CHAPTER 17

Improving Your Security Culture

The ultimate goal of security awareness training (SAT) is to change the culture of an organization so that it is less likely to be compromised because of employee decisions and actions. This chapter covers how to improve and maintain a security culture.

What Is a Security Culture?

There isn't a definitive definition of security culture. It means different things to different people and organizations. But I like to think of security culture as how someone will naturally respond to a computer security scenario, and how the organization they belong to, in aggregate, will respond to the same scenario. Culture includes the collective values, norms, and responses of a group that shares one or more attributes. It is made up of behaviors, often taught over time, that become so deeply embedded in everything the group does that its members respond the same way without anyone having to think hard about their individual reactions.

For example, in the Philippines (and most Asian countries), everyone removes their shoes before entering a home. In the US, almost no one does it unless asked. In Japan, no one places chopsticks pointing to the bottom of a bowl or dish (it would be insulting to the cook). ...

