Why Global Security Culture is Stagnant Despite Increased Cyberattacks: Expert Analysis

Why Trust Techopedia

With studies showing that eight out of ten cyber attacks start with phishing attacks and human error, and with incidents accelerating in rate and impact, security cultures have never been more important.

However, a new report by Knowbe4 reveals that the global security culture scores have stagnated at low to moderate levels.

While organizations recognize that employees are a key defense against cyberattacks, prime target sectors like government, manufacturing, and education are struggling to uphold adequate standards.

Techopedia sat with Knowbe4 — the world’s largest security awareness training and simulated phishing platform and company — and canvassed opinions from other experts in the field to explore the global state of security culture.

Key Takeaways

  • Global security culture is weak despite rising cyberattacks, with human error a major factor in breaches.
  • Traditional security solutions and awareness training are ineffective. Building a strong security culture requires ongoing education, clear communication, and leadership support.
  • The future of cyberattacks involves AI, requiring organizations to leverage AI for defense while strengthening core security practices.
  • Organizations need to move beyond passwords and implement multi-factor authentication for better protection.

Key Findings: The 2024 State of Security Culture

The 2024 Security Culture report released by Knowbe4 found that Europe, North America, and Asia lead in security culture with a score of 73 out of 100, while Africa, Oceania, and South America follow behind closely.

Knowbe4 defines “security culture” as the ideas, customs, and social behaviors that influence an organization’s security and reduce human risk. Under this definition, smaller organizations perform better in their overall security culture compared to larger counterparts, mostly due to the complexities that exist in big-sized operations.


Analyzing attitudes, behavior, cognition, communication, compliance, norms, and responsibilities, the report found that the top-performing industries include insurance, financial services, and banking — sectors that have been on the receiving end of cyberattacks for decades.

In contrast, government, manufacturing, and education sectors are struggling with their security cultures despite being increasingly targeted by cybercriminals.

Tech-Centric Approaches Fails to Build Strong Security Cultures

Joanna Huisman, SVP of Strategic Insights & Research at KnowBe4, told Techopedia that approaching security culture as a technology strategy is not the right path forward.

“Technology-centric strategies have proven inadequate on their own as cybercriminals adeptly circumvent traditional defenses, shifting their focus to exploiting human vulnerabilities, often the path of least resistance.

“Many organizations fail to fully integrate security as a universal responsibility, leaving employee behaviors misaligned with best security practices,” Huisman said.

“While advocating for a robust security culture is straightforward, the commitment and effort required to foster and maintain this environment takes focus.

“Traditional training methods fall short, as annual programs centered solely on compliance rather than holistic security awareness leave organizations vulnerable. Effective training requires a continuous, comprehensive approach to truly fortify an organization’s human defense layer.”

The Benefits of a More Open and Inclusive Security Culture

Phil George, CEO of Mentorcliq — a cloud and mobile-based employee mentoring software developer — told Techopedia that security cultures are shifting towards more open and aware concepts.

“From my experience working with so many different businesses and digging into their unique culture, there has been a noticeable shift in awareness and best practices around cybersecurity,” George said.

“This more inclusive and aware culture shift to cybersecurity is welcomed. For a business to be safe, every member must understand their role in maintaining cybersecurity.”

George explained that since the inception of the Internet, businesses typically relied on Chief Information Officers (CIOs) and IT teams to design and maintain cybersecurity.

“The consensus has changed and expanded to everyone inside organizations. A more open and aware culture is exactly what businesses need to survive and thrive past the modern-day cybersecurity threats.”

Factors Driving Security Cultures: Awareness, Attacks, Budgets and AI

As Fred Kwong, Chief Information Security Officer at DeVry University, told Techopedia, the state of global cybersecurity culture is influenced by a wide range of factors.

“The current landscape of cybersecurity is hyper-focused on awareness, risk factors, the increasing frequency of attacks, economic instabilities, and what’s possible next for threat actors with the rise of near-limitless artificial intelligence platforms like ChatGPT.”

The Knowbe4 report concluded that of all new technologies, AI will probably have some of the most profound cybersecurity impacts on organizations and individuals.

Kwong highlighted that 95% of breaches are financially motivated, according to the 2023 Verizon Data Breach Investigations report.

“Yet, despite increased accountability and investments toward mitigating attacks, many leaders within organizations do not feel confident that their current systems and processes are effective in protecting individual employees, data, and operations.”

Kwong added that while the CISCO Security Outcomes Report Volume 3 found that 96% of executives believe security resilience is highly important to their businesses, two-thirds of respondents reported suffering major security incidents that jeopardized business operations.

“As the report also points out, there’s a bridge between risk and resilience. According to CISCO’s report, organizations that foster ‘a culture of security ‘ see a 46% increase in resilience.”

Why Companies Fail Despite Investments

The IBM X-Force Threat Intelligence Index 2024 revealed a shift in cybercriminal tactics. File-less attacks (stolen credentials, no malware) are on the rise by 71%, while infostealers increased by 266%.

Still, the question remains. Why do companies that invest heavily in security awareness campaigns fail to stop these attacks? What additional tech can be used to enhance awareness and security culture?

Huisman of Knowbe4 told Techopedia that organizations need to implement a clear structure to enhance the clarity and impact of cultural transformation.

“There are seven fundamental stages in the continuous enhancement cycle, which you should follow to start your security culture transformation.”

The seven fundamentals of Knowbe4 include:

  1. Choose 2-3 behaviors that you would like to change.
  2. Design a plan to influence behaviors on an organizational scale.
  3. Get leadership buy-in.
  4. Communicate.
  5. Execute the plan.
  6. Measure results.
  7. Determine the move-forward strategy.

Regarding technology, Huisman spoke about the importance of security awareness and simulated phishing platforms designed to enhance ongoing education and fortify human vigilance against cyber threats.

These platforms should include a comprehensive suite of awareness and compliance training, real-time user coaching, AI-powered simulated social engineering, and crowdsourced anti-phishing defense.

Evaluation and AI in Security Culture

George of Mentorcliq added that evaluations are also vital to building and maintaining security cultures.

“The leading concept I’ve seen businesses implement to build a strong cybersecurity culture is including cybersecurity best practices into evaluations,” George said. “I think this is a genius idea as it motivates employees to be cyber aware and maintain their role in the business’s cybersecurity.

“AI is excellent at automating and enhancing more repetitive and nominal aspects of cybersecurity. However, an area AI will, and already is excelling in is threat detection. I fully expect AI to take over this part of cybersecurity in the near future.”

Huisman from Knowbe4 also spoke about AI and how it will change security cultures.

“AI-driven attacks can automate the discovery of loopholes and weak points in security systems, including finding networks that are vulnerable to penetration,” Huisman said.

“The use of AI can expedite the attack process, scaling up the number of targets and increasing the probability of successful breaches.

“It’s not just about the quantity of the attacks but also their quality; AI can enable more complex, stealthy, and persistent cyber threats. As AI-powered cyber-attacks grow in sophistication, it becomes imperative that security awareness programs also evolve.”

Organizations should remain vigilant, stay informed about these emerging threats, and continuously adapt their cybersecurity strategies to mitigate the risks posed by this powerful technology.

6 Strategies to Build a Security Culture that Considers AI

Kwong from DeVry University said there are six strategies that organizations who want to build effective cybersecurity cultures have to consider. They are as follows:

  • Start from the Top: The most important aspect of security culture is for C-suite executives to set the tone for the rest of the organization. Employees need to understand that they all have a role in mitigating risks and maintaining their organization’s security resilience.
  • Embed Security Throughout the Organization: When security is the foundation of all processes, checks, and balances are put in place to ensure that security is top of mind for everyone involved throughout a project’s lifecycle. Furthermore, managers and employees are more likely to view security protocols as an important step in what they do, which aids an effective cybersecurity culture across an organization.
  • Practice Security Hygiene: A strong security culture requires everyone in the organization to consistently follow best practices. Regularly reporting phishing attempts is a good indicator of how well employees are implementing security measures.
  • Run Tabletop Exercises: Tabletop exercises act like practice drills for cyberattacks, helping organizations find vulnerabilities in their response plans and employee knowledge. By simulating real-world scenarios, these exercises improve communication, identify knowledge gaps, and train employees on how to handle a cyber incident.
  • Change Up Security Communication Tactics: Effective communication is key to building a lasting security culture. However, simply repeating the same messages is unproductive.  The best approach is to deliver cybersecurity awareness through a variety of engaging channels across the organization.
  • Reward Employees’ Good Behaviour: Recognizing employees who report phishing attempts and offering them additional training after falling for one helps build a positive security culture. This reinforces the importance of individual responsibility and continuous learning.

“Artificial intelligence is poised to fundamentally transform cybersecurity in the coming years,” Kwong said. “However, AI won’t just be used for defense — it will also be leveraged by hackers and cybercriminals to launch increasingly sophisticated attacks.

“According to Gartner’s 4 Ways Generative AI Will Impact CISOs and Their Teams, through 2025, attacks leveraging generative AI will force security-conscious organizations to lower thresholds for detecting suspicious activity, generating more false alerts, and thus requiring more – not less – human response,” Kwong added.

3 Key Areas to Focus to Prepare for AI

Kwong said that to prepare for AI, organizations should focus on three key areas. First, implement AI and machine learning in your security stack. Solutions like user behavior analytics, automated incident response, and AI-based malware detection will become essential.

Second, get the fundamentals right. “Require multi-factor authentication (MFA), provide regular cybersecurity training, encrypt data, and patch promptly. Strong fundamentals will help prevent many attacks from succeeding,” Kwong said.

Finally, plan to eventually move beyond passwords. As hacking tools become more sophisticated, passwords alone will not suffice.

The Bottom Line

Despite a rise in cyberattacks, the global security culture remains stagnant. Studies show human error is a key factor in breaches, yet organizations are failing to effectively train and empower employees.

Traditional security measures and awareness training are insufficient. A strong security culture requires a multi-pronged approach with leadership buy-in, ongoing education, and clear communication.

The future of cybersecurity will involve AI on both sides of the attack landscape. Organizations need to adapt their strategies to these evolving threats by leveraging AI for defense while prioritizing strong foundational security practices.


Related Reading

Related Terms

Ray Fernandez
Senior Technology Journalist
Ray Fernandez
Senior Technology Journalist

Ray is an independent journalist with 15 years of experience, focusing on the intersection of technology with various aspects of life and society. He joined Techopedia in 2023 after publishing in numerous media, including Microsoft, TechRepublic, Moonlock, Hackermoon, VentureBeat, Entrepreneur, and ServerWatch. He holds a degree in Journalism from Oxford Distance Learning and two specializations from FUNIBER in Environmental Science and Oceanography. When Ray is not working, you can find him making music, playing sports, and traveling with his wife and three kids.