Introduction

In an increasingly complex cybersecurity landscape, traditional security measures alone are insufficient. Global organisations face unique challenges due to scale, diversity, and varying maturity levels in their cybersecurity cultures. Behavioural boosting, a cognitive empowerment approach derived from behavioural science, offers a promising pathway to enhance resilience systematically and sustainably. However, a realistic strategy recognises that not all employees will actively engage in ongoing microtraining, which necessitates a hybrid approach combining boosting with nudging, at least in the short to medium term.

What is Behavioural Boosting?

Behavioural boosting focuses on equipping individuals with the cognitive tools and competencies required to independently make effective decisions (Hertwig, Michie, West, & Reicher, 2025). Unlike nudging, which subtly encourages temporary behaviour changes, boosting develops intrinsic motivation, enhances self-efficacy, and fosters enduring behavioural improvements.

Strategic Position of Boosting in Cybersecurity Maturity

Boosting fits best in the intermediate to advanced stages of cybersecurity maturity. Initially, organisations typically establish basic security hygiene through compliance training and foundational awareness. As maturity progresses, boosting becomes strategically important:

  • Foundational Stage: Compliance-based education and basic awareness through nudging.
  • Intermediate Stage: Introduction of boosting alongside continued nudging to cultivate intrinsic motivation and deeper cognitive engagement.
  • Advanced Stage: Integration of boosting with continuous behavioural measurement, analytics, and adaptive resilience strategies, complemented by ongoing nudges for those less proactively engaged.

Boosting strategically serves as a bridge, transitioning organisations from a compliance-driven culture to a resilience-focused, proactive cybersecurity practice, while nudging ensures continuous engagement of less proactive employees.

Over time, as more employees adopt the boosting approach, the impact on organisational social norms strengthens, gradually reducing the number of employees requiring nudging. Longer term, as the security culture matures and becomes embedded within organisational norms, new recruits are more likely to possess or rapidly develop intrinsic security awareness, further decreasing the need for continuous nudging.

Benefits of Behavioural Boosting

  1. Enhanced Decision-Making: Boosting equips employees with frameworks and mental models to identify, evaluate, and mitigate cyber threats independently.
  2. Improved Resilience: Employees become proactive, capable of responding adaptively to dynamic and complex threats.
  3. Intrinsic Motivation: Fosters lasting behavioural change through self-driven commitment rather than enforced compliance.
  4. Cultural Responsiveness: Boosting is adaptable to various cultural contexts, crucial for global organisations.
  5. Reduced Risk Exposure: Empowered employees significantly decrease vulnerability to threats like phishing, insider threats, and social engineering.

Drawbacks and Challenges of Behavioural Boosting

  1. Resource Intensity: Effective boosting requires tailored content and sustained engagement, demanding considerable upfront investment.
  2. Cultural Barriers: Different cultures perceive risk differently, complicating standardised implementation across diverse geographies.
  3. Measurement Complexity: Quantifying the impact of cognitive empowerment and intrinsic motivation is challenging and requires sophisticated analytics.
  4. Slow Initial Results: Unlike the immediate outcomes of compliance training, boosting’s results emerge gradually, making short-term justification difficult.

Implementation Framework for Behavioural Boosting and Nudging

Step 1: Baseline Assessment

  • Evaluate current cybersecurity behaviours, maturity levels, and responsiveness to training.
  • Identify gaps in employee knowledge, capabilities, cultural responsiveness, and willingness to engage proactively.

Step 2: Design and Tailoring

  • Develop culturally sensitive, role-specific microlearning modules and simulation scenarios.
  • Incorporate decision-making frameworks such as “Stop-Think-Check-Act.”
  • Design complementary nudges, including timely reminders, alerts, and prompts, tailored to less engaged or more passive employees.

Step 3: Deployment via Champions

  • Deploy Security Champions trained explicitly in behavioural boosting and nudging techniques.
  • Champions act as mentors, social influencers, and advocates who actively reinforce practices culturally and socially.

Step 4: Continuous Reinforcement

  • Leverage social network analysis to identify and support influential Champions.
  • Provide ongoing, adaptive microlearning and simulations, evolving content based on emerging threats.
  • Continuously deliver nudges alongside boosting to maintain engagement among passive participants.

Step 5: Measurement and Adaptation

  • Use behavioural analytics to track engagement, behavioural changes, and responsiveness to nudges and boosts.
  • Continuously refine interventions based on data-driven insights, balancing boosting with appropriate nudging.

Role of Security Champions in Supporting Hybrid Approaches

Security Champions serve as critical enablers in hybrid behavioural approaches:

  • Act as role models demonstrating resilient behaviours.
  • Promote boosting techniques through peer interactions and provide supportive nudges.
  • Provide contextual feedback to refine both boosting and nudging initiatives.
  • Facilitate cultural integration of security behaviours across diverse organisational landscapes.

Conclusion

Behavioural boosting represents a strategically vital step in maturing global cybersecurity resilience. However, its success depends on recognising that not all employees engage equally. A hybrid approach, combining behavioural boosting with complementary nudging, provides comprehensive coverage, enhancing organisational resilience while accommodating diverse engagement levels. With robust support from Security Champions, this combined approach ensures widespread and sustainable security behaviours.


References

Hertwig, R., Michie, S., West, R., & Reicher, S. (2025). Moving from nudging to boosting: Empowering behaviour change to address global challenges. Behavioural Public Policy, 1–12. https://doi.org/10.1017/bpp.2025.9