A six-stage behavioural change framework built purely for cybersecurity. Specify, Hypothesise, Intervene, Embed, Learn, Diffuse, with sustainment engineered into every turn of the cycle. Every stage grounded in published evidence, every source cited.
Most security awareness programmes measure attention, not action. People complete training, pass quizzes, and then reuse passwords, click links and share credentials because the conditions surrounding the behaviour never changed. The evidence on this is not new: awareness campaigns routinely fail to change behaviour because knowing what to do and doing it are separated by motivation, workload, habit and environment[3], and users make rational trade-offs inside systems that were never designed with their limits in mind[1].
SHIELD is not a general behaviour change model with security examples bolted on. Every stage addresses conditions that are distinctive to security behaviour: the behaviour is secondary to the primary task, the benefit is invisible when it works, the cost falls on the individual while the gain falls on the organisation, and the threat adapts. Five principles underpin the framework, and each constrains what a legitimate security behaviour programme is allowed to do.
Nobody comes to work to be secure. They come to close deals, treat patients, ship code. Much rejection of security advice is economically rational: the time cost of following it often exceeds the loss it prevents[9]. Employees hold a finite compliance budgetThe finite reserve of time and effort employees will spend on security before they start cutting corners. Every security ask draws it down, and it does not refill by asking harder., a reserve of effort they will spend on security before they start cutting corners[4]. Any programme that ignores the budget will exhaust it.
The gap between awareness and action is one of the most replicated findings in behavioural science, and security is no exception[3]. Behaviour occurs when capability, opportunity and motivationA behavioural diagnosis model: behaviour happens only when Capability (can they do it), Opportunity (does the environment allow and encourage it) and Motivation (do they want to, consciously or by habit) are all present at once. converge[13], or when motivation, ability and a prompt coincide at the same moment[8]. Training addresses capability only. The other components must be engineered.
People act on threat messages when they perceive the threat as real and believe their response will work[17]. When threat is high but efficacy is low, they control the fear rather than the danger, through avoidance, denial or fatalism[22]. Threat information belongs in a behaviour programme only when paired with a clear, achievable, effective action.
Where the environment can be changed, change the environment[20]. Making the secure path the default path will outperform any poster campaign, because it removes the need for a decision at all. Applied ethically, choice architectureDesigning environments and defaults so the secure option is the easiest one, removing the need for a conscious decision at all. is a legitimate and well-mapped security lever[15].
Completion rates and click rates are proxies at best. Security fatigueA measurable weariness caused by too many security demands and decisions, which degrades judgement and drives risky shortcuts. is a measurable state that degrades decision quality[18], and where official security is unworkable, employees invent shadow securityThe unofficial workarounds people invent when official security gets in the way of the job. Invisible to compliance metrics, but it defines how work really gets done., workarounds invisible to the metrics[10]. Measurement must triangulate observed behaviour, validated self-report[7] and the psychological drivers behind both.
SHIELD runs as a cycle, not a project. Nothing is designed until something is diagnosed, nothing is claimed until something is measured, and nothing is scaled until something is validated. Each stage below is paired with a running worked example that follows one behaviour, verifying bank detail changes by phone, from definition through to organisation-wide rollout. Select a stage to explore it.
A behaviour programme fails at conception when its target is an abstraction. “Improve security culture” and “raise awareness” are not behaviours. A behaviour is observable, specific and situated: reports a suspicious email within four hours of receipt, verifies a payment change request by phone before actioning it, locks the workstation when leaving the desk.
Start from the organisation's actual threat picture, not a generic list. The behaviours that matter in a hospital differ from those in a software house. Established taxonomies of end-user security behaviour help separate behaviours requiring motivation work from those requiring capability work[19], and the SeBIS domains of device securement, password generation, proactive awareness and updating offer a validated structure for the personal hygiene layer[7].
For each candidate behaviour, record the risk it addresses, the population that performs it, and the moment in the workflow where it occurs. Then prioritise ruthlessly. A programme targeting three behaviours well will outperform one targeting thirty behaviours nominally, because the compliance budgetThe finite reserve of time and effort employees will spend on security before they start cutting corners. Every security ask draws it down, and it does not refill by asking harder. is spent per person, not per policy[4].
A ranked register of no more than five target behaviours per audience segment, each written as an observable action with a defined trigger moment.
The diagnostic instrument is COM-BA behavioural diagnosis model: behaviour happens only when Capability (can they do it), Opportunity (does the environment allow and encourage it) and Motivation (do they want to, consciously or by habit) are all present at once.: behaviour occurs when Capability, Opportunity and Motivation are all sufficient[13]. A deficit in any one is enough to stop the behaviour, and each deficit demands a different remedy. The diagnosis is written as a hypothesis, not a verdict, because the Learn stage will test it and the cycle depends on being able to say the diagnosis was wrong.
The social opportunity component deserves particular weight in security. Local team norms, what colleagues actually do rather than what policy says, are the strongest determinant of real practice[10]. Social proofThe human tendency to copy what visible peers do, especially under uncertainty. If nobody around you verifies requests, you are unlikely to start. explains the mechanism: people calibrate against observed peers, especially under uncertainty, and security decisions are almost always made under uncertainty[5].
Gather the evidence through mixed methods: a structured COM-B questionnaire for breadth, short interviews or team observation for depth, and existing telemetryData collected automatically by systems: clicks, logins, completions, log events. It records what happened, never why. as a cross-check rather than a source of truth. Where self-report and observed behaviour diverge, that divergence is itself diagnostic. It usually points at social desirability pressure or at shadow securityThe unofficial workarounds people invent when official security gets in the way of the job. Invisible to compliance metrics, but it defines how work really gets done. in operation.
A per-behaviour diagnostic hypothesis stating which COM-B components are deficient, with evidence, for each audience segment.
The Behaviour Change Wheel links each COM-B deficit to intervention functions that can plausibly correct it[13]. The security translation is set out below.
| Diagnosed deficit | Matched intervention functions | Cybersecurity examples |
|---|---|---|
| Psychological capability | Education, training, enablement | Scenario-based practice on real lures received by the organisation; just-in-time guidance at the point of decision |
| Physical opportunity | Environmental restructuring, enablement | One-click reporting in the mail client; password manager deployed, pre-configured and paid for; secure defaults on collaboration tools |
| Social opportunity | Modelling, enablement | Security Champions embedded in teams; leaders visibly reporting their own near-misses; team-level norms made visible |
| Reflective motivation | Persuasion, incentivisation, education | Feedback loops that show reporters what their report prevented; recognition for protective behaviour rather than punishment for error |
| Automatic motivation | Habit formation, prompts, environmental restructuring | Consistent cue-action pairing; prompts placed at the trigger moment identified in Specify |
Candidate interventions are then screened against the APEASE criteria before anything is committed: Affordability, Practicability, Effectiveness and cost-effectiveness, Acceptability, Side-effects and safety, and Equity[14]. APEASE is what stops a theoretically sound intervention that the organisation cannot afford, that the team will resent, or that quietly disadvantages one group, from reaching delivery.
Three design rules apply on top of the mapping. First, reduce cost before adding motivation: increasing ability is almost always cheaper and more reliable than increasing motivation[8]. If reporting a phish takes six clicks and a form, no campaign will fix the reporting rate. Make it one click, then campaign.
Second, design for habit, not decision. Behaviours that recur at a stable cue should be built as habits: consistent context, immediate confirmation, and repetition until automaticityThe point at which a behaviour runs on cue without conscious thought, built by repeating the same action in the same context. develops, which takes a median of 66 days and varies widely between individuals[12]. Habit change is most achievable at moments of context disruption such as onboarding, office moves and new systems, so time interventions to these windows[21].
Third, keep fear appeals honest. If a threat message is used, it must carry response efficacyResponse efficacy: the belief that the recommended action actually works against the threat. Without it, threat messages produce anxiety rather than action. and self-efficacySelf-efficacy: the belief that you personally are capable of performing the recommended action in your real working conditions. in the same breath[22]. “Criminals are targeting our payment team” is incomplete and harmful on its own. “Criminals are targeting our payment team; a thirty-second call-back on any bank detail change defeats them, and here is the number” is a legitimate intervention.
An APEASE-screened intervention specification per behaviour, stating the deficit it corrects, the mechanism it uses, the sources it draws on, and the moment it will be delivered.
Delivery lives or dies on proximity to the trigger moment. An instruction delivered in an annual module is gone within days; the same instruction delivered as a prompt at the moment of decision has a fighting chance[8]. Wherever technically possible, interventions ship inside the tools where the behaviour happens: the mail client, the code repository, the payment system.
The second delivery mechanism is people. Security Champions, respected peers inside teams who model, translate and advocate for secure behaviour, exploit the social proof and local norm effects surfaced in Hypothesise. Champion networks are one of the few practices that reliably distinguish organisations that changed behaviour from those that merely trained[2]. Champions collapse the distance between “the security team says” and “we do it this way here”. They need selection for credibility rather than seniority, genuine time allocation, direct lines back into the security function, and recognition. A Champions network run as an unfunded mailing list is theatre.
Delivery must also protect the compliance budgetThe finite reserve of time and effort employees will spend on security before they start cutting corners. Every security ask draws it down, and it does not refill by asking harder.[4]. Sequence interventions so that no audience receives more than one behavioural ask at a time, retire asks that measurement shows are now habitual, and publicly remove security requirements that Hypothesise exposed as pointless. Removing a useless control is itself an intervention: it buys back budget and signals that the security function is paying attention.
Interventions live in the workflow, a resourced Champions network, and a delivery calendar that enforces one ask at a time per audience.
The measurement layer triangulates three sources, and the triangulation is the point. Observed behaviour: reporting rates and time-to-report, verification call volumes, screen-lock compliance, credential hygiene signals, and simulation outcomes where simulations are run ethically, with no entrapment lures, no naming and shaming, and feedback in the moment. Observed data answers “what changed”. Self-reported behaviour and intention: validated instruments such as SeBIS for the hygiene domains[7], supplemented by items built for the organisation's specific target behaviours. Self-report answers “what do people believe they do”, and its divergence from observation is a finding, not a nuisance. Drivers: the COM-B diagnostic repeated at intervals to detect whether capability, opportunity and motivation are actually moving, with security fatigueA measurable weariness caused by too many security demands and decisions, which degrades judgement and drives risky shortcuts. items included[18], because a programme can improve behaviour in quarter one by methods that exhaust people by quarter three.
Set baselines during Hypothesise, define success thresholds during Intervene, and review on a fixed cadence. Treat every intervention as an experiment with a falsifiable prediction. Where the prediction fails, the hypothesis was wrong, and the cycle returns to Hypothesise rather than shouting the same message louder. Where it holds, the intervention earns its place in Diffuse.
One warning belongs here explicitly. Do not collapse this measurement layer into an individual risk score derived from telemetryData collected automatically by systems: clicks, logins, completions, log events. It records what happened, never why. alone. A score built purely from clicks and completions measures exposure and logging coverage, not the person, and steering interventions by it invites both unfairness and gaming. Scores, where used at all, should sit at team or process level and always alongside the driver data that explains them.
A behavioural dashboard per target behaviour showing observed change, self-reported change, driver movement and fatigue, against baseline and threshold, with a verdict on each hypothesis.
A pilot that worked in one business unit is evidence, not victory. Diffuse is the disciplined spread of validated interventions across the organisation, and it has its own science. Innovations spread when adopters can see relative advantage, when the change is compatible with how they already work, when it is simple to try, and when its results are observable[16]. An intervention that succeeded in the pilot because a respected team lead backed it will stall in a unit where nobody plays that role, so each wave of rollout begins with a light re-run of Hypothesise for the receiving context.
The Champions network built during Embed is the natural diffusion infrastructure. Champions function as the opinion leadersThe trusted individuals a group watches when deciding whether to adopt something new. Influence follows credibility, not the org chart. and early adopters through whom new practice reaches the majority[16, 2], which means the network map matters: a wave should land where champion coverage is strong, and gaps in coverage are addressed before rollout rather than discovered during it.
Two rules keep scaling honest. First, adapt the periphery, protect the core: local units may change the wording, the channel and the timing, but the behavioural mechanism the pilot validated is not negotiable, otherwise the evidence no longer applies. Second, meter the pace against the compliance budget[4]: a wave per audience at a time, with Learn measurement running at each wave so that decay or local failure is caught early rather than averaged away in an organisation-wide number.
A wave-based rollout plan for each validated intervention, with per-context diagnosis, champion coverage confirmed, and measurement gates between waves.
Sustainment is not a stage, it is a property of the running cycle. Initiation and maintenance are different problems with different mechanisms: changed behaviour persists through sustained motives, self-regulation skill, habit, a supportive environment and social support[11]. SHIELD engineers those conditions continuously across every stage, and the loop itself closes the register: Learn and Diffuse feed Specify on an annual cycle or after any material incident, retiring behaviours that have become habitual and promoting new ones the threat picture demands.
People who report phishing and hear nothing stop reporting. Every protective act gets a closed loop within days: what the report or call-back was, and what happened because of it. “Your call-back stopped a £48,000 diversion attempt” sustains a behaviour better than any campaign.
Lapse recovery is made cheap and blame-free. A mistaken click met with help rather than sanction keeps people inside the system instead of hiding from it[10, 1]. This is psychological safetyThe shared belief that it is safe to speak up, admit mistakes and ask questions without fear of punishment or embarrassment. Without it, incidents go unreported. applied to security, and it keeps the reporting channel honest.
Habit survives on environmental stability. Every system rollout, restructure and office move is a scheduled re-run of Hypothesise, Intervene and Embed for the behaviours it touches, because disruption is when habits break and when new ones form most easily[21].
Information security culture is the accumulated result of what the organisation repeatedly does, rewards and tolerates[6]. It cannot be declared, only earned by running the cycle consistently. Leadership behaviour is the loudest signal: an executive who verifies a payment request by phone in front of their team does more than any campaign asset.
SHIELD is a synthesis, and it is open about its parts. Each model, theory or instrument below is used at a specific point in the cycle, marked by its stage letter. The ∞ marker denotes the Sustainment Layer.
The diagnostic core: behaviour requires Capability, Opportunity and Motivation, and each deficit demands a different remedy[13].
Maps each diagnosed COM-B deficit to the intervention functions that can plausibly correct it[13].
Screens candidate interventions for Affordability, Practicability, Effectiveness, Acceptability, Side-effects and Equity before commitment[14].
Behaviour happens when motivation, ability and a prompt converge; drives prompt placement at the trigger moment and ability-first design[8].
Explains when threat messaging works: perceived severity and vulnerability paired with response efficacy and self-efficacy[17].
Explains when fear appeals backfire: high threat with low efficacy produces fear control, not danger control[22].
Employees hold a finite effort reserve for security; SHIELD paces asks, retires dead controls and meters rollout against it[4].
Secure defaults and reduced friction change behaviour without persuasion, applied within published ethical guardrails[20, 15].
Automaticity develops through consistent cue-action pairing over a median of 66 days, and context disruption is the window for change[12, 21].
People calibrate against observed peers under uncertainty; the mechanism behind local norms and the Champions model[5].
Validated practice spreads through opinion leaders when advantage is visible, adoption is compatible and results are observable[16].
A validated Security Behavior Intentions Scale providing structured self-report across the personal hygiene domains[7].
Separates behaviours needing motivation work from those needing capability work when building the register[19].
A measurable exhaustion state that degrades security decisions; tracked so gains in one quarter do not exhaust people in the next[18].
Workarounds reveal where official security is unworkable; treated as diagnostic signal rather than disobedience[10].
Changed behaviour persists through sustained motives, self-regulation, habit, environment and social support[11].
Culture as the accumulated output of repeated organisational practice, assessable and earned rather than declared[6].
The single most common implementation failure is entering at Intervene, buying an intervention because a vendor sold it convincingly, then reverse-fitting a justification. The second is scale without validation. Five behaviours, properly diagnosed, precisely intervened upon, honestly measured and then diffused, will shift real risk. Fifty behaviours addressed through content distribution will shift completion statistics. A realistic operating rhythm for a mid-sized organisation looks like this.
Six to eight weeks of behaviour definition, prioritisation and diagnosis per cycle.
Four weeks of APEASE-screened design matched to the diagnosis, with predictions set.
Continuous delivery through workflow, prompts and the Champions network.
Quarterly review of observed behaviour, self-report, drivers and fatigue against baseline.
Wave-based scaling of validated interventions, with measurement gates between waves.
Standing practice across all stages, with a full-cycle refresh annually or after any material incident.
SHIELD synthesises published behavioural science and security usability research. Everything drawn from others is cited below.
Heroes operationalises the framework: behavioural diagnosis, Champion networks, and measurement that goes deeper than click rates.