Cyber security behavior change: How to get started

Improving security behaviours
CultureAI Team
June 16, 2023
Security Awareness Pros

⚡ TL;DR ⚡
  • Behavioural change is key to improving cyber security in organisations
  • Understanding human behaviour is critical to promoting change
  • Factors such as appropriate resources, motivation, and habits drive behaviour change
  • To change security behaviour, we need to focus on nudging employees towards system 2 thinking
  • Organisations can use tools like education, gamification, and nudges to promote change
  • Successful behavioural change initiatives can reduce the risk of cyber attacks and enhance overall security posture.


As more and more aspects of our lives move online, the importance of cyber security has become increasingly clear. From social media accounts to banking information, personal and sensitive data is at risk of being compromised if proper measures are not taken.

But what exactly is cyber security behaviour? In simple terms, it refers to the actions and habits that individuals and organisations take to protect themselves and their sensitive information online. This can include everything from using strong passwords to avoiding suspicious emails and links.

While many organisations conduct security awareness training for their employees, this is often not enough to truly change behaviour. Learning about potential threats and how to avoid them is certainly important, but it is equally important to practice these behaviours on a regular basis. Without consistent practice, employees may not know what to do when they encounter an actual attack.

To truly mitigate the risks related to the human factor of cyber security, organisations must focus on cyber security behaviour change. This means providing training that results in employees knowing what to do when they see a threat and then consistently reinforcing those behaviours through regular practice and feedback. It's not just about security knowledge; it's about making security habits second nature.

In the end, cyber security behaviour is all about developing good habits and making them a part of our everyday routine. By doing so, we can protect ourselves and our sensitive information from potential threats and mitigate the risks posed by the ever-evolving world of cyber security.


When it comes to changing cyber behaviour, there are various theories that explain why certain practices are more effective than others in reducing security risks within organisations. One such theory is the behaviour change theory.

Behaviour change theory research suggests that to change behaviour we need to address the underlying psychological factors that influence it. This means that simply providing employees with knowledge about cyber security risks is not enough. We need to go beyond awareness training and address the automatic, unconscious responses that lead to risky behaviours.

As we discussed earlier, these automatic responses are controlled by what behavioural scientists call system 1 behaviour. This is where our brains quickly and unconsciously process information and make decisions based on past experiences and biases. On the other hand, system 2 behaviour is where our brains engage in slow, analytical thinking, requiring more effort and attention.

So, to change security behaviour, we need to focus on nudging employees towards system 2 thinking. This means creating interventions that make engaging in safe security behaviours easier for employees.

For example, implementing two-factor authentication or using password managers can nudge employees towards more secure behaviours, as they require more conscious effort and attention.

Understanding behaviour change theory is essential for creating effective cyber security awareness programmes. By targeting the psychological factors that influence behaviour, organisations can create long-term behaviour change that will help mitigate the risks posed by cyber threats.


Cyber security threats are constantly evolving, and the consequences of a security breach can be devastating for businesses. Despite this, many organisations continue to rely solely on security awareness training to mitigate the risks posed by cyber threats. This approach is flawed for several reasons.

Firstly, security awareness behaviour training is often seen as a compliance tick-box exercise, with employees not taking the training material seriously or just ignoring it altogether. Additionally, employees may take risky shortcuts to get things done quickly, leading to the sharing of sensitive information on public channels or the use of weak passwords.

Another issue is the workload of security professionals. These teams are often responsible for monitoring, responding to, and reducing cyber security risks manually, which can be a daunting task. This can lead to a lack of visibility on where the issues are coming from, making it difficult to take effective action to reduce risks.

Moreover, human error when it comes to cyber security can be broadly categorised as skill-based errors and decision-based errors. Skill-based errors occur during routine activities when an individual's attention is diverted from the task at hand. Decision-based errors occur when an employee makes the wrong judgement due to a lack of knowledge or an incorrect understanding of the rules.

To address these issues, organisations need to adopt a more proactive and practical approach to cyber security training. This means providing employees with regular and ongoing training that focuses on practical skills and behaviours, rather than just theoretical knowledge. By doing so, organisations can reduce the risks posed by cyber threats and minimise the occurrence of errors.


When it comes to cyber security, two terms that are often used interchangeably are "security awareness" and "security behaviour." But while they are related, they couldn’t be more different.

The security awareness behaviour model is like being told to wear a seatbelt. You know it's important, and you may even understand why, but some people still choose to ignore it, despite the risks. Security awareness is about educating people on the risks and threats that exist in the digital world. It's about making people aware of the potential harm that can be caused by cyber attacks and how to avoid them. Think of it like a safety briefing before a flight: you listen to it, but you hope you never need to use the information.

Security behaviour, on the other hand, is like actually wearing the seatbelt. It's about taking action to protect yourself and your organisation from cyber threats. It's about making security a habit and a part of your daily routine. You do it automatically because you know it's the right thing to do, thanks to the behaviours instilled in you while learning.

The difference between security awareness and security behaviour is similar to the difference between knowing something and doing something. Security awareness is about knowing what to do, while security behaviour is actually doing it. It's one thing to understand that phishing emails can be dangerous, but it's another thing entirely to recognise and avoid them when they land in your inbox.

So while security awareness is important, it's only the first step in creating a truly secure organisation. To truly protect against cyber threats, it's essential to turn that awareness into action and develop strong security behaviours. Read more on how to improve cyber security awareness.



Taking cyber security behaviour to the next level can lead to a strong cyber security culture within an organisation. A cyber security culture is a set of shared values, beliefs, and practices that influence the way people think about and act on cyber security.

To achieve this, it's important to move beyond just individual behaviour and create an environment where security is integrated into every aspect of the organisation's operations. A strong security culture requires a commitment from leadership, ongoing education and training, and a sense of shared responsibility among employees.

Positive reinforcement is crucial for building a strong security culture. Instead of punishing employees for making mistakes or failing to follow protocols, organisations should focus on rewarding positive behaviour and encouraging transparency. When employees feel safe to come forward and report security incidents, the organisation can respond quickly and effectively.

Organisations should also provide engaging and interactive training experiences that help employees, over time, understand the importance of cyber security and how they can contribute to the overall security culture. This can include gamification, simulations, and real-life scenarios to help employees practice their cyber security skills.

Ultimately, a strong cyber security culture is about creating a sense of community and shared responsibility around protecting the organisation's assets. When everyone in the organisation is committed to cyber security, it becomes a natural part of the way things are done, making it much harder for cybercriminals to find vulnerabilities and exploit them.


As we’ve learnt so far, changing employee behaviour and creating a security culture within an organisation is not an easy task. There are a lot of factors to consider when changing the behaviour of a whole organisation.

It requires a multifaceted approach that includes ongoing training, effective communication, positive reinforcement, and leadership support.


Cybercriminals have become extremely sophisticated in their approach to phishing, which is why it’s important for employees to be aware of these tactics and how to avoid falling victim to them. Phishing attacks rely on human psychology to persuade people to take actions that benefit the attackers, like downloading malware or sharing passwords. The use of fear, trust, greed, curiosity, and urgency can be very effective in persuading people to take actions that they would not otherwise take.

The first step in preventing such attacks is to educate employees about the different types of threats they may encounter online. It is essential that they understand the techniques used by hackers and how to recognise and avoid them. Cybersecurity training should use positive emotions such as humour, expertise, repetition, intensity, and scientific evidence to influence employees. Fear should be avoided as a primary influencing technique, as it is a negative emotion and can create resistance.

Through effective training, employees can develop the knowledge and skills necessary to identify and avoid potential threats. By creating a security-aware culture within the company, employees will be more confident in their ability to protect the company’s assets from cyberattacks. This will not only safeguard the business but also help to build trust and confidence with customers, suppliers, and other stakeholders. A well-informed and prepared workforce is the first line of defence against cyber threats. Businesses should prioritise their cybersecurity education and training to ensure their employees can identify and respond to threats effectively.


Providing training and skills on proper security behaviour is a crucial step towards changing employees' behaviour towards cybersecurity. Simply telling employees to be more vigilant or to avoid suspicious emails is not enough. Instead, organisations need to invest in effective training programs that provide employees with practical skills and knowledge they can apply to protect themselves and their organisations from cyber threats.

Effective cybersecurity training programs should be tailored to the organisation's specific needs and should cover topics such as password management, phishing prevention, and safe browsing. The training should be delivered in a way that is engaging and interactive, allowing employees to practice the skills they learn in a safe environment. Additionally, training should be ongoing and reinforced regularly to ensure that employees retain the information and skills learned.

Another important aspect of cybersecurity training is the use of real-life scenarios to demonstrate the importance of proper security behaviour. This can include simulated phishing attacks, MFA requests, or social engineering attacks to help employees recognise the tactics used by cybercriminals and how to respond appropriately.

By providing employees with the right training and skills, organisations can equip their staff with the knowledge and confidence they need to make better security decisions and reduce the risk of cyber threats.


Providing employees with the resources they need to demonstrate good cyber security behaviours is just as important as providing training. Organisations need to ensure that employees have access to the necessary tools and technology to protect themselves and their organisations from cyber threats.

For example, organisations should provide employees with secure communication tools to help them avoid using unsecured public channels for sharing sensitive information. They also need quick access to a phishing reporting button in their email platform to make it as easy as possible to report a potential threat. Employees should also have access to password managers, two-factor authentication tools, and other cybersecurity software to help them keep their accounts secure.

Organisations can also consider implementing policies that restrict access to sensitive data or limit the use of personal devices for work activities. Additionally, providing clear guidelines on how to handle sensitive information and what to do in case of a security breach can help employees feel more confident in their ability to respond to cyber threats.

By giving employees the resources they need, organisations can empower their staff to take responsibility for their own cybersecurity and make better security decisions.


Incentivising good cyber behaviour and providing frequent feedback are powerful tools for reinforcing cybersecurity habits and driving cyber security behaviour change.

One way to incentivise good cyber behaviour is to recognise and reward employees who consistently demonstrate good security habits. This can be as simple as acknowledging their efforts in team meetings, implementing a leaderboard, or providing bonuses or other incentives for employees who meet specific cybersecurity goals.

Providing frequent feedback is also important for driving cyber security behaviour change. Employees need to know that their efforts are making a difference, and regular feedback can help them understand how they are contributing to the organisation's cybersecurity posture. This can include regular security assessments or phishing simulations, with feedback provided to employees on how they performed and how they can improve.

Feedback should be constructive and supportive, focusing on the positive aspects of an employee's performance and highlighting areas for improvement. By providing regular feedback, organisations can reinforce good cybersecurity habits and encourage ongoing cyber security behaviour change.

Changing employees' behaviour towards cybersecurity requires a multifaceted approach that includes effective training, providing resources, incentivising good behaviour, and providing frequent feedback. By investing in these areas, organisations can create a culture of cybersecurity that empowers employees to protect themselves and their organisations from cyber threats.


Creating a security culture improvement program can be a daunting task for any organisation. It requires a deep understanding of the organisation's culture and the psychological factors that influence behaviour. This is where CultureAI can help.

CultureAI is a comprehensive human risk management solution that goes beyond traditional awareness training to mitigate cyber risk within your organisation. Our platform provides end-to-end support, from data-driven security coaching to automated interventions and nudges, empowering your employees to prevent breaches and promote a security-conscious culture.

With CultureAI, organisations can create personalised cyber security behaviour change programs that are tailored to their specific needs. The platform provides actionable insights that help organisations identify the areas that need improvement, the behaviours that need to be reinforced, and the interventions that are most likely to be effective.

By leveraging the power of human risk management, CultureAI can help organisations create a security culture that is proactive, practical, and effective. The platform can help identify the psychological factors that influence behaviour and provide interventions that nudge people towards safe cyber security practices.

Developing a security culture improvement program is essential for any organisation that wants to mitigate the risks posed by cyber threats. By providing training and skills on proper security behaviour, giving employees the resources to demonstrate cyber security behaviour, incentivising good cyber behaviour and providing frequent feedback, organisations can create a culture of security that is embedded in their everyday routines.
