Self-reflection — Concept of Cybersecurity Culture

How does policy inform culture?

I believe that policies will drive and force the culture in companies with regards to cybersecurity. Policies will force the company to address the needs for various cyber risk which will in turn lead to procedures that will drive the employee to understand the important.

Can culture be created by policy alone?

Personally I believe that Awareness programs need to be implemented and constantly reviewed and trained with every employee. Awareness testing adds the additional “force” that will bring the change in the culture.