Most security culture programmes stop at awareness. CyBehave applies the COM-B model and Behaviour Change Wheel to diagnose why people behave the way they do - then designs interventions that last.
We do not invent new theory. We apply established, validated frameworks to a context - cybersecurity - that has historically relied on intuition and awareness campaigns instead.
The foundational behaviour change framework developed by Susan Michie et al. at UCL. COM-B explains why people behave as they do by analysing what they can do (capability), what their environment allows (opportunity), and what drives them to act (motivation). Every pulse survey, intervention, and training module in Heroes maps back to COM-B.
Built on COM-B, the Behaviour Change Wheel provides a structured method for selecting and designing interventions. The Heroes Intervention Designer uses a five-step BCW-aligned workflow to diagnose deficits, select matched techniques, and build actionable improvement plans.
Rather than applying a generic catalogue of behaviour change techniques, CyBehave has developed its own Behavioural Change Taxonomy - drawing on established behavioural science literature, including the work of Michie et al., to build a structured set of techniques specifically validated for cybersecurity contexts. This means the interventions recommended in Heroes are not just theoretically grounded - they are mapped to the specific behaviours, motivations, and environmental conditions that drive security risk in real organisations.
People are profoundly influenced by what they perceive others around them to do and approve of. Security Champions work precisely because they shift perceived norms within a team - making secure behaviour feel normal, expected, and socially reinforced rather than exceptional or effortful.
Intrinsic motivation produces far more durable behaviour change than extrinsic compliance pressure. The Heroes platform is designed around SDT principles - Champions develop genuine competence and connect with a meaningful identity, not just tick boxes to satisfy a policy requirement.
Organisations with high psychological safety see dramatically higher voluntary incident reporting. The Champions programme is designed to build exactly this kind of trust between security teams and the wider workforce - so reporting feels safe, not risky.
The COM-B model is not just referenced in Heroes - it is built into the architecture. Every pulse survey question maps to a COM-B dimension. Every intervention recommendation draws from the CyBehave Behavioural Change Taxonomy. Every training module is grounded in dual-process theory.
This means your Champions programme is always applying the right lever - whether the deficit is in capability, opportunity, or motivation - rather than repeating the same awareness activity and hoping for different results.
As autonomous AI systems become integral to digital infrastructure, the question of behavioural risk expands beyond human actors. CyBehave is developing frameworks for understanding and managing the behavioural risks posed by agentic AI systems - where objectives and reward functions replace intentions and motivations, but the analytical approach remains grounded in the same scientific principles.
Driven by intentions, motivations, cognitive biases, social pressures, and capability gaps. Addressed through the COM-B model, Champions programmes, and culture design.
Driven by objectives, reward functions, training data distributions, and emergent behaviours. Addressed through alignment frameworks and governance structures that parallel human risk management.
CyBehave Heroes applies COM-B and the Behaviour Change Wheel to your Security Champions programme.