The real question here is how mature organisations are in their security culture approach. Around 22% of security professionals chose to describe their culture as “we reinforce adoption through manager ownership, peer support, and feedback”. This indicates an end-to-end approach. About 21% place their faith in workflows, identifying with the statement that “secure behaviour holds in real workflows (verification, reporting, escalation)”.
Breaking it down further, we see that other companies mainly run awareness training and policy acknowledgement processes to combat cyber threats (20%). Others define role- and task-specific secure behaviours for key workflows (19%). A further 18% run their cybersecurity as a holistic system, using signals and continuous measurement for constant improvement. This shows that many security professionals have adopted behavioural defence mechanisms, using different combinations of machines and people to monitor and analyse security performance.
When asked about the biggest barriers to scaling security culture, security professionals identified three primary challenges:
The prominence of measurement credibility is particularly revealing. If organisations struggle to produce trusted proof of impact, it becomes harder to justify sustained investment, especially at board level. This creates a cycle in which behavioural defence is acknowledged as important but not consistently funded or expanded. Overcoming this barrier requires a shift in maturity, moving away from “awareness” toward a sophisticated performance model where human risk is tracked through credible intelligence, and treated as a measurable security outcome.
Manager reinforcement capacity highlights a different but equally structural issue. Behavioural change does not embed through awareness alone. If managers do not have the time, or the confidence, to reinforce secure behaviours, culture initiatives can fall behind and remain at the communication stage rather than become part of the working day.
Role relevance at scale shows how complex modern organisations are. Generic training may raise baseline awareness, but it rarely addresses the specific risks faced by different functions, geographies or risk profiles.
Further challenges are workforce coverage gaps (frontline, non-desk), localisation complexity (regions, languages and cultural norms), and maintaining consistency across entities (sites, business units, subsidiaries).
To reach a higher level of security maturity, organisations must move beyond generic content toward an adaptive model that uses continuous intervention loops to provide role-relevant encoding depth – ensuring the right people get the right reinforcement at the right time.

Move from tickbox-driven metrics to a data-driven intelligence model that aggregates behavioural signals across awareness, exposure, and response.
Turn long-form, “boring” policies into interactive, role-relevant learning experiences (5 minutes vs. 2 weeks) to solve the “Role Relevance” barrier and reduce cognitive load.
