Real behaviour change in cyber security starts here
Author: Melonie Cole | Founder and CEO, Mindshift
Building a cyber security awareness programme from the ground up is genuinely hard work. I have seen it done well and I have seen it fall apart, and the difference is rarely about budget or technology.
What I have noticed is that the programmes that make a real difference are the ones where the people driving them genuinely want to change behaviour. Not tick a compliance box. Not improve an audit score. Actually change how people act.
That sounds obvious. In practice, it is rarer than you might think. The motivation behind a programme shapes everything: how it is designed, how it is resourced, and whether it survives when a champion moves on.
What change actually looks like
The goal of any awareness programme worth its name is a workforce where good security habits have become second nature. Not compliance under supervision, but genuine instinct.
That kind of change reduces risk in a way that compliance training simply does not. When good security habits are genuinely embedded, the chance of someone making a preventable mistake (clicking something they should not, leaving a system exposed, sharing credentials without thinking) goes down significantly.
Getting there requires more than good content. It requires understanding what actually drives human behaviour and designing for that, not just for knowledge transfer.
The framework I keep coming back to
A few years ago I came across the Fogg Behaviour Model, developed by Dr BJ Fogg at Stanford University. It is widely used in cyber security awareness and forms part of the SANS Institute's Workforce Security and Risk Training curriculum. I have found it consistently useful, both as a design tool and as a way of explaining to leaders why their current programme may not be producing the results they expect.
The model is straightforward. Behaviour happens when three things converge at the same moment: motivation, ability and a prompt. When a behaviour is not occurring, one of those three elements is usually missing. That is it. Simple in theory. The work is in the application.
How it works in practice
The easiest way to explain the model is through a concrete example. Take one of the most common target behaviours in any workplace: staff locking their computer screen every time they step away from their desk.
It sounds simple. But if you look at how often it actually happens without a prompt, you will find it is far less consistent than most organisations assume. That is because all three conditions need to be in place at once.
Motivation.
People need a genuine reason to care. Policy statements do not cut it. What works is something personal and concrete. A real example of what happens when a screen is left unlocked. An unauthorised access. An approval made without anyone's knowledge. That kind of specificity gives people a stake in the behaviour. Abstract risk does not tend to motivate; real consequences do.
Ability.
The behaviour needs to be easy. Locking a screen is a single keypress. The lower the friction, the more likely the behaviour becomes automatic over time. Where the secure action is complicated or interrupts workflow, ability becomes a genuine barrier and the behaviour suffers regardless of how motivated someone is.
Prompt.
Timing matters enormously. A screen prompt after a period of inactivity reaches someone at the exact moment the behaviour is needed. A reminder delivered in a training module six months earlier does not. The prompt has to arrive at the right moment to be effective.
When motivation, ability and prompt converge, locking the screen becomes automatic. That is the goal.
What this means for how you design your programme
When I review an awareness programme that is not delivering expected results, I almost always find that one of these three elements is weak or missing. Usually it is motivation. The programme is telling people what to do without giving them a genuine reason to care. Sometimes it is the prompt. The right information is being delivered at the wrong time.
Designing for all three changes the questions you ask when you build a programme. Instead of ‘what do we need to train people on?’, you start asking ‘what do we need people to feel, how do we make the right behaviour easy, and when is the best moment to reach them?’ Those are the more useful questions. And they tend to produce better outcomes.
Building programmes this way takes more thought upfront. But in my experience, it is the difference between a programme that produces a real change and one that produces completed training records.
If you are thinking about how to make your awareness programme more effective, I would be happy to have a conversation. Get in touch at melonie@mindshift.kiwi