The blind spot bias works against you by making it very hard for you to accept and realize other possible solutions, and the further away the solution is from your "known environment", the harder the blind spot bias will oppose such solutions.
Another interesting bias is the confirmation bias: the need to find evidence that confirms our theories and beliefs, which makes us disregard information that contradicts them. If we use Dave Aitel as an example (sorry, Dave), the confirmation bias made him see only the faults of and problems with user awareness trainings. The more proof he found that he was right, the less likely he was to look for contradictory evidence.
By theorizing that you have no knowledge about culture and social sciences, I'm making the same mistake right now. Instead of doing serious research, I just look at the CSOs I know to confirm my theory. Then I apply another bias to my somewhat limited sample of evidence - I generalize. By generalizing, I take whatever information I have, and scale it up to make it applicable to what I have set out to prove.
As a writer, I'm allowed to make such errors to make a point. As a scientist, doing the same should be and is a deadly sin. As a human, I'm always going to make these errors. It is, according to science, hardwired in our brains. My responsibility is to exercise strong self-control, and to be humbled for and by the errors I make.
"What does this have to do with security culture?," you may ask. Let us define culture. According to the Oxford dictionary, culture is "the ideas, customs and social behaviors of a particular people or society". By this definition, we see that culture is about the things we all do in a group of people. Security culture may then be the "ideas, customs and behaviors that impact security, both positive and negative, in a particular group of people".
In that definition, security is only a part of the whole, just like security is in most organizations around the world. It is your part, that is right. As I demonstrated above, you are likely the expert on security, but not on human behavior. Setting out to create and maintain security culture in your organization is not a job you should be doing alone.
Consider this instead: If you know security, who knows culture in your organization? And this: why don't you work to build your security culture with those who know culture and human behavior?
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.