What Is the 'COM-B' Scientific Behavioral Model in Cybersecurity Awareness?

Gartner emphasizes integrating behavioral science principles into security awareness programs to manage human cyber risk effectively. Traditional, curriculum-based approaches often fall short in changing employee behavior. Gartner's PIPE Framework advocates for Security Behavior and Culture Programs (SBCPs) that leverage behavioral science, data analytics, and automation to foster a security-conscious culture. These models focus on understanding and influencing human behavior to promote secure practices. One such model is the COM-B Model (Capability, Opportunity, Motivation—Behavior), which provides a structured framework for encouraging positive security behaviors.

Below, we explore the COM-B Model and how it can be applied to cybersecurity awareness.

The COM-B Model: Shaping Secure Behavior

The COM-B model suggests that behavior (B) results from the interaction of Capability (C), Opportunity (O), and Motivation (M). Here's how this applies to cybersecurity:

1. Capability (C):

Refers to the knowledge, skills, and abilities required to perform a behavior. In cybersecurity:

• Psychological capability: Employees must understand cybersecurity concepts, like identifying phishing emails, using multi-factor authentication, and avoiding insecure links.

Example: Provide training on recognizing phishing emails with clear, real-world examples.

• Physical capability: Employees should have access to and proficiency with necessary tools (e.g., password managers or secure file-sharing platforms).

Example: Hands-on training to use security tools or password managers during onboarding.

2. Opportunity (O):

This involves external factors that enable or hinder the desired behavior:

• Physical opportunity: Ensure employees have access to secure systems, updated software, and intuitive cybersecurity tools.

Example: Integrate an easy-to-use phishing reporting button into email clients like Outlook.

• Social opportunity: Foster a workplace culture where cybersecurity is prioritized, and employees feel encouraged to report suspicious activities.

Example: Reward employees for reporting phishing attempts or securely handling sensitive data.

3. Motivation (M):

This includes the internal processes that drive or inhibit behavior:

• Reflective motivation: Employees must recognize the importance of secure behavior and align it with organizational goals.

Example: Use real-world examples in a storytelling format to show how human error can lead to real breaches.

• Automatic motivation: Create habits or reflexive responses through regular training, simulations, and nudges.

Example: Simulated phishing attacks and nudges that train employees to report suspicious emails instinctively.

How COM-B Enhances Cybersecurity Awareness Training

The COM-B Model helps organizations understand why employees struggle with secure behaviors, implement targeted solutions, and make security awareness programs more effective.

• Tailored Interventions – Identify the root causes of security issues. If employees lack knowledge, provide regular training. If tools are missing, simplify processes. If motivation is low, emphasize real-world consequences.
• Behavior Change Techniques – Combine training with security tools, policies, and nudges. For example, use short training videos with quizzes, user-friendly security tools, and reward-based encouragement.
• Sustained Engagement – Focus on long-term behavior change through gamification, interactive learning, and role-based training instead of one-time sessions.

Example in Action: Preventing Phishing

Scenario: Employees frequently fail to report phishing emails, increasing the risk of cyberattacks. The COM-B Model helps address this by improving their ability, access, and motivation to act securely.

For example, organizations can:

• Capability – Train employees to identify phishing signs like suspicious URLs or unusual requests for sensitive data.
• Opportunity – To simplify reporting, provide an easy-to-use phishing report button in email platforms.
• Motivation – Show the impact of their reports with real stats and publicly recognize employees who contribute to security.

By applying COM-B, organizations can turn phishing reporting into a habit, strengthening cybersecurity awareness and reducing human risk.

How Keepnet Applies the COM-B Model to Strengthen Cybersecurity Awareness

Keepnet’s platform leverages the COM-B Model to drive lasting cybersecurity behavior change. Here’s how it applies each element to enhance security awareness and empower employees.

1. Capability: Empowering Employees

Keepnet builds employees' cybersecurity skills by providing real-world simulations, interactive training, and continuous feedback.

How Keepnet Enhances Capability:

• Phishing Simulations – Employees receive realistic phishing emails to improve their ability to detect and respond to threats.

Example: Simulated attacks mimic real techniques like fake MFA requests or HR-related phishing emails.

Interactive Training – Short, scenario-based videos and quizzes reinforce learning and boost knowledge retention.

Example: A video explains common phishing tactics, followed by a quiz on identifying fake links.

• Nudges Theory – Real-time guidance helps employees recognize and learn from mistakes.

Example: If an employee clicks a phishing simulation, a pop-up explains what they overlooked (e.g., mismatched domains or suspicious formatting).

2. Opportunity: Enabling Secure Behavior

Keepnet removes barriers to secure actions by making cybersecurity tools easily accessible and fostering a strong security culture.

How Keepnet Creates Opportunities:

• Phishing Reporting Button – A one-click tool in Outlook and other email clients streamlines phishing reporting.

Example: A clearly labeled "Report Phishing" button makes reporting effortless.

• Incident Responder – AI-powered analysis provides instant feedback on reported phishing emails.

Example: Employees receive a confirmation message: "Thank you! This email was confirmed as phishing and has been removed from other inboxes."

• Building a Security Culture – Keepnet encourages engagement through team-level phishing response scores and friendly competition.

Example: The team with the highest phishing reporting rates gets recognition in the company newsletter.

3. Motivation: Reinforcing Secure Behavior

Keepnet drives motivation by incorporating gamification, real-world storytelling, and rewards that reinforce security habits.

How Keepnet Builds Motivation:

• Gamification – Employees earn badges and points for completing training or reporting phishing emails.

Example: Employees can achieve the "Phishing Guardian" badge after reporting 10 phishing emails in a month.

• Storytelling – Sharing real-world cybersecurity success stories highlights the impact of secure behavior.

Example: "John from Marketing spotted a phishing email targeting finance, preventing a $50,000 wire fraud attempt!"

• Feedback Loops – Employees receive real-time recognition when they take secure actions.

Example: "Great job! You reported this phishing email in 30 seconds, helping us respond faster."

• Incentives for Consistent Action – Employees who regularly report phishing emails can earn perks.

Example: Monthly raffles for top reporters with prizes like gift cards or extra PTO hours.

Explore Keepnet’s Human Risk Management Platform to enhance cybersecurity awareness and drive lasting behavior change

Example Scenario: Preventing Vishing Attacks

Vishing (voice phishing) attacks manipulate employees into revealing sensitive information over the phone. Using the COM-B Model, Keepnet helps organizations strengthen their defense against these threats.

Read our guide to learn about the definition of vishing, its detection, and its protection.

1. Capability: Training Employees to Recognize Vishing

Keepnet’s vishing simulations expose employees to real-world social engineering tactics, helping them recognize and respond to suspicious calls.

• Example: A simulated attacker posing as IT support requests an MFA code. Employees practice saying “No” and reporting the attempt.

2. Opportunity: Providing Easy Reporting Channels

Employees need simple, accessible ways to report real-time vishing attempts.

• Solution: Keepnet offers a dedicated hotline and reporting portal for immediate incident submission.
• How it Works: The Incident Responder analyzes reports and alerts the security team to active threats.

3. Motivation: Reinforcing Secure Behavior

Employees are more likely to act securely when they see the impact of their actions.

Example: Sharing real statistics: “Because our team reported 15 phishing emails last quarter, we prevented an estimated $120,000 in potential ransomware damages.”

Check out Keepnet’s Vishing Simulator to train employees against voice phishing threats and strengthen your organization's defense.

COM-B Elements in Keepnet’s Platform

Keepnet’s Human Risk Management platform is designed to tackle human risk by addressing the key elements of the COM-B Model: Capability, Opportunity, and Motivation. By focusing on realistic training, accessible tools, and consistent motivation, employees become more aware and proactive in responding to cybersecurity threats.

The table below breaks down how Keepnet applies each COM-B element to create lasting behavior changes in employees.

Table 1: How Keepnet Implements the COM-B Model

By integrating Capability, Opportunity, and Motivation into its platform, Keepnet not only trains employees but also enables and encourages them to make secure decisions, creating a sustained shift in cybersecurity behavior.