
Practical Guide to COM-B
Jul 25

In today’s rapidly evolving digital world, changing human behavior has become one of the most critical components in managing cybersecurity risk. Whether you’re trying to encourage secure password practices, improve incident reporting, or embed a culture of security awareness, knowing how to change behavior is essential.
But behavior change isn’t just about giving people more information or asking them nicely to do something different. It’s about understanding the deeper drivers of behavior - and designing interventions that actually work.
That’s where the COM-B model and Behavior Change Wheel (BCW) come in.
What is COM-B?
COM-B, developed by Dr. Susan Michie and colleagues, stands for:
- Capability – Do they have the knowledge and skills?
- Opportunity – Do their environment and social context support the behaviour?
- Motivation – Do they want or need to do it?
Behaviour (B) occurs when (C)apability, (O)pportunity, and (M)otivation are present at the same time. If any one is missing, the behaviour is unlikely to happen.
What is the Behavior Change Wheel?
The Behavior Change Wheel (BCW), also developed by Dr. Susan Michie and colleagues, is a powerful framework for designing behavior change interventions that builds upon COM-B.
It helps you:
- Diagnose the behavior using COM-B
- Choose the right intervention functions (e.g. education, enablement, persuasion)
- Select supporting policy categories (e.g. guidelines, regulation, communication)
The wheel sits at the centre of a systematic approach to designing targeted and effective behavioral interventions.
How to Get Started: Step-by-Step Guide
Here’s how to use COM-B and the BCW in practice.
Step 1: Define the Behavior
Clearly identify the behaviour you want to change.
Example: “Report phishing emails within 1 hour of detection”
Step 2: Conduct a COM-B Assessment
Use the COM-B model to explore what’s enabling or preventing the behaviour.
Ask:
- Do they have the Capability to recognise phishing?
- Do they have the Opportunity (e.g. time, systems, social norms) to report it?
- Are they Motivated to take action?
This diagnosis highlights what needs to change.
Step 3: Identify Intervention Functions
Use your COM-B findings to select suitable intervention functions from the BCW (there are 9 total), such as:
1. Education
Increase knowledge or understanding.
Example: Delivering awareness sessions or e-learning modules explaining how phishing works, what signs to look out for, and how to report it.
Best for: Psychological Capability
2. Training
Imparting practical skills.
Example: Interactive simulations where employees practice spotting and reporting phishing emails, or hands-on secure coding workshops for developers.
Best for: Physical and Psychological Capability
3. Persuasion
Using communication to induce positive or negative feelings that can stimulate action.
Example: Sharing compelling case studies of real-world cyber incidents and the consequences of failing to report or secure data.
Best for: Reflective and Automatic Motivation
4. Incentivization
Creating expectation of reward.
Example: Recognizing teams with high secure behavior compliance or rewarding individuals who consistently report suspicious activity.
Best for: Reflective Motivation
5. Coercion
Creating expectation of punishment or cost.
Example: Policies that clearly define consequences of failing to adhere to acceptable use policies or repeated non-compliance with training.
Use with caution - consider acceptability and psychological safety.
Best for: Reflective Motivation
6. Enablement
Increasing means or reducing barriers to increase Capability or Opportunity beyond education and training.
Example: Making reporting easier through one-click buttons, or implementing password managers to reduce the cognitive load of strong password creation.
Best for: Capability, Opportunity, and Motivation
7. Modelling
Providing an example for people to aspire to or imitate.
Example: Using Security Champions or respected team members to demonstrate secure behaviors in everyday workflows.
Best for: Social Opportunity and Motivation
8. Environmental Restructuring
Changing the physical or social context.
Example: Introducing warning banners for external emails, restructuring access to systems to enforce least privilege, or creating team norms around incident sharing.
Best for: Physical and Social Opportunity
9. Restriction
Using rules to reduce opportunity to engage in risky or unwanted behaviors.
Example: Blocking access to malicious websites or disabling USB ports on devices.
Best for: Physical Opportunity - but ensure acceptability and proportionality
Step 4: Select Supporting Policy Categories
The outer layer of the Behavior Change Wheel includes seven policy categories, which support and enable the interventions you choose. These are especially relevant when you need wider organizational or systemic support to make your intervention feasible or sustainable.
Here’s how each applies in a cybersecurity context.
1. Communication/Marketing
Using media or messaging to raise awareness.
Example: Running ongoing internal campaigns about secure behavior.
2. Guidelines
Creating written documents or standards.
Example: Developing a behavioral security policy or secure working guidelines.
3. Fiscal Measures
Using financial levers such as incentives or penalties.
Example: Budgeting for security tools, or investing in team-based security incentives.
4. Regulation
Creating rules or principles governing behavior.
Example: Implementing organizational policies that require specific behaviors, such as regular security training.
5. Legislation
Setting formal laws or mandates.
Example: Adhering to GDPR or NIS2 regulations and ensuring staff behaviors align.
6. Environmental/Social Planning
Changing physical or organizational structures.
Example: Restructuring onboarding processes to include secure behavior modules from day one.
7. Service Provision
Delivering services to support behavior change.
Example: Providing a security hotline, IT support for implementing controls, or on-demand coaching from a Cyber Champion.
Step 5: Design, Implement and Test
Build your intervention, roll it out, and measure what works. Behavior change is rarely one-and-done; it’s an iterative process that requires reflection, adaptation, and feedback.
Want to Go Deeper?
This article only scratches the surface. For a deeper dive into how to apply this framework specifically in cybersecurity, including worked examples, templates, and planning guides, check out the book:
Behavioral Change Playbook for Cybersecurity
Your practical guide to designing effective, evidence-based interventions that actually change behavior in the digital world.
