Why security culture cannot be bought

The difference between "Awareness" and Culture

One of the most common pitfalls is confusing security awareness with security culture. Being aware of a risk simply means having knowledge about it. Culture, on the other hand, is about action.

We can train employees to recognize what a phishing email looks like, but if the culture punishes those who report mistakes, or if management constantly signals that delivery speed trumps everything else, awareness will not lead to increased security. We must go beyond merely following standards and regulations; instead, we need to work proactively with the social structures and the sense of safety among our employees.

Table 1: Awareness vs. Culture – A shift in methodology

Dimension: Goal
  Security awareness: Knowledge dissemination and awareness.
  Information security culture: Changed behaviors and norms.

Dimension: Method
  Security awareness: E-learning, quizzes and posters.
  Information security culture: Leadership support, psychological safety, and structural change.

Dimension: Metrics
  Security awareness: Implementation rate and test results.
  Information security culture: Incentive compliance, reporting propensity, and qualitative observations.

Dimension: Focus
  Security awareness: The individual’s knowledge level.
  Information security culture: The organization’s social DNA and collective choices.

Dimension: Sustainability
  Security awareness: Often short-term (requires repetition).
  Information security culture: Long-term and self-reinforcing.

Humans as an asset, not a vulnerability

In traditional instructional design, humans have often been viewed as “the weakest link.” This perspective creates a pedagogical distance that undermines its own purpose. If instead we design training and strategies based on the idea that people are our most important asset, the entire approach changes.
A strong security culture is built on psychological safety. This means designing systems and routines that encourage people to raise risks early without fear of repercussions. It also involves creating an environment where reported mistakes are seen as opportunities for learning rather than grounds for punishment. This is one of the cornerstones of a strong information security culture: building resilience through openness and accountability.

Designing for reality: Why pre-packaged solutions often fail

Those who develop company-tailored training often face the choice of purchasing ready-made packages. The problem with these is that they rarely address the specific norms within your organization. Security culture is contextual. It is influenced by:

• Leadership’s actual behavior: Employees mirror the values that managers demonstrate in practice, not what is written on the intranet.

• Incentive structures: If bonuses are based solely on production speed, security will always be deprioritized in high-pressure situations.

• Operational complexity: If technical controls are too cumbersome, users will find creative ways to bypass them (shadow IT).

To succeed, information security must operate as an “intelligence partner” together with HR and other business functions. It is about identifying where cognitive and cultural vulnerabilities exist and designing interventions that meet employees within their actual workflows.

The new requirements: From checklists to governance

With the implementation of NIS2 and the new Swedish cybersecurity legislation in 2025 and 2026, the focus is intended to shift from merely “having a policy” to being able to demonstrate actual effectiveness. This means that systematic security work extends beyond critical systems to also include the organization and human behaviors.
This places higher demands on us. We can no longer be satisfied by pointing to a high completion rate for an annual training. We must be able to show how we work systematically with risk management in the supply chain, how we handle the human risk in the use of AI, and how we ensure that security is an integrated part of the design of all processes.
Table 2: Proposed key areas for future security training (2026)

Area: Cognitive resilience
  Focus for the security organization: Training the ability to critically evaluate information and deepfakes.
  Challenge to address: Manipulation of decision-making through AI.

Area: Incident culture
  Focus for the security organization: Lowering the threshold for reporting and practicing crisis management.
  Challenge to address: Fear of making mistakes (blame culture).

Area: Human-centric design
  Focus for the security organization: Simplifying security procedures so that they support work instead of hindering it.
  Challenge to address: “Security fatigue” and shortcuts in everyday work.

Area: Ethical decision-making
  Focus for the security organization: Integrating moral considerations into technical training.
  Challenge to address: Grey areas between convenience and security.

Area: AI governance
  Focus for the security organization: Educating on the responsible use of generative tools.
  Challenge to address: Shadow AI and unintentional data leaks.

Summary: Your role as a culture architect

Building an information security culture is a craft, not a purchase. For those working in information security, this means shifting focus from technical specifications to human interactions. You need tools that help you measure and analyze culture, systematic approaches to changing behaviors, and close collaboration with leadership to ensure they understand their responsibility.
Security culture cannot be bought because it is not owned by a vendor—it is owned by every employee who chooses to do the right thing when it is difficult. Your role is to give them the conditions, the trust, and the culture needed to make that choice.
Does your organization need help moving from awareness to a genuine security culture? Securebyme supports specialists and educators in building resilience by putting people and behavior at the center.

DO YOU NEED MORE THAN POLICIES?

We help you build security that works in reality