An open letter to CISOs & Security Leaders

15 April 2025

The human side of cybersecurity is evolving. Fast.
But there’s a good chance you might be stuck in the past.

You probably have well-established views on security awareness, culture, and human risk.
You genuinely believe they matter.

But if we’re being honest – you mostly pay lip service to them.

And it’s not your fault. You mean well. You probably believe you’re doing what’s best.
But most of what’s being done today has little to no impact on actual people-related cyber risk.

Let’s be real.

For most organizations, security awareness training is treated as an administrative control.
Its stated purpose? Something like:

“To reduce human risk by influencing behavior, improving vigilance, and minimizing the likelihood of risky actions (e.g. falling for phishing, misconfiguring access).”

It’s embedded in frameworks like ISO 27001, NIST SP 800-53, and CIS Controls.
It shows up in every security strategy under some vague banner like “awareness, education, and training.”

So far, so predictable.

You know that tick-box training isn’t enough.
That’s why you’ve added simulated phishing – maybe to satisfy insurance requirements, maybe to feel a little more in control.

But deep down, you’ve been conditioned to believe that training + education + phishing simulations = effective security controls and mitigated human risk.

The evidence? Weak.

Your whole mental model (and approach to the human aspect of cybersecurity) is built on the unspoken dogma that “if users understand, care, or know enough – they will behave securely”.

Here’s the uncomfortable truth:
Behavior doesn’t change with knowledge alone.
And if behavior doesn’t change, your risk hasn’t either.

SAT completion rates and phishing click reports might look good on paper.
But they tell you very little about your real-world risk exposure.

You keep investing time and money into security education, believing it’s an effective control.
Because you’re busy. Because it’s familiar. Because it’s what everyone does.

But let me say this clearly:

Better awareness ≠ better behavior
Talking about culture ≠ reducing risk
Simulated phishing metrics ≠ meaningful insight

So if knowledge ≠ behavior change, why is the default security team response usually to subject the workforce to more learning and education?

You’re not alone in making this mistake. It’s easy to confuse activity with impact.

Take a hard look at your current reporting:
Still relying on phishing click rates, report rates, and training stats?
Then you’re still in the old world.

Your team might say they’re focused on “security behaviors.” But chances are, they’re lumping together behaviors, attitudes, and vague notions of “culture.”
They’re trying. They care. But they’re stuck.

The good news? The world is changing.

What’s driving the shift?

  • Security leaders want proof—not intentions. Measurable impact, not effort.
  • Behavioral science and evidence-based practice are replacing assumptions.
  • Telemetry and analytics are showing us where risk actually lives.
  • Automation enables real-time, personalized intervention—at scale.
  • There’s increasing pressure to prove business value, not just run training programs.

The best teams aren’t treating people as the weakest link.
They’re treating people as dynamic, context-dependent actors in the security ecosystem.

They’re not just raising awareness.
They’re using data, automation, and behavioral science to understand, measure, and reduce human risk.

Let’s call it what it is:
A shift from security awareness training to human risk management.

Old world:
SAT programs aim to educate users. They’re compliance-driven. Centered on communication, not outcomes. Focused on knowledge, not behavior.

New world:
Human risk management starts with the belief that knowledge alone isn’t enough.
It’s a mindset shift. A strategy shift. A technology shift.

It uses data to pinpoint risky behaviors in real time.
It uses automation to deploy personalized, adaptive interventions.
It reduces incidents, lightens workloads, and frees up your team to focus on what matters.

This isn’t semantics. Despite what the pessimists, doomerists and cynics say.
It’s a fundamental evolution in how we protect our people—and our organizations.

Because in today’s world, knowing isn’t enough.
Understanding and influencing behavior is the new frontier in cybersecurity.

If you remember nothing else, remember these four things:

  1. Knowledge ≠ behavior change, so don’t just default to more training, education or comms. Consider more effective interventions.
  2. You must focus on and measure individual security behaviors – or accept you have no idea whether you’re being effective.
  3. Move beyond phishing simulations. Many other behaviors contribute to incidents – don’t ignore them.
  4. Your workforce needs timely, relevant support. Give it to them.

The future of cyber risk reduction isn’t more training.
It’s smarter intervention, powered by science, data, and automation.

It’s time to evolve.
Are you ready?
