The Security Culture Playbook

Authors: Perry Carpenter and Kai Roer

The bottom line

“The Security Culture Playbook” is an engaging and practical guide to addressing one of the most critical, and often neglected, elements of a holistic cybersecurity program: the human factor. Co-authors Perry Carpenter and Kai Roer draw from behavioral science, organizational psychology, and years of combined industry experience to provide readers with a framework for embedding secure thinking into daily business behaviors. Their goal is to shift internal business conversations from tools and compliance to people and culture, with a clear emphasis on strategic, measurable transformation.

At the heart of the book is their distinctive Security Culture Maturity Model, along with practical guidance for building a security culture program that is sustainable and aligned with organizational goals. Cybersecurity professionals at all levels would benefit from the knowledge shared in this book, especially those in leadership, awareness, training or human risk management roles. It provides the language, frameworks, metrics and executive alignment strategies necessary to drive meaningful culture and behavioral change. I recommend this nonfiction book for the Cybersecurity Canon Hall of Fame.

Book Review by Crystal Kobe

In the constantly evolving landscape of cybersecurity, it’s important to recognize that technology alone is insufficient to protect an organization from internal and external threats. The most advanced tools in the world mean very little if users are negligent, unaware, disengaged or apathetic. In “The Security Culture Playbook,” Perry Carpenter and Kai Roer offer cybersecurity professionals a practical and actionable blueprint for addressing the human element as a core component of a security program framework, enriched by engaging and relatable real-world stories and examples.

As someone involved in human risk management and awareness training, I found that the authors’ central thesis, that resilient cybersecurity begins with culture, resonates deeply. They challenge the outdated notion of users as “the weakest link” and reframe them as a powerful line of defense. Drawing on behavioral science, they show how consistent messaging, storytelling and social cues can shape secure behavior. Rather than seeing users as obstacles, they urge us to recognize them as people who need context, motivation and reinforcement in order to engage your organization’s “human layer defenses.”

The authors argue that “we cannot afford to ignore the human side of the cybersecurity equation,” with the intent to inform and help persuade those who may not see the incredible value in developing users’ skill sets to help defend an organization. While the book is filled with practical models and frameworks, it also makes the case for a mindset shift emphasizing that culture is not a one-time initiative but an ongoing strategic capability that is vastly undervalued.

Among the book’s valuable resources is the Security Culture Maturity Model, a framework that helps organizations assess, structure and evolve their security culture-building efforts. The book delves into how metrics, leadership alignment and storytelling can be used as levers to promote sustainable change across your organization, ultimately improving security posture. These aren’t abstract ideas; they’re repeatable, operational tools that security teams can apply in real-world environments. The advice provided surrounding the planning and maturing of your program is intentional and actionable, with a highlight being the recommendation of “Culture Carriers” and the difference having peers model ideal behaviors can make in your security program. 

We modeled the Cybersecurity Canon after the Rock & Roll Hall of Fame, but for cybersecurity books. Our volunteer CISOs have reviewed over 200 books on different aspects of cybersecurity to offer a curated list of must-read, timeless books for all professionals involved in cybersecurity.

The Cybersecurity Canon project is a non-profit organization. We invite everybody to join the community and contribute. You can nominate your favorite cybersecurity books and even join the team that writes reviews.
