Security Awareness Training: How to Build a Real Culture of Compliance (Not Just Checklists)
Most organizations say they care about security and compliance. They publish policies, roll out security awareness training, maybe run a phishing simulation once in a while—and then hope for the best.
To be honest, that’s not enough anymore.
Modern cyber threats, complex regulations, and fast-changing technologies all mean one thing: if compliance is just a checkbox or a once-a-year training, it will quietly fail. Real protection comes from something deeper—a culture of compliance where secure, ethical behavior is the norm, not the exception.
In this article, we’ll unpack what a culture of compliance actually means, why people still break rules even when they "know better," and how to design security awareness and compliance programs that actually stick. We’ll lean on behavioral theories, NIST guidance, and practical experience, but we’ll keep the explanations straightforward and grounded in reality.
If you’re responsible for security awareness training, risk management, or just trying to get people to care about cybersecurity, this is for you.
Why Culture Matters More Than Checklists in Security Compliance
Security compliance isn’t just a set of rules—it’s the visible expression of your organization’s values around risk, ethics, and protection of data.
You can absolutely have all the right policies on paper and still be wildly exposed to cyber risk if your culture doesn’t support those policies in practice.
According to NIST SP 800-53 Rev. 5, organizations should strive to embed security and compliance into everyday operations, not treat them as separate add-ons. That is fundamentally a cultural challenge, not just a technical or legal one.
The Three Layers of Culture—and What They Mean for Compliance
One helpful way to understand this is through Edgar Schein’s model of organizational culture, which looks at three layers:
1. Artifacts
These are the visible things you can see or touch:
- Security posters in the office
- Access badges and locked server rooms
- Documented security policies and acceptable use policies
- Multi-factor authentication prompts and security tools
They signal that security exists, but by themselves they don’t guarantee that people truly believe in it.
2. Espoused values
These are the values and principles the organization says it holds:
- "We take security seriously"
- "We value transparency and ethics"
- Mission statements and codes of conduct
- Leadership messages about compliance and integrity
These are important, but here’s the catch: espoused values can be out of sync with how things really work. For example, a company might say "speak up if you see something," but whistleblowers get sidelined quietly.
3. Basic underlying assumptions
This is the deepest level—the unconscious, taken-for-granted beliefs that actually drive behavior:
- "If I report an issue, it will hurt my career."
- "Hitting the deadline is more important than following the process."
- "Security is IT’s problem, not mine."
These assumptions are rarely written down, but they determine whether people follow security rules when no one is watching.
Strong security awareness training and compliance programs touch all three levels.
- Artifacts: clear security controls, visible policies, practical tools
- Espoused values: leadership messages that consistently support security
- Underlying assumptions: day-to-day experiences that prove the organization really means it
When those layers line up, employees tend to:
- Follow security policies even without direct supervision
- Report suspicious activity or policy gaps
- See compliance as part of “how we work,” not an extra chore
When they don’t line up, you get polite nods in training, then business-as-usual risky behavior afterwards.
Culture as a Security Control (and a Risk)
Research has shown that organizations with strong ethical climates tend to:
- Experience fewer cybersecurity incidents
- Have higher adherence to information security policies
- Respond to threats more quickly and transparently
In other words, culture behaves like a security control—it can:
- Prevent risky behavior by making it socially unacceptable
- Enable fast responses when things go wrong
On the flip side, a weak compliance culture can:
- Normalize policy violations ("everyone does it")
- Encourage shortcuts to meet unrealistic goals
- Create silence around incidents and near-misses
In my experience, almost every breach or compliance incident has both a technical cause and a cultural one:
- The phishing email slipped through the filter and no one felt empowered to report it.
- The misconfiguration exposed data and the team saw security checks as a nuisance.
That’s why security awareness training can’t just be about knowledge. It has to influence attitudes, norms, and everyday behavior—which is exactly what culture is made of.
Common Barriers to a Real Culture of Compliance
If building a culture of compliance were easy, this article wouldn’t need to exist. Organizations run into the same patterns over and over, patterns that quietly undermine even well-intentioned security awareness and compliance programs.
Below are some of the most common barriers and how they show up in real life.
Checkbox Mentality, Policy–Practice Gaps, and Compliance Fatigue
1. Tick-box (checkbox) culture
This is where compliance becomes mostly about documentation and optics:
- People complete training to get the "100% complete" metric
- Forms get filled in for audits, but no one reads them later
- Controls are implemented because a regulation demands it, not because they make sense
Employees quickly learn that the real goal is "pass the audit," not "protect the organization"—and they behave accordingly.
2. Decoupling policies from practice
This happens when what’s written in policy doesn’t match how work actually gets done:
- Leadership announces a "strict" password policy but shares passwords in practice
- A policy bans shadow IT, but teams use unsanctioned tools to get work done because official tools are clunky
Staff notice the gap between words and actions and, understandably, become cynical. Compliance then feels like theater.
3. Compliance fatigue
Even well-designed controls can fail if there are simply too many of them, or they change constantly without clear rationale:
- Endless policy updates and mandatory e-learnings
- Frequent audits with repetitive questions
- Pop-up warnings that people reflexively click through
Over time, this leads to:
- Mental exhaustion
- Apathy ("I’ll just click whatever gets this out of my way")
- Shortcuts and corner-cutting
Security awareness training that overwhelms people with content, or repeats the same generic material year after year, quietly teaches them to tune out.
Leadership Gaps, Fear, and Cultural Misalignment
4. Lack of leadership commitment
Culture follows leadership. If executives and managers:
- Ignore policies when they feel rushed
- Downplay incidents to avoid bad news
- Prioritize short-term revenue over long-term risk
…then no amount of training will fix that. Employees quickly learn what really matters: what leaders do, not what they say.
5. Overemphasis on punishment and fear
It’s tempting to "get tough" on non-compliance, but a fear-based environment usually backfires:
- People hide mistakes instead of reporting them
- Potentially serious issues surface late, if at all
- Staff see security as something to “survive,” not to support
Accountability is necessary, but if the first instinct is blame instead of learning, you’ll undermine psychological safety—and with it, early warning signals.
6. Cultural and communication barriers
In global or cross-functional organizations, compliance messages can land very differently:
- Terms like "acceptable use" or "data ownership" may be interpreted differently in different regions
- Translated policies lose nuance
- Strong hierarchies make staff afraid to speak up
On top of that, rigid top-down communication means:
- Concerns don’t reach decision-makers
- Frontline insights about how policies actually work are lost
All of this erodes trust and makes compliance feel imposed, not shared.
Why People Ignore Rules: Behavioral Drivers of Non-Compliance
One of the biggest mistakes in designing security awareness training is assuming that more information will automatically lead to better behavior.
Often, people know what they’re supposed to do. They ignore rules—or work around them—for psychological, social, or structural reasons, not just because they’re "careless."
Let’s walk through key behavioral theories that help explain non-compliance and what they mean in practice.
Hidden Expectations, Social Influence, and Mental Overload
Psychological contract theory
Most employees have an unwritten deal in their heads about what the organization owes them:
- Fair treatment
- Reasonable workload
- Recognition and job security
When they feel this "psychological contract" is broken—for example, by surprise layoffs, broken promises, or chronic overwork—they may respond by withdrawing:
- Doing the bare minimum
- Ignoring non-critical rules, including security ones
Non-compliance, in this case, is less about malice and more about: "Why should I go the extra mile if they don’t hold up their side?"
Theory of planned behavior
People’s actions are driven by three things:
1. Their attitude ("Is this worth it?")
2. Social norms ("Do people around me do this?")
3. Perceived control ("Can I realistically do this?")
Applied to security:
- If staff think a control is annoying and useless, they’ll resist it
- If everyone else cuts corners, they’ll follow the crowd
- If they lack time or tools, they’ll feel they can’t comply, even if they want to
Cognitive load theory
Human attention is limited. When people are bombarded with information, tight deadlines, endless tools, and constant context switching, mistakes become inevitable.
Complicated, multi-step security procedures or jargon-heavy policies increase cognitive load and lead to:
- Unintentional non-compliance (missed steps, forgotten rules)
- People defaulting to the easiest path, which is often the least secure one
So, if security awareness training adds complexity instead of reducing it, it may actually worsen your risk profile.
Learned Shortcuts, Justifications, and Systemic Issues
Social learning theory
People learn what’s acceptable by watching coworkers and leaders:
- If they see others bypass controls without consequence, they’ll copy them
- If "heroes" in the company are those who break rules to get things done, that becomes the model
This is how non-compliance quietly becomes the norm.
Neutralization and moral disengagement
Many employees don’t want to see themselves as "bad" or unethical, so they rationalize non-compliance:
- "No one will really be hurt by this shortcut."
- "Management makes things impossible; I have no choice."
- "Everyone inflates numbers a bit—this is just creative reporting."
By changing how they frame the behavior, they avoid feeling guilty and it becomes easier to repeat.
Strain theory
When people face conflicting demands—say, "never bypass the change process" but also "deliver this project yesterday"—they experience strain.
Under enough pressure, they may:
- Work around controls to hit targets
- Treat compliance as optional when it conflicts with perceived "real" goals
Organizational justice theory
Perceived fairness really matters. If people see:
- Policies applied inconsistently
- Senior staff getting away with violations
- Unequal consequences for similar actions
…they’re more likely to disengage or retaliate by ignoring the rules.
Systems theory
Finally, not every compliance issue is an "employee problem." Sometimes the system is broken:
- Poorly designed workflows make compliant behavior the hardest option
- Security tools are unusable or constantly failing
- Training is generic and irrelevant
Non-compliance in these cases is often a signal that something in the system needs fixing, not that staff need yet another reminder email.
Taken together, these theories show why punishment-only responses are so limited. To change behavior, you have to address:
- People’s expectations and experiences
- The social norms around them
- The design of processes, tools, and training itself
From Rules to Reality: Strategies to Build a Culture of Compliance
So how do you turn all of this theory into a practical security awareness and compliance program that actually works?
The most effective approaches are integrated. They don’t just throw more training at people; they reshape communication, leadership behavior, tooling, and incentives at the same time.
Psychological Safety and Two-Way Communication
A powerful starting point is to create psychologically safe feedback loops.
This means employees can:
- Ask questions about confusing policies
- Report incidents, near-misses, or suspicious behavior
- Flag flawed processes or tools
…without fear of being punished or ridiculed.
In practice, this might look like:
- Anonymous reporting channels for security and compliance concerns
- Regular "no-blame" incident reviews focused on learning
- Q&A sessions where staff can challenge policies constructively
This approach directly counters:
- Fear-driven cultures where mistakes are hidden
- Hierarchical structures where speaking up is risky
Over time, it shifts security from "top-down enforcement" to a shared responsibility where people feel part of the solution, not just the subject of rules.
Embedding Compliance into Daily Work (Not Just Training Sessions)
Another critical move is to embed compliance into operational workflows using technology and smarter design.
Instead of relying on memory or yearly training, use:
- Contextual prompts (for example, a reminder about data classification when someone uploads files)
- Automated checks (for example, system-enforced password policies, least-privilege access)
- Role-specific notifications and micro-learnings tailored to what a given team actually does
This approach helps:
- Reduce compliance fatigue by cutting unnecessary steps
- Lower cognitive load by presenting the right information at the right time
- Translate policy into concrete, in-the-moment decisions
Guidance like NIST IR 8420A emphasizes role-relevant, streamlined awareness efforts—because generic training that tries to cover everything usually ends up connecting with almost no one.
To be honest, the more your systems can "nudge" people toward compliant behavior quietly in the background, the less you have to nag them with training emails.
Leadership Modeling, Participatory Design, and Zero Trust
Leadership as culture carriers
Leaders need to model the behavior they want to see:
- Following access control processes themselves
- Accepting delays when security reviews are legitimately needed
- Being transparent about incidents and lessons learned
When leaders do this consistently, it:
- Reduces resistance to change
- Repairs damaged trust after past "psychological contract" breaches
- Makes it much harder for employees to justify non-compliance with "that’s just how things are here"
Standards like NIST SP 800-53 Rev. 5 explicitly highlight leadership’s role in normalizing security and compliance as everyday expectations.
Participatory compliance program design
Instead of designing policies and training in a vacuum, involve:
- Frontline staff
- Representatives from different regions or departments
- Diverse roles (technical, non-technical, operations, support)
Co-creating:
- Policy language
- Training scenarios
- Reporting processes
…helps ensure they’re:
- Fair and context-aware (supporting organizational justice)
- Realistic enough to follow under pressure (reducing strain)
- Culturally aligned across locations and teams
People are much more likely to follow rules they helped shape.
Zero trust as a behavioral safeguard
Adopting a Zero Trust security model—aligned with guidance such as NIST SP 800-207—reframes access from "trust the network" to "never trust, always verify."
From a compliance perspective, this means:
- Access is continuously validated based on context (who, what, where, how)
- Behavioral baselines are used to detect anomalies
- Opportunities for policy circumvention are reduced
Zero trust doesn’t replace culture, but it provides a technical safety net when people make mistakes or when intentional non-compliance occurs.
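To make the "continuously validated based on context" and "behavioral baselines" points concrete, here is a small context-aware access decision function written as an added example for this article; it is not code from NIST SP 800-207 or from any product. The request fields, the per-user baseline, the anomaly scoring and the thresholds are all constructed assumptions chosen to illustrate the idea: every request is evaluated on who, what, where and how, deviations from the user's usual pattern raise the bar (step-up authentication) rather than silently passing, and unknown identities or unmanaged devices touching restricted data are refused outright.

```python
"""Toy Zero Trust policy decision: evaluate every request in context.

Constructed example. The fields, baseline values and thresholds below are
assumptions for illustration, not any real product's API or policy.
"""
from dataclasses import dataclass


@dataclass
class Baseline:
    """What 'normal' looks like for one user, learned from past sessions (constructed)."""
    usual_countries: set   # countries the user normally connects from
    usual_hours: range     # hours of the day in which the user normally works
    usual_devices: set     # managed device identifiers seen before


@dataclass
class Request:
    user: str
    resource: str
    sensitivity: str       # "public", "internal" or "restricted"
    country: str
    hour: int              # hour of day, 0-23
    device_id: str
    device_managed: bool   # True if the device is enrolled in management
    mfa_age_minutes: int   # minutes since the last successful MFA


# Hypothetical baseline store; a real system would learn these from telemetry.
BASELINES = {
    "alice": Baseline({"DE", "NL"}, range(7, 20), {"laptop-a1"}),
}

# Audit trail of every decision, so reviews can see why access was refused
# or stepped up (this is the "diagnostic data" view, not punishment).
DECISION_LOG = []


def anomaly_score(req: Request, base: Baseline) -> int:
    """Count how far a request deviates from the user's behavioral baseline."""
    score = 0
    if req.country not in base.usual_countries:
        score += 2          # geographic change weighs most
    if req.hour not in base.usual_hours:
        score += 1
    if req.device_id not in base.usual_devices:
        score += 1
    return score


def decide(req: Request) -> str:
    """Return 'allow', 'step-up' (re-authenticate first) or 'deny'.

    There is no 'inside the network' shortcut: every request is checked.
    """
    base = BASELINES.get(req.user)
    if base is None:
        decision = "deny"                       # unknown identity is never trusted
    elif req.sensitivity == "restricted" and not req.device_managed:
        decision = "deny"                       # restricted data needs a managed device
    elif req.sensitivity == "restricted" and req.mfa_age_minutes > 60:
        decision = "step-up"                    # restricted data needs fresh MFA
    else:
        score = anomaly_score(req, base)
        if score >= 3:
            decision = "deny"                   # too far from normal: refuse
        elif score >= 1 and req.sensitivity != "public":
            decision = "step-up"                # unusual but plausible: verify again
        else:
            decision = "allow"
    DECISION_LOG.append((req.user, req.resource, decision))
    return decision


if __name__ == "__main__":
    normal = Request("alice", "hr-wiki", "internal", "DE", 10, "laptop-a1", True, 5)
    odd = Request("alice", "hr-wiki", "internal", "BR", 3, "tablet-x", False, 5)
    print(decide(normal), decide(odd))   # allow deny
```

The design choice worth noticing is that an anomaly does not immediately mean "deny": a single deviation on non-public data asks the person to prove it is really them, which keeps honest users working while still closing the gap a stolen session would otherwise slip through. The decision log is what lets the compliance team later ask "which controls are people bumping into, and why?"
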
Scenario-Based Training, Nudging, and Ongoing Improvement
Scenario-based, story-driven training
Instead of dry slide decks, use:
- Realistic scenarios based on actual incidents (anonymized)
- Short interactive simulations (for example, "you receive this email—what do you do?")
- Ethical dilemmas that require judgment, not just recall
This kind of training:
- Counters "tick-box" attitudes (because it feels relevant)
- Challenges neutralization (people see the real impact of shortcuts)
- Encourages employees to internalize values, not just memorize rules
Studies have found that people are more likely to behave securely when they see security as part of who they are at work, not just something they have to acknowledge once a year.
Nudging and micro-interventions
Borrowing from behavioral economics, nudges are small design tweaks that guide people toward better choices without taking away options. For example:
- Placing the secure option (encrypted email, approved tool) as the default
- Timely reminders near high-risk actions (downloading data, sharing links)
- Clear, plain-language warnings when someone is about to do something risky
These low-friction nudges:
- Reduce errors without lecturing people
- Support autonomy (people can still choose otherwise)
- Lighten cognitive load by making the right action obvious
Continuous, not one-and-done
Finally, a culture of compliance is never "finished." It requires:
- Regular measurement (surveys, behavior metrics, incident trends)
- Open feedback channels to refine policies and training
- Iterative improvement based on what’s actually happening, not just what’s written down
Instead of seeing non-compliance as purely a failure, treat it as diagnostic data:
- Where do people struggle to follow the process?
- Which tools or steps are routinely bypassed—and why?
- What does that say about workload, design, or communication?
Organizations that take this more humble, learning-oriented view tend to see far better outcomes over time.
Bringing It All Together: Practical Takeaways
To make this concrete, here’s how you might translate the ideas above into an actual plan for improving security awareness training and building a compliance culture:
1. Assess your current culture honestly
- Run anonymous surveys about security and compliance attitudes
- Ask: "What gets in the way of following our security policies?" and really listen
- Look for gaps between stated values and lived reality
2. Simplify and focus your policies and training
- Prioritize the highest-risk behaviors and assets
- Rewrite key policies in clear, plain language
- Tailor training by role instead of using a single generic module
3. Build psychological safety around reporting
- Create multiple, low-friction ways to report issues
- Publicly thank teams that surface problems early
- Make learning reviews standard after incidents, not witch hunts
4. Involve people in the design of controls and training
- Hold workshops with staff to walk through real workflows
- Ask: "Where does this policy clash with reality?" and adjust accordingly
- Pilot new controls with small groups before rolling out widely
5. Use technology as an enabler, not a hammer
- Integrate security prompts and nudges into tools people already use
- Automate the most repetitive or error-prone tasks
- Move toward context-aware access and monitoring where appropriate
6. Hold leaders visibly accountable
- Include security and compliance behavior in leadership performance goals
- Expect executives to complete training and follow rules like everyone else
- Make it clear—through actions—that no one is "too senior" for security
None of these steps are glamorous, and they do take time. But they’re exactly the kinds of slow, steady changes that shift a culture from "we have to do this" to "this is how we do things here."
Security awareness training, on its own, will never be enough to protect an organization. Real resilience comes from a culture of compliance where people understand the why behind the rules, see leaders living those values, and feel both supported and accountable in doing the right thing.
When you combine:
- Clear, realistic policies
- Psychologically safe communication
- Leadership modeling
- Embedded, role-specific training
- Smart technical controls and nudges
…you transform compliance from a burden into a shared practice. Instead of chasing employees to finish yet another training module, you’ll start to see secure behavior woven into everyday decisions.
If you’re responsible for security awareness or compliance, the next step is simple: pick one area—maybe reporting culture, or simplifying a painful process—and start there. Talk to your people, adjust the system, and treat every insight as an opportunity to refine your approach.
Over time, these small, deliberate moves are exactly what builds the kind of culture that not only passes audits, but actually withstands real-world threats.