The Security Learning Curve: 9 Stages for Security Behaviour Change
The 9 stages of the Security Learning Curve help organisations move beyond basic compliance, driving lasting behavioural change and reducing human-related cyber risks. Discover how to embed secure habits and create a resilient security culture.
2024-12-22
The human element remains one of the most significant challenges in cybersecurity. Research consistently shows that most cyber incidents are tied to human error, making human risk management a critical area of focus. According to the 2024 Data Breach Investigations Report by Ventures, the human element was a factor in 68% of breaches.
- Vishing Attacks: Keepnet found that 70% of organizations have been victims of fake phone calls (vishing), with vishing attacks costing an average of $14 million per year per organization. This highlights the growing threat of voice phishing and the urgent need for targeted training.
- Phishing Trends: Phishing simulations conducted by Keepnet reveal that 90% of successful breaches begin with targeted phishing emails. These insights stress the importance of regular testing and awareness campaigns.
- Security Behavior Metrics: Data shows that companies with integrated behavior monitoring reduce human errors by over 40%. This proves the value of continuous behavior tracking and feedback loops.
The path to mitigating these risks lies in transforming security behaviors and fostering a robust security culture. Leveraging data-driven strategies, organizations can implement effective security awareness and behavior programs to drive meaningful change.
This blog post explores the Security Learning Curve, a framework designed to help organisations drive meaningful security behaviour change and foster a resilient security culture.
The Security Learning Curve: Insights from Hielscher
The Security Learning Curve consists of nine stages that individuals must pass through to fully embed secure behaviours. Unlike traditional awareness programs that focus solely on compliance and basic training, this approach targets deeper behavioral transformation.
For example, instead of merely teaching employees about phishing, it involves immersive simulations and interactive exercises to help them internalize secure practices. This method ensures employees consistently apply secure behaviors, fostering resilience against evolving threats.
Most mainstream awareness products focus on only four stages, often emphasizing compliance. By addressing all nine stages, organizations can cultivate a robust security culture that equips employees to recognize, prevent, and respond to emerging threats effectively.
For instance, a mid-sized healthcare organization saw a 50% improvement in employee response times to simulated threats and reduced compliance violations by leveraging all nine stages.
The 9 Stages of the Security Learning Curve
The Security Learning Curve outlines a comprehensive path to transform employee behaviours and embeds secure practices. By progressing through these nine stages, organizations can move beyond basic compliance and achieve lasting behavioral change.
1. Security Hygiene
This phase involves foundational security measures implemented within the framework of an organisation's security policies. Feasibility checks and policy adjustments may be necessary to align with workplace goals.
Example: Ensuring basic cyber hygiene practices like regular software updates and secure configurations.
2. Information
Once awareness of risks has been raised, organisations need to specify the secure behaviours employees should follow to avoid or manage these risks.
Example: Providing security awareness training on password security to inform employees of best practices.
3. Sensitising
This stage focuses on making employees aware of specific threats, risks, and potential consequences for the organisation.
Example: Using phishing or voice scam simulations to help employees experience and understand risks firsthand.
4. Understanding
Building a systematic understanding of threats and risks beyond specific secure routines equips employees to handle novel, "not-yet-trained-for" risks.
Example: Real-life simulations and security training that includes exams, surveys, and tests to deepen knowledge.
5. Agree: Concordance
This stage involves creating mutual agreements between employees and management. Behaviour change is more effective when employees commit to achievable goals.
Example: Engaging employees through surveys, interviews, and feedback sessions to ensure buy-in.
6. Believe: Self-Efficacy
Employees must believe in their ability to adopt new behaviours. Confidence-building through training and support is key.
Example: Role-playing exercises to practice handling scenarios like tailgating in a non-confrontational manner.
7. Implementation: Concordance
Employees must consciously replace old routines with new secure behaviours. Tools and reminders help facilitate this shift.
Example: Password management tools that remind employees to change passwords regularly and suggest strong options.
8. Embedding: Intentional Forgetting, Repetition, Nudging
New secure behaviours need to be repeated frequently to become embedded. Companies should decommission old behaviours and remove triggers for them.
Example: Using nudges like screen savers, posters, and infographics to remind employees of their commitment to secure routines.
9. Secure Behaviour
At this stage, secure behaviours become second nature. Employees consistently apply them without conscious effort.
The Impact of a Comprehensive Security Learning Curve
By addressing all nine stages, organisations can foster a culture where secure behaviours are fully integrated into daily routines. For example, a global financial services company implemented phishing simulations, real-world security scenarios, and gamified training modules across all nine stages.
Within a year, they observed a 60% reduction in phishing-related incidents and improved employee confidence when tackling novel cybersecurity threats.
This phased approach, combining foundational awareness campaigns with advanced simulations and interactive feedback, demonstrates how a holistic strategy can significantly strengthen an organisation's security posture.
How Behavioral Change Occurs
Behavioral change, particularly in the realm of cybersecurity, does not occur overnight. Research indicates that replacing insecure habits with secure ones requires repetition and time. Studies show it takes approximately 28 days for a new behavior to become routine.
This timeframe is significant because it reflects the period required for the brain to form new neural pathways, replacing old habits with new ones. Organizations can apply this knowledge by designing training programs that emphasize repetition, providing consistent reinforcement over these 28 days to help employees internalize secure behaviors. Repeated exposure, reinforcement, and context-specific support are essential to achieve this transformation.
As Ozan Ucar, CEO of Keepnet, emphasizes:
"Providing information alone is not enough. To truly replace insecure behaviors, organizations must engage employees through structured programs, continuous feedback, and practical reinforcements. For instance, a structured program could include weekly interactive workshops that address specific cybersecurity threats, followed by personalized feedback reports for each employee. This approach ensures continuous learning and allows employees to track their progress, fostering confidence and motivation to adopt secure behaviors. It is about building habits, not just awareness."
To support employees in this journey, organizations need to:
- Reinforce behaviors through regular training sessions.
- Utilize real-world simulations and gamified learning experiences.
- Provide consistent feedback and measurable progress insights.
The 28-day principle, combined with structured reinforcement strategies, lays the foundation for lasting behavioral change in cybersecurity.
How Keepnet Helps Organizations Build Security Behavior Programs
Keepnet provides comprehensive tools and services designed to help organizations of any size navigate the stages of the Security Learning Curve. Here’s how Keepnet aligns with these stages to deliver impactful security behavior programs:
- Awareness Stage:
Keepnet’s phishing simulations and risk assessments identify vulnerabilities, creating a baseline for understanding security risks.
Interactive training modules educate employees on recognizing common cyber threats like phishing and vishing.
- Comprehension Stage:
Role-specific training content ensures that employees grasp the implications of cybersecurity in their day-to-day roles.
Resources like infographics, videos, and case studies deepen understanding by connecting concepts to real-world scenarios.
- Behavior Change Stage:
Gamification features, including leaderboards and rewards, encourage employees to consistently practice secure behaviors.
Regular feedback based on behavioral metrics helps employees improve and stay engaged with the program.
- Culture Integration Stage:
Leadership dashboards offer insights into program effectiveness, ensuring alignment with organizational goals.
Keepnet’s automated onboarding solutions introduce new hires to targeted training, pr
With Keepnet, organizations can not only improve security awareness but also foster lasting behavioral change that integrates seamlessly into their culture. For more details on how Keepnet supports building security behavior programs, explore these resources: Risky Security Behaviors in the Workplace, 10 Employee Behaviors That Increase Enterprise Cybersecurity Risk, and What Is a Security Behavior and Culture Program (SBCP).
Conclusion
A data-driven approach to security behavior change is essential for modern organizations aiming to mitigate human risk. By leveraging insights from the Security Learning Curve, adopting targeted strategies, and measuring impact through analytics, businesses can drive lasting change. Incorporating AI and continuous feedback loops ensures these programs remain dynamic and effective, ultimately embedding security into the organizational culture.
Prioritize human risk management by investing in robust security awareness and culture programs today. The transformation of employee behavior is not just a goal—it’s a necessity in the evolving landscape of cybersecurity.