homepage
Open menu
Go one level top
  • Train and Certify
    Train and Certify

    Immediately apply the skills and techniques learned in SANS courses, ranges, and summits

    • Overview
    • Courses
      • Overview
      • Full Course List
      • By Focus Areas
        • Cloud Security
        • Cyber Defense
        • Cybersecurity and IT Essentials
        • DFIR
        • Industrial Control Systems
        • Offensive Operations
        • Management, Legal, and Audit
      • By Skill Levels
        • New to Cyber
        • Essentials
        • Advanced
        • Expert
      • Training Formats
        • OnDemand
        • In-Person
        • Live Online
      • Course Demos
    • Training Roadmaps
      • Skills Roadmap
      • Focus Area Job Roles
        • Cyber Defence Job Roles
        • Offensive Operations Job Roles
        • DFIR Job Roles
        • Cloud Job Roles
        • ICS Job Roles
        • Leadership Job Roles
      • NICE Framework
        • Security Provisionals
        • Operate and Maintain
        • Oversee and Govern
        • Protect and Defend
        • Analyze
        • Collect and Operate
        • Investigate
        • Industrial Control Systems
    • GIAC Certifications
    • Training Events & Summits
      • Events Overview
      • Event Locations
        • Asia
        • Australia & New Zealand
        • Latin America
        • Mainland Europe
        • Middle East & Africa
        • Scandinavia
        • United Kingdom & Ireland
        • United States & Canada
      • Summits
    • OnDemand
    • Get Started in Cyber
      • Overview
      • Degree and Certificate Programs
      • Scholarships
    • Cyber Ranges
  • Manage Your Team
    Manage Your Team

    Build a world-class cyber team with our workforce development programs

    • Overview
    • Why Work with SANS
    • Group Purchasing
    • Build Your Team
      • Team Development
      • Assessments
      • Private Training
      • Hire Cyber Professionals
      • By Industry
        • Health Care
        • Industrial Control Systems Security
        • Military
    • Leadership Training
  • Security Awareness
    Security Awareness

    Increase your staff’s cyber awareness, help them change their behaviors, and reduce your organizational risk

    • Overview
    • Products & Services
      • Security Awareness Training
        • EndUser Training
        • Phishing Platform
      • Specialized
        • Developer Training
        • ICS Engineer Training
        • NERC CIP Training
        • IT Administrator
      • Risk Assessments
        • Knowledge Assessment
        • Culture Assessment
        • Behavioral Risk Assessment
    • OUCH! Newsletter
    • Career Development
      • Overview
      • Training & Courses
      • Professional Credential
    • Blog
    • Partners
    • Reports & Case Studies
  • Resources
    Resources

    Enhance your skills with access to thousands of free resources, 150+ instructor-developed tools, and the latest cybersecurity news and analysis

    • Overview
    • Webcasts
    • Free Cybersecurity Events
      • Free Events Overview
      • Summits
      • Solutions Forums
      • Community Nights
    • Content
      • Newsletters
        • NewsBites
        • @RISK
        • OUCH! Newsletter
      • Blog
      • Podcasts
      • Summit Presentations
      • Posters & Cheat Sheets
    • Research
      • White Papers
      • Security Policies
    • Tools
    • Focus Areas
      • Cyber Defense
      • Cloud Security
      • Digital Forensics & Incident Response
      • Industrial Control Systems
      • Cyber Security Leadership
      • Offensive Operations
  • Get Involved
    Get Involved

    Help keep the cyber community one step ahead of threats. Join the SANS community or begin your journey of becoming a SANS Certified Instructor today.

    • Overview
    • Join the Community
    • Work Study
    • Teach for SANS
    • CISO Network
    • Partnerships
    • Sponsorship Opportunities
  • About
    About

    Learn more about how SANS empowers and educates current and future cybersecurity practitioners with knowledge and skills

    • SANS
      • Overview
      • Our Founder
      • Awards
    • Instructors
      • Our Instructors
      • Full Instructor List
    • Mission
      • Our Mission
      • Diversity
      • Scholarships
    • Contact
      • Contact Customer Service
      • Contact Sales
      • Press & Media Enquiries
    • Frequent Asked Questions
    • Customer Reviews
    • Press
    • Careers
  • Contact Sales
  • SANS Sites
    • GIAC Security Certifications
    • Internet Storm Center
    • SANS Technology Institute
    • Security Awareness Training
  • Search
  • Log In
  • Join
    • Account Dashboard
    • Log Out
  1. Home >
  2. Blog >
  3. Top Books on Security Culture
370x370_Lance-Spitzner.jpg
Lance Spitzner

Top Books on Security Culture

For the past five years I’ve been researching how to take human security beyond just security awareness and into the world of security culture.

March 30, 2020

For the past five years I’ve been researching how to take human security beyond just security awareness and into the world of security culture. Concepts such as what is a security culture, what does a strong culture look like, how can organizations build and measure one, and, ultimately, what value does it have?

Far too often we feel that since the technologies we use in cybersecurity are new, so, too, must be our problems. But that is not always the case. Finding answers to these questions led me outside the world of cybersecurity and explore fields such as organizational change, behavioral economics, human psychology and behavior modeling. All of this research has culminated in the new two-day course: SANS MGT521: Driving Cybersecurity Change - Establishing a Culture of Protect, Detect and Respond.

Since the class has been released one of the most common questions I’ve been asked is what books did I read and is there a suggested order in which to read them. While I feel strongly that you start with the first book on the list, the order is less important for the rest. I suggested the following order because these books tend to jump from individual focus to organizational focus, back to individual, back to organizational, and reading in this sequence helps keep things mixed up while also reinforcing how everything relates together.

Please note: In no way is this list comprehensive. The field of organizational change and culture is rich with research, science and amazing authors and leaders. I’m merely sharing with you the research that influenced me the most. One thing that struck me as I read these books is how they often reinforce the same concepts but in different ways. That is the essence of the new SANS MGT521 course: it synthesizes and simplifies all of this research and applies it to the world of cybersecurity.

With no further ado, my recommended reading list.

  1. switch bookSwitch: Start with this book by the brothers Chip and Dan Heath. I love this book, as it’s one of the simplest to read and understand while laying the foundation for changing human behavior and organizational culture. You will find the concepts covered here time and time again in the following - books.

  2. start with why bookStart with Why: Written by Simon Sinek, this book explains the concept of the Golden Circle. Far too many organizations and leaders start communicating with the WHAT and the HOW of a product or initiative. However, the most effective companies and inspiring leaders start any communications or initiatives with the WHY — why is what engages and motivates people. It’s also what I consider the number one thing missing in almost any security initiative.
  3. leading changeLeading Change: This is considered by many the founding bible of organizational change. Published over 20 years ago by John Kotter, this book details the eight steps many organizations go through for organization-wide change. Based on hundreds of case studies, it was one of the first attempts to codify the process. John Kotter has published numerous books since then. While I feel his process is a bit too prescriptive and “heavy” for many security initiatives, it’s a fantastic introduction to the world of organizational change.
  4. influence bookInfluence: Authored by the well-known researcher Dr. Richard Cialdini, the book covers the six core fundamentals that influence human behavior. What is amazing is how you can influence change without people realizing that they are being manipulated. A favorite book for sales people.

  5. nudge bookNudge: Published by two scholars from University of Chicago, Thaler and Sunstein, this book dives into the science and research of architecting environments, in which it’s much easier for people to make the choices you want them to make as you are “nudging” them into the direction you want.

  6. made to stick bookMade to Stick: Once again we return to our friends Dan and Chip Heath. This book covers not so much how to communicate, but how to communicate ideas that stick, somewhat similar to Influence, but less of a scientific approach and more of a marketing approach. Key takeaway for me from this book: emotion sticks.

  7. blink bookBlink: Published by the famous author Malcom Gladwell, this book covers the idea of how intuition and gut feeling can beat out and be more accurate than the most detailed, rational analysis (what Kahneman calls System 1 and System 2).

  8. never eat alone bookNever Eat Alone: This book is not about human behavior; it’s all about networking. A fantastic book if you are an entrepreneur wanting to build up your network. And how well you partner with others is key to organizational change. You can follow all the steps in all the books covered here, but if you don’t build relationships with people throughout your organization, your efforts will most likely fail.
  9. thinking fast and slow bookThinking Fast and Slow: Okay, this is the grand kahuna of behavioral economics books. In fact, Daniel Kahneman won a Nobel prize for this book. It is long and information dense. It is also one of the most fascinating and enlightening books I’ve ever read. Every page seems to explore a whole new topic drawing on research and published articles from numerous scholars from around the world. The reason I recommend reading it last is because it is such a heavy lift. Also, I found the book references and reinforces everything else you have already read. If you like a challenge, by all means feel free to jump in and read this first. For slower minds like me, I found this worked best as one of the last books I read.

Please keep in mind that books are not the only sources of information. There are two models I highly recommend you research and learn about, as they contribute significantly to this field: The B.J. Fogg Behavior model and the Procsi ADKAR Organizational Change model. Also, I found the Harvard Business Review a rich resource on organizational change and culture, starting with the 2018 study on The Culture Factor.

Finally, a couple of suggestions for reading. First: use your eyes, not your ears. I tried using audiobooks at first and failed. Many of these books are information dense, and I found I had trouble both comprehending and remembering the information from them. I had to resort to old-fashion reading with my eyes. Second: pace yourself and avoid burn-out. Many people challenge themselves to read a book a week or several books a month. Once again, I failed there. At best I could only read a book a month. For Kahneman’s Thinking Fast and Slow, that book alone took me two months!

Happy reading! And if you have any suggested books, resources or research, I would love to hear from you.

Share:
TwitterLinkedInFacebook
Copy url Url was copied to clipboard
Subscribe to SANS Newsletters
Receive curated news, vulnerabilities, & security awareness tips
United States
Canada
United Kingdom
Spain
Belgium
Denmark
Norway
Netherlands
Australia
India
Japan
Singapore
Afghanistan
Aland Islands
Albania
Algeria
American Samoa
Andorra
Angola
Anguilla
Antarctica
Antigua and Barbuda
Argentina
Armenia
Aruba
Austria
Azerbaijan
Bahamas
Bahrain
Bangladesh
Barbados
Belarus
Belize
Benin
Bermuda
Bhutan
Bolivia
Bonaire, Sint Eustatius, and Saba
Bosnia And Herzegovina
Botswana
Bouvet Island
Brazil
British Indian Ocean Territory
Brunei Darussalam
Bulgaria
Burkina Faso
Burundi
Cambodia
Cameroon
Cape Verde
Cayman Islands
Central African Republic
Chad
Chile
China
Christmas Island
Cocos (Keeling) Islands
Colombia
Comoros
Cook Islands
Costa Rica
Croatia (Local Name: Hrvatska)
Curacao
Cyprus
Czech Republic
Democratic Republic of the Congo
Djibouti
Dominica
Dominican Republic
East Timor
East Timor
Ecuador
Egypt
El Salvador
Equatorial Guinea
Eritrea
Estonia
Ethiopia
Falkland Islands (Malvinas)
Faroe Islands
Fiji
Finland
France
French Guiana
French Polynesia
French Southern Territories
Gabon
Gambia
Georgia
Germany
Ghana
Gibraltar
Greece
Greenland
Grenada
Guadeloupe
Guam
Guatemala
Guernsey
Guinea
Guinea-Bissau
Guyana
Haiti
Heard And McDonald Islands
Honduras
Hong Kong
Hungary
Iceland
Indonesia
Iraq
Ireland
Isle of Man
Israel
Italy
Jamaica
Jersey
Jordan
Kazakhstan
Kenya
Kiribati
Korea, Republic Of
Kosovo
Kuwait
Kyrgyzstan
Lao People's Democratic Republic
Latvia
Lebanon
Lesotho
Liberia
Liechtenstein
Lithuania
Luxembourg
Macau
Macedonia
Madagascar
Malawi
Malaysia
Maldives
Mali
Malta
Marshall Islands
Martinique
Mauritania
Mauritius
Mayotte
Mexico
Micronesia, Federated States Of
Moldova, Republic Of
Monaco
Mongolia
Montenegro
Montserrat
Morocco
Mozambique
Myanmar
Namibia
Nauru
Nepal
Netherlands Antilles
New Caledonia
New Zealand
Nicaragua
Niger
Nigeria
Niue
Norfolk Island
Northern Mariana Islands
Oman
Pakistan
Palau
Palestine
Panama
Papua New Guinea
Paraguay
Peru
Philippines
Pitcairn
Poland
Portugal
Puerto Rico
Qatar
Reunion
Romania
Russian Federation
Rwanda
Saint Bartholemy
Saint Kitts And Nevis
Saint Lucia
Saint Martin
Saint Vincent And The Grenadines
Samoa
San Marino
Sao Tome And Principe
Saudi Arabia
Senegal
Serbia
Seychelles
Sierra Leone
Sint Maarten
Slovakia
Slovenia
Solomon Islands
South Africa
South Georgia and the South Sandwich Islands
South Sudan
Sri Lanka
St. Helena
St. Pierre And Miquelon
Suriname
Svalbard And Jan Mayen Islands
Swaziland
Sweden
Switzerland
Taiwan
Tajikistan
Tanzania
Thailand
Togo
Tokelau
Tonga
Trinidad And Tobago
Tunisia
Turkey
Turkmenistan
Turks And Caicos Islands
Tuvalu
Uganda
Ukraine
United Arab Emirates
United States Minor Outlying Islands
Uruguay
Uzbekistan
Vanuatu
Vatican City
Venezuela
Vietnam
Virgin Islands (British)
Virgin Islands (U.S.)
Wallis And Futuna Islands
Western Sahara
Yemen
Yugoslavia
Zambia
Zimbabwe

By providing this information, you agree to the processing of your personal data by SANS as described in our Privacy Policy.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Tags:
  • Security Awareness

Related Content

Blog
Security Awareness, Security Management, Legal, and Audit
December 13, 2022
SANS MGT433 Managing Human Risk – Now Expanded to Three Days
This expansion reflects just how much the field of security awareness / managing human risk has matured.
370x370_Lance-Spitzner.jpg
Lance Spitzner
read more
Blog
Top_10_Summit_Talks_2022.png
Cybersecurity Insights, Digital Forensics and Incident Response, Cyber Defense, Cloud Security, Open-Source Intelligence (OSINT), Security Management, Legal, and Audit, Security Awareness
December 5, 2022
Top 10 SANS Summits Talks of 2022
This year, SANS hosted 13 Summits with 246 talks. Here were the top-rated talks of the year.
370x370-person-placeholder.png
Alison Kim
read more
Blog
SSA_-_CAM_-_Blog_Thumb_-_What_is_Phishing_Resistant_MFA_-_.jpg
Security Awareness, Security Management, Legal, and Audit
October 6, 2022
What is Phishing Resistant MFA?
What exactly is phishing resistant MFA, what are the benefits, and what does it mean to you and your organization?
370x370_Lance-Spitzner.jpg
Lance Spitzner
read more
  • Register to Learn
  • Courses
  • Certifications
  • Degree Programs
  • Cyber Ranges
  • Job Tools
  • Security Policy Project
  • Posters & Cheat Sheets
  • White Papers
  • Focus Areas
  • Cyber Defense
  • Cloud Security
  • Cybersecurity Leadership
  • Digital Forensics
  • Industrial Control Systems
  • Offensive Operations
Subscribe to SANS Newsletters
Receive curated news, vulnerabilities, & security awareness tips
United States
Canada
United Kingdom
Spain
Belgium
Denmark
Norway
Netherlands
Australia
India
Japan
Singapore
Afghanistan
Aland Islands
Albania
Algeria
American Samoa
Andorra
Angola
Anguilla
Antarctica
Antigua and Barbuda
Argentina
Armenia
Aruba
Austria
Azerbaijan
Bahamas
Bahrain
Bangladesh
Barbados
Belarus
Belize
Benin
Bermuda
Bhutan
Bolivia
Bonaire, Sint Eustatius, and Saba
Bosnia And Herzegovina
Botswana
Bouvet Island
Brazil
British Indian Ocean Territory
Brunei Darussalam
Bulgaria
Burkina Faso
Burundi
Cambodia
Cameroon
Cape Verde
Cayman Islands
Central African Republic
Chad
Chile
China
Christmas Island
Cocos (Keeling) Islands
Colombia
Comoros
Cook Islands
Costa Rica
Croatia (Local Name: Hrvatska)
Curacao
Cyprus
Czech Republic
Democratic Republic of the Congo
Djibouti
Dominica
Dominican Republic
East Timor
East Timor
Ecuador
Egypt
El Salvador
Equatorial Guinea
Eritrea
Estonia
Ethiopia
Falkland Islands (Malvinas)
Faroe Islands
Fiji
Finland
France
French Guiana
French Polynesia
French Southern Territories
Gabon
Gambia
Georgia
Germany
Ghana
Gibraltar
Greece
Greenland
Grenada
Guadeloupe
Guam
Guatemala
Guernsey
Guinea
Guinea-Bissau
Guyana
Haiti
Heard And McDonald Islands
Honduras
Hong Kong
Hungary
Iceland
Indonesia
Iraq
Ireland
Isle of Man
Israel
Italy
Jamaica
Jersey
Jordan
Kazakhstan
Kenya
Kiribati
Korea, Republic Of
Kosovo
Kuwait
Kyrgyzstan
Lao People's Democratic Republic
Latvia
Lebanon
Lesotho
Liberia
Liechtenstein
Lithuania
Luxembourg
Macau
Macedonia
Madagascar
Malawi
Malaysia
Maldives
Mali
Malta
Marshall Islands
Martinique
Mauritania
Mauritius
Mayotte
Mexico
Micronesia, Federated States Of
Moldova, Republic Of
Monaco
Mongolia
Montenegro
Montserrat
Morocco
Mozambique
Myanmar
Namibia
Nauru
Nepal
Netherlands Antilles
New Caledonia
New Zealand
Nicaragua
Niger
Nigeria
Niue
Norfolk Island
Northern Mariana Islands
Oman
Pakistan
Palau
Palestine
Panama
Papua New Guinea
Paraguay
Peru
Philippines
Pitcairn
Poland
Portugal
Puerto Rico
Qatar
Reunion
Romania
Russian Federation
Rwanda
Saint Bartholemy
Saint Kitts And Nevis
Saint Lucia
Saint Martin
Saint Vincent And The Grenadines
Samoa
San Marino
Sao Tome And Principe
Saudi Arabia
Senegal
Serbia
Seychelles
Sierra Leone
Sint Maarten
Slovakia
Slovenia
Solomon Islands
South Africa
South Georgia and the South Sandwich Islands
South Sudan
Sri Lanka
St. Helena
St. Pierre And Miquelon
Suriname
Svalbard And Jan Mayen Islands
Swaziland
Sweden
Switzerland
Taiwan
Tajikistan
Tanzania
Thailand
Togo
Tokelau
Tonga
Trinidad And Tobago
Tunisia
Turkey
Turkmenistan
Turks And Caicos Islands
Tuvalu
Uganda
Ukraine
United Arab Emirates
United States Minor Outlying Islands
Uruguay
Uzbekistan
Vanuatu
Vatican City
Venezuela
Vietnam
Virgin Islands (British)
Virgin Islands (U.S.)
Wallis And Futuna Islands
Western Sahara
Yemen
Yugoslavia
Zambia
Zimbabwe

By providing this information, you agree to the processing of your personal data by SANS as described in our Privacy Policy.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
  • © 2023 SANS™ Institute
  • Privacy Policy
  • Contact
  • Careers
  • Twitter
  • Facebook
  • Youtube
  • LinkedIn