Every organization says they take security seriously. Most of them are wrong — not because they lack policies or tools, but because they confuse compliance activity with security culture. A security culture is not something you build by purchasing an annual training platform and tracking completion rates. It is the set of shared beliefs, behaviors, and norms that determine how people actually make security decisions when no one is watching.
The gap between compliance and culture is where breaches live.
Consider two organizations with identical security policies. In Organization A, employees complete their annual security training, pass the quiz, and return to forwarding sensitive documents via personal email because it is faster. In Organization B, an employee receives an unusual request from a vendor and instinctively verifies it through a second channel before responding — not because a policy requires it, but because that is how things are done here. Same policies. Radically different security outcomes.
Building a security culture that sticks requires addressing three layers: knowledge, behavior, and identity.
Knowledge is the foundation — people need to understand the threats relevant to their role and the reasoning behind security practices. But knowledge alone changes nothing. Most smokers know smoking is harmful. Knowledge without behavioral integration is trivia.
Behavioral change requires making secure practices easier than insecure alternatives, providing consistent reinforcement through positive feedback rather than punishment, and creating social proof through visible leadership modeling. When the CEO visibly uses multi-factor authentication, when managers praise employees who report suspicious emails rather than treating reports as interruptions, when security behaviors are celebrated rather than merely mandated — behavior shifts.
Identity is the deepest and most durable layer. When security becomes part of how people see themselves — "I am the kind of person who protects our data" rather than "I follow security rules because I have to" — the culture becomes self-sustaining. Identity-level change happens through narrative, belonging, and purpose. People adopt the values of the groups they identify with.
Practically, this translates into several organizational practices. Security champion programs that give employees ownership and recognition. Incident response processes that treat human errors as learning opportunities rather than disciplinary events. Communication strategies that connect security practices to organizational mission rather than abstract risk. Regular, bite-sized engagement rather than annual training marathons that people endure and forget.
Measurement matters too, but you have to measure the right things. Completion rates tell you who sat through training. Phishing simulation click rates tell you something, but they are easily gamed and can create a culture of fear rather than awareness. Better indicators include: voluntary reporting rates for suspicious activity, time-to-report for actual incidents, employee sentiment about security practices, and qualitative feedback about whether people feel empowered to make security decisions.
At Merek, we approach security culture as a design problem, not a training problem. We assess your current cultural dynamics, identify the specific beliefs and behaviors that drive risk, and develop targeted interventions that work with your organizational context rather than applying generic solutions. Our cyberpsychology expertise ensures that every intervention is grounded in how people actually think and behave — not how we wish they would.
Culture is what people do when the policy manual is not in front of them. If you want security that sticks, that is where the work has to happen.
