Typical goals of a behavior change program

October 2, 2019 by Susan Morrow


The decisions we make every day, and the way we act and interact with other human beings, are based on characteristics of human behavior that are innate or learned. We develop these traits over a lifetime, and we bring the resulting behaviors to work with us too.

Human behavior is a very complex landscape of instinct and biology overlaid with cultural expectations and norms. Some behavioral traits can be highly specific to a situation, too. Take, for example, how we behave while waiting in line. The relation of behavior and “queue decisions” has been looked at from many angles. Human beings have to process complex variables like how fast a teller is and the relative queue speed before making a decision. However, anyone who has been in the crush during a Black Friday event will know that the process of queuing can fall apart under the right circumstances.

It is with the manipulation of natural human behavior in mind that cybersecurity awareness training programs must work. Human beings are still the weakest security link, with human error being behind 90% of data breaches, according to Kaspersky.

But changing behavior is something that takes time and effort. Behavioral change, to develop better security behavior, is a goal that we must work towards if we wish to make our organization more secure.

The goals of behavior change in cybersecurity

You may well ask yourself, what exactly is a security awareness training program? When teaching your staff about security issues, you ultimately want them to not only be aware but to act on that awareness. 

Cybercriminals are already way ahead of the game by using our own behavioral traits to their own ends. Many cybercriminal techniques, such as Business Email Compromise (BEC) and phishing, are built upon a foundation of behavior manipulation. Deep-seated human traits such as urgency, fear and trust are used by cybercriminals to perpetrate a scam.

Security awareness training offers a way to change, or make aware of, certain behaviors so that cybercriminals cannot take advantage of them. Here are some behavior change goals of a security awareness training program, organized by activity.



Phishing

Behaviors:

  • Clicking on a link
  • Downloading an attachment

Goals:

  • Prevent the knee-jerk behavior that leads to clicking a link or downloading an attachment, even if the email looks like it is legitimate. Teach users to recognize the signs of phishing.

Using login credentials, including password hygiene

Behaviors:

  • Sharing a password
  • Certain insecure passwords
  • Reusing passwords
  • Not setting second factors

Goals:

  • Ensure that users understand the risks of sharing passwords with other staff members.
  • Train your users in the use of secure password practices, including the use of a password manager.
  • Ensure that users understand that setting up a second factor wherever supported is important.

See also Infosec Institute’s Password Dos and Don’ts.

Safe internet use

Behaviors:

  • Poor attention to detail when using online services and websites.
  • Cloud computing now means that users are more likely to use cloud-based repositories to share and download data and documents. This behavior-tech combination is being used by cybercriminals who spoof sites using brands like Microsoft Office 365 and Dropbox, which have a massive commercial audience.
  • Poor social media security awareness.

Goals:

  • To reduce the chances of malware infection via this vector.
  • To reduce the chances of a staff member being tricked into visiting a malware-infected website.
  • Prevent information leaks via social media.
  • Train users to spot tell-tale signs of issues such as possible spoof sites and insecure sites. If your company uses a VPN, teach your staff why your company uses it and when and why it is vital to ensure it is switched on.

Safe mobile use inside and outside of work

Behaviors:

  • Not using safe Wi-Fi connections
  • Phishing (SMiShing)
  • Sharing mobile passwords/PINs
  • Downloading of unauthorized apps

Goals:

  • To ensure that users know not to share data in an insecure Wi-Fi environment, such as when traveling.
  • To look for the signs of SMiShing.
  • To secure their mobile devices and not share PINs or passwords.
  • To stop downloading of potentially malicious apps or apps that may inadvertently leak data.

Handling sensitive information, including customer personal data

Behaviors:

  • Taking too much information from customers during calls or other communications
  • Not taking due care when sending data out via email
  • Mis-sent emails that contain sensitive information
  • Leaving documents on printers

Goals:

  • Data minimization must be a company remit. In the age of GDPR, this is a simple way to reduce the likelihood of mass data exposure.
  • Create a clean desk policy that is adhered to.

Remote working

Behaviors:

  • Working in a home office
  • Working in a cafe
  • Traveling

All of the above have behaviors that can lead to leaked data and company information.

Goals:

  • Increase awareness of the risks of working in an uncontrolled environment.
  • Use of VPN on mobile devices and laptops.
  • Use of a privacy screen.
  • To be aware that conversations can be overheard in public places.

Conclusion: Not just behaviors, but quantifiable data

One thing that must be included in a behavior change program is feedback and metrics. These data can be used to show your staff that the program is effective. The metrics can be used to tailor the program to ensure activities are optimized.

Whatever goals you decide to focus on, they should be aligned to your business. What types of cyberthreats are seen as a priority in your sector? Do business sections require a varying focus on behavior change goals? What is the risk level of each threat, and can this be mapped to the expectations of a behavior change program?

Behavior change may seem daunting, but applied correctly and with the engagement of your staff, it will become a vital part of your cybersecurity arsenal.



  1. Fantastic Metrics, Elevate Security
  2. 90 percent of data breaches are caused by human error, TechRadar

Susan Morrow is a cybersecurity and digital identity expert with over 20 years of experience. Before moving into the tech sector, she was an analytical chemist working in environmental and pharmaceutical analysis. Currently, Susan is Head of R&D at UK-based Avoco Secure. Susan’s expertise includes usability, accessibility and data privacy within a consumer digital transaction context. She was named a 2020 Most Influential Women in UK Tech by Computer Weekly and shortlisted by WeAreTechWomen as a Top 100 Women in Tech. Susan is on the advisory board of Surfshark and Think Digital Partners, and regularly writes on identity and security for CSO Online and Infosec Resources. Her mantra is to ensure human beings control technology, not the other way around.