
Do you ever set your alarm early, fully intending to get up and start the day with purpose—only to snooze just once … and then maybe a few more times?
Ever walked into the supermarket, grabbed a basket, and then abandoned it the moment you saw the massive queue at the register?
Or promised yourself tonight is the night you’ll stick to healthy snacks—only to find yourself mysteriously holding a bag of chips an hour later?
Yeah. Me too. And let’s be honest—so has everyone else.
It’s not that we don’t know what’s best for us. We do. We know that skipping the gym won’t get us in shape. That climate change is real and that our choices impact the planet. That excessive sugar and processed food contribute to a global health crisis.
And yet… knowing isn’t enough. Awareness of the risk doesn’t magically translate into action.
Cybersecurity has the same problem
We’ve spent years trying to educate people about cybersecurity risks. We warn, we train, we send out dire messages about phishing, weak passwords, and insider threats. And yet, risky behavior persists. Why?
Because awareness isn’t the same as action.
If simply knowing a risk was enough to change behavior, no one would speed, no one would smoke, and everyone would eat their vegetables.
This is exactly why traditional security awareness campaigns—full of alarmist, pessimistic doomsday talk—fail to drive real change. They scare people, but they don’t alter behavior.
Security culture beats awareness every time
Imagine your IT security department disappeared overnight. Poof. Gone. No policies, no compliance checks, no phishing simulations, no mandatory training.
What would happen?
Would people still behave securely? Or would everything you’ve worked for collapse?
Security culture is what happens when no one’s watching. It’s what people do when security isn’t being enforced. And that’s what truly matters. Because if secure behavior only exists under the watchful eye of the security team, then you don’t have a culture—you have compliance theater.
Security culture isn’t about one-off training sessions. It’s about embedding security into how your organization operates—through processes, social norms, leadership, and, most importantly, behavioral reinforcement. It’s about making security easy, automatic, and natural—so that people don’t need constant reminders to do the right thing.
If you want real security, stop focusing on awareness and start building a culture. Because knowledge doesn’t equal action—culture does.
If you want to learn how to create a strong risk- and behavior-based cyber security culture, check out my Masterclass in IT Security Culture.
I'll be running both a Danish and an English version this spring.