There is a quiet contradiction at the heart of most security functions. They exist because people are the most consequential variable in organisational risk, yet they are staffed, trained and measured almost entirely in terms of technology. The result is a profession highly fluent in controls and architecture, and largely self-taught, if taught at all, in the science of why people behave the way they do under pressure, deadline and deception. That gap was tolerable when the threat moved at human speed. It is becoming dangerous now that it does not.

The argument here is not that technology expertise matters less. It is that behavioural expertise has become a peer discipline, and that the teams who fail to build it are about to find themselves managing a risk they do not have the language, methods, or practitioners to address.

A function still solving the wrong half of the problem

Walk into most security operations, and you will find genuine depth on the technical side. Detection engineering, threat intelligence, cloud posture, identity architecture, all of it served by specialists who have spent years acquiring hard-won expertise. Then look at how the same function handles human risk. More often than not it is delivered through an annual training module, a phishing simulation platform, and a communications calendar, run by people who are skilled and committed but who were never trained in behavioural science and were never expected to be.

This is not a criticism of individuals. It is an observation about how the discipline grew up. Security inherited its identity from engineering and from compliance, and it built its competencies accordingly. The behavioural side was bolted on later, framed as awareness, and quietly treated as the soft, secondary work that anyone could pick up. The consequence is a structural imbalance. We have applied our most sophisticated expertise to the technical layer of risk and our least developed expertise to the human layer, despite knowing that the human layer is where the majority of incidents now originate.

The gap shows up in predictable ways. Programmes that measure knowledge and completion rather than behaviour, because measuring behaviour requires methods that the team was never given. Interventions chosen by intuition and vendor pitch rather than by behavioural evidence. A reflex to answer every human problem with another tool, because tooling is the language the function actually speaks. None of this is failure. It is the natural output of a capability that was built lopsided, and it is precisely the imbalance that artificial intelligence is about to exploit.

Why AI turns a tolerable gap into an urgent one

For most of the last decade, the behavioural shortfall in security was a slow leak rather than a rupture. The attacks that exploited human behaviour were limited by human effort. A convincing pretext took time to craft. A persuasive phishing lure required a degree of skill. Social engineering at scale was constrained by the number of skilled social engineers an adversary could field.

Artificial intelligence removes that constraint. The capability to manufacture persuasion, fluency, urgency and authority, the precise psychological levers that move human behaviour, is now abundant and cheap. The adversary is, in effect, industrialising the exploitation of behavioural science, while the defender still treats behavioural science as optional. That is the asymmetry that should concern security leaders most. It is not that AI gives attackers new technical capabilities, though it does. It is that AI lets attackers operate fluently in the human domain that defenders have underinvested in for years.

This is where the wider thesis of my work becomes practical rather than abstract. In Behavioural Convergence Theory, and further developed in Singularity, I argue that the technological and behavioural singularities are not separate events but a single, entwined process, accelerating together as our systems and -evolve. The singularity is not a future event we are waiting for. It is a present condition we are co-authoring. For a security function, the implication is concrete. You cannot defend the human layer of an AI-shaped threat landscape with a capability designed for an era when human-targeted attacks were slow and scarce. The defending expertise has to converge with the threat, and at present, it is being left behind.

A team that remains stuck on technology problems and technology solutions will keep buying detection for a threat whose centre of gravity has moved into human judgement, trust and decision-making. The tooling will catch some of it. The rest will land where the function has the least expertise to respond.

The evolution of behavioural science in security, and how far it still has to travel

It would be unfair to suggest nothing has changed. Over the past several years, a genuine behavioural movement has emerged within security. Human risk management has entered the vocabulary. A small number of organisations have hired behavioural scientists, established dedicated human risk roles, and begun applying models such as COM-B, the Behaviour Change Wheel, and choice architecture to the design of their programmes. The language of behaviour is no longer entirely foreign to the profession.

But honesty about the scale of this is important. The behavioural cohort within security remains very small and very thinly spread. For every organisation with a trained behavioural practitioner, there are many more where the entire human risk programme rests on the goodwill and instinct of a security awareness lead who has read widely but has never been formally developed in the discipline. The expertise exists, but it is concentrated in a handful of teams and individuals, and it is nowhere near the density an organisation needs to operate confidently at scale. We have proof of concept. We do not have distribution.

This matters because the threat is not waiting for the discipline to mature at its current pace. The gap between the small number of teams building real behavioural capability and the large number still relying on technical instinct is widening, and AI is the accelerant. Closing it through the slow accretion of specialist hires alone is not realistic. There are not enough behavioural scientists in the security market to staff every function that needs one, and there will not be for years. Scaling the capability, therefore, cannot mean scaling headcount. It has to mean scaling expertise itself, building knowledge, skill and judgement into the practitioners already in post.

How the capability actually gets built

If recruitment cannot solve this on its own, what does? The honest answer is that behavioural capability is built the way any genuine expertise is built, through a combination of training, mentoring and applied experience, sustained over time rather than delivered as a one-off.

Training establishes the foundations. A security awareness lead does not need a doctorate in psychology, but they do need fluency in the core models that explain and predict behaviour, and the methods that turn those models into interventions. This is learnable, and it is the part most organisations skip, assuming that good intentions and common sense will substitute for method. They do not. A practitioner who can identify the behavioural mechanism underlying a problem and select an intervention based on evidence rather than instinct is operating at a different level from one who improvises.

Mentoring and coaching turn knowledge into judgement. Behavioural science applied to a live security programme is full of contextual decisions that no training course can fully prepare you for: which behaviour to target first, how to read a culture, when an intervention is failing and when it simply needs more time. This is where access to behavioural expertise, on demand and in context, accelerates a practitioner from theoretical understanding to confident practice far faster than trial and error alone.

Experience consolidates the capability. Each cycle of diagnosing a problem, designing an intervention, measuring the result, and iterating builds the practical wisdom that distinguishes an expert from a novice. The organisations that scale fastest are the ones that compress this loop, giving their people the support to run it often and to learn from each pass.

The barrier, for most, is access. Training is available, but the mentoring and the in-context expert judgement, the parts that genuinely accelerate capability, have historically required a behavioural scientist on staff, which brings the conversation back to a resource most teams cannot obtain. The question that matters for the next few years is therefore a practical one. How do you give a security team expert-level behavioural support, continuously and in context, without making it dependent on a hire that the market cannot supply at scale?

How CyBehave is approaching the challenge

This is the problem we built Athena to solve. Athena is an expert partner in behavioural cybersecurity, designed to give a security team the depth of a behavioural scientist without requiring one on staff. It is grounded in CyBehave's research and frameworks, draws on established models such as COM-B, the Behaviour Change Wheel, EAST, choice architecture, and others, and makes the source of each recommendation transparent, so the team learns the discipline as it works rather than simply being handed answers.

Crucially, Athena is calibrated to where a programme actually stands. It begins with a structured maturity intake across six dimensions: programme structure, leadership sponsorship, champion network, measurement, intervention capability, and culture and communication, scored from absent through to optimising. That profile means a team at the very beginning and a team refining a mature programme receive genuinely different advice to the same question, with realistic next steps rather than sophistication they are not ready to use. From there, it produces a staged development plan, a roadmap with first interventions and the measures that prove impact, and it calibrates every later conversation to the programme as it grows.

Athena maps directly onto the way behavioural capability is genuinely built. It provides the training foundation through models and transparent reasoning, the mentoring through expert guidance available on demand and in context, and the support for experience through diagnosis, intervention design and iteration across the behaviour-change lifecycle. It will not replace the slow, valuable work of growing human expertise, and it is not meant to. It is meant to put a behavioural-security expert within reach of every team that needs one, so the discipline can scale at the pace the threat now demands.

The security functions that thrive over the next few years will be the ones that finally build behavioural expertise to sit alongside their technical depth, and do so before the AI-shaped threat makes the gap impossible to close. The capability is buildable. The only real question is whether you start before the divide widens, or after.

Athena is coming in late Summer 2026. Stay tuned for more information.

#Athena #BehaviouralCybersecurity #BehaviouralCoaching