It is a fact, universally acknowledged in the industry, that modern information security must turn its focus to the employees themselves to fully secure a business. Admittedly, some work has been done here: as of 2015, 72% of large organisations and 63% of small businesses provided ongoing awareness training (Information Security Breaches Survey 2015 – Executive Summary, 2015). There is certainly room for improvement, but the area is gaining traction.

The problem, however, is with the term awareness. The current focus on awareness training rests on one key fallacy: that if staff are aware of the correct behaviour, they will follow it.

Picture the scene. Sarah in engineering receives a fairly obvious phishing email asking her to click a link to access some “crucial files”. She is aware she should report it, but it’s late in the day and she has work she wants to polish off before heading home. In addition, the reporting mechanism is a bit long-winded, her manager has openly never bothered to follow this rule, and at one point he actively complained about the interference of “annoying” security policy. Snap decision. What does she do? She deletes it. The email continues to circulate among other employees, and it is really only a matter of time before someone makes a mistake.

Being aware of a risk is really only the first step. It takes a little something extra to get you to act, and more still to get you to change the way you act. Crucially, we need to move beyond a group of employees being simply aware of secure behaviour and arrive at the point where, when a security situation arises, staff behave securely as a matter of habit.

This boils down to looking at organisational culture, which is the set of shared assumptions that guide what happens in organizations by defining appropriate behaviour for various situations (Ravasi and Schultz, 2006).

Here we can see that it is the culture that bridges the gap between an employee’s awareness of the risk and the action that treats the risk appropriately.

Let’s go back to our previous situation and imagine that this time Sarah’s manager is pro-information-security, actively following procedure and advocating safe behaviour to those under him. Furthermore, the reporting system is easy to use: perhaps a few clicks, maybe just a swift forward to a particular company email account. This time Sarah follows procedure and the threat is dealt with, avoiding a costly phishing incident.

Note that the differences do not share a single theme. One is a managerial difference in attitude; another is a swift reporting system or an easy-to-follow protocol. The only overarching theme is that the company culture is aligned with secure behaviour, and that alignment shows in its mechanisms, policy and people.

Staff should be a line of defence and not a liability. It is time to stop focusing on security awareness and start focusing on building a secure culture.


Information Security Breaches Survey 2015 – Executive Summary. (2015). [ebook] PWC. Available at: [Accessed 28 Aug. 2019].

Ravasi, D. and Schultz, M. (2006). Responding to Organizational Identity Threats: Exploring the Role of Organizational Culture. Academy of Management Journal, [online] 49(3), pp.433-458.