
Building Security Culture through Behavioral Insights


Summary

Parkinson's UK is the United Kingdom's leading charity dedicated to finding a cure for Parkinson’s disease and improving life for all those affected by the neurological condition. As a vital healthcare organization that supports over 166,000 people living with Parkinson's, the charity relies heavily on technology to deliver services, conduct research, and maintain essential operations.

As Parkinson’s UK’s Technology Lead, Marc Green understood that securing the organization’s critical operations required more than just technical security measures. Given their staff’s reliance on digital infrastructure to support vulnerable individuals and deliver services, he recognized that the human element of cybersecurity was paramount: “My primary goal was to minimize the organization’s exposure to cyber threats. We had a lot of sensitive data, data on our supporters, our volunteers, people with Parkinson’s disease.”

"It's my job to support, secure, maintain and improve the technology we use throughout the charity," Marc continued. "And part of that job is to foster a strong culture of cyber resilience amongst all our staff."

Challenges Before OutThink

Prior to OutThink, Parkinson's UK didn’t have a comprehensive security awareness training platform that engaged their employees and volunteers effectively. Their approach was fragmented and failed to reinforce the importance of secure behavior - insufficient for building the resilient cybersecurity culture Marc had in mind. "The problem was we didn't have a proper cyber awareness platform before. We did things in house, we had some really basic training that new users would get, and when people join a company, they've got hundreds of things they need to read. There's processes, procedures, they got a new laptop, they're trying to learn how to use new systems," Marc recalled. "Our previous cybersecurity training was just a really small part of that. I wanted something more than that."

Parkinson’s UK’s security awareness training program suffered from poor engagement since employees found the content boring or were too busy with their other onboarding activities to participate meaningfully. This created significant gaps in the organization's security posture. "Traditional training can be boring and people tune out or they're too busy. So we wanted something snappy that was going to grab people's attention," Marc emphasized.

Without proper metrics and tracking capabilities, he found it impossible to identify areas for improvement or demonstrate the effectiveness of security initiatives to leadership. This lack of visibility on human risk and organizational security hygiene was of serious concern to Marc and the rest of the Parkinson’s security team: "We wanted it [training] to be measurable. So we want to track progress and pick out the areas where people need to improve."

The charity sought a solution that would consistently reinforce, update, and refresh cybersecurity principles rather than one-time training sessions with minimal lasting impact. Marc wanted to make security awareness top of mind across the organization: "I wanted something more than that [one-time training sessions]. Something to be ongoing, something that's just going to keep on reinforcing how important staying safe online is."

The OutThink Solution

What immediately stood out to Marc and the rest of the Parkinson’s security team was OutThink’s foundation in behavioral science and psychology. Marc was looking for a human-centric, evidence-based solution that went well beyond standard-issue legacy security awareness training. "What set it apart for me was the way it set out to teach people. There was science behind it, there was psychology behind it,” he pointed out. “And it was really interesting to me how that was used to generate ideas and structure campaigns."

OutThink’s engaging, attention-grabbing content enabled Parkinson's UK to overcome the limitations of traditional training approaches. Additionally, the fact that the right training is delivered to the right person at the right time really appealed to Marc: “One of the reasons I signed up with OutThink is that there was a lot of psychology behind it and a lot of science about how people should train, when people should train and how [the platform] engages with people to get the best out of the training.”

The OutThink platform provided Parkinson’s UK with the data-backed insights and visibility at the organizational and individual levels to identify risky behaviors and gaps in understanding. That understanding then allowed the security team to home in on those risk zones with personalized training specific to the users who needed it, according to Marc: “We're looking at the sort of users who are maybe apathetic or classed as rule breakers in the system and trying to find out why they're like that to try and engage with them a bit more, offer some more targeted training, and see if we can pinpoint if they're in particular groups or particular departments. We've definitely used those metrics to provide additional training for them.”

Marc worked closely with OutThink to create and implement highly relevant phishing campaigns that reflect the real systems and threats that Parkinson's UK employees encounter daily. He highlighted that the level of support he received from the OutThink team made a real difference to Parkinson’s security awareness program: "I really try and make sure that I'm picking up examples that are really relevant to our users. So when I use the gallery templates, I'm picking systems that we use every day." He underscored that, "I've also worked with the team at OutThink to create bespoke phishing emails which replicate internal systems that we use which aren't necessarily going to be around in the gallery."

Marc also singled out OutThink’s innovativeness and focus as a key aspect of Parkinson’s UK’s success in using the platform. OutThink’s new features and capabilities have enhanced the organization’s security culture over time: “The [OutThink] team have been brilliant since we came on. You're coming up with new features all the time. You're not some IT behemoth for whom cyber awareness is tacked onto another part of their business. This is what you do. Just in the last few years, the improvements you've made for the platform are great. And you'll still help with little things as well.”

The Results

The most significant outcome for Marc and Parkinson’s UK was the measurable decrease in the organization’s overall Human Risk Score* and the concrete evidence of its improved security posture. Over the course of the past 12 months, Parkinson’s UK’s Human Risk Score decreased by 10%, a significant improvement. "Our risk score has dropped. It has dipped in the last year and I'm sure over the two or three years it's dipped even more than that.” He added that, “There have been so many changes or improvements to the system around the way it sort of detects user behavior."

*OutThink’s Human Risk Score is a composite metric composed of adaptive security awareness training data (such as knowledge, confidence, compliance), phishing simulation data (such as click rate, reporting rate), privileged access data, and data from integrations.

Marc attested that key performance metrics he tracks showed substantial improvement, particularly in areas that indicate genuine behavioral change:

- Reporting Rate: the rate at which users report suspicious emails has doubled since Parkinson’s deployed the OutThink platform.

"The obvious one is click rate. How many people are clicking on links they shouldn't be, and the less people, the better. I think one important one for us which we've seen improvement on is reporting rate, because that shows that people are paying attention to the training. They're looking at things more closely and the telltale signs of phishing emails are being picked up."

Beyond the quantitative indicators demonstrating an improved security posture, Marc insisted that he’s observed genuine cultural transformation in how employees engaged with cybersecurity in their daily work throughout Parkinson’s UK. There’s been a transformation in security culture, much to his satisfaction: "It's [cybersecurity culture] improved significantly. I think now that we've got proper programs in place, people are really engaging. People are engaging more and are really worried when they see an email from me," he joked. “'Are you trying to trick me, Marc?' I'm like, 'No, this is a genuine email.' They're on their toes, which is good. I don't want everyone to be panicking non-stop, but it's good that some people are wary enough to wonder. 'Hang on, let me just speak to Marc about this because I'm not sure about this email.'"

Marc's outlook emphasized achievable goals that led to incremental improvements across the organization. Cultural change is hard and takes time, but the OutThink platform provided him with the capabilities to measurably move the needle from a human risk perspective: "In an ideal world, we want to be at a place where security is ingrained in everyone's daily routines. I think I'm realistic - I realize that we're not going to get 100% people to think like that, but if I can reduce our organizational human risk score by 15-20%, that's a great start."

Key Success Factors

- Science-Based Methodology: Evidence-based approach rooted in behavioral psychology

- Customizable Content: Simulations that reflect real internal systems and threats

- Measurable Outcomes: Clear metrics for tracking progress and identifying risk areas

- Continuous Engagement: Ongoing reinforcement rather than one-time training events

- Targeted Interventions: Personalized training approaches for high-risk user segments

- Dedicated Focus: Purpose-built platform focused exclusively on cybersecurity human risk management

- Collaboration and Innovation: Ongoing support and innovative feature development by the OutThink team

Recommendation

Parkinson's UK has successfully embedded cybersecurity awareness and human risk management into its organizational culture, creating the foundation for a resilient security culture: "People in general are more aware about the risks out there, whether it be phishing, QR phishing, the threats associated with AI. So people are interested and this has come at a really good time."

Marc stressed the OutThink platform's technical capabilities and its focus on human risk management and adaptive security awareness training, saying, “the adaptiveness [of the training], the focus of the organization purely on building cyber awareness and culture, those are the things that I think have really made a difference.”

Industry

Healthcare & Sciences

Headquarters

London, United Kingdom
