A security culture is the combined set of security-related behaviors exhibited by the people in an organization. A security culture always exists. It may be weak or strong. Peer pressure typically enforces the culture. For example, if everyone within an organization wears a badge, an individual not wearing a badge will feel compelled to put on the badge. An organization should strive to create a strong culture. This typically takes a concerted effort.

Security awareness programs must intend to promote the organization's security governance. We provide guidance for implementing an awareness program that intends to create an organization that encourages strong behaviors, as well as programs that target individuals ...