Perry Carpenter (KnowBe4) wrote this article on transforming Security Awareness into a Security Culture.
Many organisations (managers) believe that providing training is all they need to do. I disagree and enjoyed this article as it highlights the need to move away from just Security Awareness to developing a Security Culture.
I agree with the awareness vs. culture premise. Carpenter could have punned it as "don't just feed people, teach people to phish." But I'd back up further. Thinking of employees as "security professionals" and "non-security professionals" is part of the problem.
In our efforts to become so security-focused, we've isolated the function rather than spread it throughout an organization. A lot of this turns to the fact that by the time a student becomes an adult employee somewhere, they have developed bad habits. They've had technology thrust at them since kindergarten and have lived through the awful confluence of adolescence and social media. They can have 15 years of technology experience before anyone starts sitting them down and getting them to think about vulnerabilities, threats, and good practices.
The organizations that do security well tend to have a lot of interdepartmental cooperation. The best partner I ever had in the job was the head of HR who did a great job taking my ideas and integrating them into on-boarding, training, and culture.
FTA: If an organization's security culture is strong, it includes shared responsibility. In turn, this helps to nurture a community.
My signature at work says, "If you're unsure about this email, call the Help Desk and ask for Eric." That little strategy encourages people who are skeptical of an unexpected message to dial a trusted number. And it has paid off nicely.
Lisa Plaggemier mentioned at the recent National Cybersecurity Summit that orgs should put useful, easy-to-understand tools in front of people. With simple instruction and positive messaging ("this password manager will create a good password for you!", "The IT Team said they will answer questions about XXX tool!"), they will make good use of useful tools.
Forrest Valkai on YouTube teaches that positivity delivers a welcome message. CISA/NCA have tuned their materials to do the same for this year's Cybersecurity Awareness Month. Always think of more than just a carrot or stick when you see faulty user behavior. Lean into shared values, because we're all in this boat.
Thanks for sharing! Really good reading! As the saying goes, "A chain is only as strong as its weakest link", so we need to invest in security education to foster a security culture, but without it being an additional burden for regular employees.
I would love to learn more about gamification techniques for threat awareness training. If anyone can share resources, I would greatly appreciate it.
Based on my experience, Security Culture, whether physical or cyber security, must reflect a set of values shared by everyone in an organisation. This helps determine how people are expected to think about and approach security. All employees should understand the importance of a well-developed and sustainable security culture as an essential component of a holistic security regime.
A strong security culture will help mitigate against a range of threats that could cause physical, reputational or financial damage to an organization.
The organization will see the benefits of an effective security culture that includes: