In defense of private companies: Creating a cyber risk-aware culture