7 domains. 30 competencies. 5 proficiency levels. Select your role to see recommended target levels across each competency.
Can explain basic behavioural terms using provided materials but struggles to apply them to cyber scenarios.
Identifies simple capability, opportunity and motivation barriers for straightforward behaviours with guidance.
Independently conducts behavioural diagnosis for defined security behaviours and selects appropriate models such as COM-B or Social Learning Theory.
Integrates multiple behavioural theories to explain patterns across incidents and programmes and adapts models to the organisational context.
Sets the organisation's behavioural diagnostic approach, mentors practitioners and contributes to external thought leadership or research.
Recognises common bias names such as authority or scarcity when given examples.
Can spot obvious bias patterns in phishing or scam content and describe them to others.
Systematically analyses user journeys and incidents for cognitive biases and recommends simple countermeasures.
Designs interventions that directly address specific biases and tests different framings or decision aids.
Advises senior leaders on bias in strategic decisions and codifies guidance on bias-aware security design.
Understands the basic idea of habits and nudges at a conceptual level.
Suggests small reminders, prompts or default settings to encourage simple secure actions.
Designs habit formation strategies for key behaviours including cues, routines and rewards and integrates them into processes.
Works across teams to embed secure defaults and nudges into products, workflows and tooling and evaluates long-term habit formation.
Leads the overall organisational strategy for secure habits and choice architecture and shares proven patterns across multiple contexts.
Is familiar with basic terms such as survey, interview, experiment and observation.
Supports simple data collection activities following a defined protocol and understands the importance of consent and anonymity.
Designs and runs small-scale behavioural studies or pilots, selects appropriate methods and draws cautious conclusions.
Plans more robust evaluations with control or comparison groups where feasible and accounts for common validity threats.
Leads complex behavioural research programmes, partners with academic or data science teams and publishes or shares evidence-based insights.
Can list key human-driven threats such as phishing, social engineering and insider mistakes.
Describes in simple scenarios how attackers exploit people in common attacks.
Translates technical threat intelligence into human behaviour stories tailored to different audiences.
Anticipates how new technologies and business changes will create new human attack paths and advises on mitigations.
Shapes the organisation's human threat narratives and influences external communities on emerging human-centric threats.
Recognises that human behaviour is part of overall cyber risk but not how it maps to frameworks.
With support, maps simple behaviours such as password reuse to controls or categories in frameworks like NIST CSF or ISO 27001.
Consistently expresses behavioural risks in terms of likelihood, impact and control effectiveness within existing risk registers and frameworks.
Integrates human risk systematically into cyber and enterprise risk processes and reporting.
Influences how risk frameworks and regulators treat human factors and represents the organisation in external risk discussions.
Understands at a high level what key security controls do from a user perspective.
Can describe obvious user frictions created by specific controls when prompted by examples.
Collaborates with control owners to identify usability and workflow issues that drive workarounds or non-compliance.
Works with product, UX and engineering teams to redesign controls and processes so that secure behaviour is usable and low effort.
Sets standards for human-centred control design and ensures usability considerations are embedded in control governance.
Reads incident reports but focuses mainly on technical causes or user error labels.
Starts to identify simple behavioural and contextual contributors in incidents when prompted.
Conducts incident reviews that systematically surface behavioural, system and cultural contributors without blame.
Establishes just culture-oriented incident learning processes that feed into behavioural risk assessments and interventions.
Shapes organisational norms for learning from incidents and shares approaches externally as good practice.
Has basic awareness that behavioural data can be sensitive and must be protected.
Follows defined rules for handling behavioural or monitoring data and flags concerns to senior staff.
Defines ethical and compliant use cases for behavioural data across tools such as training platforms, phishing simulations and system logs.
Designs a coherent behavioural data strategy with clear governance, transparency and safeguards.
Chairs or advises on ethics and data use forums for human risk data and adapts strategy to new laws or societal expectations.
Reports basic activity metrics such as training completion and phishing click rates when asked.
Understands the difference between activity metrics and risk-relevant indicators and can explain limitations of simple measures.
Designs balanced metric sets that include leading indicators, behaviour measures and relevant cultural indicators aligned to risk outcomes.
Embeds human risk metrics into regular management information and decision processes and iteratively refines them.
Sets the organisation-wide approach to human risk measurement and influences external discussions on meaningful metrics.
Uses standard dashboards and reports but struggles to interpret them without guidance.
Performs basic sorting, filtering and simple analysis to answer straightforward questions.
Combines multiple data sources to identify patterns and segments and presents clear visual insights for stakeholders.
Works with data specialists to develop more advanced analyses or simple models that inform targeted interventions.
Leads complex analytical work on human risk, sets analytical standards and translates sophisticated findings into strategic decisions.
Recognises that informal networks and influencers exist but not how to identify them.
Can name key influencers in their own area based on observation.
Uses simple network or relationship mapping techniques to identify potential Security Champions and influence points.
Applies social network analysis concepts to design or optimise Champion networks and intervention routes.
Sets the organisation's approach to influence mapping and collaborates with specialists to refine network-based strategies.
Understands that interventions should be based on behavioural diagnosis but requires templates and step-by-step guidance.
Uses basic COM-B style templates to identify barriers for a single behaviour and suggests simple interventions such as training or reminders.
Conducts structured diagnosis and designs coherent intervention packages using Behaviour Change Wheel functions and APEASE-style criteria.
Integrates organisational constraints and multiple levers into a multi-channel intervention plan with feedback and measurement loops.
Owns and evolves the organisation's standard method for behavioural intervention design and mentors others in its use.
Delivers standard training material created by others with little adaptation.
Adapts existing content to audience needs and includes simple scenarios or examples.
Designs learning experiences that target specific behaviours using adult learning principles and spacing or reinforcement.
Builds blended learning and practice journeys that integrate with campaigns, nudges and local coaching.
Sets learning design standards for behavioural cyber risk and oversees a coherent curriculum across the organisation.
Sends out standard security messages and notices as provided.
Tailors basic language and channels for different groups while keeping core messages intact.
Crafts messages that use framing, social proof and clear calls to action to promote desired behaviours.
Designs multi-touch communication strategies that build shared norms and narratives around secure behaviour.
Acts as a trusted advisor on security communication to senior leaders and shapes the overall security story for the organisation.
Recognises that interface and process design affect user behaviour but cannot yet specify changes.
Suggests simple prompts or reminders in existing tools when asked about improving behaviour.
Works with product and process owners to embed secure defaults, prompts and checks into user journeys.
Leads cross-functional initiatives that redesign workflows and interfaces to make desired behaviours easy and mistakes less likely.
Defines patterns and guidelines for secure choice architecture that are reused across products and services.
Participates in delivery of interventions planned by others and completes assigned tasks.
Manages small pilots or local rollouts with support and documents basic lessons learned.
Plans and manages end-to-end delivery of behavioural interventions, including stakeholder engagement and risk management.
Designs and oversees scaling of proven interventions across multiple business units or geographies, adapting to local context.
Leads a portfolio of behavioural programmes and ensures a coherent, prioritised and sustainable change roadmap.
Is aware that security culture can be assessed but has limited experience with tools or methods.
Administers standard culture surveys or focus groups following guidance and helps summarise responses.
Selects and applies culture assessment tools, interprets results and identifies key themes for action.
Designs multi-method culture assessments and maturity models and links findings to strategy and programmes.
Owns the organisation's security culture assessment approach and benchmarks performance internally and externally.
Attends meetings with stakeholders and shares updates when asked.
Identifies key stakeholders for specific initiatives and conducts basic engagement activities.
Develops engagement plans, tailors messages and gains support or resources for behavioural risk initiatives.
Builds coalitions across functions and levels, negotiates trade-offs and maintains long-term sponsorship.
Acts as a strategic influencer on human risk with senior executives and external partners, shaping agendas and priorities.
Understands the purpose of Security Champions or similar networks in general terms.
Supports Champion activities locally or participates in Champion events.
Designs or manages a Champion network, including selection, enablement and basic governance.
Optimises the network using behavioural and network insights, defines clear roles and measures impact.
Defines the organisational model for Champions and peer networks and evolves it as part of wider security culture strategy.
Recognises that people need to feel safe to speak up about issues but sees it mainly as a general HR topic.
Encourages colleagues not to fear reporting mistakes and avoids blaming language in their own communication.
Co-designs processes, communications and policies that support non-punitive reporting and learning from incidents.
Works with leaders to embed psychological safety behaviours and just culture principles into everyday practice and governance.
Acts as a key voice on psychological safety for cyber, influences policy and models behaviours that support trust and openness.
Understands that leaders influence security behaviour but focuses mainly on their own individual tasks.
Provides leaders with simple talking points and asks them to reinforce specific messages.
Coaches leaders on specific behaviours that support secure culture and helps integrate them into routines.
Develops and delivers leadership development elements focused on behavioural cyber risk and measures leadership impact.
Advises executive teams on their role in security culture, aligns leadership development and performance management with behavioural expectations.
Reads and applies security policies but rarely questions their design.
Provides feedback on policy clarity from a user perspective and suggests small improvements.
Collaborates in rewriting or creating policies and standards so they are behaviourally realistic and clear.
Leads policy and standard design for key human risk areas and ensures alignment with behaviour change strategies.
Sets principles and templates for behaviourally informed policy design and influences wider organisational policy practice.
Follows existing rules about monitoring and behavioural interventions and escalates any concerns.
Recognises ethical tensions in monitoring or influence techniques when they are pointed out.
Conducts basic ethical impact assessments of behavioural initiatives and monitoring proposals.
Establishes and maintains ethical guardrails, consultation processes and transparency practices for human risk initiatives.
Acts as a recognised authority on ethics in behavioural cyber risk and engages with external bodies or regulators as needed.
Attends governance or steering meetings when requested and shares status updates.
Tracks actions and risks for small initiatives and reports into existing governance forums.
Designs governance structures for behavioural programmes that integrate with cyber and operational risk governance.
Chairs or co-chairs governance forums for human risk, ensuring clear priorities, escalation paths and assurance.
Embeds human risk governance into the organisation's overall risk and performance framework and adjusts as strategy evolves.
Uses assigned tools and platforms following instructions.
Provides user feedback on tools and contributes to basic requirements lists.
Defines behavioural and functional requirements and participates in vendor evaluation and selection.
Leads selection and integration of tools into a coherent human risk ecosystem and evaluates their performance.
Sets long-term strategy for human risk tooling and manages key supplier relationships at a strategic level.
Accepts most claims at face value, particularly from senior people or vendors.
Starts to question bold claims and looks for basic evidence when prompted.
Reviews research or vendor material for methods and limitations and prefers evidence-based approaches.
Systematically appraises evidence, compares options and communicates balanced recommendations.
Leads the organisation's stance on evidence-based behavioural practice and contributes to broader knowledge bases.
Occasionally reflects on what went well or badly but does not record or structure learning.
Responds constructively to feedback and can describe some lessons learned from past work.
Maintains regular reflective practice, identifies patterns in own behaviour and adjusts approach.
Encourages reflective practice within teams and integrates it into ways of working, especially around incidents.
Models high standards of reflective and ethical practice and shapes the culture of learning and integrity in the human risk function.
Works mainly within own function and engages others when asked.
Participates in cross-functional meetings and respects other perspectives.
Proactively builds relationships with functions such as HR, legal, IT, risk and communications to deliver joint outcomes.
Leads cross-functional initiatives that reconcile different priorities and creates shared ownership of behavioural risk.
Acts as a trusted integrator across disciplines and shapes organisational structures or forums to support ongoing collaboration.
Shares useful resources informally with close colleagues.
Presents work informally in team meetings or internal communities when asked.
Regularly shares case studies, tips and lessons learned internally through appropriate channels.
Organises or leads internal communities of practice on behavioural cyber risk and encourages contribution from others.
Represents the organisation in external forums, publishes or speaks on behavioural cyber risk and brings external insight back inside.
The Heroes Training Academy structures Champion development around the Framework domains.