Security culture and security awareness should be two different things.

For security geeks, I’ve started reading The Security Culture Playbook. At this point I really like the book, but it begs a question.

Perry Carpenter and Kai Roer lay out some key reasons why employees are so vulnerable to cyber attacks.

Importantly, they have also defined “security culture” as meaning: “Security is embedded into the organization”.

I agree that this should be true.

But I think there is an opportunity here to make a distinction between “security culture” and “security awareness”, in practical risk management terms.

Just as we often see “threats” defined as the product of “likelihood” and “capability”, it can be helpful to define an employee’s “intent” and “ability” as components representing their effectiveness (inversely proportional to vulnerability) in responding to a threat.

Security awareness paradox

Photo by Randy Fath on Unsplash

It’s been a “super-fantastic” experience to see people learning and talking about security threats.

For just $325 USD, you can run a 6 week, automated program for phishing, social engineering and working from home.  (Limited time offer. Normally valued at $999 USD)

Use Promo Code: 6WEEKS

Here are a few ways I believe these terms might be related:

1) Security Culture (intent) x Security Awareness (ability) -> ? (vulnerability)

2) Security Culture (intent) x ? (ability) -> Security Awareness (vulnerability)

or… (I’m not a fan of this one)

3) ? (intent) x ? (ability) -> Security Awareness = Security Culture (vulnerability)

So, without having finished the book yet, the question I would ask is, “Should security culture be a component of security awareness”, or do you view them differently? And why?

I think there’s an answer that makes the distinction more useful. 

Maybe that’s covered later; or maybe it’s in another book, which I’d love to contribute to.


Scott Wright is CEO of Click Armor, the gamified simulation platform that helps businesses avoid breaches by engaging employees to improve their proficiency in making decisions for cyber security risk and corporate compliance. He has over 20 years of cyber security coaching experience and was creator of the Honey Stick Project for Smartphones as a demonstration in measuring human vulnerabilities.