without giving them time, authority or visibility to actually do the role. If a champion's manager does not protect time for the role, or if leadership never acts on issues a champion raises, the position becomes symbolic and credibility collapses quickly. Champions must be visibly supported by leadership and their input must demonstrably influence decisions.

Psychological Safety: Why People Must Feel Safe to Report

The single strongest predictor of whether a security incident is caught early or allowed to escalate is whether the person who first notices something wrong feels safe raising it. This is true whether the person made the mistake themselves, such as clicking a phishing link, or is reporting a colleague's risky behaviour.

Blame culture guarantees silence

If a team member who reports their own mistake is publicly criticised, disciplined disproportionately, or quietly frozen out, every other team member learns the real lesson immediately: do not report anything. This dynamic is especially dangerous in crypto, where a delay of even a few minutes in reporting a compromised credential or an unusual signing request can be the difference between a contained incident and a catastrophic loss.

What psychological safety looks like in practice

Practically, psychological safety means leadership visibly and consistently thanking people for reporting concerns, even false alarms, treating genuine mistakes as learning opportunities rather than disciplinary events, and separating the question of "what happened" from the question of "who is to blame" during any post-incident review. It also means giving people an anonymous or low-friction reporting channel for situations where they are not comfortable raising an issue by name, particularly relevant in pseudonymous or contractor-heavy teams.

The pseudonymity paradox

In pseudonymous teams, psychological safety has an additional dimension: a contributor may fear that reporting a concern about another contributor's behaviour will expose their own identity or invite retaliation within a tightly connected community. Leaders need explicit, trusted mechanisms, such as a named ombudsperson or a genuinely anonymous reporting tool, to make reporting safe even under these conditions.

Leadership Behaviours That Drive Security Culture

Culture is set far more by what leaders visibly do than by what any policy document says. Employees and contributors calibrate their own behaviour against what they observe leadership actually doing under pressure, not against the handbook.

Leaders must follow the same rules

If a founder or executive bypasses multisig approval for convenience, or shares credentials over an insecure channel because they are in a hurry, that single visible act undermines months of security awareness training. Leadership exceptions to security procedure, even rare ones, are remembered and used to justify wider non-compliance.

Leaders must ask about security, not just fund it

A leadership team that reviews security metrics quarterly and asks informed questions signals that security is a genuine priority. A leadership team that approves a security budget once a year and never mentions it again signals the opposite, regardless of how large that budget is.

Leaders must respond visibly to reports

When someone raises a security concern, visible and timely leadership follow-through, even a simple acknowledgement and an update on what was done about it, reinforces that reporting matters. Silence after a report is one of the fastest ways to erode the psychological safety described above.

Incentives, Norms and the Danger of Perverse Incentives

Incentive structures shape behaviour whether or not they are designed to. Web3 organisations, with their heavy use of token incentives, grants and performance-based compensation, need to be particularly careful about the secondary effects of incentive design on security behaviour.

Speed incentives undermine caution

Compensation or recognition structures that reward shipping speed above all else create quiet pressure to skip verification steps, rush code review, or bypass change management under deadline pressure. If the fastest path to recognition is also the least secure path, most people will eventually take it, not out of carelessness but out of rational response to the incentives in front of them.

Punishing honesty backfires

Incentive systems that penalise a contributor for reporting their own error, whether through financial penalty, loss of a grant, or reputational damage within the community, teach people to conceal problems rather than surface them. This is the perverse incentive that undoes psychological safety even when the stated policy claims to welcome reports.

Positive incentives that work

Bug bounty programmes, recognition for identifying near misses, and public acknowledgement of contributors who raise legitimate concerns all reinforce the behaviour organisations actually want. The key design principle is that the incentive should reward the act of surfacing a problem, not just the absence of problems, because the absence of reported problems is often indistinguishable from a culture where problems are simply being hidden.

Norms reinforce or undercut incentives

Formal incentives only work alongside informal norms that point the same direction. If the written policy rewards reporting but the informal community consensus treats a person who raised a concern as a troublemaker, the informal norm usually wins. Leaders need to actively shape community-level norms, not just formal incentive structures, particularly in Web3 organisations where community sentiment carries significant social weight.

Measuring Security Culture: Leading Indicators That Work

Culture is often dismissed as unmeasurable, but this is not true. Organisations that treat security culture seriously track leading indicators that correlate strongly with future incident rates, rather than waiting to measure culture through the number of breaches that eventually occur.

Self-reporting volume and speed

A rising number of self-reported near misses and honest mistakes is usually a sign of improving culture, not declining security, because it indicates people feel safe enough to come forward. The speed between an event occurring and it being reported is an equally important signal: a shrinking gap indicates growing trust in the reporting process.

Participation in voluntary security activities

Attendance at optional security briefings, engagement with phishing simulation debriefs, and voluntary uptake of security champion roles all indicate genuine buy-in rather than compliance under duress. These signals should be tracked alongside the completion rates that come out of a formal security awareness programme, since completion alone does not tell you whether people actually internalised anything.

Anonymous culture surveys

Short, regular anonymous surveys asking whether people feel comfortable reporting a mistake, whether they believe leadership takes security seriously, and whether they have seen colleagues bypass procedure, provide a direct read on culture that is otherwise hard to observe. Trends over time matter more than any single result.

Time to remediate flagged issues

How quickly an organisation acts on a reported concern is itself a culture signal. Long delays between a report and visible action teach people that reporting does not lead anywhere, quietly discouraging future reports regardless of what the policy says.

These culture metrics work best when integrated into the same dashboard used for broader security metrics and KPIs, giving leadership a single view that connects human behaviour signals to technical and process outcomes rather than treating culture as a separate, softer concern.

Security culture cannot be delegated entirely to a training vendor or built through a single onboarding module. It has to be reinforced continuously through hiring decisions, which is why culture fit belongs alongside technical checks in employee security vetting, and sustained through ongoing, well-designed security awareness training that treats adults as capable of understanding why a control matters, not just what the control is. Organisations that get this right end up with something no audit or monitoring tool can replicate: a workforce that behaves securely because it wants to, not because it is being watched.

Frequently Asked Questions

What is security culture in a Web3 organisation?

Security culture is the set of shared beliefs and everyday behaviours that lead people to follow secure practices because they understand and accept why they matter, rather than because a policy document requires it. It shows up in whether people report mistakes, question unusual requests, and treat security as part of their job rather than someone else's.

Why is building security culture harder in Web3 than in traditional organisations?

Web3 teams are frequently remote-first, span many time zones, include pseudonymous or semi-anonymous contributors, and often operate under flat or decentralised governance with no clear management chain. These conditions weaken the normal channels, such as in-person onboarding and direct line management, that traditional organisations use to embed culture.

What is a security champion and does a small Web3 team need one?

A security champion is a team member embedded in engineering, operations or community functions who acts as a local point of contact for security questions and practices, without being a full-time security specialist. Even small teams benefit from designating one, because it distributes security ownership beyond a single centralised function.

How do you measure whether security culture is improving?

Track leading indicators such as the volume and speed of self-reported incidents and near misses, participation rates in voluntary security activities, time to patch or remediate flagged issues, and results from anonymous culture surveys, rather than relying solely on lagging indicators like the number of confirmed breaches.

Can financial incentives improve security behaviour in a crypto team?

Financial incentives can help, such as bug bounty rewards or recognition tied to secure delivery, but they must be designed carefully. Incentives that reward speed of shipping over caution, or that punish people for reporting their own mistakes, create perverse behaviour and actively undermine culture.

Build a Security Culture That Outlasts Any Single Policy

Book a Security Review