Adaptive Security Awareness Training: Unlearning and Relearning Routines
Jul 10
Lev Lesokhin Lev Lesokhin is an experienced business technologist, a former software developer, consultant, and tech executive. Having started his career at MITRE, Lev has had many touch-points with cybersecurity thought leaders over the years. In his current role as OutThink's Executive Vice President for Technology and Analytics, he works with customers and industry leaders to build a quantitative framework for evolving security awareness into human risk management.
Cybersecurity is evolving, and so must our approach to training. Traditional security awareness training programs have often fallen short, focusing merely on compliance rather than cultivating a genuine culture of cybersecurity. As Professor Angela Sasse highlights in today's Secure and Engage Podcast episode, effective security awareness training requires us to rethink routines and integrate continuous learning principles to meet the challenges presented by an incredibly dynamic cyberthreat landscape.
The Roots of Human-Centric Cybersecurity Awareness Training
Aside from serving as OutThink's scientific advisor, Professor Sasse also consults for the UK’s National Cyber Security Centre (NCSC) and the EU Agency for Cybersecurity (ENISA). She is the founding director of the multidisciplinary UK Research Institute for Science of Cyber Security (RISCS) and has overseen over 30 Ph.D. students to successful defense of their dissertations. Needless to say, every time I speak to Angela I get to learn something new, which, back to my earlier point, makes it an absolute pleasure.
For our podcast, we started with a great story of how Angela got pulled into studying the human factors of cybersecurity. It all started with pesky passwords: a telecom company in the 1990s whose internal support center, set up to help people reset their passwords, had grown to 100 staff. That's an awful lot of expense. Their question to the new professor: why can't these "stupid users" remember their passwords? Relatable question!
The Role of Behavioral Economics in Cybersecurity Awareness Training
Sasse's insights draw heavily from Daniel Kahneman's research on System 1 and System 2 thinking. These behavioral economics principles explain how most human actions are driven by routines (System 1), while problem-solving requires deliberate thought (System 2). Cybersecurity training can only be effective if it accounts for these cognitive patterns.
Most of our actions—80-90%—are automatic, governed by System 1 thinking. For example, entering passwords or recognizing phishing emails can become intuitive with proper training. However, asking employees to engage in deep, continuous System 2 thinking for every task can lead to cognitive overload and frustration.
Professor Sasse underscores the importance of designing security practices that blend seamlessly into daily routines. She quotes General MacArthur to drive home her point: "Never give an order that's impossible to execute." By making secure behavior effortless, organizations can ensure consistent adherence without overburdening employees.
Transforming Cybersecurity Awareness into Routine Behavior
Occasional, one-off cybersecurity awareness training alone isn’t enough. Organizations must invest in ongoing, regularly updated training that reinforces secure behaviors until they become routine. Gamified and role-specific modules, scenario-based content, and real-time reminders can help embed these practices into employees’ daily lives.
Cultural transformation requires top-down support. Corporate leaders must champion cybersecurity culture and initiatives, allocate resources for training, and model secure behavior themselves. A Chief Information Security Officer (CISO) can act as an enabler, but the real change comes when the entire leadership team prioritizes security.
Lessons from Broader Workplace Transformations
The workplace has undergone significant changes over the past two decades, from embracing racial diversity to fostering gender inclusivity. These shifts demonstrate that systemic change is possible with sustained effort, and they should serve as models for the drive to embrace a human-centric cybersecurity culture. Transforming cybersecurity culture demands continuous reinforcement, strategic planning, and alignment with organizational goals; it is increasingly clear that the benefits of achieving such progress are well worth the effort involved.