How many times have you caught yourself humming a song you heard years ago? Or woken up with a melody stuck in your head? I’m guessing the answer is “many.”
Now, how many times have you hummed something about cybersecurity?
Some songs are so deeply embedded in our collective consciousness that we can sing them word for word—even if we’ve never actively listened to them. Their melodies trigger emotions, their lyrics transport us to a time or place, and their messages become part of who we are. This is the power of music and this is culture at work. It weaves ideas into our DNA, making them instinctive and unforgettable.
Cybersecurity, however, lacks this cultural resonance. Unlike music, it doesn’t naturally integrate into our daily lives. There is no anthem of security awareness that people instinctively hum. No universally recognized phrases that instantly trigger a security-first mindset. Instead, cybersecurity remains an afterthought—important, yet not intuitive. It exists in policies, compliance checklists, and awareness training modules, but it is far from being part of our subconscious habits at home or at work.
The question we must ask is: How do we make cybersecurity instinctive and embed it into our culture so deeply that it becomes second nature, just like a song we never actively learned but always knew?
The Power of Words in Security Culture
Words have the power to shape beliefs, reinforce behaviors, and build culture. The cybersecurity industry often speaks in technical jargon, compliance mandates, and fear-driven messaging. But culture is not built on fear. Culture is built on stories, emotions, and repetition—on words that resonate, inspire, and empower.
Maya Angelou once said, “People will forget what you said, people will forget what you did, but people will never forget how you made them feel.” This insight is crucial for the security culture. If we want people to internalize security practices, we must make them feel personally connected to them. Too often, cybersecurity communication feels cold, rigid, and impersonal—like a set of rules imposed from above, rather than an integral part of everyday life.
Think about the difference between a dry security policy and a powerful story about someone who fell victim to identity theft or a ransomware attack. The policy might be informative, but the story evokes emotions—fear, empathy, urgency. People remember emotions: how vulnerable they felt when a friend lost money to a scam or how frustrated they were when their own account was hacked or their privacy compromised. These emotions drive action far more than a checklist ever could.
The language of cybersecurity should not focus solely on threats and penalties; it should empower people to take ownership of their security. Instead of saying, “You failed the phishing test,” say, “You caught a phishing attempt—great job!” This simple shift from blame to encouragement makes people feel confident rather than discouraged. And when people feel confident, they are more likely to engage in secure behaviors willingly.
“If I could find words…” sing The Christians in a favorite song of mine. Imagine if cybersecurity professionals could “find words” to speak to their audience with the same emotional resonance as great songwriters or storytellers, making security personal and relatable. Instead of dry statistics, they could share real-life experiences that touch people on a human level. Instead of compliance mandates, they could craft compelling narratives that inspire action.
Ultimately, security culture is not just about what we tell people—it’s about how we make them feel about cybersecurity. If we can make security feel like a natural, empowering, and shared responsibility, it will become a part of our collective consciousness, just like the songs we never forget.
From Compliance to Culture
Most cybersecurity awareness efforts focus on compliance—policies, training sessions, phishing simulations. But compliance is not culture. Compliance is a rulebook. Culture is a mindset. If security is to be embedded in our DNA, it must move beyond checklists and into the realm of storytelling, language, and daily habits.
The aviation industry is a prime example of security built into its DNA. Safety isn’t just a checklist; it’s a deeply ingrained cultural practice. Pilots at every level follow strict protocols, learn from past incidents, and openly share what went wrong and how to improve, creating one of the safest transportation modes in the world.
They conduct briefings, debriefings, and routine check-ins not out of compliance, but as a security mindset. Anomalies, mistakes, and near misses are reported without fear because transparency is seen as a duty, not a weakness, to ensure the entire community stays protected.
This is the lesson cybersecurity must learn.
In many organizations, cybersecurity incidents are hidden, mistakes are punished, and employees fear speaking up about security concerns. This approach is the opposite of building culture. If we truly want security to become second nature, we must embrace the aviation industry’s model of open, continuous learning.
1. Encourage Security Debriefs
Just as pilots review their flights, cybersecurity teams should conduct post-incident debriefs—not to assign blame, but to learn and improve. Transparency about security events should be encouraged, not feared.
2. Normalize Reporting Without Fear
In aviation, reporting a mistake is seen as responsible behavior. In cybersecurity, we must move away from punitive reactions and towards a culture where reporting security incidents, near misses, or even suspected risks is seen as a collective duty.
3. Share Lessons Beyond the Security Team
Security teams often contain knowledge within their circles, but true culture change happens when everyone is involved. Pilots don’t just learn from their own flights; they learn from global aviation case studies. Cybersecurity should adopt the same model—sharing real-world incidents with employees in a way that fosters awareness and engagement.
4. Emphasize That Security Is a Shared Responsibility
Just as aviation safety depends on the collaboration of pilots, engineers, ground crews, and air traffic controllers, cybersecurity cannot be the sole responsibility of a single department. Everyone in an organization must see themselves as an active participant in maintaining security.
By learning from aviation, cybersecurity can shift from being a compliance-driven function to becoming an ingrained culture. If we achieve this, security will no longer be seen as a burden or an IT problem—it will be second nature, instinctive, and embedded in everything we do.
What if we didn’t just train employees on security, but gave them a security soundtrack?
Making Security Second Nature
How do we get there?
1. Create a Language of Security
Security should not be spoken in fear-based narratives. Instead, it should be about empowerment and ownership. Words matter. Reinforce positive security behaviors with language that rewards, not punishes.
2. Tell Stories, Not Just Give Instructions
People remember stories, not policies. Share real-life cybersecurity incidents in a way that connects emotionally. Use analogies, personal anecdotes, and lessons learned. Make cybersecurity personal—because when people relate to security, they internalize it.
3. Make Security Language Unforgettable
Develop phrases that stick, like anthems for cybersecurity.:
- “Your data, your defense.”
- “Lock before you walk.” (For locking screens before stepping away)
- “Pause before you post.” (For social media oversharing)
- “Your password is your key—don’t leave the door open.”
These are not just instructions—they are cultural touchpoints.
4. Repeat, Reinforce, Reward
Culture is built through repetition. Security messages should be everywhere—not just in training sessions, but in conversations, internal communications, and leadership messaging. Celebrate security champions. Turn security habits into workplace rituals.
Security as a Shared Responsibility
The goal is not just awareness—it’s instinct, woven into everyday actions. Just as we don’t think twice before locking our doors at night, cybersecurity should be automatic. We must speak about it, sing about it, and embed it into our collective mindset until security becomes as natural as breathing.
Security culture doesn’t happen overnight. But with the right words, the right stories, and the right mindset, we can make cybersecurity not just a policy—but a part of who we are.
It’s time to write cybersecurity’s anthem. What will yours be?
Anastasios Arampatzis is a cybersecurity content strategist, writer, and consultant with expertise in cybersecurity, digital identity, and regulatory compliance. Tassos has a strong background in creating thought leadership content, marketing materials, and strategic communications tailored to CISOs, security professionals, and business leaders. He has contributed to various cybersecurity publications and collaborates with organizations to develop compelling, insightful content that addresses industry challenges. He is a privacy advocate and a member of the ISC2 Hellenic Chapter. Before joining Bora, Tassos was an Hellenic Air Force Officer with a solid background on IT and Infosec.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.