How to Build a Positive Security Culture That Actually Changes Behavior
By Sage Wohns, CEO of Jericho Security
In an age where AI-generated phishing and deepfake attacks are becoming the norm, your people, not just your technology, are your first line of defense. But here's the problem: most security awareness programs don't actually change behavior. They rely on fear, shame, and checkbox compliance.
According to Gartner® Research VP Analyst Richard Addiscott, “Ninety-three percent of users who demonstrated certain insecure behaviors were aware that their actions would increase risk to their organization.”*
To meet today's human-layer threats, organizations need a positive, proactive security culture, one that turns employees into engaged defenders, not accidental liabilities.
Why Positive Beats Punitive
Punitive training creates anxiety and avoidance. Employees become afraid to ask questions or report suspicious activity for fear of being reprimanded.
A positive security culture does the opposite:
- Encourages open communication
- Emphasizes learning from mistakes
- Celebrates proactive behavior
People don’t change when they’re afraid, they change when they’re empowered.
From Awareness to Empowerment
Traditional awareness programs tell people what not to do. Empowerment-based programs teach them how to think like attackers and how to respond.
Empowering employees to simulate real-world threats using AI-generated email, voice, and video so that employees experience what modern phishing looks and feels like.
This shift from “don’t click” to “recognize and respond” builds behavioral fluency, not just rote knowledge.
Make It Real, Make It Relatable
Employees tune out generic, templated and off the shelf training. To change behavior, training must:
- Reflect their day-to-day workflows
- Include their communication tools (Email, SMS, Voice)
- Simulate threats they actually face, like deepfakes or conversational phishing
When people see how attackers might target them, they engage more deeply.
Celebrate Secure Behavior
Publicly recognizing employees who report phishing attempts or follow protocol during simulations reinforces desired behaviors.
Recognition doesn’t have to be monetary, it can be as simple as a Slack shoutout or a leaderboard update.
Security becomes a point of pride, not paranoia.
Leadership Sets the Tone
Culture is top-down. If executives bypass protocols or fail to model secure behavior, employees will follow suit.
CISOs and business leaders must:
- Participate in training
- Follow security best practices themselves
- Speak publicly about the importance of human-layer security
When leadership walks the walk, everyone else steps up.
Measure What Matters
Click rates from phishing simulations are useful but they’re just one signal. To assess true culture change, also track:
- Simulation reporting rates
- Employee confidence levels (via pulse surveys)
- Engagement with training content
Over time, you’ll see behavior shift and with it, your risk profile.
The Bottom Line
Security culture isn’t built in a day or in a once-a-year training. It’s built through repetition, recognition, and realism.
By making training more immersive, more personalized, and more positive, organizations can create a culture where secure behavior is second nature - and human resilience is your strongest asset.
Ready to build a security culture that actually changes behavior?
Schedule a demo to see how Jericho's AI-powered simulations can empower your team and reduce human-layer risk - starting today.
*Gartner, Build a Security-Conscious Culture With the Gartner PIPE Framework, Richard Addiscott, 29 April 2025
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.