This ‘personal research’ hobby of mine had taken me into the ‘From Security Awareness all the way to Behavioural Change’ alley(s).
Where it got stuck. Among others, through the realisation that ‘culture’ as such doesn’t exist, certainy not within larger organisations. Local cultures, yes. Overall cultures … maybe as the most degenerate common denominator; the more numbers you throw in a basket, asymptotically but very fast the common denominator will come crashing down to 1.
In infosecland, it’s worse. To actually adress and change the oft unconscious parts of personal culture (behaviour), one has to move away from organisation-wide awareness training ouch if you call it that, all are lost – into the realms of individual coaching, for each and every employee.
But then the stochastic cooling of particle physics rears its head, as a phrase that is. Can we somehow differentiate the to-be-learned from one-size-fits-all into separate sets of behaviours to be rote trained (in practical use; experienced) so the sets become unconscious behaviour(s), and then overlay these transparent sets [Remember, the ‘sheets’ you could stack on an overhead projector? You don’t – even know from a museum what an overhead projector is… Oh. ed.] over the organisation populace, according / in relation to the expectance to need such behaviour ..?