Why most security culture programmes fail, and what the evidence tells us actually works

The cybersecurity industry has spent two decades trying to "change culture" through awareness training, phishing simulations, and policy mandates. The results speak for themselves: human factors remain implicated in over 70% of breaches, and most organisations report little meaningful improvement despite significant investment.

The problem isn't effort. It's the sequence.

Culture doesn't change directly. You cannot mandate it, train it into existence, or wish it into being through posters and screensavers. Culture is an emergent property: the collective residue of thousands of individual behaviours, repeated until they become normalised, then institutionalised. Understanding this sequence is the difference between programmes that transform organisations and those that simply consume budget.

The Behaviour-Norm-Culture Cascade

Lasting security culture change follows a predictable cascade, and each stage operates on fundamentally different timescales and requires different interventions.

Stage One: Behaviour Change (Weeks to Months)

Individual behaviour is where all culture change begins, and where most programmes prematurely end. The modern, evidence-based approach to behaviour change draws on decades of behavioural science research, most notably the COM-B model developed at University College London.

COM-B tells us that behaviour occurs when three conditions align: Capability (the knowledge and skills to perform the behaviour), Opportunity (the environmental and social factors that enable it), and Motivation (the reflective and automatic processes that energise and direct it). Miss any one of these, and the behaviour won't occur reliably.

This is why awareness training alone fails. Knowledge addresses only psychological capability, one small segment of a much larger system. Someone might know they shouldn't reuse passwords, but without the right tools (physical opportunity), supportive peer behaviour (social opportunity), and genuine belief that it matters (reflective motivation), knowing changes nothing.

The modern approach:

Effective behaviour change interventions are designed systematically. They begin with behavioural diagnosis, identifying precisely which COM-B components are deficient for a target behaviour in a specific population. Only then are intervention functions selected: education, persuasion, incentivisation, coercion, training, restriction, environmental restructuring, modelling, or enablement. Each maps to specific COM-B deficits.

Timeframe: Individual behaviours can shift within 4 to 12 weeks with well-designed interventions. However, this is behaviour change, not habit formation. The behaviour requires continued support and reinforcement.

Stage Two: Habit Formation (Months)

A behaviour performed once, or even repeatedly under external pressure, is not yet a habit. Habits are behaviours that have become automatic, triggered by contextual cues rather than conscious deliberation. This automaticity is what makes habits powerful: they persist without requiring ongoing motivation or attention.

The neuroscience is clear: habit formation requires consistent repetition in stable contexts. Each repetition strengthens the neural pathways between cue and response, gradually shifting the behaviour from the prefrontal cortex (deliberate processing) to the basal ganglia (automatic processing).

Research by Phillippa Lally and colleagues at UCL found that habit formation takes, on average, 66 days, but with significant individual variation ranging from 18 to 254 days. Complexity matters: simple behaviours automate faster than complex ones.

The modern approach:

Design for automaticity from the start. This means identifying stable cues that can trigger the desired behaviour, reducing friction for the target behaviour while increasing friction for competing behaviours, and providing consistent reinforcement during the formation period. Implementation intentions ("if X happens, I will do Y") dramatically accelerate habit formation by pre-loading the cue-response link.

Timeframe: 2 to 8 months for individual habits, depending on complexity and individual variation.

Stage Three: Norm Emergence (Months to Years)

When enough individuals within a group adopt a behaviour, something qualitatively different begins to emerge: a norm. Norms are shared expectations about how people should behave, and they carry social weight that individual behaviours do not.

Norms operate through two mechanisms: descriptive norms (perceptions of what others actually do) and injunctive norms (perceptions of what others approve or disapprove of). Both matter, but research consistently shows that descriptive norms are more powerful drivers of behaviour. We are, at our core, social creatures who look to others to calibrate our own conduct.

This is why visible behaviour matters so much. Security behaviours that happen invisibly, such as private password practices and individual decisions about link clicking, struggle to become normative because people cannot observe them. Making secure behaviours visible, discussable, and socially rewarded accelerates norm formation dramatically.

The modern approach:

Norm formation requires reaching a critical mass of adopters. Research suggests this tipping point occurs somewhere between 25 and 40 percent of a population, though it varies by context. Strategic targeting matters: early adopters and social influencers (not necessarily formal leaders) have disproportionate impact on norm emergence. Security Champions programmes, when properly designed, function as norm-seeding mechanisms.

Social proof must be authentic. People are remarkably adept at detecting manufactured consensus, and perceived manipulation backfires. The goal is to make genuine adoption visible, not to fabricate the appearance of adoption.

Timeframe: 6 to 18 months for norm emergence, assuming sufficient adoption velocity and visibility.

Stage Four: Culture Crystallisation (Years)

Culture is what remains when you stop actively managing behaviour. It's the set of shared assumptions, values, and practices that have become so deeply embedded they feel like "just how things are done here." Culture is self-perpetuating: it shapes the behaviour of newcomers, survives leadership transitions, and resists deliberate change efforts.

This is both its power and its danger. A strong security culture provides resilience that no technology can match. It adapts to novel threats, fills gaps in formal controls, and operates even when no one is watching. But culture's resistance to change means that weak security cultures persist despite massive investment, and toxic cultures can survive multiple transformation attempts.

Culture crystallises when norms become institutionalised, embedded in hiring practices, promotion criteria, rituals, stories, and physical environment. At this stage, the culture begins reproducing itself, socialising new members into existing patterns without requiring explicit instruction.

The modern approach:

Culture change is not a project with a completion date. It's an ongoing process of reinforcement, adaptation, and renewal. The organisations that sustain strong security cultures treat culture as a strategic capability requiring continuous investment, not a problem to be solved and forgotten.

Leadership behaviour is disproportionately important during crystallisation. Leaders who visibly embody security behaviours signal that these behaviours are valued at the highest levels. Leaders who exempt themselves, who bypass controls, ignore policies, or treat security as someone else's problem, can undermine years of progress with a single visible act.

Timeframe: 2 to 5 years for meaningful culture shift, with ongoing maintenance required indefinitely.

The Missing Strategic Layer

Here's the uncomfortable truth: most organisations attempting security culture change are operating blind.

They launch interventions without proper behavioural diagnosis. They measure activity (training completion rates, simulation click rates) rather than genuine behavioural and normative change. They have no mechanism for detecting whether behaviours are converting to habits, whether norms are emerging, or whether culture is actually shifting. They cannot identify which populations are progressing and which are stuck, or diagnose why.

This isn't a criticism of security teams. It's a reflection of the tools available to them. Traditional awareness platforms were built to deliver content and track completion, not to provide strategic intelligence on human risk and cultural trajectory.

The industry needs something different: a strategic layer that transforms fragmented human risk signals into coherent, actionable intelligence. A system that can diagnose COM-B deficits at population level, track the progression from behaviour through norm to culture, identify intervention opportunities with precision, and measure what actually matters, not what's easy to count.

This is exactly what we've been building.

PRISM (People Risk Intelligence for Security Maturity) is a platform that represents a fundamentally different approach to measuring and transforming security culture. It's designed from the ground up on behavioural science evidence, providing the strategic intelligence layer organisations need to move beyond activity metrics toward genuine cultural insight.

We're not ready to reveal everything yet. But PRISM is coming, and it will change how organisations understand and transform their security culture.

The Path Forward

The sequence is clear: behaviour precedes norms, norms precede culture, and each stage requires different approaches operating on different timescales. Organisations that understand this sequence, and have the strategic intelligence to navigate it, will build security cultures that provide genuine resilience. Those that continue launching disconnected awareness initiatives will continue achieving disconnected, temporary results.

The science exists. The frameworks exist. What's been missing is the strategic layer that connects insight to action at organisational scale.

That's about to change.