Where Cyber Security Culture Goes Wrong: NCSC Warning Signs in Real Organizations
“Culture” might be the most misunderstood word in cyber security.
We’ve seen it printed on mugs, posters, hoodies, and mouse mats from vendors selling tools, training, and even phishing simulation as 'culture'. (#sorrynotsorry). We’ve heard it in town halls, training intros, and conference keynotes.
But here’s the hard truth:
If your “cyber security culture” exists only on a mug, it’s probably not doing anything.
The UK’s National Cyber Security Centre (NCSC) has been pushing the conversation forward by talking about cyber security culture as the shared understanding of what’s normal and valued around security – and how that plays out in behavior, trust, and decisions every day.
We’re completely aligned with that direction.
Where we take it further at Cybermaniacs is this:
Culture is not a campaign.
Culture is not a vibe.
Culture is not “we did a training course and made a hoodie.”
Culture is a system.
If you don’t treat it like a system, it will keep defeating your controls, your awareness program, and occasionally your will to live.
In this article, we’ll unpack:
What we mean by “culture as a system”
How that connects to NCSC’s culture principles and the culture iceberg
The three layers we always look at: HumanOS, the Cyber Safety & Digital Risk culture model, and your organizational dynamics model
How to start designing system-level changes, not just new slogans
Most “culture” efforts in cyber follow a familiar pattern: you launch a new slogan (“Security is everyone’s responsibility!”), run a themed campaign in October, roll out a fresh e-learning module, and maybe sprinkle in some phishing simulations and stickers. None of that is wrong; it’s just not enough. All of those activities live at the very tip of the iceberg – the visible layer of messages, content, and events.
Below the surface, where NCSC (and attackers) really care, a very different story is playing out. That’s where you find how people actually work under pressure, what they think will happen if they tell the truth, what leaders reward, ignore, or quietly punish, where processes make secure behavior easy or painfully hard, and what “people like us” really do when no one’s watching. If you only ever work on the visible tip, the submerged part of the system will quietly route around your controls, train people to game your phishing tests, and make the insecure way of working feel like the only realistic option.
That’s why we say culture isn’t a mug; it’s the invisible operating system your security program runs on. And that brings us to how we model that system.
When we work with organizations on NCSC-aligned culture, we always look at three layers together:
HumanOS – the human operating system
Cyber Safety & Digital Risk culture model – how you do security
Organizational dynamics model – who you are as an organization
All three sit underneath NCSC’s culture principles and the iceberg concept. They’re just a bit more explicit and operational.
HumanOS is the messy, wonderful operating system between people’s ears:
attention and distraction
memory and habits
fear, stress, curiosity, boredom
social wiring and desire to belong
shortcuts we take when we’re tired or overloaded
Attackers absolutely design for HumanOS:
urgency, fear, and authority in phishing
curiosity and reward (“click for bonus / discount / file”)
plausible storylines that fit people’s mental models
If you design security only for ideal, well-rested, fully-focused humans, your controls will break at the first encounter with reality.
Treating culture as a system means asking:
What does our current environment do to HumanOS?
Are people constantly overloaded, stressed, and rushing?
Do we design processes and communications that work with human attention, not against it?
The Cyber Safety & Digital Risk culture layer covers the way your organization actually does security in everyday work:
How decisions get made in projects and change
How incidents and mistakes are handled in practice
How “secure ways of working” show up (or don’t) in real workflows
What people learn from experience, not just training
In other words, this is the lived version of your NCSC cyber security culture:
Is security involved early as an enabler, or late as a blocker?
Do people see incident reporting as a path to help and learning, or to trouble?
Are workarounds a rare exception, or the “real process” everyone uses?
In our model and assessments we look for:
points where your stated expectations and lived reality diverge,
places where processes quietly train people to ignore or circumvent controls,
patterns where “what works” is consistently in conflict with “what’s secure.”
You can’t fix this with slogans, because it’s wired into the way you do work.
Finally, there’s your organization's deep structure and personality. This is where the notion that “culture is never one-size-fits-all” really bites.
A high-reliability hospital won’t and shouldn’t look like a hyper-growth fintech.
A public-sector agency will have very different constraints and politics than a SaaS scale-up.
The same NCSC principles will manifest differently depending on who you are.
Treating culture as a system means:
Designing interventions that respect your organizational DNA, not fighting it blindly.
Knowing which levers actually work in your environment (policy, narrative, peer influence, governance, incentives, etc.).
NCSC gives you six culture principles to describe what “good” looks like:
security as an enabler
trust and openness around reporting
ability to adapt and learn from change and incidents
supportive social norms
leadership that owns its impact on culture
clear, usable rules and guidance
Our view doesn’t replace that – it makes it operational:
The principles tell you what the system should produce.
The three layers (HumanOS, how you do security, organizational dynamics) are the system you actually have.
When we see a gap – for example:
security seen as a blocker,
people hiding mistakes,
policies being ignored –
we don’t say “people are the problem.” We ask: what is the system teaching them?
In practice, that gap usually sounds like:
“We have great training, but incidents keep happening.”
“Everyone knows the policy, but nobody follows it.”
“People don’t tell us about problems until it’s too late.”
If any of that feels uncomfortably familiar, you’re not dealing with a messaging problem—you’re dealing with a system problem.
In those moments, it’s rarely “careless users.” It’s the way your HumanOS, how you actually do security, and your organizational dynamics are combining to make certain behaviors feel normal, inevitable, or even rewarded.
That’s the point where slogans and one-off campaigns stop working—and where you have to start treating culture like a system you can map, tune, and deliberately change.
And that’s exactly where our model comes in.
So what does it actually mean to treat culture as a system day-to-day?
Here are some practical shifts.
Before launching anything new, ask:
What behaviors are we really trying to change?
What does HumanOS look like in the moments those behaviors happen (e.g., stressed customer service, late-night coding, rushed approvals)?
How do our processes, tools, metrics, and leadership messages currently shape those moments?
When you design an intervention, try to touch:
HumanOS (how easy it is for a human to think/feel/act securely)
Cyber Safety & Digital Risk (the actual process or workflow)
Organizational dynamics (how leaders, metrics, and incentives support or undermine it)
This is where our other posts (operationalizing NCSC, the 12-month roadmap, measurement) come in.
Systems thinking means running a repeating loop:
Discover – baseline HumanOS, lived security, and org dynamics tied to NCSC principles.
Design – create interventions that change the system, not just the slogan.
Deliver – run them with proper change management and storytelling.
Measure – use NCSC-aligned metrics across perception, behavior, and operations.
Improve – learn and adjust; feed insights into the next cycle.
That’s what makes cyber culture understandable, manageable, and explainable to boards and regulators.
In practice, we usually show up when:
The organization is investing in security awareness and Human Risk Management but not seeing behavior change.
NCSC principles and other frameworks are recognized but not embedded.
Incidents or audits have made it clear “culture” is now a serious board-level topic.
We bring the system lens into play by:
Running an NCSC-aligned culture and human risk baseline using HumanOS, the Cyber Safety & Digital Risk culture model, and the organizational dynamics model.
Mapping incidents, metrics, and experiences to system patterns (e.g., where the process is training risky behavior).
Designing interventions that operate across layers – creative content and experiences, process redesign, leadership engagement, and measurement.
Helping CISOs and leaders tell the story: not “our people are the problem,” but “this is the system we built, and here’s how we’re changing it.”
The end goal is always the same:
A living, breathing cyber culture that matches NCSC’s principles because the system makes it normal – not because we printed a new slogan.
If you want culture that actually reduces risk, not just decorates mugs:
Stop treating culture as a campaign and start treating it as a system.
Look at the three layers:
HumanOS™ – how humans really think, feel, and act under pressure,
Cyber Safety & Digital Risk culture – how you actually do security in workflows and incidents,
Organizational dynamics – who you are, what you reward, and how power works.
Use the NCSC principles as your north star for what the system should produce, not just as nice words on a slide.
Design interventions that change:
processes,
incentives,
leadership behavior,
and the everyday environment where decisions are made.
Because culture isn’t a mug. It’s the invisible operating system your entire cyber security program runs on.