In today’s rapidly evolving digital world, changing human behaviour has become one of the most critical components in managing cybersecurity risk. Whether you’re trying to encourage secure password practices, improve incident reporting, or embed a culture of security awareness, knowing how to change behaviour is essential.

But behaviour change isn’t just about giving people more information or asking them nicely to do something different. It’s about understanding the deeper drivers of behaviour – and designing interventions that actually work.

That’s where the COM-B model and Behaviour Change Wheel (BCW) come in.

What is COM-B?

COM-B, developed by Dr. Susan Michie and colleagues, stands for:

  • Capability – Do they have the knowledge and skills?
  • Opportunity – Do their environment and social context support the behaviour?
  • Motivation – Do they want or need to do it?

Behaviour (B) occurs when Capability (C), Opportunity (O), and Motivation (M) are all present at the same time; if any one is missing, the behaviour is unlikely to happen. The three components also interact: in the model, capability and opportunity both influence motivation, so removing a practical barrier can raise motivation on its own.

What is the Behaviour Change Wheel?

The Behaviour Change Wheel (BCW), also developed by Dr. Susan Michie and colleagues, is a framework for designing behaviour change interventions that builds on COM-B.

It helps you:

  • Diagnose the behaviour using COM-B
  • Choose the right intervention functions (e.g. education, enablement, persuasion)
  • Select supporting policy categories (e.g. guidelines, regulation, communication)

The wheel sits at the centre of a systematic approach to designing targeted and effective behavioural interventions.


A diagram illustrating the Behaviour Change Wheel (BCW), showing its components including Capability, Opportunity, and Motivation at the center, surrounded by various intervention functions and policy categories.

Behaviour Change Wheel (BCW)

[Adapted from https://www.behaviourchangewheel.com/]

How to Get Started: Step-by-Step Guide

Here’s how to use COM-B and the BCW in practice.


Step 1: Define the Behaviour

Clearly identify the behaviour you want to change. Be specific about who performs it, what they do, and when, so that you can measure it later.

📌 Example: “Employees report suspected phishing emails within 1 hour of noticing them”

Step 2: Conduct a COM-B Assessment

Use the COM-B model to explore what’s enabling or preventing the behaviour.

Ask:

  • Do they have the Capability to recognise phishing?
  • Do they have the Opportunity (e.g. time, systems, social norms) to report it?
  • Are they Motivated to take action?

This diagnosis highlights what needs to change.

Step 3: Identify Intervention Functions

The BCW defines nine intervention functions. Use your COM-B findings to select the ones that address the gaps you diagnosed:

1. Education

Increase knowledge or understanding.

🔐 Example: Delivering awareness sessions or e-learning modules explaining how phishing works, what signs to look out for, and how to report it.

📌 Best for: Psychological Capability

2. Training

Imparting practical skills.

🔐 Example: Interactive simulations where employees practise spotting and reporting phishing emails, or hands-on secure coding workshops for developers.

📌 Best for: Physical and Psychological Capability

3. Persuasion

Using communication to induce positive or negative feelings that can stimulate action.

🔐 Example: Sharing compelling case studies of real-world cyber incidents and the consequences of failing to report or secure data.

📌 Best for: Reflective and Automatic Motivation

4. Incentivisation

Creating expectation of reward.

🔐 Example: Recognising teams with high secure behaviour compliance or rewarding individuals who consistently report suspicious activity.

📌 Best for: Reflective Motivation

5. Coercion

Creating expectation of punishment or cost.

🔐 Example: Policies that clearly define consequences of failing to adhere to acceptable use policies or repeated non-compliance with training.

📌 Use with caution — consider acceptability and psychological safety.

📌 Best for: Reflective Motivation

6. Enablement

Increasing means or reducing barriers to increase Capability (beyond education and training) or Opportunity (beyond environmental restructuring).

🔐 Example: Making reporting easier through one-click buttons, or implementing password managers to reduce the cognitive load of strong password creation.

📌 Best for: Capability, Opportunity, and Motivation

7. Modelling

Providing an example for people to aspire to or imitate.

🔐 Example: Using Security Champions or respected team members to demonstrate secure behaviours in everyday workflows.

📌 Best for: Social Opportunity and Motivation

8. Environmental Restructuring

Changing the physical or social context.

🔐 Example: Introducing warning banners for external emails, restructuring access to systems to enforce least privilege, or creating team norms around incident sharing.

📌 Best for: Physical and Social Opportunity

9. Restriction

Using rules to reduce opportunity to engage in risky or unwanted behaviours.

🔐 Example: Blocking access to malicious websites or disabling USB ports on devices.

📌 Best for: Physical Opportunity — but ensure acceptability and proportionality. A restriction that blocks legitimate work pushes people toward workarounds such as personal email or unmanaged devices, so pair it with an approved alternative for the task it blocks.

Step 4: Select Supporting Policy Categories

The outer layer of the Behaviour Change Wheel includes seven policy categories, which support and enable the interventions you choose. These are especially relevant when you need wider organisational or systemic support to make your intervention feasible or sustainable.

Here’s how each applies in a cybersecurity context.

1. Communication/Marketing

Using media or messaging to raise awareness.

🔐 Example: Running ongoing internal campaigns about secure behaviour.

2. Guidelines

Creating written documents or standards.

🔐 Example: Developing a behavioural security policy or secure working guidelines.

3. Fiscal Measures

Using financial levers such as incentives or penalties.

🔐 Example: Budgeting for security tools, or investing in team-based security incentives.

4. Regulation

Creating rules or principles governing behaviour.

🔐 Example: Implementing organisational policies that require specific behaviours, such as regular security training.

5. Legislation

Setting formal laws or mandates.

🔐 Example: Ensuring staff behaviours align with legal obligations such as GDPR or the NIS2 Directive.

6. Environmental/Social Planning

Changing physical or organisational structures.

🔐 Example: Restructuring onboarding processes to include secure behaviour modules from day one.

7. Service Provision

Delivering services to support behaviour change.

🔐 Example: Providing a security hotline, IT support for implementing controls, or on-demand coaching from a Cyber Champion.

Step 5: Design, Implement and Test

Build your intervention, roll it out, and measure what works. Tie your measures to the behaviour you defined in Step 1 (for the phishing example: the reporting rate and the time from noticing to reporting) so you can tell whether the behaviour changed, not just whether people attended the training. Behaviour change is rarely one-and-done; it is an iterative process that requires reflection, adaptation, and feedback.

Want to Go Deeper?

This article only scratches the surface. For a deeper dive into how to apply this framework specifically in cybersecurity, including worked examples, templates, and planning guides, check out our book:

➡️ Behavioural Change Playbook for Cybersecurity

Your practical guide to designing effective, evidence-based interventions that actually change behaviour in the digital world.