HuFiCon

10 impactful ways to improve cybersecurity awareness with behavioural insights

30 January 2026 · 6 min read

“If you increase someone’s ability or motivation, you increase the likelihood they’ll do the secure thing.”

So says Ant Davis, long-time security awareness thought leader and host of The Awareness Angle, a podcast that focuses on the human aspects of cybersecurity.

This makes human behaviour the biggest opportunity for improving cybersecurity effectiveness, and it reframes cybersecurity awareness from a compliance requirement into a cultural habit. Yet employee behaviour is too often the most underestimated aspect of cybersecurity defence. Instead of focusing only on policies, controls and tools, successful cybersecurity programmes seek to understand how people actually behave at work, and why, and then design around that behaviour.

This leads to a fundamental conclusion: effective, sustainable cybersecurity develops when awareness becomes part of employees’ daily thoughts and actions. This view aligns with those of other experts on the stage: Melina Chatah, Director of International Customer Success at SoSafe, and human-focused security evangelist Andrew Rose, an award-winning CISO with more than 25 years of experience, including his work as Principal Analyst at Forrester Research.

At the 2025 Human Firewall Conference (HuFiCon) they shared their expertise on how organisations can apply 10 behavioural cybersecurity models to create a powerful company-wide cybersecurity awareness culture.

1. Reduce and increase friction to shape secure behaviour 

Security friction is a behavioural science term for the amount of effort a person has to expend in order to act securely. It builds on the behaviour model developed by Professor B. J. Fogg, in which a behaviour occurs when motivation, ability and a prompt come together: the more you increase people’s motivation or ability, the more likely they are to act securely.

Davis gives the example of developers who were repeatedly building environments with imperfect security. The answer was not to add more policies. Instead, once the friction was removed through automation, “behaviour changed overnight”: secure behaviour became the easiest option, the path of least resistance.

In a converse example, teams were building bespoke identity verification rather than using the policy-driven, best-practice standard builds. Adding friction, in the form of a structured risk assessment for anything custom, persuaded them to adopt the company defaults. As Davis explains, “If they insisted on building their own, they had to go through a heavy risk assessment. If they used standard builds, no friction. Immediately, adoption changed.”

Scoring friction to identify pain points and high-friction activities lets an organisation steer behaviour in the right direction. High friction increases effort and tempts people to bypass security controls, whereas removing pain points makes the desired secure behaviour the easy one.

2. Use the IKEA effect to create cybersecurity ownership

A transformative principle in cybersecurity awareness is that people value what they help create. When employees are actively involved in shaping their organisation’s security culture, they feel a sense of ownership that breeds genuine, lasting engagement.

Involvement can be anything from sharing examples of suspicious emails and creating internal campaign messaging to helping design phishing simulations. It’s important to close the loop by providing feedback on how their input helped.

3. Activate internal influencers and hidden champions

Davis stresses that “influence isn’t tied to job titles“. Every organisation has a diversity of credible voices to champion cybersecurity awareness. Identify early adopters and enthusiastic team members who influence others and engage them in creating a cybersecurity awareness culture. They can become influential cybersecurity champions. Also look for the hidden champions who might quietly sit in HR or finance but have a disproportionately positive effect on those around them. Involving all of these people multiplies and amplifies message reach.

4. Treat branding as part of behaviour change

Cybersecurity should feel clear, modern and recognisable. Branding bridges the gap between dull security training and up-to-date learning. Instead of dusty PowerPoint presentations, take a few leaves from the marketing playbook: engaging visuals, laptop stickers, short videos, or even fun Easter-egg messages like those in video games. This also works through ambient, repeated exposure, which embeds the cues cognitively and reinforces them subconsciously.

As Davis says:

“Just like films embed phones or drinks brands, embed your security cues around the workplace.”

5. Stack security habits into daily workflows

Pairing actions forms habits through conscious and unconscious association. In the same way that brushing your teeth goes with bedtime and fastening a seatbelt goes with driving, you can replicate this at work, for example by pairing locking the screen with taking a coffee break, or installing updates with opening the laptop.

These micro-habits shift cybersecurity awareness from reaction to autonomous, proactive action. Davis recommends that organisations find as many ways as possible to “encourage pairing security actions with daily habits”.

6. Use storytelling to make security memorable

Davis notes that people remember only 5-10% of raw information and around 25% of information accompanied by visuals, but retention rises to as much as 75% when the information is wrapped in a story. Simply instructing employees not to reuse the same password across platforms can be dismissed as undue effort.

However, telling them a story about someone who lost money when their Facebook business page was hijacked through a weak password leaves a deeper psychological imprint, because stories prompt deeper elaboration and better retention, and that cognitive engagement produces longer-lasting changes in attitude. To support this, encourage teams to keep and share “story notebooks” of relatable incidents, close calls and other cybersecurity experiences. To quote Davis:

“The story lands far more powerfully than the policy.”

7. Leverage temporal landmarks for maximum impact

Temporal landmarks are natural moments when employees are already resetting behaviour and revising habits. New joiners, people returning from leave, promotions and organisational restructuring are all opportunities to create cognitive space for new behaviours and routines.

These temporal landmarks can have a powerful effect on motivation. They can restructure perceptions and increase desire to pursue goals. Target these moments to encourage secure behaviour, through contextual reminders and micro-inductions when habits are already recalibrating. These will land more effectively when they align with broader personal employee changes. “Intervene when people are mentally resetting anyway”, Davis advises.

8. Make learning fun and personalised

The human brain is designed to respond positively to fun. Enjoyable, creative interactivity boosts engagement with cybersecurity awareness training. For instance, letting employees create their own phishing templates to trick others creates a sense of friendly competition and curiosity. 

Positive reinforcement and publicly celebrating successful security behaviours empower people, making them want to participate in creating a company-wide cybersecurity awareness culture. Davis suggests following the mantra of “make it playful but psychologically meaningful.”

9. Build peer-powered conversations into your culture

“Security hits harder when shared among peers”, Davis reminds us. The idea is to make security dialogue the norm. The effectiveness of “water cooler chats” is long established; today these conversations take place through channels such as WhatsApp, Slack and Teams.

These provide opportunities for well-placed comments reminding employees to be security-aware and normalising this type of conversation. Middle managers act as force multipliers here, shifting company norms so that secure behaviour spreads organically.

10. Turn mistakes into learning moments, not punishment

It’s crucial to create a company culture where mistakes become learning opportunities rather than failures to be punished. Open discussion without fear of retribution in “fail sessions” goes a long way towards successful behavioural change. Security metaphors and physical artefacts further reinforce this. 

Positive reinforcement and transparency help employees learn from real scenarios because they remove fear and guilt factors. The goal is to normalise security dialogue and create a cybersecurity awareness culture where mistakes surface early rather than being buried for fear of reprimand.

Conclusion: from tactics to real cultural change

The core takeaway is simple: cybersecurity awareness is most effective when it is continuously human-centred. Awareness becomes culture when learning draws on storytelling, personal identity, social influence, habit formation and the right timing. Collectively, these 10 tactics help turn employees into active cyber defenders by creating ownership and personal empowerment. And for teams looking to scale these ideas with structure, measurement and people-centred training, SoSafe provides the tools that make these cultural shifts easier to start, sustain and prove.
