Issue link: https://insights.oneneck.com/i/1476862
21 The 7 dimensions of security culture Cognition The employees' understanding, knowledge and awareness of security issues and activities. It is argued that if a person is not aware of basic concepts of information security, he or she is more prone to information security threats than the others. Thus, knowledge is one of the key concepts in the research of human factor in information security, and it is a dominant component of information security awareness 37 . However, knowledge is a necessary but insufficient condition for employees to practice conscious careful behavior and to adhere to information security policies 38 . Empirical research shows practically non-existent correlations between knowledge and information security behavior 39 , suggesting that employees who know more about security issues do not necessarily perform more secure end-user behaviors. This does not mean that knowledge is irrelevant in keeping organization safe. We just need to be aware that relation between knowledge and behavior is not direct and linear. Knowledge gained by employees can provide reliable insight into which processes are important to monitor and improve in order to strive for a change in employee behavior 40 . Although the field of behavioral information security focuses on the concept of awareness, traditional security education, training, and awareness approaches are often ineffective in preventing violations 41 , so it is imperative that we explore other approaches to designing programs and how they communicate policies to better persuade employees to comply 42 . Knowledge Management Theory 43 defines knowledge as the contextual and high-value form of information and experience that positively affect decisions and actions 44 . Whereas, cognition pertains to the contextual information, awareness, and personal experience ready to be used for decisions and actions. It is this distinction that leads us to the conclusion that a focus on knowledge and awareness is not a comprehensive approach in understanding cognitive processes related to security. Instead we focus on the concept of cognition. The concept of cognition generally refers to a range of mental processes relating to the acquisition, storage, manipulation, and retrieval of knowledge 45 . Research by Farooq & Vitanen (2015) suggests that there are three cognitive skills necessary for effective learning experience: 1) knowledge of facts, processes and concepts, 2) ability to apply the knowledge, 3) ability to reason 46 . These cognitive skills are developed through thought, experiences and senses 47 . Measuring the organization's cognition of security tells us what employees verifiably know or believe, what they understand of security-related issues and practices, as well as how they apply their knowledge. Our concept of cognition is therefore a combination of information, awareness and experience. We understand the acquisition of knowledge and understanding as parts