Perry Carpenter and Kai Roer pull no punches, proverbial or ideological, in their new book, The Security Culture Playbook. Security culture, as they are the first to admit, is somewhat amorphous in public discourse and in the public intellectual consciousness. It can seem almost untenable as a concept, but as Carpenter and Roer repeatedly demonstrate, applying it in a straightforward, systematic manner is an antidote to any perceived confusion.
“We’ve discussed why security culture is becoming a hot topic and why it is so important that it deserves board-level attention. But what about awareness? And what about all the other things generally associated with awareness, like simulated phishing tests? Where do they fit in? … The answer is both simple and complex,” the duo writes, in that vein.

Hence, they introduce a concept pivotal to understanding security culture practices, which they term ‘Transformational Security Awareness’. “(It) revolve(s) around a central thesis: that we cannot afford to ignore the human side of the cybersecurity equation; that technology alone will never be enough to create secure scenarios; and that everything we do or create needs to account for human nature.

‘Security awareness’ has gotten a bad rap not because it is ineffective but because many organizations running security awareness programs mistakenly believed that simply telling employees what’s expected of them or simply alerting employees to threats will lead to a more secure environment,” Carpenter and Roer explain. “… Giving people information is just that. We’ve transferred the information but have little control over what happens to the information after that. This understanding is encapsulated in what I refer to as the knowledge-intention-behavior gap.”

Essentially, as Carpenter and Roer argue time and again, security culture isn’t just a matter of implementing a particular, well-defined strategy. It’s a mindset. It’s something to be actively engaged in, and to participate in actively as it evolves. “The ways in which the human condition plays out within an environment are rarely the product of any single individual; rather, they are the result of how society and technology evolve, which in turn is the result of cultures overlapping and colliding. The function of security lives in this complex exchange of ideas,” they state. “… Security culture as a concept can be viewed through several different lenses, each providing perspectives that may help in prioritizing what is needed. Using different lenses can be very valuable when focusing on specific areas or details.
The drawback, however, is that a specific focus also removes other elements that may be relevant to consider. When we talk about security culture, we consider the term broadly. It is used to discuss security awareness, behavior, and culture at a high level. This allows us to discuss the topic in general terms, thus providing broad usage. You may also come across more specific terms, like information security culture, IT security culture, or cybersecurity culture. These are all security culture but with a somewhat narrower focus. This narrowed focus is unlikely to provide any added value to the discussion of security culture from a business perspective.”

Garth Thomas