Summary of the Article

Introduction
The article delves into the transformation of Security Education, Training, and
Awareness (SETA) programs in three large organizations, shifting their focus from
compliance to cultivating a robust cybersecurity culture. The central aim is to
identify and analyze five key initiatives that these organizations implemented to
enhance their cybersecurity practices, moving beyond mere regulatory
compliance to fostering genuine behavioral change among employees.
Key Initiatives for Building Cybersecurity Culture
3
. Identifying Key Cybersecurity Behaviors
The article highlights the importance of translating broad security
policies into specific, actionable cybersecurity behaviors. This initiative
involves breaking down complex security requirements into clear,
practical actions that employees can easily understand and follow. By
focusing on key behaviors—such as recognizing phishing attempts,
reporting incidents, and using strong passwords—organizations can
better align their SETA programs with real-world practices. This approach
not only simplifies policy language but also sets clear, measurable goals
for employees. The authors argue that this shift from generic awareness
to specific behaviors is crucial for effective security training (Fertig et al.,
2020).
. Establishing a Cybersecurity Champion Network
The creation of a cybersecurity champion network is presented as a
2
significant factor in enhancing cybersecurity culture. Cybersecurity
champions are individuals within various departments who take on the
role of advocating for and supporting cybersecurity practices. They act
as intermediaries between the cybersecurity team and the rest of the
organization, helping to disseminate information, answer questions, and
provide assistance with security-related issues. The article emphasizes
that these champions are instrumental in increasing engagement with
cybersecurity initiatives, as they have a better understanding of
departmental needs and can offer more targeted support. This initiative
aligns with the literature suggesting that involving employees in security
efforts through peer influence and support networks can significantly
improve security outcomes (Gabriel & Furnell, 2011).
. Building a Cybersecurity Hub
1
Another key initiative discussed is the development of a centralized
cybersecurity hub. This hub serves as a comprehensive resource center
where employees can access training materials, report security incidents,
and seek assistance with cybersecurity concerns. The hub is designed to
provide a one-stop-shop for all cybersecurity-related needs, making it
easier for employees to engage with security practices and obtain the
 necessary support. The article notes that the hub also supports
cybersecurity champions by equipping them with the tools and resources
needed to train and assist their colleagues. This initiative helps create an
integrated ecosystem that fosters better communication and support
within the organization (Simões, 2001).
. Developing a Brand for the Cybersecurity Team
Developing a distinct brand for the cybersecurity team is identified as a
strategic initiative that enhances visibility and recognition. The article
argues that a well-developed brand helps in creating a consistent and
3
recognizable identity for the cybersecurity team, making their activities
and messages more memorable. By prominently displaying the
cybersecurity team’s brand across various platforms—such as internal
communications, training materials, and incident alerts—organizations
can strengthen the connection between employees and cybersecurity
efforts. This branding helps in establishing a clear association between
the team and its activities, thereby improving engagement and response
to cybersecurity initiatives (Simões, 2001).
. Aligning Security Awareness with Internal and External Campaigns
Aligning cybersecurity awareness efforts with other internal training
programs and external campaigns is highlighted as a way to maximize
resources and reduce competition for employees' attention. The article
discusses how integrating cybersecurity training with other
organizational initiatives helps in streamlining training efforts and
ensuring that employees are not overwhelmed by competing demands.
This alignment also facilitates collaboration between the cybersecurity
team and other departments, as well as with external cybersecurity
experts. By leveraging existing resources and partnerships, organizations
can enhance the effectiveness of their security awareness programs and
improve overall engagement (Alshaikh et al., 2018; Puhakainen &
Siponen, 2010).
Discussion
The article evaluates the success of these initiatives in shifting organizations’
focus from compliance to building a cybersecurity culture. It emphasizes that
traditional measures of effectiveness, such as training completion rates, are
insufficient for assessing the impact of security programs. Instead, the authors
advocate for using metrics such as employee engagement, feedback, and incident
reporting to gauge the success of cybersecurity initiatives. The development of
cybersecurity champions, hubs, and branding, along with alignment with broader
campaigns, is presented as effective strategies for creating a more engaged and
responsive security culture.
Challenges and Recommendations
The article acknowledges several challenges associated with implementing these
initiatives, including limited resources, time constraints, and a shortage of
specialized expertise in cybersecurity awareness. It suggests that while large
organizations may have the capacity to implement these initiatives on a broad
scale, smaller organizations may need to adapt these strategies based on their
specific context and available resources. Utilizing resources from cybersecurity
authorities and tailoring initiatives to fit organizational needs are recommended as
ways for smaller organizations to enhance their security culture effectively.
Conclusion
In conclusion, the article provides valuable insights into transforming SETA
programs from compliance-focused activities to efforts that genuinely build a
cybersecurity culture. It identifies five key initiatives that have proven effective in
enhancing security practices and employee engagement. The study’s findings
offer practical guidance for organizations looking to improve their cybersecurity
culture, emphasizing the importance of shifting focus from compliance to creating
a supportive and engaging environment for cybersecurity practices. The article
calls for further research to explore the optimization and sustainability of these
initiatives, particularly for organizations with limited resources.

Moneer Alshaikh,
Developing cybersecurity culture to influence employee behavior: A practice
perspective,
Computers & Security,
Volume 98,
2020,
102003,
ISSN 0167-4048,
https://doi.org/10.1016/j.cose.2020.102003.
(https://www.sciencedirect.com/science/article/pii/S0167404820302765)
Abstract: This paper identifies and explains five key initiatives that three Australian
organizations have implemented to improve their respective cyber security
cultures. The five key initiatives are: identifying key cyber security behaviors,
establishing a 'cyber security champion' network, developing a brand for the
cyber team, building a cyber security hub, and aligning security awareness
activities with internal and external campaigns. These key initiatives have helped
organizations exceed minimal standards-compliance to create functional cyber
security cultures. This paper discusses why these initiatives have been effective
and provides practical guidance on their integration into organizational security
program
Keywords: Cybersecurity culture; Behavior change; Cyber security awareness;
Information security management; Cybersecurity initiatives; Cybersecurity
champion network; Cybersecurity hub