Cybersecurity Culture as the Foundation of Resilience – from Awareness Towards Sustainable Operational Capability
True cyber resilience is created by an organizational culture in which staff understand their roles, recognize risks, and act correctly even when there is no oversight. Security culture is reflected in how information is handled, how deviations are reported, how suspicious situations are approached, and how mistakes are learned from.
Organizations’ cybersecurity is increasingly built not on individual technical solutions, but on people’s skills, attitudes, and behaviors. However, simply increasing knowledge does not by itself produce security: knowledge does not automatically become competence, competence does not always lead to understanding, and understanding alone is not enough to change behavior.
This creates a gap that separates formal information security from true resilience. Resilience refers to an organization’s ability to anticipate disruptions, withstand their effects, adapt to changing conditions, maintain operational capability during exceptional situations and recover from disruptions back to normal operations.
In today’s environment, the majority of successful cyberattacks are linked to human error. Phishing, misuse of credentials and exploiting mistakes made out of carelessness or haste remain key attack vectors.
At the same time, cybercrime is evolving rapidly. Artificial intelligence, automation and advanced ransomware are expanding the attack surface, especially for SMEs, which often operate as part of larger supply chains. In this context, security awareness is no longer a support function but an essential part of risk management, preparedness and ensuring business continuity.
Why Doesn’t Security Awareness Develop Automatically?
Many organizations have a wealth of information related to security. There are more guidelines and training opportunities than ever before, yet practical secure behavior does not always develop as desired.
This is because secure behavior is not based solely on knowledge, but also on competence, the possibilities provided by the everyday work environment, and individual motivation. If the work environment does not support secure practices or security is not perceived as a personal responsibility, even the best guidelines can remain disconnected from daily operations.
Security awareness is also not a one-time state, nor does a single training day or campaign build a security culture. It is a continuous process in which attitudes, skills, and practices develop as part of the organization’s everyday life.
People in different roles also need tailored learning paths so that role-specific competence can develop alongside growing requirements. Here, continuous self-development, training, and strategic organizational guidance play a key role.
Combining Understanding of Structures and Behavior
Effective security work requires both clear strategic structures and an understanding of individual behavior. Without structures, security work easily becomes fragmented; without an understanding of behavior, security measures may remain superficial.
A strategic approach integrates security awareness into the organization as a whole, where objectives, metrics, responsibilities and continuous development make activities systematic and long-term. Focusing on behavior, in turn, helps identify why people act in certain ways and where the real obstacles to secure behavior arise. Challenges may relate to lack of competence, inadequate tools, or the feeling that secure behavior is not meaningful or possible in the midst of busy work.
Education is seen as key to strengthening competitiveness and overall security.
When these two perspectives are combined, the organization can both measure the development of security and target actions where they have real impact. Continuous competence development, training solutions based on small learning modules, and responding quickly to changing needs have also become central themes at the European Union level.
Security Culture at the Core of Resilience
When security is integrated into everyday life and does not appear as a separate obligation, the organization’s ability not only to prevent threats but also to recover from disruptions is strengthened. The core of resilience is the ability to survive, learn, and continue operations even in exceptional situations.
Information security and cybersecurity are thus matters of people and leadership. Technology enables, but people decide. Moving from awareness to resilience requires long-term work in which security is integrated into strategy, daily operations, and organizational identity. The continuity of the digital transition also requires ongoing planning, the development of new measures, and training to support the operational culture.
This development has also been supported by the European Commission-funded EAGLE “Digital Skills Training” project, which has focused on the training needs for new digital skills. The European Union’s digital transition reform programme is designed to support national actors in meeting the challenges related to learning, competence development, and increasing awareness.
Training Activities as Part of Practical Development
In the EAGLE project, Turku University of Applied Sciences implemented a series of four separate training sessions, in which experts from companies representing different sectors were trained. The core content of the training included the SANS Security Awareness Maturity Model, the COM-B model and the CYSSME maturity model designed for SMEs, all of which were used to examine both organizational development and individual behavioral change.
The trainings were evaluated as very necessary and successful based on feedback from nearly one hundred participants. The results support the need for similar training activities in the future, both in Finland and more broadly at the European Union level.
At the heart of cybersecurity are no longer just technical solutions, but people, competence and organizational culture. Sustainable resilience arises from the combination of awareness, behavior, and structures, which develops only through long-term and purposeful work. Turku University of Applied Sciences is strongly involved in this development. We increase organizational awareness, strengthen competence and support the building of a security culture both in domestic organizations and more broadly in the European context.
Acknowledgements: This article has received funding partly from the European Union’s Digital Europe Programme (DIGITAL) project “EAGLE – Digital Skills Training” under grant agreement No 101100660. Funded by the European Union. Views and opinions expressed are however those of the authors only and do not necessarily reflect those of the European Union or European Health and Digital Executive Agency (HADEA). Neither the European Union nor the granting authority can be held responsible for them.
This article is part of the publications of the Cyber and Hybrid Resilience research group.
References:
CERT New Zealand. (2022). Cyber change: Behavioural insights.
CYSSME Project. (2024). CYSSME – Cybersecurity for SMEs. https://cyssme.eu/
European Commission. (n.d.). Digital transition – What we do. https://reform-support.ec.europa.eu/what-we-do/digital-transition_en
European Union. (2022). Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union (NIS2 Directive). https://eur-lex.europa.eu/eli/dir/2022/2555/oj
IBM Security. (n.d.). CISOs list human error as their top cybersecurity risk. https://www.ibm.com/think/insights/cisos-list-human-error-top-cybersecurity-risk
KnowBe4. (n.d.). 88 percent of data breaches are caused by human error. https://blog.knowbe4.com/88-percent-of-data-breaches-are-caused-by-human-error
National Institute of Standards and Technology. (2017). Addressing the human element in cybersecurity (FISSEA 30th Annual Conference). https://csrc.nist.gov/CSRC/media/Events/FISSEA-30th-Annual-Conference/documents/FISSEA2017_Witkowski_Benczik_Jarrin_Walker_Materials_Final.pdf
Project EAGLE. (n.d.). Covering the training gap in digital skills for European SMEs manpower. https://projecteagle.eu/
SANS Institute. (2021). Strategically managing your human risk: Leverage the security awareness maturity model. https://www.sans.org/blog/strategically-managing-your-human-risk-leverage-the-security-awareness-maturity-model