Practical Guide to COM-B

In today’s rapidly evolving digital world, changing human behavior has become one of the most critical components in managing cybersecurity risk. Whether you’re trying to encourage secure password practices, improve incident reporting, or embed a culture of security awareness, knowing how to change behavior is essential.

But behavior change isn’t just about giving people more information or asking them nicely to do something different. It’s about understanding the deeper drivers of behavior - and designing interventions that actually work.

That’s where the COM-B model and Behavior Change Wheel (BCW) come in.

COM-B, developed by Dr. Susan Michie and colleagues, stands for:

• Capability – Do they have the knowledge and skills?
• Opportunity – Do their environment and social context support the behaviour?
• Motivation – Do they want or need to do it?

Behaviour (B) occurs when (С)apability, (O)pportunity, and (M)otivation are present at the same time. If any one is missing, the behaviour is unlikely to happen.

The Behavior Change Wheel (BCW), also developed by Dr. Susan Michie and colleagues, is a powerful framework for designing behavior change interventions which builds upon COM-B.

It helps you:

• Diagnose the behavior using COM-B
• Choose the right intervention functions (e.g. education, enablement, persuasion)
• Select supporting policy categories (e.g. guidelines, regulation, communication)

The wheel sits at the centre of a systematic approach to designing targeted and effective behavioral interventions.

Here’s how to use COM-B and the BCW in practice.

Clearly identify the behaviour you want to change.

Example: “Report phishing emails within 1 hour of detection”

Use the COM-B model to explore what’s enabling or preventing the behaviour.

Ask:

• Do they have the Capability to recognise phishing?
• Do they have the Opportunity (e.g. time, systems, social norms) to report it?
• Are they Motivated to take action?

This diagnosis highlights what needs to change.

Use your COM-B findings to select suitable intervention functions from the BCW (there are 9 total), such as:

1. Education

Increase knowledge or understanding.

Example: Delivering awareness sessions or e-learning modules explaining how phishing works, what signs to look out for, and how to report it.

Best for: Psychological Capability

2. Training

Imparting practical skills.

Example: Interactive simulations where employees practice spotting and reporting phishing emails, or hands-on secure coding workshops for developers.

Best for: Physical and Psychological Capability

3. Persuasion

Using communication to induce positive or negative feelings that can stimulate action.

Example: Sharing compelling case studies of real-world cyber incidents and the consequences of failing to report or secure data.

Best for: Reflective and Automatic Motivation

4. Incentivization

Creating expectation of reward.

Example: Recognizing teams with high secure behavior compliance or rewarding individuals who consistently report suspicious activity.

Best for: Reflective Motivation

5. Coercion

Creating expectation of punishment or cost.

Example: Policies that clearly define consequences of failing to adhere to acceptable use policies or repeated non-compliance with training.

Use with caution - consider acceptability and psychological safety.

Best for: Reflective Motivation

6. Enablement

Increasing means or reducing barriers to increase Capability or Opportunity beyond education and training.

Example: Making reporting easier through one-click buttons, or implementing password managers to reduce the cognitive load of strong password creation.

Best for: Capability, Opportunity, and Motivation

7. Modelling

Providing an example for people to aspire to or imitate.

Example: Using Security Champions or respected team members to demonstrate secure behaviors in everyday workflows.

Best for: Social Opportunity and Motivation

8. Environmental Restructuring

Changing the physical or social context.

Example: Introducing warning banners for external emails, restructuring access to systems to enforce least privilege, or creating team norms around incident sharing.

Best for: Physical and Social Opportunity

9. Restriction

Using rules to reduce opportunity to engage in risky or unwanted behaviors.

Example: Blocking access to malicious websites or disabling USB ports on devices.

Best for: Physical Opportunity - but ensure acceptability and proportionality

The outer layer of the Behavior Change Wheel includes seven policy categories, which support and enable the interventions you choose. These are especially relevant when you need wider organizational or systemic support to make your intervention feasible or sustainable.

Here’s how each applies in a cybersecurity context.

1. Communication/Marketing

Using media or messaging to raise awareness.

Example: Running ongoing internal campaigns about secure behavior.

2. Guidelines

Creating written documents or standards.

Example: Developing a behavioral security policy or secure working guidelines.

3. Fiscal Measures

Using financial levers such as incentives or penalties.

Example: Budgeting for security tools, or investing in team-based security incentives.

4. Regulation

Creating rules or principles governing behavior.

Example: Implementing organizational policies that require specific behaviors, such as regular security training.

5. Legislation

Setting formal laws or mandates.

Example: Adhering to GDPR or NIS2 regulations and ensuring staff behaviors align.

6. Environmental/Social Planning

Changing physical or organizational structures.

Example: Restructuring onboarding processes to include secure behavior modules from day one.

7. Service Provision

Delivering services to support behavior change.

Example: Providing a security hotline, IT support for implementing controls, or on-demand coaching from a Cyber Champion.

Build your intervention, roll it out, and measure what works. Behavior change is rarely one-and-done, it’s an iterative process that requires reflection, adaptation, and feedback.

This article only scratches the surface. For a deeper dive into how to apply this framework specifically in cybersecurity, including worked examples, templates, and planning guides, check out the book:

Behavioral Change Playbook for Cybersecurity

Your practical guide to designing effective, evidence-based interventions that actually change behavior in the digital world.