Ask most organisations how their security awareness programme is performing and they will reach for the same handful of numbers: click rates from phishing simulations, completion rates for mandatory e-learning, and perhaps the number of tickets raised to the security team in a given month. These are not meaningless figures. But they are a long way from a complete picture of security culture.
Security culture is not a metric. It is a set of shared beliefs, habits and norms that shape how people in an organisation think about security day to day. It is what people do when no one is watching, when the training module has been ticked off and the simulated phishing campaign has wrapped up for the quarter. And it is the single most important factor in determining whether an organisation can withstand a real incident when one arrives.
So what does good security culture actually look like? And how do you know if you have it?
The limits of what KPIs can tell you
Phishing simulation click rates have become the default proxy for security culture because they are easy to generate, easy to compare over time, and easy to present in a board report. A downward trend in click rates looks like progress. In isolation, it might well be.
But a low click rate does not tell you why people are not clicking. It could mean they have genuinely learned to recognise and avoid suspicious emails. It could also mean they have learned that clicking leads to embarrassment or consequences, and they are now more careful about the simulations specifically, without any broader shift in how they think about security. These two outcomes produce the same metric. They do not produce the same resilience.
Similarly, high e-learning completion rates tell you that people finished the module. They do not tell you whether anyone retained anything useful from it, whether the content was appropriate for the audience, or whether it changed any actual behaviour. A tick in a compliance box is not the same as a change in how someone approaches their inbox on a Monday morning.
None of this means these metrics should be abandoned. It means they should be understood for what they are: narrow snapshots, not portraits. The fuller picture requires different questions.
What good security culture looks like in practice
Good security culture does not announce itself. It shows up in small, everyday moments: in the person who pauses before clicking an unexpected attachment, in the team that knows who to call when something looks wrong, in the manager who treats a reported mistake as a learning opportunity rather than a performance issue.
Some of the most reliable indicators are:
People report things without being prompted. This is perhaps the clearest sign of a healthy culture. When employees report suspicious emails, flag unusual activity, or tell the security team that they may have made a mistake, it means they trust the organisation enough to be honest. As we explored in our earlier piece on reporting culture, the speed and quality of incident response depend almost entirely on whether people speak up. High reporting rates are not a sign that more threats are getting through. They are a sign that people are paying attention and feel safe enough to say so.
Security feels relevant to people’s actual jobs. In organisations with weak security culture, security awareness training is something that happens to people rather than something they see any connection to. In organisations with strong culture, people understand why security matters in the context of their specific role. A finance team understands why invoice fraud is a credible threat. A customer service team understands why social engineering works. Relevance drives engagement, and engagement drives behaviour.
Managers model the behaviour they expect. Culture flows downwards from leadership. If senior managers skip mandatory training, share passwords for convenience, or respond to security incidents with blame rather than curiosity, their teams will take note. When leaders take security seriously and demonstrate that openly, it gives everyone else permission to do the same.
Security conversations happen outside formal training. In a genuinely engaged organisation, security does not live only in awareness campaigns and annual e-learning. It comes up in team meetings. People share news stories about recent incidents. Someone asks the security team a question because they are curious, not because they have to. These informal signals are harder to measure but highly meaningful.
Mistakes are treated as learning opportunities. In organisations that have moved away from fear-based and blame-based approaches, incidents and near-misses are examined with curiosity rather than judgement. The question is not “who is at fault?” but “what does this tell us about where people need more support?” This shift, simple in theory, takes real commitment to sustain in practice. But it is one of the most powerful things an organisation can do to build genuine resilience.
Measuring culture: beyond click rates
Measuring culture is harder than measuring compliance, but it is not impossible. The key is to build a measurement framework that captures both behaviour and attitude, and to track trends over time rather than looking for a single definitive score.
Behavioural indicators
Reporting rates from phishing simulations and real suspicious emails are the most valuable behavioural metric that most organisations are not tracking. How many people reported the simulation before the campaign window closed? How does that number compare to the number who clicked? How many of those who clicked then went on to report it, rather than staying quiet? How quickly did reports come in? Count each person once, so that one enthusiastic reporter sending the same email three times does not inflate the figure, and track the numbers consistently over time. Together they tell a much richer story than click rates alone.
Time to report in real incidents is another powerful signal. Organisations with strong reporting culture tend to have shorter gaps between an incident occurring and the security team being notified. Tracking this over time, even informally, can reveal whether the culture is moving in the right direction.
Voluntary engagement with security content, such as opening optional newsletters, attending non-mandatory briefings, or responding to security team communications, gives a sense of how far security has become part of the fabric of working life rather than an obligation to be discharged.
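The three behavioural indicators above (reporting rate, how reports compare to clicks, and time to report) can be derived from the event log most phishing simulation tools already export. The script below is an added example written for this article, not code from the original page or from any simulation product; it assumes a simple export format of (user, event kind, timestamp) rows with kinds "sent", "clicked" and "reported", and the campaign data in it is constructed for illustration. It counts each person once per indicator, ignores reports that arrive after the campaign window closes, and separates people who reported without clicking from people who clicked and then owned up, which is the "reporting a mistake" signal the article singles out.

```python
from datetime import datetime, timedelta
from statistics import median


def t(day, hour, minute):
    """Shorthand for timestamps in the constructed sample below (March 2024)."""
    return datetime(2024, 3, day, hour, minute)


# Constructed sample campaign: eight recipients, names and times invented.
# Real exports will have their own column layout; only the three fields matter.
SAMPLE_EVENTS = [
    ("alice", "sent", t(4, 9, 0)), ("alice", "reported", t(4, 9, 12)),      # reported, never clicked
    ("bob", "sent", t(4, 9, 0)), ("bob", "clicked", t(4, 9, 30)),
    ("bob", "reported", t(4, 9, 35)),                                       # clicked, then owned up
    ("carol", "sent", t(4, 9, 0)), ("carol", "clicked", t(4, 10, 0)),       # clicked, stayed silent
    ("dave", "sent", t(4, 9, 0)), ("dave", "reported", t(4, 9, 5)),
    ("dave", "reported", t(4, 9, 40)),                                      # duplicate report: count once
    ("erin", "sent", t(4, 9, 0)),                                           # no action at all
    ("frank", "sent", t(4, 9, 0)), ("frank", "reported", t(7, 10, 0)),      # reported after the window closed
    ("grace", "sent", t(4, 10, 0)), ("grace", "reported", t(4, 11, 0)),     # sent later, reported an hour on
    ("heidi", "sent", t(4, 9, 0)), ("heidi", "clicked", t(5, 8, 0)),        # clicked next day, silent
]
CAMPAIGN_START = t(4, 9, 0)
CAMPAIGN_WINDOW = timedelta(hours=48)


def campaign_metrics(events, campaign_start, window):
    """Derive behavioural indicators from (user, kind, timestamp) events.

    Each user is counted at most once per indicator (first click, first report).
    Reports after campaign_start + window are ignored, so the reporting rate
    reflects what happened while the simulation was live.
    """
    window_end = campaign_start + window
    sent, first_click, first_report = {}, {}, {}
    # Sort by time so setdefault() keeps the earliest event per user.
    for user, kind, ts in sorted(events, key=lambda e: e[2]):
        if kind == "sent":
            sent.setdefault(user, ts)
        elif kind == "clicked":
            first_click.setdefault(user, ts)
        elif kind == "reported":
            if ts <= window_end:
                first_report.setdefault(user, ts)
        else:
            raise ValueError(f"unknown event kind: {kind!r}")

    recipients = set(sent)
    if not recipients:
        raise ValueError("no 'sent' events: nothing to measure")
    clicked = {u for u in first_click if u in recipients}
    reported = {u for u in first_report if u in recipients}
    # People who clicked first and reported afterwards: the "I made a mistake" signal.
    clicked_then_reported = {u for u in reported & clicked if first_report[u] > first_click[u]}
    reported_before_clicking = reported - clicked_then_reported
    # Time to report is measured from each user's own send time.
    minutes_to_report = sorted(
        (first_report[u] - sent[u]).total_seconds() / 60 for u in reported
    )
    n = len(recipients)
    return {
        "recipients": n,
        "click_rate": len(clicked) / n,
        "report_rate": len(reported) / n,
        "reported_before_clicking": len(reported_before_clicking),
        "clicked_then_reported": len(clicked_then_reported),
        "clicked_and_silent": len(clicked - reported),
        "median_minutes_to_report": median(minutes_to_report) if minutes_to_report else None,
        # How long the security team waited for the first heads-up after launch.
        "minutes_to_first_report": (
            (min(first_report[u] for u in reported) - campaign_start).total_seconds() / 60
            if reported else None
        ),
    }


if __name__ == "__main__":
    for name, value in campaign_metrics(SAMPLE_EVENTS, CAMPAIGN_START, CAMPAIGN_WINDOW).items():
        print(f"{name:28} {value}")
```

Run against the sample, the click rate (0.375) and the reporting rate (0.5) describe the same campaign very differently: half the recipients told someone, one person reported after clicking, and two clicked and said nothing. The last group, not the click rate, is where the follow-up conversation belongs. Keep the per-campaign dictionaries and plot them over a year to get the trend the article recommends.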
Attitudinal indicators
A baseline security culture assessment, carried out through a short survey at the start of a programme, is one of the most useful tools available. Done well, it captures how people feel about security: whether they find it relevant, whether they feel confident in their ability to make safe decisions, whether they trust the security team, and whether they would feel comfortable reporting a mistake. Repeating the assessment at regular intervals shows whether attitudes are shifting.
Qualitative feedback, gathered through team conversations, manager check-ins or focus groups, adds depth that survey scores cannot capture. What is it that makes people hesitate before reporting? What do they find most useful about the training they have received? What would make security feel less like an imposition and more like something that genuinely helps them do their jobs safely? These conversations are invaluable.
Leading and lagging indicators
It helps to think of culture metrics in two categories. Lagging indicators reflect outcomes that have already happened: click rates, incident volumes, mean time to detect and respond. They tell you where you have been. Leading indicators, such as reporting rates, training engagement and attitude scores, point towards where you are heading. A mature measurement framework uses both.
The role of programme design
Culture cannot be trained into existence. It has to be built through a combination of consistent leadership behaviour, programme design that respects the people it is aimed at, and an organisational environment in which people feel genuinely supported rather than surveilled.
Programme design matters more than most organisations realise. Training that treats employees as potential threats rather than people who want to do the right thing creates the very fear and disengagement that good security culture requires us to move away from. Training that is inaccessible to neurodivergent employees, or that assumes a level of digital confidence that not everyone has, will fail a significant portion of the workforce before it has even started.
Genuinely effective programmes are built on a few consistent principles. They speak to people in their own context rather than using generic content. They explain the why behind the what. They make it easy to ask questions and to report concerns. They celebrate vigilance and reporting visibly and consistently. And they treat security as something the organisation does together, rather than something the security team does to everyone else.
A more useful question
Next time you sit down to review your security awareness metrics, try swapping the usual question. Instead of asking “what is our click rate this quarter?”, ask this: if a real incident happened tomorrow, would people know what to do? Would they feel safe telling us about it? Would they trust us to respond without blame?
If the honest answer to any of those questions is no, or not sure, that is where the work is. Not in optimising the phishing simulation template. Not in adding another mandatory module to the learning management system. In the human stuff: the trust, the communication, the day-to-day signals that tell people whether security is something worth caring about.
That is what good security culture looks like. And it turns out it is measurable, if you know what to look for.
At Unity Group Solutions, we help organisations build lasting security culture through empowerment-led, neuroinclusive awareness programmes that go well beyond tick-box training. If you would like to talk about where your organisation is on the culture journey, get in touch at hello@unitysolutions.org.uk.