  • 25 July 2023
  • 5 min read

How do you assess cyber security culture?

How do you assess and improve your cyber security culture? A strong cyber security culture, ingrained in every employee, is the key to fortifying your defences and protecting valuable data.

A robust cyber security culture is not just a buzzword; it is a fundamental pillar of any resilient organisation, and achieving a truly effective one takes work.

As a Chief Information Security Officer (CISO) or cyber security specialist, you understand that technology alone cannot safeguard your organisation from cyber threats and that your employees must take ownership of not only their own but also their organisation’s cyber security.

A strong cyber security culture, ingrained in every employee, is the key to fortifying your defences and protecting valuable data.

But how do you assess the effectiveness of your cyber security culture?

In this article, we will delve into practical strategies and key indicators that will help you gauge the strength of your cyber security culture and identify areas for improvement. By understanding the nuances of assessing cyber security culture, you can enhance your training and awareness initiatives and elevate your organisation's overall security posture – maximising return on investment and displaying to executives the effectiveness of your work.

1. Conduct comprehensive training programs

A robust cyber security culture begins with a well-informed and educated workforce. Develop comprehensive training programs that cover essential security practices, data protection, and emerging threats. Regularly update these programs to keep up with the ever-evolving cyber landscape. Only once you have built a durable foundation of cyber security awareness and knowledge will you be able to see the security gaps in your network and the chinks in your armour.

2. Evaluate employee engagement

Assessing the level of employee engagement is vital in understanding the adoption of cyber security practices. Engaged employees are more likely to follow security protocols and report potential security incidents promptly. Conduct surveys or focus groups to gauge how invested your workforce is in maintaining a secure environment. Evaluating employee engagement will also allow you to assess the best and worst communication channels when it comes to your workforce. For instance, whilst your framework and foundational knowledge may come from eLearning courses, you may find out that your employees prefer gamification and are prone to skipping past eLearning courses mindlessly. If you increase employee engagement, you fortify your cyber security culture and organisational buy-in in general.

3. Measure reporting levels

The number of reported security incidents and the number of actual incidents differ considerably in almost every industry. When you measure reporting levels, you gain valuable insights into your cyber security culture. You can spot whether reporting levels vary from department to department, whether there are bad eggs in your organisation, and when employees need refreshers. Encourage a culture of open communication by rewarding employees who report potential threats and incidents. Additionally, assess the efficiency and speed of your incident response team to identify areas for improvement. Often employees do not report cyber incidents because of a lack of access or a perceived feeling of being out of their depth – you need to change that through supportive training and a culture that values reporting.

4. Review policies regularly

Policies and procedures serve as the foundation of a cyber security culture. Regularly review the adherence to these policies and assess their effectiveness as well as the contents of said policies. If policies are frequently bypassed or ignored, it may indicate a weak cyber security culture that requires attention or a set of protocols that are out of date and need revisiting. If your employee-facing materials are out of date, you cannot blame your human line of defence for lax or weak security behaviours.

5. Monitor security awareness training completion rates

Keep track of the completion rates of your security awareness training programs. Low completion rates might indicate a lack of interest or the use of inadequate communication channels. When you keep an eye on completion rates and times, you also find out who can be your security advocates and who are your security pitfalls. You can then better tailor your awareness and training to take advantage of these individuals for a more effective campaign.

6. Evaluate root causes

When security incidents occur, analyse their root causes. Human error is often a contributing factor in cyber incidents, but it is usually exploited by an underlying threat. Understanding the root causes will help you tailor your training programs to address specific weaknesses that may even be unique to a smaller department within your whole organisation.

7. Assess security culture at all levels – including board level

A strong cyber security culture should be evident at every level of the organisation. Assess the culture within different departments and levels of management to ensure consistency and uniformity in security practices. Your receptionist and your board members should have the same base level of cyber security understanding, because cyber threats do not discriminate – attackers simply look for the most vulnerable point. Furthermore, when your employees see managers and board members taking cyber security seriously, whilst advocating for training and personal development, you instantly get employee buy-in: importance has been demonstrated at executive level, and employees can see it is a priority for the executives who make impactful decisions.

8. Review employee feedback

Cyber security awareness and training is all about developing your employees for the betterment and safety of your organisation. As a result, you must respect and review employee feedback. It just would not make sense to ignore the people you are creating materials for when it comes to building follow-up campaigns. Encourage employees to provide feedback on cyber security policies and training. Their input can reveal valuable insights into the effectiveness and relevance of your current initiatives, whilst also highlighting cyber risks you may have overlooked.

9. Tried and tested cyber security partner for assessments

The best way to assess your organisation’s cyber security culture is through a comprehensive, tried and tested security awareness and behavioural research survey. At TSC, for over 20 years, we have been deploying our SABR (Security Awareness and Behaviour Research) tool with global organisations of all sizes and industries to pinpoint lax security behaviours and areas of focus. Available as a full pack of 80 questions or in a mini-SABR format for smaller organisations, SABR is extremely effective at quantifying your security issues, demystifying them for executives and providing advice and direction on how to address your cyber issues.


Assessing your cyber security culture is a critical step in building a resilient organisation. By conducting comprehensive training programs, evaluating employee engagement and analysing incident data, you can gain a holistic understanding of your cyber security culture's strengths and weaknesses.

Remember that a strong cyber security culture requires continuous effort and dedication. Regularly re-evaluate your training and awareness initiatives, adapting them to address emerging threats and organisational changes. With a proactive approach to assessing and improving your cyber security culture, you can empower your employees to become the first line of defence against cyber threats, safeguarding your organisation's valuable assets and reputation.

If you would like more information about how The Security Company can help you to create a cyber security training and awareness program or how we can run a behavioural survey to pinpoint lax behaviours and suggest ways to improve ... please contact our Head of Business Development and Sales, Jenny Mandley.

The Security Company's vast library of customised and non-customised products and services is tailored for small, medium and large organisations and is available in a variety of languages. We also offer bespoke solutions for organisations that want training and awareness materials built from the ground up.

Written by
Nas Ali
Cyber security and awareness content creator focused on emerging threats and the next wave of cyber security risks like AI, deepfakes and tech 4.0 initiatives in order to build towards a more secure organisational culture.