- Research consistently demonstrates that human error and insider threat are among the most significant contributors to cyber security incidents, making the development of a security-aware culture a strategic priority.
- A security-first culture is one in which security is understood and valued by everyone in the organisation, not just the IT team: this requires leadership by example, clear communication and ongoing education.
- Security awareness training is most effective when it is regular, realistic and relevant to the specific roles and responsibilities of the people receiving it, rather than a generic annual compliance exercise.
- Policies and procedures are necessary but not sufficient: they must be accompanied by a culture in which people feel empowered to raise security concerns without fear of blame or ridicule.
- Organisations that treat security as a shared responsibility and build it into their identity and values, rather than treating it as an IT department function, consistently demonstrate better security outcomes over time.
Alex: Hello and welcome back to the podcast. Today Sam and I are wrapping up Unit 3 on cyber security with a look at culture. Because as Sam has been saying throughout this unit, the human element is often the most significant vulnerability. So how do you actually change that? Sam, where do you start?
Sam: You start by recognising that security culture isn't something you can mandate or install: it has to be grown over time through sustained attention to the right things. And the right things include leadership behaviour, policy, training and perhaps most importantly, the way the organisation responds when things go wrong.
Alex: Let's talk about leadership first.
Sam: Leaders set the tone for everything in an organisation, and security is no exception. If senior leaders visibly take security seriously, if they follow the same policies as everyone else, if they ask about security in project reviews and risk discussions, that sends a powerful signal that security matters. Conversely, if leaders regularly bypass security controls for convenience, that sends an equally powerful message that security is for other people.
Alex: What about policies? Because organisations often have lots of security policies that nobody reads.
Sam: Policies that sit in a document repository and never influence actual behaviour are worse than useless, because they create a false sense of security and sometimes legal liability if they're not followed in practice. Effective security policies are concise, clear, accessible and integrated into real workflows. And they need to be accompanied by the enforcement that gives them teeth: policies that are regularly violated without consequence quickly lose all influence.
Alex: How do you design training that actually changes behaviour rather than just creating a paper record of completion?
Sam: The biggest shift is from knowledge transfer to behaviour change. Generic annual training that covers the same topics in the same way year after year tends to produce very limited real-world change. More effective approaches include simulated phishing campaigns that let people practise recognising attacks in a safe environment, role-specific training that addresses the specific threats and responsibilities of particular jobs, just-in-time interventions that remind people of secure practices at the point where they're most relevant, and storytelling using real incidents to make the stakes concrete and relatable.
Alex: And the question of how organisations respond when mistakes happen is really important, isn't it?
Sam: Absolutely critical. If the response to a security mistake, like clicking a phishing link or losing a device, is blame and punishment, then people learn to hide security incidents rather than report them. And hidden incidents are far more damaging than reported ones. Organisations with mature security cultures treat most security mistakes as learning opportunities and invest in understanding how the mistake happened and how to prevent it, rather than just identifying who to blame.
Alex: Any final thoughts on this unit, Sam?
Sam: I'd say that cyber security is ultimately about people as much as technology. The most sophisticated technical defences can be bypassed by a well-targeted social engineering attack. And conversely, a well-informed, security-conscious workforce can defend against many attacks even when the technical controls are imperfect. Building that culture is a long-term project, but it's one of the highest-value investments any organisation can make.
Alex: Perfectly said to close out Unit 3. We'll move into Unit 4 on programming in our next lesson. Thanks, Sam.