Security culture and security awareness should be two different things.

For security geeks, I’ve started reading The Security Culture Playbook. At this point I really like the book, but it begs a question.

Perry Carpenter and Kai Roer lay out some key reasons why employees are so vulnerable to cyber attacks.

Importantly, they have also defined “security culture” as meaning: “Security is embedded into the organization”.

I agree that this should be true.

But I think there is an opportunity here to make a distinction between “security culture” and “security awareness”, in practical risk management terms.

Just as we often see “threats” defined as the product of “likelihood” and “capability”, it can be helpful to define an employee’s “intent” and “ability” as components representing their effectiveness (inversely proportional to vulnerability) in responding to a threat.

Security awareness paradox

It’s been a “super-fantastic” experience to see people learning and talking about security threats.

For just $325 USD, you can run a 6 week, automated program for phishing, social engineering and working from home.  (Limited time offer. Normally valued at $999 USD)

Use Promo Code: 6WEEKS

Here are a few ways I believe these terms might be related:

1) Security Culture (intent) x Security Awareness (ability) -> ? (vulnerability)

2) Security Culture (intent) x ? (ability) -> Security Awareness (vulnerability)

or… (I’m not a fan of this one)

3) ? (intent) x ? (ability) -> Security Awareness = Security Culture (vulnerability)

So, without having finished the book yet, the question I would ask is, “Should security culture be a component of security awareness”, or do you view them differently? And why?

I think there’s an answer that makes the distinction more useful. 

Maybe that’s covered later; or maybe it’s in another book, which I’d love to contribute to.


Scott Wright is CEO of Click Armor, the gamified simulation platform that helps businesses avoid breaches by engaging employees to improve their proficiency in making decisions for cyber security risk and corporate compliance. He has over 20 years of cyber security coaching experience and was creator of the Honey Stick Project for Smartphones as a demonstration in measuring human vulnerabilities.

Cyber Security

Phishing Defense

Phishing threatens businesses and opens the door to ransomware. Fight phishing and spear phishing attacks with gamified learning.

Social Engineering Defense

Social engineering scams are a serious hazard to businesses. Fight back with Click Armor.

Cyber Security Awareness for Remote Workers

Home-based workers are vulnerable to cyber attacks. Build team immunity today.

Privacy and Compliance

PCI Compliance Awareness

When team members work in an environment where they may encounter cardholder data, they need to know what to do to protect it.

Gamified HIPAA Compliance Awareness

If your business is a supplier to a healthcare provider in the USA or Canada, your team needs to know what to do to protect Protected Health information (PHI).

Gamified Learning Platform

Active Awareness Platform

Experience the power of tailored gamified learning with Click Armor. Take your security awareness training to the next level.