You recently started working for a consultancy firm as the head of their cyber security team. The CEO is aware there is a prevailing culture of fear, uncertainty, and doubt regarding the firm's approach to cybersecurity, largely down to the legacy of your predecessor. As you settle into the role, you realise that management regularly use fear tactics to emphasise the consequences of security breaches. Each morning when logging on to your computer and at random times during the week, you and other employees are often subjected to alarming messages that highlight potential risks of using personal devices at work without offering any constructive guidance. The company has historically focused heavily on punitive measures to control the behaviour and practices of its staff. It also encourages staff to report on their peers if they see anything suspicious.

a.What risks does the current security culture pose to the consultancy firm?

b.What changes could you make to introduce a positive security culture?