4th September 2019

Security culture: what it is and how you can benefit from it

Cyber Security: Thumnail shows an eye with a kind of AR monocle.

To increase the security awareness of the employees in the long term and to build and maintain a cyber security culture, 5 steps should be considered:

  • What is a cyber security culture?
  • How to manage cyber security culture
  • How to measure the level and track changes
  • How to change the behavior of employees
  • What is the best change management strategy?

Our blog gives you an informal introduction to these steps and subsequent tips, including selected tactics that will lead to success.

When implementing a successful cyber security culture, we focus on three pillars: training, awareness & communication, and implementing a security culture.

What exactly is a security culture?

In addition to technical cybersecurity solutions, the correct behavior of employees plays a key role. This behavior is underpinned by an active security culture. To understand what a security culture is, we need to understand what the difference between a security culture and security awareness is:

  • Security Awareness: “Security awareness is the knowledge and attitude members of an organization possess regarding the protection of the physical and, especially, information assets of that organization”. (http://en.wikipedia.org/wiki/Security_awareness)
  • Security culture: “Information Security Culture is the result of values, attitudes, know-how and patterns of behavior that determine the commitment to information security”. (Schlienger T. 2006)

Thus, a culture is more profound than awareness. The culture is internalized in action: people no longer think about it, they just do it.

However, a security culture cannot be created, built and maintained without a sense of security. Therefore, it is important that both topics be handled together.

Depending on whom you ask, the definition of a security culture can be somewhat different. KES has interviewed various security experts in one article on this very issue (KES 2019).

Security culture is part of the corporate culture and thus anchored in it. These are security -related values, behaviors and beliefs, which can each look different, even within a company. Security culture is a cycle: it defines the current state, the potential for improvement, the goals and the monitoring. This cycle is implemented and becomes part of daily life in the company through the cooperation of all persons, from the management level to the employee. Continuous communication is decisive for making this happen. What most experts agree on is the importance of a "climate of trust" so that security can be actively lived. Employees, for example, should not be afraid to report phishing e-mails, be it an incident or a guess. The messages, concerns and concerns of employees at all levels should be taken seriously and supported. One way to encourage this is by examples of appropriate behavior set by the management.

Security must be seen by everyone as a positive and important supplement to (everyday) work. A security culture that is put into practice practiced sensitizes employees to risks, which benefits the company. Therefore, the most central element of security culture is human behavior.

This is where security awareness comes into play, which deals with the training of human behavior.

How can a security culture be implemented

First, a security culture is actively controlled and supported by the company and its employees. You can always influence and control it when you realize that something is going in a different direction from the one you intended. To do that, you must define what needs to be done. This quality assessment can be achieved using the capability maturity model. You measure, plan and optimize the security culture and then implement everything accordingly.

Cyber security; security culture maturity model.
Capability maturity model (CMM) of security culture

The Capability Maturity Model makes this assessment based on five levels:

  1. Not available: A program to promote a security culture does not exist.
  2. Repeatable: The program is primarily designed to meet specific compliance or audit requirements. Investment and quality are subject to strong fluctuations.
  3. Defined: The goals of the security culture are defined and aimed at a behavioral change. A special organizational unit is responsible for the implementation. Investments are reasonably reliably assessable. The quality is still subject to fluctuations.
  4. Controlled: Necessary processes, resources, and leadership support for a long-term lifecycle of security culture are in place. Investment and quality are reliably controllable.
  5. Optimizing: security culture is measured to track progress and measure impact. This improves the security culture continuously and can demonstrate the return on investment.

The SANS Institute (SANSInstitute 2019) conducted a study last year to find out what level the companies are at. The result is scary: most companies do not get beyond level 3.

The implementation of a security culture is not only the task of the security team, but of all employees. This is achieved in collaboration with the management and all organizational units.That means that secure behavior is lived from top to bottom and that everyone is enabled to implement it. As the basis, the security department, in cooperation with the other organizational units, develops a security strategy. This includes awareness measures, which form the basis. They are supplemented by instructions and guidelines that need to be understandable, structured and workable to be used.

How does a living security culture happen?

Rapid technological development in IT has led to a change in traditional forms of work. Behaviors that were without consequence a few years ago (e.g., attaching files to e-mails) can do a lot of damage today.

The role of a security culture is to be able to accompany this change process securely, warding off potential dangers through knowledge. Employees know what threats there are, how they work, and how to counteract them. That is, the basic premises about current and potential future dangers in the process are identified, and, more importantly, integrated into the organizational culture. Only with this kind of integration of security culture can an organization prepare for the unpredictable, proactively avoid or at least reduce damage, and pursue forward-looking development.

The cooperation of all employees in making security culture part of their life makes the job of security officers easier and makes security technology more effective. This will increase the protection of the company and reduce the risk of attacks (read more in our blog article "Information Security Culture: The Socio-cultural Dimension of Information Security Management").

To counteract cybercrime, it is therefore important to adapt the culture of security in a company so that the employees internalize and live the correct behavior. It is important to note here that this culture should not grow in a context of fear, but one of confidence in which employees know they will be heard and supported. To achieve a security culture, awareness must be created. If the employees know how to behave securely, the company benefits, and it becomes more secure.

TreeSolution sensitizes and trains everyone in your company, so that security is anchored in the culture in a structured way – i.e. in the everyday thinking and actions of all employees, right up to the management level. In this way, you protect your information and thus your company from attackers and oversights, economic damage and loss of image.


  • Schlienger T. (2006): Informationssicherheitskultur inTheorie und Praxis: Analyse und Förderung sozio-kultureller Faktoren der Informationssicherheit in Organisationen (Information security culture in theory and practice: Analysis and promotion of socio-cultural factors of information security in organizations). Fribourg, iimt University Press.
  • KES (2019): Sicherheitskultur, das unbekannte Wesen? In Management und Wissen, Sicherheitskultur (Security culture, the unknown entity? Security culture, management and knowledge). KES 2/2019. Seiten 67-72.
  • SANS Institute (2019): 2018 SANS Security Awareness Report

Stay up to date with our newsletter and blog subscription:

Thank you for subscribing to the newsletter.
Something went wrong while submitting the form.