Chapter 5. Critical Concepts from the Social Sciences

We think, each of us, that we're much more rational than we are. And we think that we make our decisions because we have good reasons to make them. Even when it's the other way around. We believe in the reasons, because we've already made the decision.

Daniel Kahneman

One of the biggest issues in the field of cybersecurity is that we tend to approach situations with blinders on. We assume that the problems we face are new and unique—and we are often wrong.

We've seen that sense of myopia at play when it comes to security culture as well. There is some good news, however: Security culture isn't as new and mysterious as some believe. Everything related to security culture ultimately comes down to some aspect of human nature, and scientists have been studying human nature for a long time.

In this chapter, we take a brief look at a couple of foundational ideas from social science that we believe directly relate to security culture and behavior. This perspective will shed new light on employee behavior, and it will lay the groundwork needed to identify strategies and tactics to apply in your security culture program. It will also help you avoid outdated advice and practices that could otherwise trip you up.

What's the Real Goal—Awareness, Behavior, or Culture?

Over the past several years, our industry has been fixated on the idea that the silver bullet for dealing with the human side of cybersecurity is to find effective ways ...
