CybSafe’s CEO and founder Oz Alashe unpacks why your colleagues keep missing the point on behavioral risk – and what to do about it
Who we are affects how we take in information and learn new skills.
Of course it does. That’s hardly revolutionary, right?
And (shocker) when interventions align with who we are as individuals, we’re more likely to take them on board. In other words, personal interventions are more effective.
It’s a whole thing. Head to our essential guide to get up to speed:
But here’s the problem: Surprisingly few of us understand the mechanisms behind this. Or how to use them in cybersecurity.
This blog takes a look at 3 big behavioral change techniques (BCTs) that you need to know about:
Why do they work? And how exactly do they help make a big impact on people’s security awareness and skills?
And…what does a vintage planning hack have to do with it?
We get it. Do you really need more acronyms floating around in the alphabet soup of your brain?
Yes (#sorrynotsorry). As part of our 2023 Cyber Security Quirks study we put three BCTs under the microscope.
We assessed if and how risk message (RM), behavioral practice (BP) and action planning (AP) impacted people’s security behaviors.
And the results were eye-opening! Take these nuggets for instance:
That’s why you should care.
When personalized interventions incorporate RM, BP, and AP, the result is improvements in people’s cybersecurity behaviors.
RM x BP x AP = where the magic happens.
Enough preamble. We’re about to dig into what the big three BCTs are, how they work, and what makes them so useful.
No prizes for guessing that risk message is all about…yep, delivering messages about risks.
Specifically, we’re talking about personalized messages about potential cyber risks.
Risk messages tell people about specific threats they might face online, emphasizing the importance of vigilance.
This technique aims to raise awareness and provide insights into the individual's unique risk landscape, enabling them to make informed decisions about their actions.
By shaping a message to individual contexts, RMs serve as a crucial tool for bolstering online safety consciousness.
Behavioral practice involves guided exercises to enhance practical cybersecurity skills.
It’s about translating theoretical knowledge into actionable behaviors, which encourages people to actively engage in secure practices.
BP focuses on turning knowledge into routine habits. Over time it improves someone’s ability to implement secure practices in real-world scenarios. Practice makes progress.
Behavioral practice offers a hands-on approach to cybersecurity, enabling people to develop practical skills in a controlled environment, before it matters.
This technique reinforces better security behaviors. It’s the training dojo where theoretical knowledge becomes actionable habits. And that can make all the difference in defense.
Right, let’s hit the brain-fizzing stats, shall we?
How CybSafe does it
Speaking of practical skills, CybSafe GUIDE and PHISH both provide hands-on exercises tailored to individual cybersecurity needs. So whether it's identifying phishing attempts or beefing up passwords, CybSafe helps people to actively engage in building and applying their cybersecurity skills.
Action planning is a structured approach to cybersecurity goal-setting.
It helps individuals plan and implement specific security measures, breaking down the overall security strategy into manageable steps.
AP is about converting intentions into actions. By setting clear goals and providing a roadmap for implementation, it supports individuals in taking proactive steps to enhance their cybersecurity.
Action planning provides a structured framework for individuals to set clear cybersecurity goals and implement proactive security measures. By offering a step-by-step approach, AP gives better goal clarity, making it easier for people to integrate cybersecurity practices into their daily routines.
Vintage tip: It’s an oldie but a goodie! Assuming you haven’t just woken up from a forty-year cryosleep, you will have heard about SMART goal setting. Chances are you’ve used it too. SMART stands for specific, measurable, achievable, relevant, and time-bound.
The concept’s been around forever (alright, 1981) because it really works.
So, don’t forget to keep it in mind when crafting any action-planning opportunities.
Tomato. Mozzarella. Basil. These components work beautifully together, and so does this trio of BCTs. They form a comprehensive and personalized approach to cybersecurity. And they can address both awareness and hands-on skill development.
That’s the what and the why. What about the how?
By now, you might be wondering which specific factors in cybersecurity strategies are worth personalizing.
Based on the Cyber Security Quirks report's insights, here are a few places to focus your personalization efforts:
Tailor interventions to guide individuals on creating strong and secure passwords. Emphasize techniques like using three random words for password generation.
Address misconceptions and concerns related to two-factor authentication (2FA). Offer clear explanations of how 2FA functions, and encourage people to try it out on a few accounts initially.
Clarify the benefits and address misconceptions surrounding password management strategies, such as browser-saving or password manager applications. Encourage gradual changes and provide information on the security of these strategies.
Influence false beliefs by explaining 'why' and 'how' specific cybersecurity advice is the most secure option. Provide information that helps individuals understand the rationale behind cybersecurity recommendations.
Raring to go with your organization’s cybersecurity awareness personalization? Hold your horses! Implementing ALL the personalization, all the time, everywhere is not it.
Burnout and overwhelm are not the way. This is all about playing the long game.
Some personalization is better than no personalization. So start small by personalizing across one or two factors. Here are some factors to consider:
How CybSafe does it
CybSafe RESPOND provides actionable insights, allowing organizations to tailor their response plans based on real-time data and user behaviors.
There’s a lot more personalization gold in the full Cyber Security Quirks report, by the way. Not only will you want to read it, but you’ll want to share it with the team.
Oh, and if you’re curious about how CybSafe’s products make security awareness personalization easier, you can book a demo (personalized—obvs 😉).