Why Organizations Should Aim for a Risk-Averse Culture, Not Just Compliance
For many organizations, security training boils down to a checkbox exercise: prove that every employee completed the mandatory awareness course. According to John Curran, principal consultant at FTR Solutions and co-founder of Intrinsic Aware, this approach misses the mark entirely. Instead, companies should focus on cultivating a risk-averse culture: one where security is embedded in everyday behavior rather than delivered as a one-time lesson.
Curran argues that a risk-averse culture goes beyond policies and procedures. It requires shifting away from a blame-oriented mindset, where employees fear reporting mistakes, toward an environment that encourages open dialogue about security incidents. “Unfortunately, many organizations have created a blame culture, and an environment where people don’t think of the information security function as good people to talk to when something bad happens,” Curran explained during a recent presentation.
The Pitfalls of a Blame Culture in Cybersecurity
When employees are afraid to speak up, the entire security posture suffers. A blame culture discourages incident reporting, so problems go unaddressed: a phishing link that is clicked but never reported is a foothold the security team does not know to look for. The figures cited in the presentation put nearly half of all security breaches down to human error, including falling for phishing attacks and losing USB drives. Despite this, organizations invest only 3-5% of their security budgets in awareness and training. This underinvestment, Curran says, is a critical oversight.
Building on this, he emphasizes that having policies in place is not the same as engaging staff. “All too often, organizations make the mistake of thinking that simply having policies and procedures in place for user awareness is sufficient. This is not the same thing as engaging your staff and ensuring they understand the company’s security needs.”
How to Foster a Risk-Averse Culture Through Training
Creating a risk-averse culture requires more than annual training sessions. Curran outlines several goals for an effective security awareness program:
- Employees should clearly understand what is expected of them.
- They must learn appropriate skills and behaviors for different situations.
- Ultimately, staff should feel willing and able to discuss or report suspected incidents. “Having a culture in which people are open to the discussion of risk and that they feel safe and able to report incidents is core,” Curran notes.
To achieve these goals, organizations need to move beyond passive learning. Curran advises using interactive methods such as testing, immediate feedback, and personalized learning pathways. For example, creating security learning pathways tailored to different roles can help employees retain information better. Additionally, providing rationale at the end of training modules reinforces why security matters.
Practical Tips for Engaging Security Training
Curran offers several actionable strategies for designing awareness courses that stick:
- Be careful with branding when creating training materials — keep them professional yet relatable.
- Create security learning pathways that guide employees through progressively more advanced topics.
- Offer immediate feedback during the test process to reinforce correct answers.
- Provide rationale at the end of each module to explain the “why” behind security rules.
- Track performance, progress, and levels of engagement to identify areas for improvement.
He also draws on the Chimp Paradox model (Steve Peters’ division of the mind into an emotional “chimp”, a rational “human” and a habit-driven “computer”) to explain why changing behavior is difficult. “Our goal in the awareness process is to keep the monkey quiet while we are talking to the human and push as much of that into the computer as possible,” Curran said. In other words, training should address the rational mind without triggering an emotional reaction, and aim to turn good security habits into automatic behavior so they become second nature.
The Role of Incident Reporting in a Risk-Averse Culture
One of the most critical components of a risk-averse culture is encouraging incident reporting. When employees feel safe admitting mistakes, the organization learns of an incident sooner, can respond faster, and can prevent a small mistake from growing into a larger breach. Curran stresses that a blame-free environment is essential, because fear of reporting undermines stakeholder engagement. “People shouldn’t be afraid of reporting incidents,” he says. “It’s not conducive to stakeholder engagement.”
To build this trust, companies should celebrate reporting rather than punishing errors. For more insights on creating a positive security culture, check out our guide on building a security-first workplace.
Conclusion: Moving Beyond Compliance
In summary, organizations must shift their focus from mere compliance to cultivating a risk-averse culture. This means investing in ongoing, engaging training that equips employees to act as the first line of defense. By addressing the root causes of human error and fostering open communication, companies can significantly reduce their risk exposure. As Curran puts it, “Having a culture in which people are open to the discussion of risk and that they feel safe and able to report incidents is core.”
Ready to transform your security awareness program? Explore our best practices for security awareness training to get started.