A woman looking at her laptop with a graphic overlay showing components of a security culture including context, knowledge, behavior, and motivation.

Human Risk Management, Behavioral Science

How to create a security culture: The Behavioral Security Model

4 January 2024 · 10 min read

In today’s world, the cyber threat landscape is constantly changing and presents companies with enormous challenges. In addition to the rapid development of artificial intelligence (AI), social engineering, the increasing professionalization of cybercrime, and global geopolitical crises are turning the threat landscape into a breeding ground for cybercriminals. These diverse threats significantly increase the risk of security breaches and require a dynamic and robust response from companies to adapt their defense strategies accordingly.

To effectively combat these cyber threats, companies are deploying cutting-edge technical solutions, including multi-factor authentication, end-to-end encryption, advanced endpoint protection, and conditional access strategies. However, social engineering remains at the heart of cyberattacks, irrespective of the many technical precautions organizations already have in place. With 74% of breaches involving the human factor, organizations are starting to recognize the value of a strong security culture that puts people at the center of their security strategies. This article aims to support that impulse by explaining the different dimensions we need to focus on to create a strong security culture in our organizations.

Quote by Tobias Ludwichowski saying: 'Human behavior is always most easily detected by other people. If you rely 100% on technology and assume that it will catch everything, you’re making a big mistake.'

The Behavioral Security Model: A proactive approach to the human component of cyber security

At SoSafe, we developed the Behavioral Security Model to transcend traditional security approaches by placing employees at the center of the cyber security strategy. This approach recognizes that sustainable security can only be achieved if employees are understood not just as potential risks or the weakest element but rather as key actors in their organization’s defense.

The Behavioral Security Model is based on four dimensions: knowledge, context, motivation, and behavior. However, these dimensions are not seen as separate entities but as an interwoven system that encourages employees to act proactively. The holistic approach of this model aims to strengthen every aspect of employee interaction with cyber security, and the interplay of these four dimensions creates a strong line of defense that promotes both individual and collective security efforts. Let’s now explore each of them:

Graph showing the main components of a strong security culture: context, knowledge, behavior, and motivation.

Knowledge: Empowering employees for stronger cyber security

Ensuring employees have the necessary knowledge is an important part of a company’s defense. Traditional methods of cyber security training, such as a standardized training program or a fixed curriculum, are no longer sufficient. The reason is that they often lead to a rapid reduction in engagement and a significant decline in knowledge retention, as shown by Dr. Ebbinghaus’ forgetting curve. The graph shows how learners forget 90% of what they learned within the first seven days, and this rate of information loss even intensifies when learners interrupt their learning routine and frequency.

Ebbinghaus’s Forgetting Curve

The good news is that there are methods based on behavioral science to motivate employees during cyber security training, keeping them interested in learning and helping them memorize knowledge more sustainably:  

  • Spaced training: Replacing lengthy, infrequent sessions with shorter, more regular training modules that utilize the psychological principles of repetition and engagement.
  • Interactive elements: Incorporating quizzes and other interactive elements that involve the employee in their learning process enhances retention and engagement.
  • Behavioral nudges: Sending periodic prompts and updates remind and actively encourage continuous learning and cyber security vigilance. Our Human Risk Review 2022 confirmed this: “Nudging continuously increases engagement by 30% and even up to 90% in the introductory phase.”

In a world saturated with information and where time is often scarce, simplifying the learning experience and delivering bite-sized modules at critical moments is key. All in all, employees with a solid understanding and knowledge of how to ensure digital self-defense will help their organizations reduce the risk of incidents. A sound training program with continuous, contextual knowledge delivery can efficiently support this.

Context: Personalized training for cyber security excellence

To create a secure culture, personalized training programs that address the specific risks and roles within an organization are also essential. All employees face individual challenges when it comes to cyber threats – managers and employees with company cell phones, for example, are exposed to greater dangers than interns. The sector in which a company operates also significantly impacts the type of risks that need to be managed. Healthcare, banking, and the public sectors are particularly vulnerable.

An effective strategy of personalized training considers the specific role of each employee. For example, managers who frequently use business cell phones will need training sessions that educate them on the risks of mobile threats and how to deal with them properly. In contrast, interns may only need to learn basic cyber security principles. Tailoring training content to everyone’s unique challenges and security awareness will not only make learning more effective but also more engaging. According to research conducted by Towards Maturity, 77% of learners seek content relevant to their work. Therefore, this behavior-based approach focuses on the employees, addresses their unique challenges, and delivers content specific to their roles, profiles, and awareness levels.

But personalized learning is only one piece of the puzzle. To further engage and motivate safer behavior, it’s essential to provide specific tools tailored for this purpose. Here, practical tools like reporting tools have proven to be particularly valuable by minimizing interaction with malicious attacks and thus sustainably improving security practices within the company. For example, employees with access to the SoSafe Phishing Report Button show a 30% lower interaction rate with phishing emails than those without this functionality. That means attacks are less likely to lead to success with this contextual feature. There are other demonstrable benefits to having a reporting button feature:

A graphic illustrating the "Impact of the Phishing Report Button," showing a 38% increase in e-learning adoption rate and a 25% increase in module completion rate.

Motivation: Elevating cyber security awareness with engagement

A strong cyber security culture is not just about using the right tools and technologies. It is about creating an atmosphere where every employee is actively engaged, wants to be part of the security culture, and is eager to develop and actively defend the organization. The importance of motivation in developing such a safety culture is enormous, even if it is not easy to measure. Motivation is a multi-layered concept that manifests itself in the progress, efforts, and performance of employees.

Employee motivation to engage in cyber security efforts significantly increases when leaders take the initiative and exemplify security as a fundamental value. This leadership-by-example creates a solid foundation for an overarching security culture and motivates everyone in the company to contribute to the organization’s protection. It sends a clear message that security is a priority and must be taken seriously by all.

On top of that, gamification has proved to be another powerful tool, as it transforms traditional, often tedious learning into an engaging experience. The positive effects of gamification in e-learning can be seen in several key aspects:

  • Interest and participation: Interactive e-learning modules that incorporate gamification elements make the learning process more engaging and compelling than traditional presentation styles. By integrating elements like points, badges, and leaderboards, learners are encouraged to actively participate. This approach leverages the natural human propensity for competition and reward, thereby increasing interest in the content and encouraging ongoing engagement.
  • Determination: Gamification reinforces determination by setting clear goals and milestones for learners to achieve. Progress is often made visible, which motivates learners to pursue their goals and reach the next level or challenge in the training program. This sense of advancement and accomplishment fosters learners’ goal-oriented behavior and persistence.
  • Stronger connection to the learning material: Gamification enhances the connection to learning material through interactive scenarios that allow for the application of learned concepts in simulated, game-like environments. By actively solving problems and making decisions within a game that mimics real work tasks, employees can develop a deeper connection to the material and retain it better. Engaging with the material in a playful manner leads to a deeper understanding and better practical application of knowledge.

By incorporating elements from computer games into learning processes, cyber security topics become more accessible and enjoyable, fostering continuous learning. Moreover, an immersive learning experience that provides instant feedback helps employees quickly correct and learn from their actions while rewards along the way bolster their motivation. In essence, to cultivate a culture of cyber security, it’s essential to transform learning into an experience that’s both educational and enjoyable, ensuring that motivation and security awareness grow hand in hand. Our own product data supports this: Immersive storytelling and deep gamification increase user engagement to 54%.

Graph on the average activation rate in months since start.

Behavior: Embedding cyber vigilance as a reflex

All of this comes down to the most essential part of a strong security culture: secure behavior. Habits protect your organization, such as locking the screen when leaving a desk, reporting security incidents to IT, and checking emails for suspicious content. But fostering these daily digital habits strongly depends on the other three dimensions.

Only if employees have knowledge of information security, learn in the right context, and are intrinsically motivated will they reliably maintain secure habits. In a dynamic cyber threat environment, a holistic approach is essential; selective measures alone are not enough. Focusing on one of the dimensions exclusively or checking off compliance requirements with a single on-site presentation on security aren’t successful anymore in the dynamic threat landscape that we find ourselves in today.

Instead, decisionmakers should use insights from all dimensions of the Behavioral Security Model to adapt their awareness program so that safe habits become second nature for employees. To learn more about these dimensions and why measuring security behavior pays off, read our Behavioral Security white paper.

Behavioral Security

Read the report

Explore the intersection of information security and behavioural science - and the benefits of measuring behavioral change.

Executive engagement in cyber resilience

All the measures and dimensions above will lose momentum if there isn’t a strong force at the top leading the change. Survey data shows a significant contrast in security awareness within companies, depending on the importance given to cyber risks by the leadership: 71% of security experts who believed their top management is highly aware of cyber risks rated the security awareness in their organization as much higher than those who believed their top management lacks awareness (48%). This disparity underscores the need to effectively communicate security risks to the executive teams and also make them responsible for the security culture in their organizations.

Therefore, it’s important to keep an open mind about both educating and training leaders and making changes to board structures, like adding more specialized roles in cyber security.  

But taking cyber security seriously goes beyond merely understanding the risks. It also requires weaving it into the core of the organizational strategy. To achieve this, cyber security discussions must permeate boardrooms by inviting security professionals to participate and together align cyber defense mechanisms with overarching business goals, allocate the necessary resources, facilitate change, and establish clear lines of accountability.

A quote by Dr. Stefan Lüders, Computer Security Officer at CERN, about the varying awareness of cyber security importance between individuals and groups, and the recognition of the criticality of computer security.

Cultivating cyber resilience with SoSafe’s behavioral security approach

We’ve seen how establishing a strong security culture within an organization is crucial in the age of escalating cyber threats. But to create such a culture, it is crucial that employees have relevant knowledge, are trained in the right context, are motivated to get involved, and adopt secure behavior as a daily routine. These elements are essential for the development of a robust security culture. In addition, leadership commitment is critical to strengthening the organization’s cyber security resilience and serving as a role model for the entire workforce.

SoSafe supports organizations in the practical implementation of the four key dimensions of the Behavioral Security Model, whereby cyber security e-learning sharpens the security skills of everyone through personalized, gamified e-learning modules.  Our real-life phishing simulations also include detailed walkthroughs designed by learning experts, making the training more effective. When combined with ongoing learning, these simulations help employees develop secure habits in their daily work. As these habits become routine, the risk to the organization lowers, and the ability to quickly respond to incidents increases.  

With tools such as the Phishing Report Button, SoSafe enables employees to effectively put their knowledge into practice, actively contributing to the protection of the entire organization. On top of that, our Risk & Reporting Cockpit simplifies communication with an interactive dashboard that translates complex data into actionable insights.

SoSafe’s platform is more than just a tool for awareness; it’s a comprehensive solution for managing security culture. It focuses on reducing risks caused by human error and building a strong, proactive approach to security.

Do you want to stay ahead of the cyber game?

Sign up for our newsletter to receive the latest cyber security articles, events, and resources. No spam, only content that truly matters.

Newsletter visual

Product Premiere:
The Human Risk OS™

Shape the future of human risk management

Join us on May 23rd as we introduce the Human Risk OS™ and other exciting product innovations and updates, taking security awareness and learning experience to the next level and enabling you to create a positive security culture

Register now