Before we can define Security Culture, we must define culture. According to The Oxford Dictionary, culture is:
the ideas, customs, and social behaviour of a particular people or society
Using this definition, we may define security culture as the culture that impacts security in our organization, in both positive and negative ways.
From sociology, we know that culture is flexible and adaptive. This means that, using the right tools and measures, we can impact, change and foster a security culture the way we want it to be. It may take some time to change, depending on the gap between your current situation (as-is) and your target situation (to-be).
The Security Culture Framework combines social sciences like sociology, social psychology and personal psychology with organizational theory and change management, adds instructional design and training expertise, and mixes it all with security knowledge to create a complete overview of how to construct and leverage a security culture program.