Why security awareness and security culture are not the same thing

In a conversation related to my recent blogpost, How can we improve security culture, if security awareness training programs are not yielding results? [1], one of our customers asked me to clarify the difference between security awareness and security culture, remarking that the terms are often wrongly used interchangeably. Here’s my take on it.

Security awareness is the state of knowledge about risk, i.e. the knowledge that members of an organization possess regarding the protection of the physical, and especially informational, assets of that organization. 

Security culture is a wider concept than security awareness; encompassing not only knowledge of security risks but, a total of 7 key dimensions: attitudes, behaviors, cognition, communication, compliance, norms, and responsibilities. At CLTRe, we consider awareness and knowledge as a part of cognition.

In 2012, Geordie Stewart wrote in his blog that “our definitions of security awareness seem to be limiting our ability to influence people.” We need a better understanding of what we are talking about.

He discusses an ISF definition of security awareness that later refers to security culture, Geordie writes, “[this] is great because it implies group norms which can encourage secure behaviour. [Yet] its first suggestion on how to create security culture is ‘compulsory attendance at security awareness training’. Seriously, the human race is doomed.” [2]

A vast majority of security awareness training programs are utterly worthless [3] because they fail to address what drives behavior change.  A one-size-fits-all approach is ineffective. [4-8] 

We can learn from experts and scientists studying security behavior change. If organizations want to elicit change, e.g. by increasing the security level of the organization, greater focus should be placed on the main determinants of change, which are contextually specific and must be empirically verified. 

In a security culture context, these determinants are:

  • Attitudes: How employees feel about security.
  • Responsibilities: How accountable employees believe themselves to be for organizational security.
  • Compliance: Adherence of rules, regulations or policies designed to improve security.
  • Cognition: Employees’ understanding and self-efficacy of security knowledge.
  • Behaviors: How risk-averse employees are in their actions.
  • Norms: The extent that employee actions are subject to peer-influence. (The unwritten rules, if you like.)
  • Communication: The quality and availability of communication and support on security matters.

These 7 dimensions determine the strength of an organization’s security culture and the extent that employee’s security conduct is influenced.  Security culture is one of the most important aspects of organizational security and an efficient mechanism to influence employee behavior. Yet it is often overlooked.

If we are to improve, the focus should be placed on understanding and managing these 7 dimensions.

For help with measuring security culture in your organization, get in contact or book a demo.

What next?

Read the white paper To Measure Security Culture: A scientific approach for more detailed information on our scientific approach to measuring security culture. 

Go to white-paper


[1] Laycock, A. (2018, Nov 16). How can we improve security, if security awareness training programs are not yielding results? [blogpost, CLTRe]. Retrieved from https://get.clt.re/blog/how-can-we-improve-security-if-security-awareness-training-programs-are-not-yielding-results
[2] Stewart, G. (2012, Mar 12). Definition of Security Awareness [Blog post, IBM]. Retrieved from https://www.risk-intelligence.co.uk/definition-of-security-awareness/
[3] Opacki, J (2017, Sep). Building a Security Culture: Why Security Awareness Does Not Work and What to Do Instead. ISACA Journal, 2017(4).
[4] Euske, K. J. (2003). Public, private, not-for-profit: everybody is unique?. Measuring Business Excellence, 7(4), 5-11.
[5] Rahim; et al, (2015). A systematic review of approaches to assessing cybersecurity awareness. Kybernetes, 44(4), 606-622.
[6] Shenhar, A. J. (2001). One size does not fit all projects: Exploring classical contingency domains. Management science, 47(3), 394-414.
[7] Prochaska; et al. (2001). A trans-theoretical approach to changing organizations. Administration and Policy in Mental Health and Mental Health Services Research, 28(4), 247-261.
[8] vom Brocke, J; et al (2016). On the role of context in business process management. International Journal of Information Management, 36(3), 486-495.
[9] Roer, K. (2014, Apr 09). Definition of Security Culture [Blog post, SCF]. Retrieved from https://securitycultureframework.net/definition-of-security-culture/

Related Posts