
Cybersecurity Awareness Month 2025: Building a Cybersecurity Culture That Lasts

Last updated on Oct 14, 2025

Cybersecurity isn’t just about technology; it’s about people.

When attackers strike, firewalls and detection systems play a critical role, but often the deciding factor comes down to individual choices: does an employee click on a suspicious link? Does someone report a phishing attempt quickly, or does it slip by unnoticed?

That’s why cybersecurity culture, that is, the shared values, attitudes, and behaviors that shape how people respond to risk, is emerging as one of the most important defenses an organization can build. Tools set the rules; culture decides whether they work in practice.

And in today’s environment, where artificial intelligence (AI) is accelerating the speed and sophistication of phishing, ransomware, and social engineering, embedding security into daily habits has never been more important.

What do we mean by cybersecurity culture?

At its core, cybersecurity culture is about what people do when no one is watching. It’s the instinct to challenge a suspicious request, the confidence to speak up when something feels wrong, and the collective understanding that security is everyone’s responsibility.

Academic research defines cybersecurity culture as “the values, attitudes, and beliefs that drive employee behaviors to protect and defend the organization from cyber-attacks”. In practice, it exists at three levels:

  • Leadership level: where priorities, investment, and tone are set

  • Group level: where teams establish norms and help one another embed secure practices

  • Individual level: where personal awareness, self-belief, and everyday choices reinforce or undermine resilience

This isn’t abstract. Verizon’s 2024 Data Breach Investigations Report found that 68% of breaches involve a non-malicious human element: mistakes, misconfigurations, or falling for social engineering. No matter how advanced the security stack, culture gaps create openings for attackers.

In many ways, cybersecurity culture mirrors the well-established idea of safety culture. Just as safety became embedded into industrial operations through shared responsibility and leadership accountability, cybersecurity must become part of the organizational DNA.

Leadership sets the tone

Strong cybersecurity culture starts at the top. When leadership visibly prioritizes security (not just in words but in actions), it cascades through the organization. Conversely, if leaders bypass controls for convenience, or treat security as an IT-only issue, employees quickly take the cue.

KPMG’s research with MIT CAMS highlights the importance of “walking the walk”: leaders must demonstrate secure behaviors themselves, champion cybersecurity initiatives, and ensure resources and accountability are in place. This includes:

  • Board-level involvement: Cyber risk should be a standing agenda item, with regular reporting and clear ownership

  • Cross-functional leadership: Beyond the CISO, roles like CEO, CTO, and Chief Risk Officer should be visibly engaged

  • Aligning policy with reality: Policies must reflect how people actually work. If rules conflict with business processes, employees will find workarounds

Leaders who show genuine commitment by asking questions, allocating budget, and celebrating good security behaviors send a clear message that cybersecurity isn’t a box to check; it’s a core part of resilience.

Embedding security into daily work

Awareness programs and one-off training modules aren’t enough. To embed culture, security has to be part of the daily workflow.

That means tailoring training to different roles, responsibilities, and risk profiles. A developer needs to understand secure coding practices; a finance manager must know how to spot invoice fraud; frontline staff should practice verifying customer data requests. Training should be continuous, engaging, and reinforced through multiple channels.

Phishing simulations are a proven tactic. Sending mock phishing emails helps employees test their instincts in a safe environment. Over time, reporting rates rise, and confidence grows. AI tools can now personalize these simulations, adapting difficulty levels and content for different teams, which makes learning more relevant and impactful.

Equally important is creating a culture where reporting is safe and encouraged. Employees should never fear blame for flagging a mistake or near miss. Instead, they should feel empowered to be part of the solution.

Finally, embedding culture means fostering peer-to-peer accountability. When colleagues look out for each other by sharing tips, double-checking unusual requests, and normalizing security conversations, awareness moves from an obligation to a shared value.

The human factor and emerging tech

Building culture isn’t easy. Resistance to change is one of the top challenges organizations face. Security fatigue, the sense that rules slow things down or create friction, can lead employees to cut corners. And hybrid working introduces new variables, from home networks to personal devices.

At the same time, AI is reshaping the landscape. On the one hand, it introduces new risks like prompt injection, deepfake scams, and automated phishing campaigns. On the other, it offers powerful tools to strengthen culture.

For example, AI can:

  • Deliver personalized micro-learning to employees based on their role, past behavior, or learning style

  • Provide real-time nudges when risky behaviors occur — such as trying to send sensitive data outside the organization

  • Gamify security scenarios, turning simulations into engaging learning opportunities

Used responsibly, AI can scale security culture initiatives across diverse teams and geographies, meeting people where they are and reinforcing secure behaviors without overwhelming them.

Measuring and maturing cybersecurity culture

You can’t improve what you don’t measure. Yet fewer than half of organizations track meaningful cybersecurity culture metrics.

Too often, measurement stops at training completion rates. While useful, these don’t reflect whether behavior is truly changing. More meaningful indicators include:

  • Phishing reporting rates: not just who clicks, but who reports

  • Patch timeliness: how quickly critical updates are applied

  • Password hygiene: use of MFA, password strength, and reuse patterns

  • Incident reporting activity: frequency and quality of reports

Maturity models provide a helpful framework, ranging from ad hoc (basic awareness, little ownership) to dynamic (culture is deeply embedded and adapts continuously to the threat landscape).

AI is beginning to play a role here too, analyzing vast datasets to generate human risk scores, highlight trends, and pinpoint areas for targeted intervention. By quantifying culture, leaders can make data-driven decisions and demonstrate progress to boards and regulators.

Building a culture that lasts

Cybersecurity culture is not built overnight. It requires persistence, reinforcement, and a commitment to both technology and people. Organizations that succeed do so by:

  • Embedding security into leadership accountability

  • Aligning policies with practical workflows

  • Training continuously and tailoring content by role

  • Empowering employees to speak up without fear

  • Leveraging AI to personalize, scale, and measure impact

When these elements come together, culture becomes the foundation of resilience. Employees don’t just follow rules; they internalize them. They don’t just spot threats; they act on them. And collectively, they form the first line of defense.

Culture as the new perimeter

Technology alone can’t secure an organization. Attackers know the fastest way in is often through a human click, a misstep, or a moment of fatigue. That’s why culture matters: it transforms people from vulnerabilities into defenders.

As IT and security leaders, the challenge is clear: not just to deploy tools, but to nurture the values, attitudes, and behaviors that keep organizations safe in a constantly evolving landscape.

Explore More Resources

Cybersecurity culture is an ongoing journey, not a destination. To dive deeper into strategies, research, and practical steps for embedding security into your organization, visit our Cybersecurity Culture resource hub.
