Security awareness training never occurs in a cultural vacuum, so it is advisable for an organization’s risk management department to evaluate the organizational culture and adjust the messaging accordingly.
For example, consider an authoritarian corporate environment in which employees are expected to simply follow instructions without questioning how a task fits into a broader context. Changing employees’ behavior or default responses to things like phishing emails is likely to require more effort there than in a culture that promotes cooperation and critical thinking and recognizes the value of getting managerial and staff buy-in for new initiatives.