top of page

Cyber security culture: using analytics to identify and mitigate risk

  • Writer: Christiane Wuillamie
    Christiane Wuillamie
  • Nov 15, 2024
  • 3 min read

Updated: Jan 30


Cyber security risk isn’t just a technology problem.

It’s shaped by the conditions people work in: leadership signals, policy design, tool friction, time pressure, peer norms, supervision, reporting climate and third-party practices.

This insight piece summarises a multi-client study and explains how a systems-based, analytics-led model can uncover hidden risk drivers and prioritise the right changes.

What our multi-client research revealed

The goal was to identify root causes, not just behaviours.

PYXIS Culture Technologies spent the past three years working with a range of clients to identify the root causes of cyber security. In this effort we developed a visual systems-modelling approach to identify the drivers of effective cyber security.

Why technology and training still fall short

Symptoms are visible, but the drivers often remain hidden.

Most organisations rely on a mix of security controls, awareness training, audits and phishing simulations. These are important, but they often measure outcomes rather than the conditions that create them. That’s why the same issues recur: workarounds form, reporting stays low, and secure practice does not consistently “stick”.

What we analysed and how we modelled it

Culture drivers can be mapped as an organisational ecosystem.

The study uses analytics and systems modelling to produce a visual map of drivers and their interactions. The map shows how organisational conditions reinforce each other, where hotspots are forming, and which drivers most strongly influence overall cyber security effectiveness.

This turns culture from a discussion topic into a decision tool: leaders can see what is driving risk, not just where it shows up.

What the research highlights

Many organisations have significant headroom in key drivers.

Across participating organisations, the combined picture indicates that many businesses lag in drivers that underpin effective cyber security. The value of this view is not ranking organisations, but exposing the common pattern: important drivers often sit outside the usual security dashboard.

When these drivers are made visible, leaders can target interventions that reduce human risk at source rather than repeatedly treating surface symptoms.

Making governance practical

Prioritisation is where boards and leaders can have real impact.

Once drivers and hotspots are visible, leaders can compare interventions and prioritise the ones most likely to reduce risk. This is where What-If analysis becomes useful in practice: you can test scenarios, focus effort on high-impact changes, and avoid spending time on actions that feel reassuring but do not move outcomes.

Learn more about improving cyber security culture or book a demo to see how the PYXIS Platform supports prioritised change.

What executives and boards should take from this

Cyber resilience improves when leaders govern the drivers.

A practical, evidence-led approach starts with a simple shift:

  • Treat culture as a system of drivers that can be measured.

  • Focus on root causes, not just awareness and compliance.

  • Prioritise change based on impact, not activity.

  • Track leading indicators to see improvement before incidents occur.

This same systems approach also applies to strengthening safety culture and conduct and compliance culture.

Key topics covered in this article

  • Multi-client research into cyber security root causes

  • Using analytics to identify drivers and hotspots

  • Visual systems modelling for cyber security culture

  • Why controls and training often miss underlying causes

  • Prioritising high-impact interventions using What-If analysis

  • Using leading indicators to track improvement over time

About PYXIS Culture Technologies

PYXIS Culture Technologies helps organizations understand and improve the cultural drivers of performance, safety, and cyber resilience.

By combining deep research, operational experience, and advanced culture analytics, we help organizations close the gap between cyber strategy and everyday behaviour.

Our approach is effective:

  • We treat culture as a systemic business issue, not an HR initiative.

  • We identify key internal business practices that create cyber security risks and provide effective solutions you can immediately implement.

  • We link your cybersecurity culture to business financial metrics, showing a clear ROI for strengthening your cybersecurity culture.

Learn more about PYXIS on our About us page.


Connecting the dots

For more information or to request a demo on how mapping culture drivers can improve business results, contact us here.



BACK TO RESOURCES

Let's connect the dots

See how PYXIS models What-If scenarios to prioritise the fixes that move your numbers.

BOOK A PLATFORM DEMO
bottom of page