Measure your security culture

Your cybersecurity culture is one of the greatest reflections of your security practices and a top predictor of employee behaviors. We took the guesswork out of measuring your organization's culture with the Infosec IQ Cybersecurity Culture Survey.

4.5 (635 ratings)

Quantify your employees’ security perceptions

The Infosec IQ Cybersecurity Culture Survey makes it easy to measure your security culture by analyzing employee attitudes and perceptions towards cybersecurity and your security training efforts.

This allows security awareness managers to go beyond traditional success metrics like phishing click rate and add a new dimension to quantifying success, identifying weaknesses and building strategies for improvement.

How it works

Step 1

Select learners

Step 2

Launch three-minute survey

Step 3

Anonymize & record results

Step 4

Review improvement recommendations

Step 5

Repeat to track progress

Assess security culture by domain

Infosec IQ automatically aggregates survey results and scores your cybersecurity culture across five domains.


How employees classify their own ability to put their cybersecurity knowledge to practical use


How employees perceive their role in organizational security


How willingly employees participate in an organization’s security awareness and training program and apply available resources and support to improve security behaviors


How employees perceive the security posture and processes at their organization


How employees perceive the consequences of a security incident at their organization

Frequently asked questions

What is security culture?

Security culture is an organization’s collective awareness, attitudes and behaviors toward security. A strong cybersecurity culture is based on employees willingly embracing and proactively using cyber secure practices both professionally and personally.

What is your methodology for measuring cybersecurity culture?

Our in-house team of cybersecurity educators developed the Infosec IQ Cybersecurity Culture Survey with technical review provided by John Stevenson, Associate Director of the University of Wisconsin Survey Center, who served as a private consultant to the team.

Each survey question corresponds to one of five cybersecurity culture domains. Each answer has a numerical value based on the employee’s level of agreement with the provided statement. The numerical value for each answer is used to calculate the domain score for each learner. Scores are anonymized, aggregated and averaged to produce the organization's score for each domain.

What survey questions do you use to measure security culture?

Our 18-question survey measures cybersecurity culture across five domains. See one example question mapped to each domain below.


How confident are you that you can recognize cybersecurity threats at work?


How much impact do you think your daily actions have on helping protect the security of your organization?


How relevant is the cybersecurity training you receive at work to your life and activities outside of work?


How comfortable are you reaching out to your IT/security team for assistance?


How serious do you think the consequences would be to an employee if they caused a cybersecurity incident at your workplace?

What are the top strategies for creating a culture of cybersecurity at work?

A strong cybersecurity culture means employees take personal responsibility in cybersecurity and understand the role they play in keeping the organization secure.

The key to creating a culture of cybersecurity at work is engagement. By consistently engaging employees on topics of cybersecurity you can reinforce secure behaviors, keep cybersecurity top of mind and build security into the very culture of your organization.

Although there are many ways to effectively engage employees, resources like Choose Your Own Adventure® Security Awareness Games are designed to fundamentally change the way employees perceive security functions and learn how they personally contribute to organizational security. Get started with free security awareness resources here.

Build a culture of cybersecurity

All organizations are unique, which means there’s no one-size-fits-all approach to building a strong cybersecurity culture. However, there is a proven strategy organizations of all sizes can use to strengthen their security culture — security awareness training.

Your security awareness program provides a consistent line of security communication with every employee, giving you the opportunity to go above and beyond education and build a security culture that will keep your organization secure for years to come.

Solutions like Infosec IQ make it easy to not only measure your cybersecurity culture, but also run engaging and effective security awareness training designed to strengthen your culture and inspire lasting behavior change.