Security Behavior and Culture Programs (SBCP): What They Mean in 2026
Only 8% of organizations run a formal SBCP while 41% of employees admit bypassing security guidance. How to measure behavior, engage executives, and train beyond email.
Ozan Ucar, Founder and CEO of Keepnet
A Security Behavior and Culture Program (SBCP) is not a rebranded annual training course. It is the operating model for reducing human-driven cyber risk: executive sponsorship, behavior targets you can measure, simulations across the channels attackers actually use, and feedback loops when people bypass policy under deadline pressure.
I talk to CISOs every week who already run phishing simulations and SCORM modules. Completion rates look fine. Then an employee approves a fake invoice, shares a verification code on WhatsApp, or returns a deepfake voice callback. The program did its job on paper. Behavior did not change.
Gartner's 2025 Secure Behavior Strategies Survey (65 cybersecurity leaders, June through November 2025) puts numbers on that gap. Only 8% of organizations run a formal SBCP. 66% are still on traditional awareness. And 41% of employees admit they have intentionally bypassed cybersecurity guidance. That is the problem SBCP is meant to solve.
Key takeaways
- SBCP targets behavior and culture, not course completion.
- Most organizations still measure training completion (84% in Gartner's sample) while almost nobody tracks policy exception volume (6%).
- Phishing reporting gets priority focus from 73% of programs; deepfake recognition from 10%.
- Executive sponsorship is often passive (45% of leaders in the survey). SBCP needs visible mandates and resourcing.
- Practical design: fewer behaviors, multi-channel practice, report-rate metrics, manager reinforcement.
Three program types (and where most teams stall)
Gartner groups awareness maturity into three buckets. The labels matter because they explain why 'we already do training' is not the same as running an SBCP:
| Program type | Share of organizations | What it usually includes |
|---|---|---|
| Traditional awareness | 66% | Computer-based training, phishing simulations, risk communications |
| Engagement-enhanced | 22% | Gamification, security champions, incentives |
| Security behavior and culture program (SBCP) | 8% | Systematic executive engagement, data-driven high-risk targeting, reduced control friction, advanced platforms |
Program maturity (Gartner 2025 survey)
Traditional programs can raise awareness. They rarely change what people do on a busy Tuesday when payroll is late. SBCP is built for that Tuesday.
What to measure instead of quiz pass rates
If your dashboard stops at completion and click rate, you are optimizing compliance theater. In Gartner's sample, 84% of organizations prioritize training completion and 73% prioritize phishing metrics. Only 6% prioritize volume of policy exception requests, and 16% track specific employee behaviors known to increase risk.
| Indicator | Organizations giving it priority focus | Why it matters |
|---|---|---|
| Training completion | 84% | Easy to measure; weak link to fewer incidents |
| Phishing click/report rates | 73% | Useful, but narrow if voice, SMS, and deepfake are ignored |
| Senior leadership engagement | 40% | Culture follows visible executive behavior |
| Incidents caused by employees | 31% | Ties program work to outcomes leadership cares about |
| Risky behaviors (specific) | 16% | Focuses coaching on repeat failure patterns |
| Policy exception requests | 6% | Surfaces control friction before it becomes bypass |
Vanity metrics vs risk-relevant indicators (Gartner 2025)
We go deeper on the KPI layer in our guide to security behavior and culture metrics. Start with report rate, time-to-report, repeat-failure cohorts, and verification compliance. Those numbers survive a board conversation better than '92% completed Module 3'.
What this means for security leaders
If your board deck still leads with completion rate, you are reporting LMS activity, not risk reduction. Reframe the next quarterly review around employee-driven incident share, time to resolve, and repeat-failure cohorts. Gartner's sample shows most teams still optimize the easy exports. SBCP is the shift to metrics leadership will fund.
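To make the KPI recommendation concrete, here is an added Python example (not Keepnet's code and not the xHRM platform's API) that computes report rate, median time-to-report and a repeat-failure cohort from a simulation event log, split by channel so an email-only blind spot shows up. The event log, the field names, the outcome labels and the two-failures cohort threshold are all constructed assumptions for illustration.

```python
"""Behavior metrics from simulation events (added illustration, not Keepnet code).

Computes the indicators the text recommends over completion rate:
report rate, median time-to-report, and a repeat-failure cohort,
each broken down by delivery channel.
"""
from collections import Counter
from datetime import datetime
from statistics import median

# Assumed outcome labels. Anything in FAILURES counts as a risky action;
# "reported" is the desired behavior; "ignored" is neutral.
FAILURES = {"clicked", "submitted_credentials", "shared_code", "approved_payment"}

# Constructed sample log: (user, campaign, channel, delivered_at, outcome, reported_at).
# reported_at is None unless the user reported the message.
_ROWS = [
    ("alice", "c1", "email", "2026-01-06T09:00", "reported", "2026-01-06T09:04"),
    ("bob",   "c1", "email", "2026-01-06T09:00", "clicked", None),
    ("carol", "c1", "email", "2026-01-06T09:00", "ignored", None),
    ("dan",   "c1", "email", "2026-01-06T09:00", "reported", "2026-01-06T09:30"),
    ("alice", "c2", "sms",   "2026-01-20T10:00", "reported", "2026-01-20T10:10"),
    ("bob",   "c2", "sms",   "2026-01-20T10:00", "clicked", None),
    ("carol", "c2", "sms",   "2026-01-20T10:00", "shared_code", None),
    ("dan",   "c2", "sms",   "2026-01-20T10:00", "ignored", None),
    ("alice", "c3", "voice", "2026-02-03T11:00", "ignored", None),
    ("bob",   "c3", "voice", "2026-02-03T11:00", "reported", "2026-02-03T11:12"),
    ("carol", "c3", "voice", "2026-02-03T11:00", "shared_code", None),
    ("dan",   "c3", "voice", "2026-02-03T11:00", "clicked", None),
]
EVENTS = [
    dict(zip(("user", "campaign", "channel", "delivered", "outcome", "reported"), r))
    for r in _ROWS
]


def _pool(events, channel):
    """Filter events to one channel, or keep all when channel is None."""
    return [e for e in events if channel is None or e["channel"] == channel]


def _minutes(delivered, reported):
    return (datetime.fromisoformat(reported) - datetime.fromisoformat(delivered)).total_seconds() / 60


def report_rate(events, channel=None):
    """Fraction of delivered simulations the recipient reported."""
    pool = _pool(events, channel)
    return sum(e["outcome"] == "reported" for e in pool) / len(pool) if pool else 0.0


def failure_rate(events, channel=None):
    """Fraction of delivered simulations that ended in a risky action."""
    pool = _pool(events, channel)
    return sum(e["outcome"] in FAILURES for e in pool) / len(pool) if pool else 0.0


def median_time_to_report(events, channel=None):
    """Median minutes from delivery to report; None if nothing was reported."""
    mins = [_minutes(e["delivered"], e["reported"])
            for e in _pool(events, channel) if e["outcome"] == "reported"]
    return median(mins) if mins else None


def repeat_failure_cohort(events, min_failures=2):
    """Users who failed in at least min_failures distinct campaigns (threshold assumed)."""
    failed = {(e["user"], e["campaign"]) for e in events if e["outcome"] in FAILURES}
    counts = Counter(user for user, _ in failed)
    return sorted(u for u, n in counts.items() if n >= min_failures)


def channel_summary(events):
    """Per-channel view: the number an email-only program never sees."""
    return {
        c: {
            "report_rate": round(report_rate(events, c), 2),
            "failure_rate": round(failure_rate(events, c), 2),
            "median_ttr_min": median_time_to_report(events, c),
        }
        for c in sorted({e["channel"] for e in events})
    }


if __name__ == "__main__":
    print("overall report rate:", round(report_rate(EVENTS), 2))
    print("median time-to-report (min):", median_time_to_report(EVENTS))
    print("repeat-failure cohort:", repeat_failure_cohort(EVENTS))
    for channel, stats in channel_summary(EVENTS).items():
        print(channel, stats)
```

On the constructed log the email report rate is 0.50 while SMS and voice sit at 0.25 with twice the failure rate, and two of four users land in the repeat-failure cohort. That cohort, not the 100% "completed Module 3" figure, is the list a manager can act on; the per-channel split is what justifies testing beyond the inbox.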
Train beyond the inbox
Phishing simulations are necessary. They are not sufficient. Gartner found 73% of organizations give priority focus to phishing reporting, but only 10% prioritize deepfake recognition and reporting. Credential hygiene sits at 44%, appropriate data handling at 32%.
Attackers already moved. Voice callbacks, SMS parcel scams, QR codes in parking lots, and AI-cloned executives are routine in 2026. If your program only tests email, you are drilling for last year's breach pattern. The Verizon 2026 Data Breach Investigations Report attributes 62% of breaches to the human element. SBCP is how you shrink that surface with measurable behavior change, not annual reminders.
At Keepnet we built multi-channel simulations for that reason. Email is one lane. For program owners mapping the employee journey, see cybersecurity awareness training for employees and our phishing simulator (multi-channel, not email-only).
Executive sponsorship cannot stay passive
Culture programs fail quietly when leadership approves the budget and disappears. Gartner reports 45% of executive leaders are passive supporters of cybersecurity, 23% indifferent, and only 22% forceful advocates.
Three asks that actually move the needle:
- Visible sponsorship: the CEO or COO names security behavior in a town hall, not only the CISO.
- Performance mandates: managers measured on report quality and verification habits in high-risk teams, not on completion percentages alone.
- Resourcing: budget for simulations, nudges, and friction fixes when employees show you where controls break.
For evaluation criteria and communication tactics, see SBCP success factors and nudges for executives.
Employee-driven incidents your leadership team should quantify
Fewer than half of the organizations in Gartner's survey consistently measure the business impact of insecure behavior. Without that baseline, SBCP investment looks like soft culture spend.
| Metric | % tracking |
|---|---|
| Average time to resolve employee-driven incidents | 48% |
| Employee-driven share of all incidents | 46% |
| Incident demographics (unit, role) | 44% |
| Average cost of employee-driven incidents | 32% |
Employee-driven incident metrics (share of organizations tracking)
If you cannot answer those four questions, start there before you buy another content library. Tie the answers to human risk management so technical and awareness teams share one narrative.
Reduce control friction, or people will route around you
Employees bypass guidance when the secure path is slower than the risky shortcut. Gartner notes that most organizations still do not prioritize user experience improvements: only 35% run control pilots with employees, 34% proactively solicit UX feedback, and 26% automate controls to reduce friction.
SBCP co-designs policy with the teams who live in the workflow. Pilots, feedback loops, and automation are not nice-to-haves. They are how you earn the behavior change simulations are supposed to produce.
What SBCP design looks like on the ground
Strong programs do not try to teach everything at once. They pick the handful of decisions that drive most human risk, then reinforce with current examples and a clear reporting path.
- Choose five to seven behaviors (verify payment changes, report suspicious voice calls, handle customer data, third-party access) instead of generic 'cyber hygiene'.
- Run short modules and realistic simulations on a monthly cadence, not one annual hour.
- Measure reporting, repeat risk, and remediation behavior.
- Give team leads a role in reinforcement. Culture is local.
Accountability remains rare at the top: only 22% use time-bound risk acceptance for critical risks, 18% document board-level risk acceptance, and 3% tie remuneration to cybersecurity outcomes (Gartner 2025). SBCP without accountability metrics is still awareness with better slides.
What changed when teams treated this seriously
Tiryaki, a global agricultural company, used Keepnet simulations and reporting workflows to improve phishing detection rates by 89% within twelve months, with measurable cost avoidance in incident response.
Teknosa ran vishing simulations plus security awareness training and reported roughly 80% improvement in scam recognition within ninety days.
How Keepnet fits an SBCP
Keepnet's Extended Human Risk Management Platform (xHRM) connects simulations, adaptive training, reporting workflows, and analytics so you can run SBCP as one program instead of four disconnected tools. The goal is not more content. It is fewer risky decisions per thousand employees.
Watch the demo below to see how teams operationalize behavior change, not just assign courses.
Completion rate is a comforting metric. It is not a security outcome. SBCP is what you run when you are ready to measure behavior under deadline pressure, not hours spent in a learning portal.
FAQ
What is a security behavior and culture program (SBCP)?
An SBCP is a formal program that uses executive engagement, targeted simulations, behavioral metrics, and reduced control friction to change how employees act under real work pressure. It goes beyond annual awareness training and completion tracking.
How is SBCP different from security awareness training?
Security awareness training teaches concepts. SBCP measures and changes behavior across roles and channels, with leadership accountability and incident-linked metrics. Gartner's 2025 survey found only 8% of organizations run a formal SBCP versus 66% on traditional awareness.
What metrics should an SBCP track?
Prioritize report rate, time-to-report, repeat-failure cohorts, employee-caused incident rates, leadership engagement, and policy exception volume. Deprioritize completion percentage as a standalone success metric (84% of organizations still over-index on it).
Why do employees bypass cybersecurity guidance?
Often because the secure path is slower or unclear under deadline pressure. Gartner reports 41% of employees admit intentionally bypassing guidance. Friction reduction, manager reinforcement, and multi-channel practice address that gap better than another generic module.
Do phishing simulations alone count as an SBCP?
No. Simulations are one input. SBCP also requires executive sponsorship, behavior metrics beyond click rate, coverage of non-email channels, and accountability. Email-only programs sit with the 73% of organizations that give phishing reporting priority focus while only 10% prioritize deepfake recognition.
Sources
- Gartner, Infographic: 6 Ways to Transform Your Cybersecurity Awareness Program (G00840741, March 2026), based on the 2025 Secure Behavior Strategies Survey (n=65, June 11 through November 19, 2025).
- Verizon 2026 Data Breach Investigations Report (human element in breaches): https://keepnetlabs.com/blog/2026-verizon-data-breach-investigations-report