Creating a Company Culture for Security: What Actually Works (According to 3M+ Hoxhunt Users)

Your essential guide to building a robust security culture. How to implement effective training, policies, and recognition systems to mitigate human cyber risk.

Updated: April 24, 2025
Written by: Hoxhunt

Research by Verizon estimates that 60% of data breach incidents are caused by employee mistakes.

This human factor can make or break your organization's security posture...

Employees are generally considered to be where most organizations' security gaps lie.

A strong cybersecurity culture means meeting compliance regulations, training your employees and encouraging good habits - which can take serious time and resources.

Below, we'll break down exactly how security teams can lay the groundwork for a sustainable security culture that results in real, tangible behavior change.

Importance of security culture: why does it matter?

The threat landscape is always evolving...

Building a strong security culture is essential for mitigating cyber risks, complying with regulations and preserving your organization's reputation.

Prioritizing security culture as a core value and strategic priority will build resilience, trust, and help you keep up with the ever-changing landscape of security threats.

Culture eats strategy for breakfast...

In any business context, if you really want to succeed with your strategy, you always need the right culture in place to support that. And that is as true for cybersecurity as it is for all other areas of business.

The Cybersecurity Culture Report found that 90% of respondents believe that a strong cybersecurity culture is essential for successful cybersecurity outcomes.

Cybersecurity isn’t just about tools or policies... it’s about people.

"If people don't feel safe reporting, they avoid it - or worse, hide it. That's when things spiral." - Dr. Jessica Barker (Cybersecurity Expert & Behavioural Science Specialist)

A strong security culture helps reduce cybersecurity risk by embedding secure behaviors and shared responsibility into daily operations.

When every employee sees themselves as part of the security team, rather than separate from it, organizations can truly scale human risk management.

When teams that aren’t in security recognize that there are security elements they can influence, that’s when the culture shifts.

Benefits of a strong security culture

Reduce potential risk: A solid security culture framework will help promote awareness initiatives and accountability so that your organization can identify and mitigate security risks before they escalate into major incidents. Research from Gartner indicates that organizations with a strong security culture experience 30% fewer security incidents than those without one.

Stay compliant: Does your industry have regulations and data protection laws? A security-focused culture ensures that your employees understand their obligations and take appropriate measures to protect sensitive data and maintain compliance with legal requirements.

Keep up with the latest cyber threats: A security-focused culture will keep your organization innovating and continuously improving its security posture. Phishing attacks are constantly changing - so keeping on top of the latest tactics is absolutely essential.

Build resilience: Even if your organization does fall victim to a cyber incident, building resilience into your culture will minimize its impact and help keep business operations running as usual. You will never be completely safe, but you will be protected as you navigate the threat landscape.

Security awareness isn’t enough - behavior is the new benchmark

Typical awareness programs have a limited impact.

Awareness on its own just doesn't work well enough.

Traditional employee training methods like eLearning and one-off compliance sessions aren’t producing measurable changes in behavior.

Knowing about something doesn't mean you'll change your habits.

You know broccoli is good for you... but do you eat it every day?

The real challenge? Turning knowledge into instinct.

That’s where behavior change programs come in.

As Dr. Jessica Barker pointed out in our webinar on security culture: "If we go heavy on the threat but we don't tell people what they can do about it, this could actually make people go into denial. They go into avoidance. They'll do anything they can to put their head in the sand and think, 'This doesn't apply to me.'"

Instead, she recommends empowering people through self-efficacy - the belief that they can positively influence outcomes. "This is far more powerful than trying to scare people with the threat."

The four pillars of a measurable security culture

To build a truly impactful culture of security, there are four types of metrics every program should include:

  1. Awareness (Knowledge): Do employees know what to do? Quiz responses and module completion rates are useful here - but not the end goal.
  2. Behavior: Are employees doing the right things? Metrics like phishing simulation reporting and password hygiene tell this story.
  3. Attitudes: Do people believe security is a shared responsibility? Surveys and cultural signals (like peer accountability) reveal this.
  4. Engagement: Are people participating willingly? Event attendance, feedback, and leaderboard participation are good indicators.

You need to go beyond engagement and knowledge.

Can you measure behavior and attitudes? That’s where the transformation happens.
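As an added example (not from the original post, and not Hoxhunt's product code), here is a small Python script that turns the Behavior and Engagement pillars above into numbers from phishing-simulation events: share of simulations reported, clicked or ignored, the median time from delivery to report as a dwell-time proxy, and the share of targeted users who interacted at all as a stand-in for engagement. The event format, the user names, the timings and the month-over-month comparison are all constructed for this illustration; a real program would read these fields from its simulation platform's export instead.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class SimulationEvent:
    """One phishing simulation delivered to one user, and what the user did with it."""
    user: str
    sent_at: datetime
    outcome: str                  # "reported", "clicked" or "ignored"
    acted_at: Optional[datetime]  # None when the user never reacted


def _event(user: str, sent: datetime, outcome: str,
           minutes: Optional[int] = None) -> SimulationEvent:
    """Build a constructed event; `minutes` is the delay between delivery and the reaction."""
    acted = None if minutes is None else sent + timedelta(minutes=minutes)
    return SimulationEvent(user, sent, outcome, acted)


# Constructed sample data (hypothetical users and timings): six users, one
# simulation each in March and again in April 2025.
MARCH = datetime(2025, 3, 3, 9, 0)
APRIL = datetime(2025, 4, 7, 9, 0)
SAMPLE_EVENTS: List[SimulationEvent] = [
    _event("alice", MARCH, "reported", 12),
    _event("bob", MARCH, "clicked", 5),
    _event("carol", MARCH, "clicked", 30),
    _event("dave", MARCH, "ignored"),
    _event("erin", MARCH, "reported", 40),
    _event("frank", MARCH, "clicked", 8),
    _event("alice", APRIL, "reported", 3),
    _event("bob", APRIL, "reported", 15),
    _event("carol", APRIL, "clicked", 20),
    _event("dave", APRIL, "reported", 9),
    _event("erin", APRIL, "reported", 6),
    _event("frank", APRIL, "ignored"),
]


def behavior_metrics(events: Iterable[SimulationEvent]) -> Dict[str, Optional[float]]:
    """Behavior and engagement figures for one batch of simulation events.

    report_rate / failure_rate / miss_rate are shares of all simulations sent.
    median_minutes_to_report is the delay from delivery to report (a dwell-time proxy).
    participation_rate is the share of targeted users who interacted at all
    (reported or clicked), which is this example's stand-in for engagement.
    """
    batch = list(events)
    if not batch:
        raise ValueError("no simulation events to measure")
    total = len(batch)
    reported = [e for e in batch if e.outcome == "reported"]
    clicked = [e for e in batch if e.outcome == "clicked"]
    ignored = [e for e in batch if e.outcome == "ignored"]
    dwell = [(e.acted_at - e.sent_at).total_seconds() / 60 for e in reported if e.acted_at]
    targeted = {e.user for e in batch}
    active = {e.user for e in batch if e.outcome != "ignored"}
    return {
        "simulations": float(total),
        "report_rate": len(reported) / total,
        "failure_rate": len(clicked) / total,
        "miss_rate": len(ignored) / total,
        "median_minutes_to_report": median(dwell) if dwell else None,
        "participation_rate": len(active) / len(targeted),
    }


def metrics_by_period(events: Iterable[SimulationEvent]) -> Dict[str, Dict[str, Optional[float]]]:
    """Group events by calendar month (YYYY-MM) and measure each month separately."""
    buckets: Dict[str, List[SimulationEvent]] = {}
    for e in events:
        buckets.setdefault(e.sent_at.strftime("%Y-%m"), []).append(e)
    return {period: behavior_metrics(buckets[period]) for period in sorted(buckets)}


def is_improving(events: Iterable[SimulationEvent]) -> bool:
    """True when the latest period shows more reports and fewer clicks than the first.

    With fewer than two periods there is no trend to judge, so it returns False.
    """
    per_period = metrics_by_period(events)
    if len(per_period) < 2:
        return False
    first, last = per_period[min(per_period)], per_period[max(per_period)]
    return (last["report_rate"] > first["report_rate"]
            and last["failure_rate"] < first["failure_rate"])


if __name__ == "__main__":
    for period, m in metrics_by_period(SAMPLE_EVENTS).items():
        print(period, {k: (round(v, 3) if v is not None else None) for k, v in m.items()})
    print("improving:", is_improving(SAMPLE_EVENTS))
```

On the constructed data the report rate rises from one third to two thirds and the click rate falls from one half to one sixth between the two months, so `is_improving` returns True; with a single month of data it returns False rather than guessing at a trend. Attitudes (the third pillar) cannot be read from simulation events at all, which is why the post pairs this kind of behavioral data with surveys.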

How to create a security culture in your organization

Step 1: Make sure leadership is committed to security

Company leaders will play a critical role in establishing and promoting a security culture within your organization...

They set the tone for the entire organization by demonstrating a commitment to security and making it a priority.

You'll need to ensure your company's leadership team is bought in so that it can allocate budget, develop security policies and procedures, and promote the importance of security awareness across your organization.

Transparency is one of the fastest ways to gauge cultural health.

If a company is not transparent enough, people will lose trust.

They’ll believe nothing bad happens, and they’ll think there’s no reason to change their behavior.

Leadership plays a major role in modeling transparency and showing that security is a shared goal.

If leadership doesn't prioritize security, neither will the employees. It's about setting the tone from the top.

Step 2: Develop your security policies and procedures

Begin by conducting a risk assessment to identify potential threats, vulnerabilities, and risks (the type of data you handle, your industry regulations, and your organization's specific security requirements).

You'll then need to determine what you aim to achieve with your security measures - it could be protecting sensitive data, ensuring compliance with regulations, or mitigating specific risks.

When it comes to choosing a security framework, this will obviously depend on your organization's needs.

Common frameworks include ISO 27001, NIST Cybersecurity Framework, and CIS Controls.

When the values of the security team and the organization aren’t aligned, you’ll hit resistance. You’ve got to sync the two if you want cultural buy-in.

Once you've got your framework down, you can then begin drafting your security policies and procedures (ideally based on your risk assessment and objectives).

  • Policies: should outline high-level principles and expectations.
  • Procedures: should provide detailed instructions for implementing policies.

Note: you'll want to check that your policies and procedures are compliant with requirements, such as GDPR, HIPAA and PCI DSS.

Once implemented, you'll need to be able to monitor compliance (this is why we built Hoxhunt, to create real behaviour change you can track and measure).

Step 3: Build awareness and invest in education

To turn your policies into tangible change, you'll need to make sure employees are properly trained.

Consider how you can make a splash by releasing something completely different like a new tone or new format. Think of it as a symbolic reset to show that you've listened to employees.

People can spot empty corporate speak a mile away.

So make your message genuine. Meet people where they are.

Here are a few ways to raise awareness...

Regular security training programs: Frequent training is essential for keeping employees up to date with the latest security threats and best practices for mitigating them. These programs should cover a range of topics, including phishing awareness, password hygiene, data protection, social engineering tactics, and incident response procedures.

Including cybersecurity in onboarding: Integrating cybersecurity training into the employee onboarding process ensures that new hires are familiar with your security policies and practices from day one. During orientation sessions, employees should receive training on topics such as acceptable use policies, data handling procedures, secure communication practices, and reporting protocols for security incidents.

Promoting a wider culture of security: Fostering a culture of security will help instil a shared responsibility for security. Leaders and managers should lead by example by demonstrating a commitment to security, cyber threat reporting should be encouraged and employees should be rewarded for identifying phishing emails or following security protocols diligently.

Step 4: Encourage strong security habits

If you want to establish a strong security culture, you'll need to encourage strong security habits and make them stick.

Here's why passwords matter

Strong passwords are the first line of defense against potential security threats.

Encourage employees to create strong, unique passwords and avoid common passwords, such as "password" or "123456".

Employees should also be updating their passwords regularly to reduce the risk of password compromise and external threats.

Use a password manager to ditch weak passwords

A password manager will help securely store and manage passwords.

Set up your employees with a reputable password manager to generate and store complex passwords securely.

Implement multi-factor authentication

Multi-factor authentication (MFA) should be used wherever possible, particularly for accessing sensitive systems or applications.

Be sure to provide clear instructions on how to set up and use MFA for different accounts and platforms.

Step 5: Ask yourself if you need to introduce new tools and systems

When building a company culture of cybersecurity, you might be missing some software and systems that will support security practices.

Here are some key tools you might want to consider:

  • Endpoint security solutions: Endpoint security software protects devices such as laptops, desktops, and mobile devices from malware, ransomware, and other cyber threats (solutions typically include antivirus, anti-malware, firewall, and intrusion detection capabilities).
  • Identity and access management (IAM) solutions: IAM solutions manage user identities, access rights, and permissions within your organization's network and systems - so you get centralized control over user authentication, authorization, and account provisioning.
  • Security awareness training platforms: No matter what your organization's headcount is, you'll need security awareness training to educate employees about cybersecurity best practices and raise awareness of potential threats. Beware though: not all training platforms are created equal, and some will be far more effective at changing behavior than others.
  • Encryption tools: These will help protect data from unauthorized access, interception, and tampering, particularly when stored on mobile devices, removable media, or cloud storage platforms.

Step 6: Monitor and audit your organization's culture of security awareness

Whether you know it or not, you have a security culture.

It might be good or bad, but the first step is to measure it.

This can be done through surveys, focus groups, or anecdotal conversations.

One effective way to cultivate a robust security culture is by recognizing and rewarding positive behaviors.

Implement a system for celebrating security-conscious behavior

Recognizing and rewarding security-conscious behavior starts with establishing clear criteria for what constitutes positive security actions.

This may include following security policies and procedures, reporting suspicious activity, participating in security training, or implementing security best practices in day-to-day tasks.

You can create formal recognition programs or initiatives to acknowledge employees who demonstrate exemplary security awareness and adherence to security protocols.

This could involve issuing certificates, badges, or other tangible rewards, as well as public recognition through internal communications channels.

Create a positive feedback loop

As well as recognition programs, you may also want to think about establishing a positive feedback loop to reinforce desired security behaviors.

This might involve providing constructive feedback to employees who demonstrate positive security actions, as well as offering guidance and support to those who may need additional assistance.

Proving ROI

When it comes to demonstrating ROI, start by evaluating culture through alignment.

Do organizational values align with security messaging?

If not, you’ll hit friction.

You could also look at crafting clear cost-benefit stories...

How long does it take to respond to incidents?

How much time and money are wasted because people didn’t act securely?

Behavior change = risk reduction.

That’s the core value.

If you can show fewer risky actions and more secure ones, then your program is working.

Outcomes you can expect from a strong cyber security culture

  • According to the Cybersecurity Culture Study, organizations with a strong cybersecurity culture are 5.5x more likely to have well-defined security policies and procedures in place.
  • Research from the Aberdeen Group reveals that companies with a strong security culture experience 50% higher employee awareness of security risks compared to those with a weak culture.
  • A study by the Institute of Information Security Professionals (IISP) found that organizations with a strong cybersecurity culture are 70% more likely to meet compliance requirements for data protection regulations.
  • Data from the Cybersecurity Culture Assessment Survey conducted by SecurityScorecard shows that companies with a strong cybersecurity culture are 3 times more likely to have executive support for cybersecurity initiatives.
  • When training is based on changing behavior, you can build a strong security culture that actually reduces risk. Employees can be trained to recognize and report social engineering attacks with a 6x improvement in 6 months, and reduce the number of phishing incidents per organization by 86%.

[Figure: Incident reduction with Hoxhunt training and security culture change]

The BJ Fogg behavior model in action

At Hoxhunt, our training approach is rooted in behavioral science.

One of the core frameworks used is the BJ Fogg Behavior Model, which states that behavior occurs when three things converge: Motivation, Ability, and a Prompt.

  • Motivation: Hoxhunt uses gamification (stars, badges, leaderboards) to make security training rewarding.
  • Ability: Personalized difficulty levels and a one-click reporting button ensure actions are easy to complete.
  • Prompt: Realistic phishing simulations serve as timely reminders to act.

Every user gets simulations tailored to their skill level.

At Hoxhunt, we train people in their ‘zone of proximal development’ so they’re always challenged but never overwhelmed.

From behavior change to culture change

Culture isn’t built by security teams alone.

It’s shaped by how people perceive those teams.

Security used to be the department of "No".

And we’ve worked hard to flip that.

Lighthearted team rituals work...

At Hoxhunt, for example, when someone leaves their laptop unlocked at the office, anyone walking by can leave a message to the team saying "hacked".

This isn't meant to punish people; it's a fun learning moment.

These micro-moments shape broader cultural buy-in.

People need to see security as approachable and helpful, not punitive.

That shift creates a bridge between employees and the SOC - and that’s when reporting skyrockets.

We've traditionally pushed what we, as security leaders, care about onto people... but it's far more powerful if we understand what they care about and meet them there.

“The best thing is when individuals have a personal investment in maintaining the actual security culture - even if it’s not their job title.” - Doninick Frazier (Security Behavior & Thought Leader)

Staying ahead of emerging threats

In a dynamic threat landscape, static training doesn’t cut it.

That's why we push new simulations every two weeks, based on emerging patterns from our vast user network.

When QR code phishing spiked, we launched a 500,000-user simulation campaign that mirrored real-world cyber attacks.

Another emerging threat: deepfake attacks.

These threats aren’t theoretical - they’re being used today.

So Hoxhunt incorporates current intelligence directly into training.

If you’re not adapting your content based on actual threats, you’re preparing for yesterday’s problems.

Right now AI is raising the bar - and the stakes - for cybersecurity education.

AI reached its Skynet Moment for social engineering in March 2025.

AI agents developed by the team here at Hoxhunt created more effective simulated phishing campaigns against millions of global users than our elite human red teams could.

  • In 2023, AI was 31% less effective than humans
  • In Nov. 2024, AI was 10% less effective than humans
  • But in March 2025, AI was 24% more effective than humans

[Figure: Human vs AI Phishing]

When it comes to defending against these attacks, old-school advice won’t cut it.

We need to move on from tactics like checking grammar.

We should help people recognize how messages make them feel.

If it’s urgent, emotional, unexpected - and asking for action - then verify.

AI may be used to enhance cyber attacks... but it can also be used to prevent them.

How do you meet people where they’re at - at scale?

AI allows us to personalize training and communication across thousands of employees with the right context.


Branding security culture internally

Want people to engage with your security program?

Make it fun, memorable - and a little bit weird.

Personal story: Whilst working at a major retailer before joining Hoxhunt, I actually created a brand mascot: a pug in a unicorn costume. People loved it. We turned it into plushies and handed them out as rewards for strong security behaviors. That’s when you know your program has cultural traction. Branded characters became symbolic of specific risks (e.g. a raccoon for data privacy, a mole for internal surveys). Employees used the characters on internal social media, and participation soared.

It’s about making security something people want to be associated with.

🔑 Key takeaways

  • Establish leadership commitment to security.
  • Develop comprehensive security policies and procedures based on risk assessment.
  • Implement regular security training programs and include cybersecurity in employee onboarding.
  • Foster a culture of security by promoting shared responsibility and rewarding positive behavior.
  • Encourage strong security habits such as using strong passwords and multi-factor authentication.
  • Consider introducing new tools and systems like endpoint security solutions and IAM platforms.
  • Monitor and audit your organization's security awareness culture, recognizing and rewarding security-conscious behavior.
  • A strong cybersecurity culture leads to fewer security incidents, higher compliance rates, and increased executive support for cybersecurity initiatives.

Change risky behaviors and strengthen security culture with Hoxhunt

Hoxhunt is the all-in-one human risk management platform for phishing and security awareness training, designed to coach away risky behavior.

Traditional security awareness training doesn't work.

So, we built Hoxhunt to maximize training outcomes by serving every user a personalized learning path that measurably changes behavior.

Many enterprise organizations with legacy SAT models have stagnant success rates of about 10%, with limited visibility into real threat reporting and dwell time.

These metrics all drastically improve once onboarded with Hoxhunt and steadily improve over time, demonstrating sustainable engagement and resilience.

[Figure: Impact of Hoxhunt training]

Overall, organizations training employees using Hoxhunt tend to see:

  • 20x lower failure rates
  • 90%+ engagement rates
  • 75%+ detect rates

How do we achieve these outcomes?

Personalized simulations at scale

We deliver phishing simulations across email, Slack, or Teams using AI to mimic the latest, real-world attacks.

Simulations are personalized to each employee based on department, location, and more, while instant micro-trainings solidify understanding and drive lasting safe behaviors.

Ensure compliance and maximize engagement with gamified training

Trigger interactive, bite-sized security awareness trainings that boost completion rates and coach away risky behaviors.

Select from a library of customizable training packages, or generate your own with AI to meet the needs of your business.

Build a measurable security culture

Motivate employee participation with positive, reward-based incentives and instantly trigger relevant training when an employee takes a risky action, like sharing sensitive company data or using a USB stick.

Real-time behavioral data reveals insights into risky employee behaviors, helping you identify where to focus your training efforts whilst minimizing employee disruption.

Creating a company culture for security FAQ

What is organizational security culture?

Organizational security culture refers to the collective beliefs, values, attitudes, and behaviors within an organization that prioritize and promote security awareness, compliance, and best practices to mitigate cyber risks and protect sensitive information.

Why is creating a company culture for security important?

A strong security culture helps mitigate cyber risks, comply with regulations, and preserve organizational reputation.

How do you create a security culture in an organization?

Conduct a risk assessment, choose a security framework, draft policies and procedures, and ensure compliance with regulations.

What are some key security habits employees should adopt?

A successful security culture is when individuals have a personal investment in maintaining the culture.

Key habits include:

  • Reporting suspicious emails
  • Using strong passwords/password managers
  • Enabling multi-factor authentication
  • Staying updated on evolving threats like phishing and deepfakes

Sources

Seven Reasons Why Your Company's Security Training Isn't Working – Forbes Tech Council
Research from Aberdeen Group and Wombat Security – Yahoo Finance
ISC² 2021 Cybersecurity Workforce Study – IAPP
Gartner Unveils Top Eight Cybersecurity Predictions for 2024 – Gartner
State of Cybersecurity 2021 Infographic – ISACA
The Role of Human Error in Successful Cybersecurity Breaches – Keepnet Labs
