I started smoking when I was 14 and quit smoking when I was 34. At the end of that time, I was up to about three packs a day. I have now been cigarette-free (not including walking into any coffee shop in Croatia) for 15 years. I quit cold turkey. This is not a story about me being a paragon of virtue or about quitting smoking. No, this is a story about changing behavior.
Avoid Checkbox Exercises
As security professionals, we are tasked with teaching our employees about security. Too often, though, this turns into a checkbox exercise, where we send out educational videos once a year along with HR training. In theory, this meets the security training requirement. But does it make a difference?
On the other hand, some security teams implement Red Team exercises that frustrate employees. For instance, an elaborate phishing campaign might catch Kate in Finance just before the quarterly close, ruining her flow state and frustrating her at a crucial time. Now Kate doesn’t want to talk to us, and our attempt at “training” may have backfired.
Both approaches fail to change behaviors meaningfully. They may even undermine security culture.
Teaching People Knowledge Doesn’t Change Their Behavior
If we’re serious about security, we need training that doesn’t just check a compliance box but changes behavior. As we all know, employees are the first line of defense. Some say they’re the weakest link; others say they’re the strongest defense. Both are true, and that’s why we need to understand employee behaviors to harness their strengths and mitigate weaknesses.
People are ingenious
And no, I don’t mean attackers—I mean your employees. Employees are innovative and will naturally find ways to work faster—even if it means sidestepping security protocols that get in their way. I once had a CEO who would write his complex 16-character password on a Post-it note on his computer screen so that he and his admin could log in as needed. This wasn’t secure, but he had passed his security training, and we’d pass our Big 4 external audit every year.
People are helpful
If you search YouTube for “Get into anywhere with a ladder,” you will see a bunch of people doing just that—often with security helping to hold doors open for them. There’s also this great video showing voice phishing (vishing). These videos capture people’s willingness to help and how this trait can be manipulated. And for those of us who have been to DefCon and seen the social engineering village, we know that people want to help, and companies want helpful employees. This highlights the importance of changing behaviors, not just teaching security.
What dictates behavior
Many theories and even advanced degrees are available on this subject. I recommend Daniel Kahneman’s Thinking Fast and Slow and Taking a Deep Dive into the Art of Neuro-linguistic Programming (NLP). However, for the purposes of this blog, the answer is habit, context, and framing.
To improve your employee security training, you need to exploit how people learn and adopt behaviors.
Habit
In essence, habits are behaviors repeated so often that they run on experience rather than attention. Have you ever driven from home to work (back when we used to do such things) and not remembered the drive? The route is so rote that you no longer notice it, and your mind drifts to other thoughts.
Implemented
Encourage small habitual behaviors instead of just hoping people will remember complex security protocols. George Finney’s book Well Aware—Master the 9 Security Habits to Protect Your Future offers useful tips, like “frowning while reading email,” to create a subtle sense of scrutiny. Repeated behaviors like these integrate security practices into employees’ daily activities.
Context
But driving isn’t always so rote. On days with detours, heavy traffic, or poor weather, your focus shifts, and you’re more attentive to the road. The context around you has changed, and your attention to the drive has heightened.
Implemented
Security training should similarly create contexts that encourage employees to stay vigilant. Instead of surprise phishing attempts that may frustrate employees, try regular, smaller tabletop exercises. Discuss current events or industry incidents with employees, highlighting how similar threats could impact your organization.
Do you use Slack in your environment? Share with your users how it’s been used in cyber attacks. Was there a recent breach in your industry (probably)? Tell your company how you avoided being the target. Teach them about the current security news and get them to understand how they fit into that picture. Show them all the highway accidents as you drive by them and get their alert radars up as they navigate their daily workload.
This continuous, reinforcing approach to training can be as shallow or deep as employees want. It starts conversations and makes security a part of daily life. It gets everyone in the company thinking about how prevalent security is and developing different processes to enhance security at your company (that you and your team didn’t think of). You 10xed your security department at the low, low cost of being interesting!
Framing
Then there’s framing, like when your car breaks down, and now someone else—your partner, Uber, whoever—is driving you to work. Suddenly, you’re paying more attention to the drive and the GPS route because the perspective has changed.
Implemented
This one I think is the most impactful and the least done. Back to my quitting smoking: When you are a smoker, you have friends who are smokers, too—it’s the rules. So when my friends would tell me they were going for a cigarette break, I didn’t say, “I’m trying to quit.” Instead, I’d say, “I don’t smoke.” This retrained my brain and how I thought of myself. “I don’t smoke” is a truth about myself, and the more I say it and think it, the more I train my neural pathways to recognize it as a truth.
The same approach can apply to cybersecurity. Work with HR and organizational leaders to make cybersecurity part of each job description, framing it as integral to the role. Instead of considering security as an add-on, employees should consider it part of “doing their job well.” For example, someone in accounts payable might think, “My job is to watch out for attempts that could lead to fraudulent payments and pay our bills on time.” Each employee’s job should incorporate relevant security responsibilities, helping them recognize how security directly impacts their role.
By embedding cybersecurity into job functions, employees can feel a sense of pride in contributing to a secure environment. This adds a layer of “why is this important to me” to your security program education. It’s not just “I have to pass the security test, but leave my password on a Post-it on my screen.” It elevates the implementation of security into “this is how my job is done properly.”
This approach shifts employees from “weakest links” to essential defenders. It also allows you to tailor your training by job role, creating a stronger impact than a generic video on “complex passwords” ever could.
Measuring What Matters
Phishing campaigns offer one clear benefit: they provide measurable data on compliance and improvement. If you continue with these campaigns, consider using behavior-driven tools targeted to specific users and user behavior profiles rather than broadly testing everyone with generalized training.
The habit-, context-, and framing-based strategies I’ve described are measurable too. One method I’ve used is to measure the number of security-related contacts or outreach interactions between security and employees. My staff was required to initiate two outreach interactions per week while we tracked how many people in the company reached out to us. Employees who initiate conversations or report concerns reflect a growing security awareness, which helps gauge overall engagement and the effectiveness of your training program.
Conclusion
When everyone in the company understands that security is part of their role, it strengthens the security posture of the entire organization. Behavioral changes like these can foster a strong security culture, making the workforce a cohesive line of defense.
The moral here is that like quitting smoking, building a secure organization isn’t about willpower alone. It’s about creating the habits, context, and framing that make behavior automatic.
Hadas Cassorla, JD, MBA, CISSP has a lot of letters after her name, but the three letters she cares the most about are Y-E-S. Marrying her improv and legal background into technology and business, she helps organizations build strong, actionable and implementable security programs by getting buy-in from investors, the boardroom and employees. She has founded her own business, Scale Security Group, and has built corporate security offices from the ground up.