From Aviation Safety to Cyber Resilience
- Katarzyna Celińska
In cybersecurity, as in aviation, technology alone doesn’t keep us safe — people and culture do.
The National Cyber Security Centre and the National Protective Security Authority (NPSA) highlight a universal truth:
The strongest defense against cyber threats is not a firewall or a tool — it’s a culture of security embedded in every person, process, and decision. And when we look at how the aviation industry transformed itself into one of the safest in the world, we find a model worth following: a Safety Culture built on five pillars — Informed, Reporting, Just, Learning, and Flexible.

The Pillars of Cybersecurity Culture (Adapted from Aviation)
1️⃣ Informed Culture
People understand the technical and human factors that affect security.
They know how their actions — from clicking a link to managing access — contribute to the organization’s resilience.
➡️ NCSC: “Understanding your culture and workforce.”
2️⃣ Reporting Culture
Employees feel safe to report suspicious activity, phishing attempts, or even their own mistakes — without fear of blame.
This openness allows organizations to act early and learn quickly.
➡️ NCSC: “Encourage open dialogue; mistakes are learning opportunities, not failures.”
3️⃣ Just Culture
There is trust between employees and leadership.
Individuals are treated fairly — accountability exists, but so does empathy.
➡️ NCSC stresses the importance of balancing responsibility with fairness to foster trust.
4️⃣ Learning Culture
Every incident, audit, or near-miss becomes a lesson, not a secret.
Teams use findings to adapt and improve policies, awareness, and technology.
➡️ Aligned with “Continuous improvement and measurement” principles.
5️⃣ Flexible Culture
In crises, hierarchy gives way to collaboration.
Teams coordinate rapidly across departments, adapting processes to emerging threats.
➡️ This is the essence of resilience.
NPSA’s Security Culture Tool
The tool helps organizations measure, understand, and shape their culture through three key components:
1️⃣ Workforce Surveys.
2️⃣ Organisational Influences Assessment.
3️⃣ Cultural Style Workshop.
As I always emphasize during my lectures and training: A mature cybersecurity program is not built on tools or frameworks — it’s built on people with the right mindset and the right culture. When we look at the aviation model and the UK’s security culture initiatives, the message is clear:
➡️ Culture turns compliance into behavior.
➡️ Behavior builds trust.
➡️ Trust builds resilience.
I see culture as the foundation of every robust GRC program. Of course, no culture can eliminate all risk. But a strong one ensures that when incidents happen, people respond faster, recover smarter, and improve continuously.
Author: Sebastian Burgemejster