Security Culture as Digital Literacy
Shared norms that protect the people around you
Security culture is the shared practices and norms communities adopt to reduce unnecessary risk to one another when using digital tools.
Why This Belongs in Digital Literacy
We already teach people to evaluate sources, manage passwords, and choose better tools. But we rarely talk about the social layer — how groups communicate, what they share, where they share it, and how those habits affect everyone in the room.
Security culture fills that gap. It's digital literacy applied to community care.
A teacher who uses Signal but forwards sensitive conversations to a group chat with 200 people has good tools and weak culture. A school that stores student data in encrypted systems but never discusses who has access has strong architecture and no shared norms. The tools matter, but the habits around the tools matter just as much.
How This Differs from Other Groves
This grove sits alongside three related ones. Here's how they're distinct:
| Grove | Focus |
|---|---|
| Privacy by Design | How tools are built — encryption, zero-knowledge, defaults |
| Digital Sovereignty | Who owns and controls the infrastructure |
| Digital Resilience | How individuals and groups sustain capacity over time |
| Security Culture | How people behave together — shared norms, communication discipline, collective care |
Privacy by Design asks: Does this tool protect us?
Security Culture asks: Are we protecting each other?
The distinction matters because even the best tools fail when people use them carelessly. And even imperfect tools can work well when a group has strong shared habits.
Core Principles
1. Need-to-know as kindness
Not everyone needs every piece of information. Sharing selectively isn't about secrecy — it's about reducing the burden on others. If someone doesn't need to carry a piece of sensitive information, don't hand it to them.
2. Communication discipline as care
Choosing the right channel, the right audience, and the right level of detail isn't paranoia. It's thoughtfulness. It's the difference between shouting across a crowded room and walking over to have a quiet conversation.
3. Consent and context
Information shared in one context shouldn't automatically flow to another. A question asked in a small group isn't an invitation to broadcast the answer. Respecting context is a literacy skill.
4. Collective responsibility
Individual habits shape collective consequences. When one person in a group is careless with information, everyone connected to that person absorbs the risk. Security culture distributes that responsibility so no single person carries it alone.
What This Looks Like in Practice
For a school team: Before sharing student data in a chat thread, pause and ask — does everyone in this thread need this information? Is this the right channel?
For a community organization: When onboarding new members into digital spaces, take time to explain what gets shared where, how decisions are communicated, and what stays private.
For a family: Talk about what's okay to post about each other online. Establish norms before the first school photo goes on social media.
The Notes in This Grove
This grove contains four notes, each exploring a different dimension of security culture:
- Group Architecture & Trust — How group size, structure, and shared norms shape the safety of digital spaces
- Ephemeral Communication & Information Half-Life — Why not everything should be archived, and how letting information decay can be an act of care
- Alert Fatigue & Information Hygiene — How to maintain clear thinking when everything feels urgent
- Threat Modeling for Communities — Simple reflective questions that help educators, families, and organizations think about what they're actually protecting
Foundational Concepts
- Privacy Security Encryption Defined — The three layers of protection
- Privacy is Power Not Secrecy — Why privacy is about agency, not hiding
- Threat Modeling for Regular People — The individual version of community threat modeling
Related
- Digital Self-determination — The parent framework
- Privacy by Design — Tools that protect you by default
- Digital Resilience — Sustaining capacity over time
- Digital Sovereignty — Owning your infrastructure
Security culture isn't about suspicion. It's about paying attention to the people around you and making choices that reduce harm.