
Building a Security Culture With Behavior Design

Human error accounts for the vast majority of security breaches largely due to successful phishing campaigns. Here are tips on fortifying the human firewall via the Fogg model of behavior design.

For organizations committed to establishing a secure environment to protect their systems and data, as well as the data of employees, customers, and others, there are two broad challenges:

  1. Ensuring they have the right technology and security layers in place to keep data safe and keep cybercriminals out.
  2. Ensuring employees’ actions protect systems and data rather than put them at risk.

Which of these is the most challenging to address?

If you said the second, you would be right. People are, by and large, the greatest factor standing in the way of organizations’ efforts to build and maintain a strong security culture.

So what can organizations do about that? They can apply time-tested principles of behavior science, specifically behavior design, to build a security culture.

What is behavior design?

Behavior design, a field of science pioneered by Dr. BJ Fogg of Stanford University, is a systematic way of thinking about human behavior and how people make decisions. He describes it as, “a new approach to understanding human behavior and how to design for behavior change.”

According to the Fogg Model for behavior design, behavior happens when three things come together at the same time: Motivation, Ability, and a Prompt to do the behavior.

By extension, to change a person’s behavior, three things need to be in place:

  • Motivation to change the behavior—they have to want to change because they recognize a benefit (to them) in doing so.
  • The ability to change the behavior—they have to have the knowledge and tools needed to successfully change behavior. The behavior has to be (and feel) easy enough to accomplish given the person’s current level of motivation.
  • Prompts to inform or remind people of the need for behavior and to help keep that knowledge top of mind.

Let’s take a look at each of these components and how they can be applied to building a security culture.

Motivation

If we want employees to change their behaviors, we need to give them a reason for doing so. That means we leverage both intrinsic and extrinsic motivators. In many instances, this means tapping into an employee’s emotions. We do that through messaging, and that messaging needs to be visually appealing and impactful to resonate. For instance, we might use leadership, a celebrity, or a powerful visual or story to capture their attention and motivate them to want to learn more—or to want to change their behavior.

Ability

Phishing attacks are increasingly common these days as cybercriminals employ increasingly clever tricks to get people to click on things they shouldn’t click on, or open things they shouldn’t open.

Your employees may have the motivation to avoid these attacks—after all, they don’t want to be the ones responsible for putting critical data at risk. But motivation alone isn’t enough.

They must also have the ability to avoid these attacks. In this case, that ability is based on having the knowledge, tools, habits, and gut instincts needed to perform the desired behaviors.

An example of a tool might be providing employees with a password manager to make it easy for them to create, change, and securely store their passwords so they’ll act on the motivation to not reuse passwords.

Prompt

Human behavior being what it is, we know that motivation and ability aren’t enough to ensure ongoing behavior change. Face it, we live in a complex, busy, and cluttered world. It seems like everything is in constant competition for our attention. We can’t possibly be expected to remember all of the myriad things we need to know to go about our daily business.

We need prompts.

So, perhaps when a suspect email makes it past your firewall, a pop-up may display in an employee’s inbox saying: “Do you really want to click on that?” Simple prompts make people pause and give them time to consider options and the pros/cons of taking, or not taking, certain actions.

That’s it. Motivation > Ability > Prompt. Sounds simple, right? But have you ever noticed that sometimes the simplest constructs shroud a sea of complexity? That’s certainly true when using behavior design to improve security culture or build security awareness.

The devil, as they say, is in the details.


Organizations have an opportunity to learn about and apply behavior design principles to positively change an existing security culture, or to build a new one, using techniques that have worked in behavior science for many, many years.

You have the technology and security layers in place to protect your systems and data. Now you need to get your people on board. Behavior design can help.


Author | Chief Evangelist at KnowBe4