Neil Faraday

Quantifying Cybersecurity Culture: New Study Links Employee Sentiment to Security Posture

New framework and data reveal significant variation in security culture across industries and departments, with guidance on how to quantify security culture.

Madison, WI, July 01, 2021 -- Infosec, the leading cybersecurity education company, today released findings from its new research report, Cybersecurity Culture - Quantified. Designed to assess employee perceptions and sentiments towards cybersecurity best practices and policies, the study revealed a significant variation of security culture by industry, department and organization size.

A strong cybersecurity culture, an organization’s collective awareness, attitudes and behaviors toward security, is based on employees willingly embracing security best practices both professionally and personally. Accordingly, ISACA and CMMI Institute research has shown organizations with strong cybersecurity cultures experience increased visibility into potential threats, reduced cyber incidents and greater post-attack resilience among other measurable benefits.

However, cybersecurity culture has historically been seen as an abstract concept and difficult to quantify. To help overcome this challenge, Infosec developed a framework and survey to classify cybersecurity culture and systematically measure results, allowing organizations to turn this important security variable into a data-driven element in their cybersecurity strategy.

“Our goal with this study was to understand the current state of security culture and uncover employee sentiments impacting security behaviors. The results show employee beliefs toward cybersecurity vary widely, which can have a major impact on an organization's security posture,” said Jack Koziol, CEO and founder at Infosec. “If employees aren't engaged in security training and best practices, it limits the security team's ability to effectively mitigate security threats. Understanding where your security culture is today is an essential first step to build an effective cybersecurity strategy.”

Quantifying the Current State of Security Culture

To conduct the study, Infosec surveyed over 1,000 professionals across dozens of industries to measure employee attitudes and perceptions towards cybersecurity and the organization’s security practices among five cybersecurity culture domains (Confidence, Engagement, Outcomes, Responsibility, Trust).

Results revealed unique cultural strengths and weaknesses based on respondents’ organization size, department and industry. Large organizations with 50,000+ employees, IT and security departments, and law firms and legal services reported the strongest cybersecurity cultures, while small organizations with fewer than 100 employees, distribution departments and agriculture reported the weakest cybersecurity cultures.

Other key findings on employee attitudes and perceptions around cybersecurity include:

74% believe a cybersecurity issue would be taken very or extremely seriously if reported at their workplace

66% believe they would face very or extremely serious consequences if they caused a cybersecurity incident at their workplace

23% feel complying with their organization's cybersecurity policies and best practices interferes with their ability to do their job very often or extremely often

Organizations of all sizes can use the findings included in this report as a reference point for their own cybersecurity culture or to focus their efforts on specific departments or cybersecurity culture domains. The study follows Infosec’s recent launch of their Infosec IQ Cybersecurity Culture Survey that allows security awareness and training managers to analyze and measure employee attitudes and perceptions towards security practices, policies and training strategies.

About Infosec

Infosec is the leading cybersecurity education company helping IT and security professionals advance their careers and empowering employees to be cyber-safe at work and home. Its mission is to equip individuals and organizations with the knowledge and skills to confidently outsmart cybercrime. More than 70% of the Fortune 500 have relied on Infosec Skills to develop their security talent and teams, and more than 5 million learners worldwide are more cyber-resilient from Infosec IQ’s security awareness and phishing training. Follow Infosec on LinkedIn, Twitter, Facebook, Instagram and Infosec’s Resources Blog for the latest news, or visit for more information.


InfoSec Kate Rodgers 708-689-0131


