The 7 Dimensions of Security Culture

Issue link: https://insights.oneneck.com/i/1476862


particularly one that we had not expected that we would have, our thoughts and feelings toward that behavior are likely to change [17]. This pertains to the principle of attitude consistency and comes from the process of self-perception, in which we use our own behavior as a guide to help us determine our own thoughts and feelings [18].

Attitudes are the subject of controversy. As mentioned, psychology studies tend to explore how behavior influences attitudes. Conversely, behavioral security research tends to focus on how employee attitudes directly influence information security behaviors. This focus on the influence of attitudes on behavior is not surprising, as it reflects one of the most commonly applied socio-psychological theories in this field: the Theory of Planned Behavior. The Theory of Planned Behavior (later upgraded into the Theory of Reasoned Action [19]) presents attitudes as an important antecedent of behavioral intent. For example, research [20] points out that employees are aware that a password breach can have serious consequences for them and for the organization, but their attitudes toward following security policy remained negative or indifferent, resulting in continued risky behavior.

Such a discrepancy between knowledge, attitudes and behaviors is well known in social psychology. Cognitive dissonance is a concept that describes a tension between individual beliefs and activities, e.g. "I shouldn't smoke, because it is bad for my health. I nevertheless smoke". People tend to resolve this tension by changing their attitude ("My grandfather smoked and lived until he was 90 years old, so it's not so bad") rather than their behavior ("I stop smoking"). Similar situations are seen in the security field, when employees, instead of practicing conscious risk-averse behavior (i.e. using stronger passwords), change their attitudes toward security behavior ("Why would hackers attack me if I'm just an ordinary employee?").

Behavioral security research shows that such attitudes are an important predictor of end-user behaviors and can at the same time be influenced by various mechanisms [21]. It has been empirically demonstrated that different training methods also change our attitude toward certain issues [22]. However, behavioral security research is not yet conclusive about the main predictors of attitudes, or about exactly how and how strongly attitudes affect security behaviors. Nevertheless, exploring employee attitudes toward cyber security provides an important metric to help target awareness in a more proactive way [23]. Hadlington (2018) observed that negative attitudes are manifested by employees who see reporting cyber incidents as a waste of time.

Attitudes of employees toward organizational security policy, toward conscious use of IT devices and toward organizational security in general are an important part of security culture. Users' awareness of information security risks influences their attitude toward behavior [24]. Ifinedo (2014) showed that attitude, subjective norms, and perceived behavioral control influence users' intention to comply with organizational information security policies. Measuring the attitudes of employees (at all levels of the company) toward information security policy and security-related activities is immensely important for an organization to estimate the overall sentiment toward security issues in the organization.
