REEF Editorial · 5 min read

Security culture vs. compliance theater

The same training program can produce a real security culture or a paperwork-compliant non-event. Here's what separates them — and why it matters for your next audit.


Walk into any 500-person company on a random Wednesday and you can usually tell within ten minutes whether they have a real security culture or a compliant-on-paper one. The difference doesn't show up in the LMS report. It shows up in how people talk about security — at the helpdesk, in finance, in the reactions when something weird happens.

After a year and a half of speaking with security teams across organizations of every size, here are the patterns we see in programs that produce real culture vs. programs that produce theater.

Symptom: how people respond to a weird email

Theater: They forward it to a coworker and say "is this real?" When the coworker says "probably, just open it," they open it.

Culture: They use the "Report Phishing" button (or the equivalent process) without thinking. The message goes to a triage queue with an SLA. They get a response within minutes. They don't get blamed when something they reported turns out to be legitimate — they get thanked.

The culture version is a hundred small design decisions: an obvious report button in the email client, a fast triage response, a public norm of "we'd rather you over-report than under-report," and a learning loop that explains why each one was or wasn't a phish.

Symptom: what happens when someone clicks

Theater: The simulation platform shows a "GOTCHA" page. The user feels embarrassed. The completion log goes into a quarterly report. Nothing else happens.

Culture: The user is automatically enrolled in a brief, contextual training that explains what they missed in this specific scenario. The training is short — under five minutes — and isn't punitive. A follow-up test 30-60 days later checks whether the behavior actually changed. The learner sees that improvement reflected in their own dashboard.

The culture version requires an awareness platform with adaptive remediation built in, but more importantly, it requires a program that uses the click as a teaching moment, not a scoring event.

Symptom: who's accountable for the metrics

Theater: The security team owns the click rate. They report it quarterly to a steering committee. The number goes down each quarter for the first year, plateaus, and the report becomes background noise.

Culture: Department heads own their team's metrics. Finance has a click rate. Engineering has a click rate. The CFO sees their team's number on their KPI dashboard alongside other operational metrics. The security team provides the platform and the data, but the accountability sits inside the business.

The culture version is harder to set up because it requires getting middle management to accept that "their team's security awareness" is actually their responsibility. But it's the only model that produces durable improvement, because it puts the metrics in the hands of people who have authority over their team's behavior.

Symptom: what training looks like

Theater: Annual one-hour video module. Multiple choice quiz at the end. Auto-completes for people who put it on at 1.75x speed and walked away. The completion certificate goes in the audit folder.

Culture: Bite-sized, role-relevant content delivered when it matters. Finance team gets BEC and wire-fraud scenarios. Engineering gets credential-handling and supply-chain risk scenarios. Executives get whaling and pretexting scenarios. Sessions are short, frequent, and grounded in real recent attacks.

The culture version usually costs less per hour of content than the theater version, because short content scales better than long content. But it requires a content library that supports role-specific delivery and a platform that targets accordingly.

Symptom: how the program is measured

Theater: Click rate. That's it. Maybe also "% completed annual training."

Culture: Several metrics, with click rate as just one of them:

  • Report rate — the share of recipients who report the message; a leading indicator of cultural maturity
  • Time-to-first-report — how quickly the first report reaches triage after a message lands
  • Repeat-clicker rate — the share of users who click across multiple campaigns; a small fraction of the population usually accounts for most of the clicks
  • Coverage — who is actually enrolled, including contractors and third-party users
  • Real-attack catches — phishing emails reported by users that turned out to be real attacks
  • Insurance and compliance posture — concrete dollar/risk impact

A dashboard with these metrics can have a stable click rate and still tell a story of improvement, because the culture metrics — report rate, time-to-report, real catches — keep moving even when the simulation metric plateaus.
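As an added illustration (not code from the original article or from REEF), here is a Python sketch that computes click rate, report rate, time-to-first-report and the repeat-clicker share from constructed simulation results, sliced by campaign and by department as in the accountability model above. The record layout and the sample data are assumptions; in the sample, the click rate is flat across two campaigns while the culture metrics move.

```python
from dataclasses import dataclass
from collections import Counter
from typing import Optional

@dataclass(frozen=True)
class Result:
    """One recipient's outcome in one simulation campaign (assumed layout)."""
    campaign: str
    user: str
    dept: str
    clicked: bool
    reported: bool
    minutes_to_report: Optional[float]  # minutes from send to report, None if unreported

# Constructed sample for two campaigns; illustrative only, not real data.
RESULTS = [
    Result("Q1", "ana", "finance", True,  False, None),
    Result("Q1", "ben", "finance", False, True,  95.0),
    Result("Q1", "cho", "finance", False, False, None),
    Result("Q1", "dan", "eng",     True,  True,  40.0),
    Result("Q1", "eve", "eng",     False, False, None),
    Result("Q1", "fay", "eng",     False, False, None),
    Result("Q2", "ana", "finance", True,  True,  12.0),
    Result("Q2", "ben", "finance", False, True,  3.0),
    Result("Q2", "cho", "finance", False, True,  20.0),
    Result("Q2", "dan", "eng",     True,  False, None),
    Result("Q2", "eve", "eng",     False, True,  8.0),
    Result("Q2", "fay", "eng",     False, False, None),
]

def metrics(rows):
    """Click rate, report rate and time-to-first-report for a set of results."""
    n = len(rows)
    times = [r.minutes_to_report for r in rows if r.reported and r.minutes_to_report is not None]
    return {
        "click_rate": round(sum(r.clicked for r in rows) / n, 3),
        "report_rate": round(sum(r.reported for r in rows) / n, 3),
        "time_to_first_report_min": min(times) if times else None,
    }

def campaign_metrics(results, campaign, dept=None):
    """Metrics for one campaign, optionally restricted to one department."""
    rows = [r for r in results if r.campaign == campaign and (dept is None or r.dept == dept)]
    return metrics(rows)

def repeat_clickers(results, min_clicks=2):
    """Users who clicked in at least min_clicks campaigns, plus their share of all clicks."""
    clicks = Counter(r.user for r in results if r.clicked)
    repeaters = {u for u, c in clicks.items() if c >= min_clicks}
    share = sum(clicks[u] for u in repeaters) / sum(clicks.values()) if clicks else 0.0
    return sorted(repeaters), round(share, 3)
```

Running `campaign_metrics(RESULTS, "Q1")` and `campaign_metrics(RESULTS, "Q2")` shows the same click rate in both quarters while report rate doubles and time-to-first-report drops from 40 to 3 minutes.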

Symptom: what happens after a near-miss

Theater: Nothing. The CFO almost wires money to a fake vendor. The wire is caught at the last moment because of a process check. The team moves on. No one writes it down.

Culture: Same near-miss, but afterward there's a 15-minute internal incident review. What was the pretext? How did the attacker know X? What would have caught it earlier? Findings get folded back into the awareness content library. The story becomes part of the next quarter's targeted training for the finance team.

The culture version treats near-misses as gold. They're free training data — a real attack pattern, a real human response, a real intervention point — and a serious program captures and learns from them.

How auditors see the difference

The audit version of this distinction is surprisingly explicit. SOC 2, ISO 27001, HIPAA, NYDFS 500.14 — all of them ask about awareness training, but the mature ones increasingly ask:

  • Is the program adaptive (different content for different roles)?
  • Do you measure outcomes, not just completion?
  • What's the remediation loop when someone fails?
  • Can you demonstrate behavior change over time?

Compliance theater fails these questions. Real culture answers them with screenshots from a working dashboard.

The cheap-and-easy bar

If you take nothing else away: the bar between "theater" and "culture" is not expensive to clear. Most organizations need:

  1. An awareness platform with adaptive remediation (existing budget item, mostly)
  2. A clear "report phishing" button in the email client (free, configuration only)
  3. A triage process with an SLA (modest workflow effort)
  4. A handful of metrics beyond click rate (data work, not platform work)
  5. Department-level ownership of metrics (organizational change, hardest of the five)

The first four are achievable in a quarter. The fifth is the long game — and it's the one that produces the cultural difference auditors, insurers, and the threat actors all eventually notice.



