Building a Security Culture With Behavior Design

Anyone who has run security awareness programs for a while knows that changing human behaviour is not an easy task, and that sometimes the problem with awareness is that "awareness" alone does not automatically result in secure behavior.

Let’s look at the challenge of building a security culture through the lens of behaviour design. BJ Fogg’s much-quoted behavior design model neatly outlines that behavior happens when three things come together at the same time: Motivation, Ability, and a Prompt, which could be a reminder or a nudge to do the behaviour.


Fogg’s Behaviour Model highlights three core motivators: Sensation, Anticipation, and Belonging. Each of these has two sides: pleasure/pain, hope/fear, acceptance/rejection. These core motivators apply to everyone; they are central to the human experience.

Let's try applying these to cybersecurity:

  • Tapping into people’s emotions by using visually appealing content, engaging with humour and story-based techniques, and activating positive sensations. 
  • Fear can be a powerful motivator too. Show what could happen when. But too much of it can result in apathy, so it needs to be underpinned with the notion that it is simple to defend.
  • Using the power of leadership or celebrity to tell stories and invoke a sense of belonging. 
  • Making it personally relevant by providing information on how to protect kids or family members.

Caveats: Humour is a great technique to grab people’s attention, evoke positive emotions and help with memory retention. However, it has to be applied carefully and with sensitivity to the audience's cultures; otherwise it can backfire. Also, it shouldn’t be used too much, as it could result in the audience not taking the core message seriously enough.


BJ Fogg says that training people is hard work, and most people resist learning new things. That’s just how we are as humans: lazy. Give someone a tool or a resource that makes the behaviour easier to do. A great example is a password manager. This is a tool that takes care of the desired behaviour and removes the complexity of having to remember multiple different passwords.


The concept of a prompt has different names: cue, trigger, nudge, call to action, request, and so on. They all have the same purpose: to remind people and tell them to "do it now". A good example is the password strength meter, which reminds people to come up with better passwords as and when they create them.

When designing an awareness campaign, it’s important to consider where prompts may be used. Examples are in-the-moment nudges, such as when users look at emails while on the go or when they are about to send a large file to someone externally.

When it is possible to combine the three elements of motivation, ability and prompts, changing behaviour is a much more likely outcome than just spreading awareness content and hoping for a result. 

Stay up to date on the rest of this evangelist series to help keep you and your users safe during Cybersecurity Awareness Month and beyond!
