
November 4, 2022

How Living Security Drives Cybersecurity Behavior Change

Let's be honest: when was the last time you actually read the airplane safety card? We all glance at it, but it doesn't really stick. This is the perfect metaphor for so much of today's security training. It might satisfy NIST's awareness and training controls, but it rarely inspires action. To move beyond compliance-driven training and achieve genuine behavior change, we need a smarter approach. It's time to focus on what actually works, not just what checks a box.

Maybe you flipped through it while waiting to take off, or maybe you glanced at it while the flight attendants gestured towards your nearest exit. But when you were done reading it (if you read it at all) you probably tucked it back in the pocket and went back to playing games on your phone, drinking ginger ale, or silently negotiating for the use of the armrest with your already-sleeping neighbor’s elbow.

What is the point of those cards, anyway? And who really pays attention to the “white lights lead to red lights, red lights lead to exits” routine? Do you?

Even knowing how important these things would be in a rare emergency, do we really pay attention? Do we learn from the briefing, and does it actually change what we do?

Cybersecurity incidents are a lot more common than airplane emergencies, but it’s surprising to find out that the overwhelming attitude towards security awareness and training (SA&T) is a lot like how we read an airline safety card. We read the card or take the yearly training just to say we’ve done it, just to check a box, but we don’t really expect to learn anything, much less change what we do.

(Some of this, let's be honest here, is because a lot of cybersecurity training is about as interesting as watching paint dry. Another PowerPoint presentation from 1998? I'm vibrating with delight and anticipation!)

We know that the human element is a factor in a sizable percentage of security incidents; the data could not be clearer. We know that Human Risk Management is the future of cybersecurity training. We know all of this, but the current frameworks barely account for it.

Instead, most cybersecurity frameworks and guidelines care more that you read the safety card, or took the training, than whether you actually changed your behavior.

Recently, in her article "A Sneak Peek Into The Future Of Security Awareness And Training," Forrester VP and Senior Analyst Jinan Budge says, “Two decades of increasing the focus on the human side of security has inadvertently, and well meaningly, created a status quo that’s difficult to break. Security and risk leaders must reject the status quo of their well-intentioned, commonly accepted awareness program and focus on managing the human risk.”

To learn more about what Living Security is doing in order to break this status quo and offer a solution that gets to the heart of Human Risk Management, let’s first explore what one of the top recommended cybersecurity frameworks does — and what it might be missing.


What is the NIST Cybersecurity Framework?

The NIST framework is a set of voluntary guidelines and best practices set forth by the National Institute of Standards and Technology in order to help companies better manage cybersecurity risk. At its core, the framework identifies five key functions that help organize cybersecurity practices: Identify, Protect, Detect, Respond, and Recover. (NIST CSF 2.0, published in February 2024, added a sixth function, Govern, on top of these five.) It's a flexible framework, intended to be a broad and adaptable guideline for companies of various sizes. The five functions are:

  • Identify – Understand the business context, the assets and systems that matter, and the risks to them. A risk assessment here lets security leaders define the risk management strategy that fits the business.

  • Protect – Under this function, protective measures are both technical (firewalls, regular data backups, encryption, and access controls) and human (information protection procedures and security awareness training).

  • Detect – Monitoring devices and networks for anomalies, unauthorized access, and other events is key to addressing them as quickly as possible.

  • Respond – With the initial strategy in mind, define how your company will respond to threats and potential risks. How will the incidents be handled, and how will damage be mitigated?

  • Recover – After the incident, a plan must be in place to recover, not just to re-secure data but also to keep key stakeholders informed of the actions being taken.

To be clear, the NIST framework is a great starting point for cybersecurity. It works — not only as an initial framework to begin conceptualizing an organization’s unique cybersecurity needs and challenges, but also as a pathway to follow, stepping stones that can lead you through each phase of a process, hopefully cycling back around to learn and integrate the information gleaned during the post-incident recovery phase.

It’s good, but it could be better. So what do we need to add in order to find that missing piece?


From Compliance to Culture: The Role of HRM Framework

What the NIST framework is missing is a dedicated focus on human behavior at every step of the process. Yes, it's important to have tech-focused solutions, but the technology attack vector isn't the whole picture: according to the 2021 Verizon Data Breach Investigations Report, 85% of breaches that year involved a human element.

This is where the HRM Framework comes in. Rather than replacing NIST, the HRM Framework complements and strengthens it — ensuring that security leaders can reduce risk from not just a process or technical standpoint, but a human one as well.

Future iterations of the HRM Framework will be aligned with NIST, making it easier for organizations to see how human risk aligns directly with each of NIST’s five functions. The two together provide a holistic approach: NIST as the broad structure, and the HRM Framework as the layer that ensures behavior change and measurable human risk reduction.

Is Your Compliance-Only Mindset Creating Security Gaps?

Most companies focus only on compliance when they need to focus on behavior change. Without integrating the human element, cybersecurity becomes more about checking boxes than reducing risk.

Much like reading that laminated safety card, what does it matter if your employees complete a mandated training, attend a security awareness event, or rack up views on materials if their behavior doesn’t change as a result?

This is why mapping the HRM Framework to NIST is so important. It moves organizations beyond compliance metrics and into true risk reduction.

Understanding the "Behavior Gap" vs. the "Knowledge Gap"

Traditional security training often fails because it only addresses the "knowledge gap." Your employees might watch the annual video, pass the quiz, and know what phishing is. But knowing the risk and avoiding it in the moment are two different things. The real challenge is the "behavior gap," which is the space between what employees know they should do and what they actually do. True security improvement comes from changing daily actions and building secure habits, not just checking a box on a training module. Human Risk Management (HRM), as defined by Living Security, focuses directly on this gap. It’s about understanding the drivers behind risky actions and using targeted interventions to measure and influence behavior for lasting change, turning awareness into action.

Common Examples of High-Risk Employee Actions

Focusing on behavior means identifying the specific, everyday actions that introduce the most risk. A compliance-based mindset often overlooks these subtle but dangerous habits because they are difficult to track with traditional tools. These actions are rarely malicious; they are usually attempts to be more efficient or work around a cumbersome process. However, they create significant vulnerabilities that attackers are quick to exploit. Understanding these common risky behaviors is the first step toward building a proactive security culture that addresses the human element head-on. Here are a few of the most prevalent examples security leaders face.

Weak and Reused Passwords

It's a classic for a reason. Employees often use simple, easy-to-guess passwords or reuse the same one across multiple personal and professional accounts. While it feels convenient, this single action can neutralize millions of dollars in security investments. A password exposed in a third-party breach can give an attacker a direct key to your corporate network. This isn't just a knowledge problem; employees know passwords should be complex. It's a behavior problem rooted in convenience. The technical controls that pair with the behavioral work are the ones NIST SP 800-63B already recommends: screen new passwords against lists of known-breached values, and require multi-factor authentication so a leaked password alone is not enough. An effective HRM program moves beyond simple policy reminders and helps predict which users are likely to engage in this behavior, allowing for targeted nudges or adaptive training before an incident occurs.

Falling for Advanced Phishing Scams

Today’s phishing attacks are not the poorly worded emails of the past. Attackers use AI to craft highly personalized and convincing messages that are incredibly difficult to spot, even for trained employees. These sophisticated scams exploit trust and urgency, preying on human psychology. While phishing simulations are useful, they are reactive. Living Security, a leader in Human Risk Management (HRM), helps organizations shift from detection to prediction. By analyzing data across employee behavior, identity systems, and real-time threat intelligence, the leading Human Risk Management Platform can identify which individuals are most likely to be targeted and susceptible, enabling you to act with preemptive, tailored interventions.

Mishandling Sensitive Data

Have you ever seen an employee email a work file to their personal account to finish a project at home? Or use a personal file-sharing tool because the corporate one was too slow? This is data mishandling, and it’s a widespread risk. These actions often stem from a desire to be productive, not to cause harm, but they move sensitive corporate information outside of your secure environment. This creates a massive blind spot for security teams. An HRM platform can help make this risk visible by correlating signals from different systems to identify when data is being moved to unapproved locations, guiding employees toward secure alternatives in real-time.

Using Unapproved "Shadow IT"

Shadow IT refers to employees using applications, software, or services without explicit approval from the IT or security department. An employee might use a new AI-powered design tool or a project management app to collaborate more effectively, unaware that the tool lacks proper security controls. Each unapproved application is a potential entry point for attackers and a compliance risk. A compliance checklist can’t account for tools it doesn’t know exist. A data-driven Human Risk Management program provides the necessary visibility, identifying the use of shadow IT so you can assess the risk and guide your team toward sanctioned, secure tools without stifling their productivity.

Actionable Strategies for Driving Lasting Behavior Change

Moving beyond a compliance-only mindset requires more than just good intentions. It demands a deliberate strategy focused on what actually works to change human behavior. Simply telling people to be more secure is like handing them an airline safety card and expecting them to become a pilot. To truly reduce human risk, you need to create an environment where secure behaviors are understood, encouraged, and easy to adopt. The following strategies, grounded in organizational psychology and behavioral science, provide a roadmap for building a resilient security culture that moves beyond checking boxes and toward meaningful risk reduction.

Build a Positive Security Culture

A strong security culture is the foundation of any effective Human Risk Management program. It’s the shared set of beliefs, values, and norms that shape how people approach security in their daily work. When security is seen as a collective responsibility rather than a list of rules enforced by a single department, employees become active participants in defending the organization. Building this kind of culture does not happen by accident. It requires intentional effort, starting with leadership and extending to every corner of the business, creating an environment where people feel empowered and safe to do the right thing.

Lead by Example

If you want your team to take security seriously, they need to see that you do, too. When company leaders consistently follow security protocols and openly discuss the importance of cybersecurity, it sends a powerful message. This is not about a single all-hands meeting; it is about integrating security into the leadership vocabulary and daily actions. When a CISO shares a personal story about avoiding a phishing attempt or a department head praises their team for high reporting rates, it demonstrates that security is a core business value. This visible commitment from the top down builds trust and shows everyone that security is not just a compliance exercise, but a critical part of the organization's success.

Foster Psychological Safety to Encourage Reporting

One of the most valuable assets for a security team is early information about a potential threat. However, employees will not report a mistake or a suspicious email if they fear blame or punishment. Creating a culture of psychological safety is essential. This means establishing a no-blame environment where people feel secure enough to raise their hand and say, "I think I clicked on something I should not have." This approach transforms potential security incidents into learning opportunities and provides your SOC team with invaluable, real-time intelligence. When employees feel safe to be vulnerable, they become your most important line of defense, turning every individual into a human sensor for your security program.

Use Positive Reinforcement

Fear is a poor long-term motivator. While scary stories about data breaches might grab attention, they rarely inspire lasting behavior change. A more effective approach is to use positive reinforcement to celebrate and reward good security practices. Instead of only highlighting failures, focus on successes. Recognize individuals or teams who consistently report phishing emails or champion secure practices within their departments. Gamification, leaderboards, and other forms of recognition can make security feel engaging and collaborative. By rewarding employees for their progress and effort, you reframe security from a punitive chore into a shared goal, encouraging proactive participation and building positive momentum across the organization.

Apply Behavioral Science to Security Training

Traditional security awareness training often fails because it ignores the fundamental principles of how adults learn and make decisions. A yearly, one-size-fits-all presentation is unlikely to stick, especially when employees are busy with their primary job functions. To drive real change, we must apply insights from behavioral science to our training methods. This means designing interventions that work with human nature, not against it. By making security easy, timely, and relevant, we can create training programs that lead to measurable improvements in behavior and a tangible reduction in risk.

Make the Secure Path the Easiest Path

If a security process is complicated or time-consuming, people will inevitably find workarounds. This is a core principle of behavioral science: people tend to follow the path of least resistance. Instead of fighting this tendency, we should use it to our advantage. The goal is to design systems and workflows where the most secure option is also the easiest and most intuitive one. This could mean implementing single sign-on (SSO) to reduce password fatigue or providing clear, simple tools for encrypting and sharing sensitive files. When secure actions fit seamlessly into daily work, you are not just asking people to change their behavior; you are changing the environment to guide them toward better choices automatically.

Use Nudging and Realistic Simulations

A "nudge" is a small, timely prompt designed to guide someone toward a better decision without restricting their choices. In cybersecurity, this can be incredibly powerful. For example, an AI-driven system can provide a helpful reminder or a micro-training module at the exact moment an employee is about to perform a risky action, like using a weak password. This is far more effective than a generic annual training. Paired with realistic simulations, such as advanced phishing tests that mimic real-world threats, nudging allows employees to practice their skills in a safe context. This combination of gentle guidance and hands-on practice helps build muscle memory for secure behaviors.

Deliver Personalized, Just-in-Time Interventions

Every employee faces a unique set of risks based on their role, access level, and individual behaviors. That is why personalized, just-in-time interventions are so critical. Instead of generic, company-wide training, a modern Human Risk Management approach delivers specific, timely advice and micro-lessons tailored to each person. Living Security, a leader in Human Risk Management (HRM), accomplishes this by analyzing signals across employee behavior, identity systems, and real-time threat intelligence. This allows the platform to predict risk and autonomously deliver a targeted intervention, like a short video on data handling, right when it is most relevant and likely to be absorbed.

Measure Success Beyond Completion Rates

For too long, security teams have relied on vanity metrics like training completion rates or video views to measure the success of their awareness programs. While these numbers are easy to report, they say nothing about whether behavior has actually changed or if risk has been reduced. To demonstrate true value, we must shift our focus to metrics that reflect real-world outcomes. An effective HRM program makes human risk visible and measurable, allowing you to track progress and prove that your interventions are making the organization safer. This data-driven approach is essential for securing executive buy-in and justifying continued investment in your program.

Focus on Key Metrics like Reporting Rates

One of the best indicators of a healthy security culture is not the phishing click rate, but the employee reporting rate. A high number of employees reporting suspicious emails, even if many are benign, is a sign of an engaged and vigilant workforce. It shows that people are paying attention and feel empowered to act as a line of defense. Tracking this metric over time provides a much more meaningful gauge of your program's success than simply counting how many people failed a test. It reflects a positive shift from passive awareness to active participation in the organization's security, a key goal of any phishing awareness program.

Track Changes in Behavior and Attitude

Reducing human risk is not about a single metric; it is about observing a collection of positive changes over time. Beyond reporting rates, it is important to track shifts in employee knowledge, their attitudes toward security, and their overall participation in security initiatives. Are they using password managers more frequently? Are they challenging strangers who try to tailgate into the office? By correlating data across behavior, identity, and threat systems, platforms like Living Security can provide a holistic view of these changes, helping you understand how your culture is evolving and where your security program is having the greatest impact.
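As an added illustration of the two points above (reporting rate as the primary metric, and tracking change across campaigns), here is a small Python script that is not from Living Security or the original post. It computes per-campaign click rate, report rate, the number of users who reported even after clicking, and minutes from send to the first report, then shows the change between the first and last campaign. The event log is constructed here, and its four-field layout (timestamp, campaign, user, event) is an assumption rather than any vendor's export format.

```python
"""Phishing-simulation metrics that measure behavior rather than completion.
Added example; not code from Living Security or the original post.  The
event log below is constructed for illustration and its four fields
(timestamp, campaign, user, event) are an assumed layout, not any vendor's."""
from collections import defaultdict
from datetime import datetime

EVENTS = ("delivered", "clicked", "reported")

# Constructed sample log.  Every recipient gets a 'delivered' row; a
# 'clicked' or 'reported' row follows only if the user did that.
SAMPLE_LOG = """\
2024-01-08T09:00:00 Q1 alice delivered
2024-01-08T09:00:00 Q1 bob delivered
2024-01-08T09:00:00 Q1 carol delivered
2024-01-08T09:00:00 Q1 dave delivered
2024-01-08T09:04:10 Q1 alice clicked
2024-01-08T09:07:30 Q1 bob reported
2024-01-08T09:15:00 Q1 alice reported
2024-04-15T10:00:00 Q2 alice delivered
2024-04-15T10:00:00 Q2 bob delivered
2024-04-15T10:00:00 Q2 carol delivered
2024-04-15T10:00:00 Q2 dave delivered
2024-04-15T10:02:05 Q2 bob reported
2024-04-15T10:03:40 Q2 carol reported
2024-04-15T10:20:00 Q2 dave clicked
2024-04-15T10:31:00 Q2 alice reported
"""


def parse_log(text):
    """Yield (campaign, user, event, timestamp) from whitespace-separated lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, campaign, user, event = line.split()
        if event not in EVENTS:
            raise ValueError(f"unknown event {event!r} in line {line!r}")
        yield campaign, user, event, datetime.fromisoformat(ts)


def campaign_metrics(events):
    """Per campaign: click rate, report rate, users who reported even after
    clicking, and minutes from send to the first report."""
    per = defaultdict(lambda: {e: {} for e in EVENTS})
    for campaign, user, event, ts in events:
        # keep only the earliest timestamp per user and event
        per[campaign][event].setdefault(user, ts)
    out = {}
    for campaign, b in per.items():
        n = len(b["delivered"])
        sent = min(b["delivered"].values())
        first_report = min(b["reported"].values(), default=None)
        out[campaign] = {
            "sent": sent,
            "click_rate": len(b["clicked"]) / n,
            "report_rate": len(b["reported"]) / n,
            # a report after a click is still a report: that is the
            # no-blame behavior the culture section asks for
            "clicked_then_reported": sum(1 for u in b["clicked"] if u in b["reported"]),
            "minutes_to_first_report": None if first_report is None
            else (first_report - sent).total_seconds() / 60,
        }
    return out


def trend(metrics):
    """Change from the earliest to the latest campaign for each comparable
    metric (negative minutes_to_first_report means reports arrive sooner)."""
    order = sorted(metrics, key=lambda c: metrics[c]["sent"])
    first, last = metrics[order[0]], metrics[order[-1]]
    keys = ("click_rate", "report_rate", "minutes_to_first_report")
    return {k: last[k] - first[k] for k in keys
            if first[k] is not None and last[k] is not None}


if __name__ == "__main__":
    m = campaign_metrics(parse_log(SAMPLE_LOG))
    for name, vals in sorted(m.items()):
        print(name, {k: v for k, v in vals.items() if k != "sent"})
    print("trend", trend(m))
```

On the constructed data the click rate is identical in both campaigns (one click out of four), so a program judged on clicks alone would report no progress, while the report rate rises from 50% to 75% and the first report arrives in about two minutes instead of seven and a half. That gap is exactly why the page argues for reporting rate and time-to-report over click rate.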

Predict Risk and Drive Behavior Change with Living Security

Human Risk Management is the future of cybersecurity, and with the right tools, your organization can move beyond compliance-based models and actually start to identify risk before it is likely to occur. With Unify Insights, security professionals can deploy targeted training to those who need it most: training that's actually interesting, and, dare we say, fun.

Watch how behaviors change as a result, and how risk is affected. Create a custom-fit solution that does more than just tick the boxes. Using Living Security’s Unify Insights platform, you can see what’s missing from compliance-based frameworks: The human element.

The HRM Framework will ensure that companies can align their process, technology, and people efforts — complementing NIST instead of competing with it — and giving leaders a true path to measurable human risk reduction.

To learn more about the HRM Framework, visit www.humanriskmanagement.com.

How AI-Native HRM Moves from Reactive to Predictive

While foundational frameworks like NIST are essential, they often keep security teams in a reactive cycle of detecting incidents and then responding. This is like trying to patch holes in a boat while it’s already taking on water. Human Risk Management (HRM), as defined by Living Security, flips this model. Instead of waiting for an incident, an AI-native HRM platform works to predict and prevent them. It’s a fundamental shift from playing defense to getting ahead of the threat. By understanding the precursors to risky behavior, you can intervene before a simple mistake becomes a costly breach, moving your security posture from reactive to truly proactive.

Analyzing Risk Signals Across Behavior, Identity, and Threats

A predictive approach is only as good as the data it analyzes. To accurately forecast risk, you need to see the whole picture, not just isolated events. This is why the leading Human Risk Management Platform from Living Security correlates data across three critical pillars: employee behavior, identity and access systems, and real-time threat intelligence. Analyzing these signals together provides a rich, contextualized view of risk. For example, an employee who repeatedly fails phishing tests is a concern. But if that same employee also has privileged access to sensitive systems and is being actively targeted by a threat actor, the risk compounds: the same mistake now has a far larger blast radius and a far higher chance of being attempted. By analyzing over 200 such indicators, the platform spots patterns and predicts where your next incident is most likely to originate.

Using AI to Predict and Guide

Once you have the data, you need the intelligence to make sense of it. This is where an AI guide like Livvy becomes a security team’s most valuable asset. Livvy is the reasoning layer of the Living Security Platform, built on the world’s largest HRM dataset. It looks at all the correlated data to figure out which individuals are most at risk *before* a mistake happens. But it doesn’t just give you a score and walk away. Livvy guides your team with explainable, evidence-based recommendations, showing you exactly why a person or role is flagged and suggesting the most effective next steps. This predictive intelligence allows you to focus your resources where they will have the greatest impact.

Automating Interventions with Human-in-the-Loop Oversight

Identifying risk is the first step, but acting on it is what prevents incidents. An AI-native platform can autonomously execute many of the routine interventions that bog down security teams. For instance, it can automatically assign a targeted micro-training module after a risky click or send a helpful nudge to reinforce a security policy. This frees up your team to focus on more strategic initiatives. Crucially, this is all done with human-in-the-loop oversight. The platform makes recommendations and can act on them, but your team always maintains control, ensuring that every intervention is appropriate and effective. This combination of intelligent automation and human oversight allows you to scale your security awareness efforts and drive real, measurable behavior change across the organization.

Frequently Asked Questions

We already follow the NIST framework. Why isn't that enough to manage human risk? The NIST framework is an excellent and essential foundation for your security program, but it primarily focuses on processes and technology to achieve compliance. The problem is that compliance doesn't always equal security. Human Risk Management (HRM), as defined by Living Security, complements NIST by adding a dedicated focus on the human element. It helps you move beyond just checking a box for training and instead provides the tools to measure and influence employee behavior, which is the root cause of a significant number of security incidents.

How is this different from the security awareness training we already do? Traditional security awareness training usually involves annual, one-size-fits-all content that focuses on increasing knowledge. An HRM approach is fundamentally different because it focuses on changing behavior, not just transferring information. Instead of generic courses, the leading Human Risk Management Platform uses data to understand individual risk levels and then delivers personalized, just-in-time interventions. It’s the difference between making everyone read a manual once a year and giving a specific person the exact guidance they need at the moment they need it most.

The post mentions a "behavior gap." What is that, and how does it create risk? The "behavior gap" is the space between what your employees know they should do and what they actually do in their daily work. For example, an employee might know that reusing passwords is a bad idea, but they do it anyway for convenience. This gap exists because knowledge alone doesn't drive action. This creates significant risk because even with the best security tools, a single human action, like clicking a sophisticated phishing link or using an unapproved app, can create a major vulnerability.

How can an AI platform actually predict human actions? Prediction isn't about reading minds; it's about analyzing data to identify patterns. Living Security, a leader in Human Risk Management (HRM), built its platform to correlate data from over 200 signals across three key areas: employee behavior, identity and access systems, and real-time threat intelligence. By analyzing these signals together, our AI guide, Livvy, can identify risk trajectories. For instance, it can see if an employee with high-level access is also failing phishing tests and being targeted by a known threat actor, allowing the platform to predict a high-risk situation before an incident occurs.

My security team is already overwhelmed. Will this platform just add more work? This is a common concern, and the platform was designed specifically to alleviate this problem, not add to it. The goal is to make your team more efficient. The AI-native platform automates many of the routine tasks that consume your team's time, such as assigning targeted micro-trainings or sending policy reminders. This is all done with human-in-the-loop oversight, so your team maintains full control without getting bogged down in manual work. It frees them up to focus on strategic initiatives while the platform handles the day-to-day work of driving behavior change.

Key Takeaways

  • Prioritize behavior over compliance: Checking boxes on training modules does not reduce risk. True security improvement comes from closing the "behavior gap" between what employees know and what they do, which is the core focus of a Human Risk Management (HRM) strategy.
  • Create a positive security culture: Make security a shared responsibility, not a chore. Foster an environment where employees feel safe to report mistakes, and use behavioral science techniques like timely nudges and personalized interventions to make the secure choice the easy choice.
  • Use a predictive, AI-native platform: Shift from a reactive to a proactive security posture with an AI-native Human Risk Management platform. By correlating data from behavior, identity, and threat intelligence, you can predict risk, guide employees with targeted interventions, and act to prevent incidents before they happen.
