Articles

Practical advice, expert perspectives, and applied guides on building security culture, managing human risk, and running effective Champions programmes.

Human Psychology 10 Apr 2026 15 min

The Biases That Hack Your People

This is Part 2 of a four-part series. Part 1 introduced dual process theory and the knowledge-behaviour gap. This article maps specific cognitive biases to the attack techniques that exploit them, and examines how the same biases affect security professionals as well as the users they protect. Parts 3 and 4 cover intervention design and measurement.

Human Psychology 23 Mar 2026 5 min

Your Users Are Not the Enemy

This is Part 1 of a four-part series on behavioural science for cybersecurity practitioners. It introduces the foundational theory that explains why people behave insecurely despite knowing better, and why the security industry's default response has been so persistently ineffective. Parts 2, 3 and 4 cover cognitive biases, intervention design, and measurement, respectively.

Human Psychology 15 Dec 2025 5 min

Your 2026 Security Culture Game Changer

If you are looking for a single, high-leverage move to strengthen your security culture in 2026, build (and genuinely enforce) a cyber psychological safety policy. Not a poster. Not a slogan. A clear organisational mandate that tells your people, in plain terms, that raising security concerns, reporting mistakes, and admitting uncertainty will be met with fairness, support, and learning, not blame.

Human Psychology 19 Sep 2025 5 min

Phishing Training Is Broken. Here’s the Behavioural Fix.

Despite years of simulations and mandatory e-learning, phishing continues to succeed. Why? Because too many organisations treat phishing simulations as a one-off training exercise rather than a behavioural challenge. Clicking “next” on an annual training module doesn’t rewire the habits and decision-making shortcuts that attackers exploit every day.

Human Psychology 12 Sep 2025 5 min

The Cyber Tribe: Group Identity and Cybersecurity Behaviour

Beneath the firewalls and encryption layers lies a far older human force: our need to belong. This drive for group identity, which has shaped societies for millennia, now shapes how we behave online. This is where cybersecurity meets anthropology, a lens that helps us understand why people in digital spaces form “cyber tribes” and how these tribal affiliations influence behaviours, risk perception, and even compliance with security practices.

Human Psychology 29 Jul 2025 5 min

When Security Feels Like Surveillance

As cyber threats become more sophisticated, organisations are coming under increasing pressure to monitor employee activity more closely. From detecting insider threats to preventing data leaks, behaviour monitoring has become a standard security policy within many organisations.

Human Psychology 23 Jul 2025 5 min

The Confidence Trick Never Died – It Just Went Digital

What do con artists from the 1800s and modern-day hackers have in common? More than you think. While the tools have changed, the tactics haven’t. Welcome to the age of digital deception.

Human Psychology 9 Jun 2025 9 min

Dark Psychology in Cybersecurity

While technical vulnerabilities remain important, attackers increasingly exploit human vulnerabilities through methods rooted in dark psychology: the use of manipulation, coercion, and deceit to influence behaviour for malicious gain. These tactics operate in the shadows, undetected by firewalls, unnoticed by endpoint protection, and strike at the core of human decision-making.

Human Psychology 2 Jun 2025 5 min

Do One Thing To Change Everything

From a behavioural and human factors perspective, there’s one critical ingredient that matters more than any tool, training module, or policy: Psychological safety. This may sound surprising in a world dominated by technical controls, but here’s the truth: without psychological safety, even the most sophisticated cybersecurity systems are undermined by silence, fear, and inaction.

Human Psychology 16 May 2025 5 min

Using Behavioural Boosting to Enhance Security Resilience

Global organisations face unique challenges due to scale, diversity, and varying maturity levels in their cybersecurity cultures. Behavioural boosting, a cognitive empowerment approach derived from behavioural science, offers a promising pathway to enhance resilience systematically and sustainably. However, a realistic approach recognises that not all employees will actively engage in ongoing microtraining, necessitating a hybrid approach.
