Chapter 8. Introducing the Security Culture Framework

You don't have to be a genius or a visionary or even a college graduate to be successful. You just need a framework and a dream.

Michael Dell

The Security Culture Framework was developed by Kai Roer, this book's coauthor, in 2010–2011. Kai had been providing security consulting services for nearly two decades; for several years he noticed that a critical area was being neglected: the human layer. At that time, the only nod to the importance of human factors was (with few exceptions) very boring security awareness training. These early training programs tended to focus on giving people tons of information while also making them feel bad or scared because they can be the cause of so many problems.

The missing piece of the puzzle was the understanding that humans, our coworkers, can be an asset to our cybersecurity programs—an asset that should be equipped and mobilized.

But there was a challenge. No structured approach existed, and little scientific evidence of which types of approaches produce meaningful results was available.

During that time, Kai was consulting with several organizations from all around the world, ranging from large retail organizations in the Nordics to defense sectors in Western countries, to some of the largest telecom providers ...
