The Social Implications Of Security Awareness Training 

Isaas Lozada

Old Dominion University

CYSE 425W

Dr. Mehr

12/1/25 

The Social Implications Of Security Awareness Training

Cybersecurity in today’s society has transformed from what was once considered a purely “technical” problem into a social vulnerability. The core motivation behind strategies like Security Awareness Training is that hackers target employees, not just the technology. The most reliable way to break into an established network is to exploit human trust through phishing attacks and social engineering (Spitzner, 2023). This is strong evidence that lapses in the human element are the core source of security breaches, which required a shift in policy away from a strictly technical defense and toward methods that directly address human behavior. However, the success of this strategy depends entirely on the social culture and behavior demonstrated within a company.

Implementing a Security Awareness Training policy can also carry serious social consequences. The results depend on how the policy is executed: it either generates a positive culture of encouragement or a negative culture based on fear. If a company’s mindset focuses directly on punishment, the policy will have detrimental social consequences. Realistic phishing scenarios will be viewed as shaming exercises, and employees who fail them will be made to feel embarrassed. This inevitably develops a culture of fear and secrecy, in which employees conceal their mistakes to avoid blame, allowing hackers to remain inside the network far longer than necessary (Karyda, 2007). In contrast, if the policy is designed as a tool for support and education, it generates a positive and influential social culture of encouragement, turning employees from vulnerabilities into a motivated “human firewall.”

The assessment of this policy’s societal impact is based on my Cybersecurity Culture Maturity Model, which evaluates how a company’s security culture shapes the policy’s effectiveness. The model’s levels are Clueless, Compliant, Security-Aware, and Security Resilient, and each level represents a category into which a company’s culture can be placed. A company at the “Compliant” level is one where the policy carries little importance and is viewed as a “chore” done for compliance. On the other hand, a company that values the policy as a way to establish a unified duty to defend will see its culture rise to the “Security-Aware” level, with the goal of becoming “Security Resilient,” where security is a shared priority across the company rather than a chore to complete (Collard et al., 2024).

Level | Maturity | Culture Outlook | Behavior of Employees
1 | Clueless | Security is viewed strictly as the responsibility of the IT department. No training across departments. | Employees have no knowledge of threats, constantly fall for phishing attacks, and do not report suspicious activity.
2 | Compliant | Security is treated as a compliance issue. Training is an annual event conducted only to meet regulations. | Employees view security training as a boring task. They follow general rules but do not proactively defend.
3 | Security Conscious | The majority of employees understand cyber vulnerabilities. The training program is regular and reporting is encouraged. | The majority of employees can identify phishing attacks and are more likely to report mistakes or suspicious activity.
4 | Security Resilient | Security is a top priority within the company. All employees understand the duty of defending the company. | Employees work with the security team often, possess a proactive mindset against threats, and report sophisticated attacks.

At its core, the main ethical and social implication is that these realistic phishing scenarios require a company to intentionally deceive its own employees. The assessment must be used strictly as an instrument for positive education rather than chastisement. If the metrics used by management create an environment based on fear, the strategy will be completely useless. The Security Awareness Training policy’s success will be gauged not by a technical calculation but by a social measure. The policy will be an unfiltered representation of support, honesty, and a unified purpose of defending the company.

References

Collard, A., Colbert, M., Gillet, J., Huisman, J. G., & Kron, E. (2024, November 1). 2024 phishing attack landscape and benchmarking the data you need to know. KnowBe4. https://www.knowbe4.com/hubfs/final_2024_phishing_benchmark_report.pdf?hsLang=en

Karyda, M. (2007, September 18). Fostering information security culture in organizations: A research agenda. CORE. https://core.ac.uk/download/pdf/301373754.pdf

Spitzner, L. (2023, July 25). SANS 2023 security awareness report: Managing human risk. SANS Institute. https://www.sans.org/blog/sans-2023-security-awareness-report-managing-human-risk