From Awareness to Culture: Adopting Strategies for Effective Security Behavior & Culture Programs (SBCPs)
Explore how organizations are transitioning from basic awareness training to Security Behavior & Culture Programs (SBCPs). Learn what drives this shift, key adoption challenges, and how to build effective, tech-enabled security cultures in 2025.
2025-04-21
'%3e%3cpath%20d='M4%204L15.733%2020H20L8.267%204H4Z'%20stroke='%230671C0'%20stroke-width='2'%20stroke-linecap='round'%20stroke-linejoin='round'/%3e%3cpath%20d='M4%2020L10.768%2013.232M13.228%2010.772L20%204'%20stroke='%230671C0'%20stroke-width='2'%20stroke-linecap='round'%20stroke-linejoin='round'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='clip0_8149_16006'%3e%3crect%20width='24'%20height='24'%20fill='white'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e)
'%3e%3cpath%20d='M5.37214%2023.8745H0.396429V8.10162H5.37214V23.8745ZM2.88161%205.95006C1.29054%205.95006%200%204.65279%200%203.08658C1.13882e-08%202.33427%200.303597%201.61278%200.844003%201.08082C1.38441%200.548853%202.11736%200.25%202.88161%200.25C3.64586%200.25%204.3788%200.548853%204.91921%201.08082C5.45962%201.61278%205.76321%202.33427%205.76321%203.08658C5.76321%204.65279%204.47214%205.95006%202.88161%205.95006ZM23.9946%2023.8745H19.0296V16.1963C19.0296%2014.3665%2018.9921%2012.0198%2016.4427%2012.0198C13.8557%2012.0198%2013.4593%2014.0079%2013.4593%2016.0645V23.8745H8.48893V8.10162H13.2611V10.2532H13.3307C13.995%209.01393%2015.6177%207.70611%2018.0386%207.70611C23.0743%207.70611%2024%2010.9704%2024%2015.2102V23.8745H23.9946Z'%20fill='%230671C0'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='clip0_3867_24588'%3e%3crect%20width='24'%20height='27'%20fill='%234A4D53'%20transform='translate(0%200.25)'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e)
'%3e%3cpath%20d='M13.957%2014.75L14.668%2010.0848H10.2225V7.05745C10.2225%205.78115%2010.8435%204.53707%2012.8345%204.53707H14.8555V0.565174C14.8555%200.565174%2013.0215%200.25%2011.268%200.25C7.60703%200.25%205.21403%202.48441%205.21403%206.52931V10.0848H1.14453V14.75H5.21403V26.0278H10.2225V14.75H13.957Z'%20fill='%230671C0'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='clip0_3867_24590'%3e%3crect%20width='16'%20height='25.7778'%20fill='%234A4D53'%20transform='translate(0%200.25)'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e)
Gartner (2023) indicates that approximately 20% of breaches from 2013 to 2021 were linked to social engineering, showing no notable decrease over this period, despite years of security awareness training.
Traditional annual "click-through" security awareness training is insufficient in today’s evolving threat landscape. Attackers now utilize sophisticated tactics like deepfakes, MFA fatigue, quishing and targeted social engineering, which exploit everyday behaviors rather than gaps in knowledge. Therefore, organizations are shifting towards comprehensive Security Behavior & Culture Programs (SBCPs) to embed security deeply into organizational culture.
This article discusses the transition that organizations are making from security awareness to security culture. It also explores the challenges and accelerators associated with this shift.
Where the SBCP Market Stands in 2025
According to Gartner’s 2025 survey, currently, only 13% of firms have fully operational SBCPs. Approximately 56% are in the implementation stage, while 31% are actively designing their programs.
This indicates that many organizations are "in flight," making shared insights and best practices especially valuable at this critical juncture.
Read our article to learn about Security Behavior & Culture Programs and their benefits.
Essential Building-Blocks of a Modern SBCP
Organizations are shifting from traditional security awareness training to comprehensive Security Behavior & Culture Programs to counter sophisticated cyber threats. This shift is driven by the need to embed security into organizational culture and address modern attack methods that exploit human behavior.
Motivation & Rewards: Nearly half (48%) of organizations reward incident reporting, and 39% publicly recognize secure behaviors. Such positive reinforcement significantly strengthens habitual secure actions.
Knowledge Hub: Providing a centralized hub with policy libraries and checklists is essential, with 46% of organizations already offering these resources. This reduces friction and enables just-in-time learning, improving security adoption across teams.
Feedback & Measurement: Internal dashboards reporting impact metrics are crucial, adopted by 47% of firms to sustain stakeholder engagement and ensure continuous program funding and support.
Communication & Engagement Tactics That Stick
Successful SBCPs rely heavily on personalized communication (57%) and omnichannel workflow integration (50%) according to Gartner. These approaches outperform traditional methods like flyers or one-time workshops.
Effective communication combines storytelling, humor, and visually appealing content, enhanced by credible leadership voices. Organizations should segment audiences based on roles and risk profiles, embedding micro-nudges into commonly used tools such as Slack, Teams, or support ticketing systems.
Technology Accelerators for SBCPs
Technology is important in enhancing SBCP effectiveness:
- Threat Simulations (56%): Realistic threat scenarios to train and test user responses.
- Automation (50%): Streamlines the execution and scalability of programs.
- Data Analytics (47%): Provides actionable insights for targeted interventions.
Adopting these technologies strategically throughout the SBCP lifecycle—from design and rollout to sustainment and measurement—is recommended over investing in tech simply for its novelty.
Mobilizing Beyond the Security Team
Successful SBCPs are cross-functional efforts. Gartner's survey shows that 56% of organizations rely on functional leaders to coach staff, and 53% involve them in policy design and performance tracking.
Essential roles to include are HR, Communications, IT Operations, Legal, and frontline People Leaders, each bringing unique insights and support critical for a robust security culture.
Overcoming Adoption Barriers
Organizations face notable challenges:
- Executive Buy-in (68%): Align SBCP KPIs with business risks and customer trust to secure leadership support. Read our blog to learn more about why CISOs fail to engage executives on cybersecurity.
- Tech Proficiency Variations (55%): Develop clear, persona-based content tailored to specific employee needs.
- Skills Gaps (45%): Upskill internal champions and leverage managed services where needed.
- Undefined Culture Goals (36%): Conduct baseline culture surveys to establish clear security behavior objectives.
- Vendor/Budget Constraints (33%/26%): Phase the rollout and demonstrate ROI through initial successes.
Five-Step Roadmap to Effective SBCP Launch or Improvement
Organizations can follow this five-step roadmap to launch an effective Security Behavior & Culture Program or to improve an existing one:
- Align & Sponsor: Identify and engage C-suite advocates, defining clear success metrics.
- Design With Personas: Map security behaviors to employee roles, highlighting risk-prone moments.
- Activate & Integrate: Deploy gamified simulations, embed nudges, and introduce recognition programs.
- Automate & Analyze: Utilize telemetry data for dashboards and timely interventions.
- Iterate & Celebrate: Regularly communicate successes, refine tactics, and refresh incentives quarterly.
Metrics That Drive Results
Meaningful SBCP metrics should span three dimensions:
- Behavioral: Incident-reporting rates, phishing-resilience scores, password manager usage.
- Cultural: Security confidence levels, frequency of peer coaching, trends in policy exceptions.
- Business: Reduction in avoidable incidents, audit findings, and mean time-to-detect security breaches.
Keepnet Extended Human Risk Management For Your SBCP
Enhance your organization's security posture by implementing a robust SBCP. This strategic initiative fosters a culture of security awareness and significantly reduces risk, cultivating trust amongst stakeholders.
Leverage the Keepnet Human Risk Management Platform, including Security Awareness Training and Phishing Simulators, to seamlessly integrate security best practices into your organization's culture and bridge the gap between knowledge and secure behavior.
SHARE ON