Recommended Reading


Research Article:

For What Technology Can’t Fix: Building a Model of Organizational Cybersecurity Culture

Huang and Pearlson, 2019


Research Study:

Building a Model of Organizational Cybersecurity Culture: Identifying Factors Contributing to a Cyber-secure Workplace

Huang and Pearlson, 2019



Building a Security Propaganda Machine: The Cybersecurity Culture of Verizon Media

Pearlson et al., 2021

The Power of Habit

by Charles Duhigg (2014)

A great starting point for understanding habit formation and behavioral change dynamics. It also addresses the role of habits within a business setting – and how those habits become a corporate culture.

Atomic Habits

by James Clear (2018)

This book continues the themes of habit formation and behavioral change. It adds supporting evidence from biology, psychology, and neuroscience to paint a clearer picture of what it really takes to facilitate behavioral shifts.

Tiny Habits

by BJ Fogg (2021)

This book continues the themes of habit formation and behavioral change. It brings a dimension of simplicity to behaviorism that makes it more likely that changes will last and continue to evolve over time – one bite of the elephant at a time.

…More Journal Articles (May Require Subscription Access)

Jeong, J. J., Oliver, G., Kang, E., Creese, S., & Thomas, P. (2021). The current state of research on people, culture and cybersecurity. Personal & Ubiquitous Computing, 25(5), 809–812.

Jeong, J. J., Grobler, M., Chamikara, M. A. P., & Rudolph, C. (2019). Fuzzy Logic Application to Link National Culture and Cybersecurity Maturity. 2019 IEEE 5th International Conference on Collaboration and Internet Computing (CIC), 330–337.

Malyuk, A., & Miloslavskaya, N. (2016). Cybersecurity culture as an element of IT professional training. 2016 Third International Conference on Digital Information Processing, Data Mining, and Wireless Communications (DIPDMWC), 205–210.

Da Veiga, A. (2016). A cybersecurity culture research philosophy and approach to develop a valid and reliable measuring instrument. 2016 SAI Computing Conference (SAI), 1006–1015.

Alshaikh, M. (2020). Developing cybersecurity culture to influence employee behavior: A practice perspective. Computers & Security, 98.

Pătrașcu, P. (2019). Promoting Cybersecurity Culture through Education. ELearning & Software for Education, 2, 273–279.

Macedo, C. A., & Menting, J. (2019). Building a Cybersecurity Culture in the Industrial Control System Environment. International Journal of Information Security & Cybercrime, 8(1), 39–44.

Ioannou, M., Stavrou, E., & Bada, M. (2019). Cybersecurity Culture in Computer Security Incident Response Teams: Investigating difficulties in communication and coordination. 2019 International Conference on Cyber Security and Protection of Digital Services (Cyber Security), 1–4.

The Levity Effect

by Adrian Gostick and Scott Christopher (2008)

For many years I’ve argued that we tend to develop our policies, processes, and practices around compliance requirements – an approach that does absolutely nothing for the individual or the organization and is completely counterproductive.  The Levity Effect is one way to start seeing things through a lighter lens – one that may allow us to do a better job of connecting with the actual human beings whose behaviors we’re trying to influence. 

Humor, Seriously

by Jennifer Aaker and Naomi Bagdonas (2021)

This book builds on The Levity Effect by continuing to explore how we can bring elements of humor and lightness to the various business activities that we engage in – especially those relating to cybersecurity. It even offers some lessons and insights into the process of ‘being funny’, and shows anyone how to bring their irreverence forward in a fun and mirthful way.


by David Bradford and Carole Robin (2021)

Taking a step back from the organization and embracing the personal, this book is based on the Stanford Graduate School of Business course ‘Interpersonal Dynamics’ and is rich with information that can help reframe the way that we engage people in the workplace at an individual level.  Its concepts can be mined for gold and transformed into a powerful undercurrent that informs cybersecurity messaging. 

…More Journal Articles (May Require Subscription Access)

Olsen, C., & Schalkle, B. L. (2020, July 1). Safely Climbing the Smarter Cities Mountain: Creating a Cybersecurity-first Culture for a Zero-trust Smarter City. Public Management, 102(7), 40. 

Leenen, L., & van Vuuren, J. C. J. (2019). Framework for the Cultivation of a Military Cybersecurity Culture. Proceedings of the International Conference on Cyber Warfare & Security, 212–216.

Ghernouti-Helie, S. (2010). A National Strategy for an Effective Cybersecurity Approach and Culture. 2010 International Conference on Availability, Reliability and Security (ARES ’10), 370–373.

Shires, J. (2020). Cyber-noir: Cybersecurity and popular culture. Contemporary Security Policy, 41(1), 82–107.

Pearlson, K., Sposito, S., Arbisman, M., & Schwartz, J. A. (2021). How Yahoo Built a Culture of Cybersecurity. Harvard Business Review Digital Articles, 1–7.

Fisher, R., Porod, C., & Peterson, S. (2021). Motivating Employees and Organizations to Adopt a Cybersecurity-Focused Culture. Journal of Organizational Psychology, 27(1), 114–131.