- Technology can compensate for human error but cannot prevent it. Over 80 percent of all security incidents have a human component: a click on a phishing link, a forwarded password, a forgotten update.
- Security culture means employees act security-consciously not out of fear of punishment but out of conviction and habit. This requires psychological safety: those who report a mistake are supported, not punished.
- Executive management and leadership are the most important culture carriers. If the CEO does not lock their screen and shares passwords via email, every awareness campaign is ineffective.
- Building a security culture is a long-term project that takes years. Short-term campaigns generate short-term attention but no lasting behavioral change.
- Measurable indicators for security culture include: reporting rate for suspicious emails, phishing click rate, time to incident reporting, participation in voluntary training, and feedback from employee surveys.
The Limits of Technology
Every organization that invests in cybersecurity buys technology first: firewalls, antivirus software, email filters, endpoint detection and response, SIEM systems. These investments are correct and necessary. But they create a false sense of security when they ignore the human factor.
An email filter can catch 99 percent of all phishing emails. But the one email that gets through is enough if the recipient clicks the link and enters their credentials. Endpoint detection can identify and block malware. But if an employee grants remote access to their computer to a caller posing as Microsoft support, the best software will not help.
The numbers confirm this with alarming clarity. The Verizon Data Breach Investigations Report has shown for years that over 80 percent of all data breaches have a human component. Analysis of ransomware incidents by the BSI shows that initial access in most cases occurs through phishing, compromised credentials, or social engineering. In all these scenarios, it is not the technology that fails but the human.
This does not mean employees are at fault. It means the organization has not adequately empowered its employees to recognize threats and respond appropriately. And it means that the conditions under which employees work are not designed so that secure behavior is the easiest and most obvious path.
What Is Security Culture?
Security culture is more than knowledge about threats. Knowledge alone does not change behavior. Everyone knows that smoking is unhealthy, and yet millions of people smoke. Every employee knows after the annual mandatory training that phishing emails are dangerous, and yet they click on links.
Security culture means that security-conscious behavior becomes a habit. It is the state where employees lock their screen when they leave their desk, not because a policy requires it but because it feels natural. Where suspicious emails are reported, not because there is a process for it but because it is self-evident. Where security questions are raised early in new projects, not because a security review is mandated but because everyone involved understands the relevance.
Edgar Schein, one of the most influential organizational psychologists, defines organizational culture across three levels: artifacts (visible structures and processes), espoused values (strategies, goals, philosophy), and basic assumptions (unconscious, taken-for-granted beliefs and perceptions). A true security culture manifests at all three levels.
At the artifact level, security culture is visible in clean desk policies, access controls, security signs on the walls, and a clearly visible incident reporting channel. At the espoused values level, it shows in the information security policy, leadership statements, and defined training programs. At the basic assumptions level, it shows in employees intuitively assuming that security is important, that mistakes should be reported, and that security measures are perceived not as obstacles but as protection.
Most organizations operate on the first two levels: they create policies and hang up posters. The third level — basic assumptions — is the hardest but also the most effective. That is where the culture emerges that works even when nobody is watching.
The Role of Leadership
No other factor has a greater influence on security culture than the behavior of leadership. Employees orient themselves less by what leadership says than by what leadership does.
If the CEO leaves their laptop unlocked on the conference table, employees learn that screen locking is not important. If the department head shares their password with their assistant so emails can be answered during their absence, employees learn that password sharing is acceptable. If the IT manager refers to security measures as a "necessary evil," employees learn that security is an obstacle.
Conversely, the mechanism works the same way. When executive management emphasizes at every opportunity that security is a priority — and demonstrates this through their own behavior — when executives handle credentials responsibly and take security questions seriously, employees orient themselves by this standard.
The practical implications for leadership are: participate in training, not just as silent observers but as active participants. Speak openly about security topics, even if that means admitting your own mistakes. Provide resources for security measures, even if they cost money in the short term and do not generate immediate revenue. And actively ask about security aspects in projects — not only after something has gone wrong.
Psychological Safety: The Fundamental Prerequisite
Psychological safety is a term from organizational psychology describing the confidence that one can take risks within a team without fearing negative consequences. In the context of information security, this means: employees must feel safe reporting mistakes and suspicious observations without fear of punishment or public embarrassment.
This sounds obvious, but it is not. In many organizations, a culture of blame prevails. Anyone who clicks on a phishing link is named in the departmental meeting. Anyone who finds a USB stick and plugs it in receives a written warning. Anyone who causes a security incident is portrayed as incompetent.
The consequence is predictable: employees stop reporting. Suspicious emails are deleted instead of reported because the report might lead to uncomfortable questions. Mistakes are concealed instead of communicated because the consequences of reporting seem worse than the consequences of the mistake. And security incidents are only discovered when the damage has already occurred because nobody passed on the early warning signs.
The right approach is a Just Culture — a culture that distinguishes between human errors, risky behavior, and deliberate misconduct. Human errors (e.g., clicking on a well-crafted phishing email) are not punished but used as learning opportunities. Risky behavior (e.g., deliberately circumventing a security measure out of convenience) is addressed but constructively, with the goal of understanding the cause and improving the conditions. Deliberate misconduct (e.g., intentionally sharing confidential data) is handled through disciplinary action.
The distinction is critical. If you treat everything the same — either punishing everything or tolerating everything — you destroy the security culture in both cases. In the first case through fear, in the second through indifference.
The Five Pillars of Security Culture
Building a security culture can be organized into five interconnected areas that work together and reinforce each other.
1. Create Awareness
The foundation is knowledge about threats, risks, and one's own role in the security framework. But awareness does not come from one-time mandatory training. It comes from continuous, varied, and relevant communication.
Instead of an annual 90-minute mandatory training that covers all topics and truly reaches no one, short, regular impulses are more effective: a five-minute video about current phishing campaigns in the monthly newsletter, a short security news segment in the team meeting, a poster in the elevator addressing a current threat, a short quiz on the intranet. The regularity and variety of formats ensure the topic remains present without becoming a burden.
The content must be relevant and specific. "Phishing is dangerous" is a truism that motivates no one to act. "This week, a phishing email is circulating that mimics a DHL delivery notification and asks you to confirm a delivery address. Here's how to recognize it:" is specific, current, and actionable.
2. Enable Behavior
Knowledge alone does not change behavior when the conditions work against it. If reporting a suspicious email requires five clicks and filling out a form, nobody will report suspicious emails. If using the password manager is more complicated than memorizing simple passwords, nobody will use the password manager. If the VPN drops on every other connection attempt, employees will find ways to bypass it.
Secure behavior must be the path of least resistance. This requires security tools that are intuitive and reliable, processes that are as simple as possible, and an IT department that responds to employee feedback and removes obstacles.
A phishing report button in the email client (e.g., via an Outlook add-in) reduces the reporting effort to a single click. A password manager that seamlessly integrates into the browser and auto-fills passwords makes strong passwords more convenient than weak ones. An SSO system that enables login to all applications with a single sign-in eliminates the temptation of password reuse.
3. Strengthen Motivation
People change their behavior when they understand the benefit and receive positive reinforcement. Motivation for security-conscious behavior can be intrinsic (I protect myself and my team) or extrinsic (I am rewarded or recognized).
Intrinsic motivation comes from understanding. When employees understand why a measure exists — not just that it exists — their willingness to comply increases. "Lock your screen" produces compliance. "An unlocked screen allows any visitor to read your emails, copy files, or install software. It takes 30 seconds and can put you and your colleagues in serious trouble" produces understanding.
Extrinsic motivation can be strengthened through recognition and gamification elements. Employees who report suspicious emails receive a brief thank-you message. Teams that perform well in phishing simulations are positively highlighted. Departments can compete in a friendly contest for the best reporting rate.
4. Establish Norms
Norms are unwritten rules that govern behavior in a group. If the norm in your organization is that "security is annoying but mandatory," security is perceived as a burden. If the norm is that "we look out for each other and report suspicious things," security is perceived as a shared responsibility.
Norms are established through repeated behavior, especially the behavior of influential people. Security Champions play a central role in establishing positive norms because as peers they have higher credibility than the IT department.
Storytelling is a powerful tool for norm building. Tell stories of employees who prevented an incident through attentive behavior. Share anonymized examples from your own organization or industry that show what difference individual behavior makes. Stories stay in memory; policy texts do not.
5. Provide Feedback
Security culture needs a feedback loop. Employees need to know whether their behavior makes a difference — whether the reported email was actually phishing, whether the security measure they find cumbersome can be adjusted.
When an employee reports a suspicious email, they should receive feedback within 24 hours: "Thank you for the report. The email was indeed a phishing attempt. We have blocked the sender and warned all employees." Or: "Thank you for the report. The email was legitimate in this case, but your suspicion was justified because the sender was unknown. Continue reporting everything that looks suspicious."
Without feedback, motivation withers. If reports go nowhere and no response ever comes, employees stop reporting. If improvement suggestions are ignored, they stop making suggestions. The feedback loop keeps the security culture alive.
Common Mistakes in Culture Building
Building a security culture is a long-term process, and there are typical mistakes that jeopardize success.
Security as police rather than partner: If IT security is primarily perceived as a control body that creates rules, punishes violations, and makes employees' lives difficult, resistance rather than cooperation develops. IT security must be positioned as a partner that supports and protects employees in their work, not as an adversary to defend against.
One-time campaigns instead of continuous work: An awareness week in October or an annual mandatory training produces a short-term effect that fades after a few weeks. Security culture requires continuous work, not isolated events. The awareness week can be one element, but not the only one.
Fear as motivator: Fear-based campaigns ("If you click the link, the company will be hacked and it's your fault") generate short-term attention but long-term resignation and avoidance behavior. Employees who are afraid do not report mistakes because they fear the consequences.
One size fits all: The same training for all employees ignores the different roles, risks, and knowledge levels. The accountant needs different content than the software developer, and executives have different risk profiles than production staff. Target-group-specific content is more effort but significantly more effective.
Technology without explanation: New security measures are introduced without explaining to employees why they are necessary and how they work. The result is frustration and attempts to circumvent the measure. Every new security measure needs accompanying communication that explains the benefit and answers questions.
Measuring Security Culture
What you cannot measure, you cannot improve. Measuring security culture is harder than measuring technical metrics, but not impossible.
Quantitative indicators: Phishing click rate in simulations (target: declining trend), reporting rate for suspicious emails (target: rising trend), time to security incident reporting (target: declining), participation rate in voluntary training (target: rising), number of security questions in project kickoffs (target: rising), number of clean desk violations in spot checks (target: declining).
Qualitative indicators: Feedback from employee surveys on the topic of security, quality of reports (are only obvious phishing emails reported or more subtle ones too?), feedback from new employees on the onboarding experience regarding security, observations from Security Champions in their teams.
The combination of quantitative and qualitative indicators provides a differentiated picture of the security culture. No single indicator is meaningful enough on its own, but the trend across multiple indicators shows whether the culture is developing in the right direction.
The Long Game
Security culture does not emerge overnight. Research on organizational culture shows that sustainable cultural changes take three to five years. This does not mean you have to wait three to five years for results. Initial improvements — declining phishing click rates, rising reporting rates — are often visible within a few months. But the deep basic assumptions that sustain real behavioral change take time.
The decisive success factor is consistency. Not the spectacular one-off action but the persistent, continuous work across all five pillars. A short impulse every month. A phishing simulation with feedback every quarter. An annual security culture survey. In ISMS Lite, awareness activities, training records, and culture indicators can be documented in one place and presented in the management review. A security question at every project kickoff. A response to every report.
When you take this path, you will find that the security culture has positive effects beyond information security. An organization where people speak openly about mistakes, where leaders practice what they expect, and where improvement is understood as a shared goal is more effective in every area. Security culture is not an isolated IT topic. It is a sign of organizational maturity.
Further Reading
- Building a Security Awareness Program: What Employees Really Need to Know
- Running a Phishing Simulation: Tools, Scenarios, and Evaluation
- Security Champions in the Enterprise: Multipliers Instead of Lone Fighters
- Security Awareness for Executives: Different Topics, Different Tone
- Information Security Onboarding: Getting New Employees Off to the Right Start
