How Cybersecurity Strategies and Policies Shape Organizational Culture, and How Generative AI Influences This Relationship
How Security Awareness Training Creates The Human Firewall
Isaas Lozada
Old Dominion University
CYSE 425W
Dr. Mehr
11/28/25
Abstract
Cybersecurity is no longer only a technical problem; it has become a human one. This paper argues that an organization's security culture is the most important factor in its overall defense, and that this culture depends on how well its cybersecurity strategy is shaped. After reviewing several strategies, the policy identified as most effective for building a strong, secure culture is continuous Security Awareness Training. The main reason is that this strategy targets the "human element" directly, turning employees from liabilities into a proactive "human firewall". The paper explains how the strategy changes behavior for the better and improves an organization's security posture. It also explores the role of Generative AI (GenAI) in making training programs more realistic, personalized and effective. It concludes that a modern security awareness program, paired with GenAI, is the strongest tool available for building the adaptable culture an organization needs to face today's threats.
How Security Awareness Training Creates The Human Firewall
Today's cybersecurity landscape has made one thing clear: technical defenses such as firewalls and antivirus software are not enough on their own. Attackers have learned that the easiest way into a well-defended network is not to break through its "digital" walls but to mislead an employee on the inside into opening the door. Social engineering, phishing, and human error are now the leading causes of successful cyberattacks (Spitzner, 2023). This is strong evidence that cybersecurity is no longer only a technical problem but also a human one, and it is why an organization's security culture has become the most important weapon in its defensive arsenal (Whitman, 2003).
The strongest cybersecurity culture is one in which every member of the organization, from the CEO down to the interns, understands their role in defending the company's assets (ENISA, 2017). It is a unified mindset in which secure behavior is automatic and treated as a top priority. Such a culture is not created overnight. It is the direct result of the cybersecurity strategies and policies the organization puts into practice. A policy that is hard to understand, or that focuses solely on punishment, creates a culture of fear and secrecy in which employees hide their mistakes (Karyda, 2007). A policy that is clear, supports employees, and prioritizes education creates a culture of empowerment in which employees are encouraged to report potential threats. This paper explains why a modern, continuous Security Awareness Training program is the key strategy for building a robust, positive security culture, and explores the new role that Generative AI (GenAI) plays in making this strategy stronger than ever before.
The focus of this paper is the strategy of Security Awareness Training. What most people picture when they hear the term is a dull PowerPoint presentation delivered on one random day each year. Employees have little interest in it and click through the slides as quickly as possible to check a compliance box. That is not the standard an effective program should be measured against.
Security Awareness Training
A strong and effective Security Awareness Training program is a continuous, adaptive effort to educate employees about the threats they face and to motivate them to defend against new attacks. Its central goal is not simply to deliver information but to change defensive behavior. The core components of such a program are phishing simulations that test employees under realistic conditions, short and engaging training modules on topics such as data handling and password security, and a simple, fast reporting procedure for when suspicious activity is spotted. A real program is not a one-time event; it is an ongoing practice integrated into the daily life of the company.
Security Awareness Training is the strongest strategy for bolstering an organization's security culture because it targets the "human firewall" directly. Other strategies such as Zero Trust are crucial, but they are technical controls that operate in the background. Security Awareness Training is the only strategy that engages every employee, and it ensures that each of them is actively participating in the company's defense.
Security Awareness Training also changes the narrative from blame to ownership. A good program does not fault an employee for clicking a malicious link during a simulation. Instead it uses that moment to teach, providing non-judgmental feedback that shows the employee the signs of the attack they missed. This creates a culture in which employees who believe they have made a mistake feel encouraged to report it, which is exactly the culture an organization needs: the longer an intruder stays inside the network undetected, the more damage they can do, and a culture of fear that leads employees to hide their mistakes gives the attacker that time.
Analysis
This strategy builds a sense of shared responsibility across the organization. Because the training applies to every employee, it sends a clear message that cybersecurity is not just the IT department's duty but everyone's job. When the CEO must complete the same training as an entry-level employee, it creates a bonded culture in which security is viewed as a core value of the organization rather than a rule to obey. That is why the strategy is more effective at strengthening culture than any other policy.
Role Of GenAI
Generative AI (GenAI) has the power to transform Security Awareness Training, making it more effective and more powerful. GenAI can supercharge the strategy through the creation of highly realistic phishing simulations. Phishing tests used to be simple, built on easy-to-spot templates. Today, attackers use GenAI to create convincing, personalized phishing emails that could fool most employees (Collard et al., 2024). The only way to teach employees to recognize these attacks is to train them with the same technology. Security teams can use GenAI to craft thousands of unique lures customized to specific departments or even individual employees, producing intensely realistic training scenarios. Generated lures should still be reviewed by the security team before they are sent, since the same realism that makes them effective can cause real harm if a simulation touches on sensitive subjects such as pay or job security.
GenAI can also make a large contribution to personalized training modules. Instead of forcing all employees to watch the same basic videos, GenAI can generate training content on demand. If an employee in the finance department keeps failing phishing scenarios built around fake invoices, the system can create an interactive exercise that focuses on exactly that type of threat, making the training more refined and personalized for each employee.
Finally, GenAI can power interactive chatbots that act as a "security helpdesk" available at all times. An employee who is unsure about a suspicious email can immediately refer it to the chatbot, which analyzes the message and gives feedback on whether it looks malicious. This makes security easier for employees by giving them instant support. The chatbot should be treated as a first line of triage rather than a final verdict: language models can be wrong, so messages the bot cannot confidently clear should be routed to the security team, and the service should be run so that forwarded emails, which often contain confidential data, stay under the organization's control.
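As an added illustration that is not part of the original paper, the following Python block shows the kind of deterministic checks a "security helpdesk" bot can run over a forwarded email before (or alongside) asking a language model for an opinion. It flags the same signs a training program teaches employees to look for: a display name that pretends to be a different address, a sender domain that imitates the company's, a Reply-To that diverts replies elsewhere, link text that shows one site while the href points at another, and pressure language. The company domain (`example-corp.com`), the two sample messages, the phrase list and the lookalike thresholds are all constructed assumptions for the example.

```python
"""Deterministic pre-checks for a security-helpdesk bot.
Added example with constructed data; not code from the paper."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

COMPANY_DOMAIN = "example-corp.com"  # assumption: the organisation's own mail domain
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours",
                   "account will be suspended", "overdue")


class _LinkParser(HTMLParser):
    """Collects (anchor text, href) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def _host(value):
    """Lower-cased host of an email address, a URL, or a bare domain."""
    if "@" in value:
        return value.rsplit("@", 1)[1].lower()
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def _site(host):
    """Last two labels, so www.example.com and example.com compare equal."""
    return ".".join(host.split(".")[-2:])


def _edit_distance(a, b):
    """Levenshtein distance, used to catch typo-squatted sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _is_lookalike(host):
    """Company label inside a foreign domain, or a domain within two typos (assumed threshold)."""
    if host == COMPANY_DOMAIN:
        return False
    return COMPANY_DOMAIN.split(".")[0] in host or _edit_distance(host, COMPANY_DOMAIN) <= 2


def triage(raw_message):
    """Return a list of (code, detail) indicators found in an RFC 5322 message string."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    senders = msg["From"].addresses if msg["From"] else ()
    from_name = senders[0].display_name if senders else ""
    from_host = senders[0].domain.lower() if senders else ""

    # 1. Display name shows a different address than the real sender.
    if "@" in from_name and _host(from_name) != from_host:
        findings.append(("display_name_mismatch", f"{from_name} shown, sent from {from_host}"))
    # 2. Sender domain imitates the company domain.
    if _is_lookalike(from_host):
        findings.append(("lookalike_sender", from_host))
    # 3. Replies are silently diverted to another domain.
    if msg["Reply-To"] and msg["Reply-To"].addresses:
        reply_host = msg["Reply-To"].addresses[0].domain.lower()
        if reply_host != from_host:
            findings.append(("reply_to_mismatch", reply_host))
    # 4. Link text names one site while the href goes to another.
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part is not None else ""
    if body_part is not None and body_part.get_content_type() == "text/html":
        parser = _LinkParser()
        parser.feed(body)
        for text, href in parser.links:
            if "." in text and " " not in text and _site(_host(text)) != _site(_host(href)):
                findings.append(("link_mismatch", f"text {text!r} -> {href}"))
    # 5. Pressure language in subject or body.
    hits = [p for p in URGENCY_PHRASES if p in (str(msg["Subject"] or "") + " " + body).lower()]
    if hits:
        findings.append(("urgency", ", ".join(hits)))
    return findings


def verdict(findings):
    """The bot never declares a message safe on its own; it clears or escalates."""
    return "escalate to security team" if findings else "no indicators found"


# Constructed lure: lookalike sender, forged display name, diverted replies,
# mismatched link and urgency language.
SUSPICIOUS = """\
From: "it-support@example-corp.com" <helpdesk@example-c0rp.com>
Reply-To: payments@mail-relay-verify.net
To: alice@example-corp.com
Subject: URGENT: overdue invoice, account will be suspended within 24 hours
Content-Type: text/html; charset=utf-8

<p>Please review the invoice and sign in at
<a href="http://example-corp.com.login-verify.net/sso">https://sso.example-corp.com</a>
immediately.</p>
"""

# Constructed benign internal message.
BENIGN = """\
From: Bob <bob@example-corp.com>
To: alice@example-corp.com
Subject: Lunch
Content-Type: text/plain; charset=utf-8

See you at noon.
"""

if __name__ == "__main__":
    for code, detail in triage(SUSPICIOUS):
        print(f"{code}: {detail}")
    print(verdict(triage(SUSPICIOUS)), "/", verdict(triage(BENIGN)))
```

These checks are cheap, explainable to the employee in the bot's reply ("the link says sso.example-corp.com but points at login-verify.net"), and produce the same finding every time, which a language model alone does not guarantee.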
Visualization
To gauge the strength of a Security Awareness Training program, I created an evaluation model called the Cybersecurity Culture Maturity Model. It helps an organization understand where it currently stands and where improvement is needed. The table below describes four levels of maturity.
| Level | Maturity | Culture Outlook | Employee Behavior |
|---|---|---|---|
| 1 | Clueless | Security is viewed strictly as the IT department's responsibility. No training across departments. | Employees have no knowledge of threats, routinely fall for phishing attacks, and do not report suspicious activity. |
| 2 | Compliant | Security is treated as a compliance issue. Training is an annual event held only to meet regulations. | Employees see security training as a chore. They follow general rules but do not defend proactively. |
| 3 | Security Conscious | Most employees understand common threats. Training is regular and reporting is encouraged. | Most employees can identify phishing attacks and are more likely to report mistakes or suspicious activity. |
| 4 | Security Resilient | Security is a top priority for the organization. All employees understand their duty to defend it. | Employees work with the security team often, take a proactive stance against threats, and report even sophisticated attacks. |
Data can be used to track an organization's progress through these levels: the share of employees who fail realistic phishing simulations (click rate), the number of suspicious emails employees report (report rate), and how long it takes an employee who has made a mistake, such as clicking a simulated link, to report it.
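As an added example that is not part of the original paper, the following Python block computes those three metrics, per department and overall, from a simulation log and maps them onto the four maturity levels above. The event log is constructed for illustration, and the click-rate and report-rate thresholds used for each level are assumptions that an organization would tune to its own baseline, not figures from the paper.

```python
"""Phishing-simulation metrics mapped to the Cybersecurity Culture Maturity Model.
Added example with constructed data; thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed log: one row per simulated lure delivered. A missing key means
# the employee did not click or did not report.
EVENTS = [
    {"dept": "finance", "user": "f1", "sent_at": "2025-10-01T09:00", "clicked_at": "2025-10-01T09:07", "reported_at": "2025-10-01T09:30"},
    {"dept": "finance", "user": "f2", "sent_at": "2025-10-01T09:00", "clicked_at": "2025-10-01T09:12"},
    {"dept": "finance", "user": "f3", "sent_at": "2025-10-01T09:00", "reported_at": "2025-10-01T09:05"},
    {"dept": "finance", "user": "f4", "sent_at": "2025-10-01T09:00"},
    {"dept": "finance", "user": "f5", "sent_at": "2025-10-01T09:00", "clicked_at": "2025-10-01T09:20", "reported_at": "2025-10-01T10:20"},
    {"dept": "engineering", "user": "e1", "sent_at": "2025-10-01T09:00", "reported_at": "2025-10-01T09:03"},
    {"dept": "engineering", "user": "e2", "sent_at": "2025-10-01T09:00", "reported_at": "2025-10-01T09:10"},
    {"dept": "engineering", "user": "e3", "sent_at": "2025-10-01T09:00"},
    {"dept": "engineering", "user": "e4", "sent_at": "2025-10-01T09:00", "clicked_at": "2025-10-01T09:15", "reported_at": "2025-10-01T09:18"},
    {"dept": "engineering", "user": "e5", "sent_at": "2025-10-01T09:00", "reported_at": "2025-10-01T09:02"},
]


def maturity_level(click_rate, report_rate):
    """Assumed thresholds for the four levels; tune to the organisation's baseline."""
    if click_rate <= 0.05 and report_rate >= 0.60:
        return 4  # Security Resilient
    if click_rate <= 0.20 and report_rate >= 0.40:
        return 3  # Security Conscious
    if report_rate > 0:
        return 2  # Compliant: some reporting, but clicks are still common
    return 1      # Clueless: nobody reports


def _minutes(start, end):
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 60


def summarize(events):
    """Per-department and overall metrics plus the maturity level they imply."""
    groups = defaultdict(list)
    for ev in events:
        groups[ev["dept"]].append(ev)
        groups["all"].append(ev)
    out = {}
    for name, rows in groups.items():
        delivered = len(rows)
        clicked = [r for r in rows if "clicked_at" in r]
        reported = [r for r in rows if "reported_at" in r]
        # Time from delivery to report, for everyone who reported.
        time_to_report = [_minutes(r["sent_at"], r["reported_at"]) for r in reported]
        # Time from the mistake (the click) to owning up to it: the culture signal.
        click_to_self_report = [_minutes(r["clicked_at"], r["reported_at"])
                                for r in reported if "clicked_at" in r]
        click_rate = len(clicked) / delivered
        report_rate = len(reported) / delivered
        out[name] = {
            "delivered": delivered,
            "click_rate": click_rate,
            "report_rate": report_rate,
            "median_minutes_to_report": median(time_to_report) if time_to_report else None,
            "median_minutes_click_to_self_report": median(click_to_self_report) if click_to_self_report else None,
            "maturity_level": maturity_level(click_rate, report_rate),
        }
    return out


if __name__ == "__main__":
    for name, metrics in summarize(EVENTS).items():
        print(name, metrics)
```

Tracking the click-to-self-report time separately from the overall report rate matters: a department whose click rate falls while its self-report time also shrinks is moving from a culture of fear toward one of ownership, which the click rate alone would not show.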
Conclusion
Ultimately, an organization's security is only as strong as its employees (Copas, 2015). Technical defenses will always be essential, but the most resilient security posture is built on a proactive security culture. This paper has argued that the key to building that culture is a continuous Security Awareness Training program.
This strategy engages every employee, transforming them from liabilities into a "human firewall." Unlike other policies, it builds a culture of empowerment and shared purpose, which is far stronger than a culture of fear. Supercharging the strategy with Generative AI to generate customized training and realistic scenarios only strengthens the organization's defense. As threats keep evolving, building a "human firewall" is not just a concept; it is the best investment an organization can make in its future security.
References
Collard, A., Colbert, M., Gillet, J., Huisman, J. G., & Kron, E. (2024, November 1). 2024 phishing attack landscape and benchmarking: The data you need to know. KnowBe4. https://www.knowbe4.com/hubfs/final_2024_phishing_benchmark_report.pdf?hsLang=en
Copas, D. (2015, May 11). Presented to the Interdisciplinary Studies Program. University of Oregon Scholars' Bank. https://scholarsbank.uoregon.edu/server/api/core/bitstreams/2dc00c24-bc64-4e31-8c83-1a40bd048f89/content
ENISA. (2017, November 4). Cyber security culture in organisations. European Union Agency for Network and Information Security. https://www.enisa.europa.eu/sites/default/files/publications/WP2017 O-3-3-1 Cyber Security Cultures in Organizations.pdf
Karyda, M. (2007, September 18). Fostering information security culture in organizations: A research agenda. CORE. https://core.ac.uk/download/pdf/301373754.pdf
Spitzner, L. (2023, July 25). SANS 2023 security awareness report: Managing human risk. SANS Institute. https://www.sans.org/blog/sans-2023-security-awareness-report-managing-human-risk
Whitman, M. E. (2003, August 16). Enemy at the gate: Threats to information security. Kennesaw State University DigitalCommons. https://digitalcommons.kennesaw.edu/cgi/viewcontent.cgi?article=2421&context=facpubs