Cyber Rebels

What Is Behaviour-Led Cybersecurity Training?

The Cyber Rebels Five-Domain Model framework for behaviour-led cybersecurity training

In our previous article, Why Knowledge Alone Isn’t Enough, we explored why traditional cybersecurity awareness training often fails to prevent real-world cyber incidents.

Cybersecurity incidents are frequently attributed to human error. An employee clicked a malicious link, approved a fraudulent payment, or shared information with someone they believed to be legitimate.

These explanations are common in post-incident reports and security briefings. While they may accurately describe what happened, they rarely explain why the decision was made in the first place.

In many cases, the individual involved was not acting recklessly or ignoring security guidance. They were responding to a request that appeared legitimate within the context of their everyday work. The message may have come from what appeared to be a trusted colleague, referenced an ongoing project, or created a sense of urgency that felt consistent with normal operational pressure.

Modern cyber attacks are deliberately designed to exploit these situations. Rather than relying purely on technical vulnerabilities, attackers increasingly focus on influencing human behaviour — blending malicious requests into routine communication and business processes.

This creates a challenge for organisations. Employees are expected to remain productive, respond to requests quickly, and collaborate across digital platforms while at the same time identifying subtle signs of potential cyber threats.

In this environment, cybersecurity becomes less about simply knowing that threats exist and more about how individuals recognise and respond to risk within the flow of everyday work.

This article explores why many traditional cybersecurity awareness approaches struggle to address this challenge and introduces a different perspective: viewing cybersecurity not purely as a technical or knowledge problem, but as a behavioural and judgement-based capability that organisations must actively develop.

Cybersecurity as a Behavioural Challenge

When cyber incidents are analysed after the event, the explanation often appears deceptively simple. An employee clicked a malicious link, transferred funds to the wrong account, or shared information with someone who should not have received it.

At first glance, these events can appear to be failures of awareness. It may seem that the individual involved simply did not recognise the threat.

In reality, the situation is usually more complex.

Most modern cyber attacks do not rely primarily on technical exploitation. Instead, they rely on influencing human behaviour within the context of normal work activity. Messages are crafted to look familiar, requests are designed to appear legitimate, and situations are constructed so that responding quickly feels like the correct professional response.

Attackers understand how organisations operate. They understand that employees receive large volumes of communication each day, often across multiple platforms, and that responding quickly is often expected as part of professional responsibility. They also understand that people tend to trust messages that appear to come from colleagues, managers, or established suppliers.

For this reason, many cyber attacks are designed not to bypass technology, but to blend into everyday workflows.

A message requesting a payment update may appear as part of an ongoing conversation with a supplier. A document may arrive that looks relevant to a current project. An email may appear to come from a senior colleague asking for urgent assistance.

In these situations, the individual receiving the request must make a judgement call. They must decide whether the request is routine or unusual, whether verification is necessary, and whether the situation requires escalation.

These decisions are rarely made in ideal conditions. They are made during busy working days, often under time pressure, and frequently while managing competing priorities.

This is why cybersecurity cannot be treated purely as a knowledge problem.

It is fundamentally a behavioural and decision-making challenge.

When incidents are investigated, organisations often record the cause as human error. While this description may be technically correct, it rarely explains what actually happened. Labelling an incident as human error can obscure the more important question: why did the person make that decision at that moment?

Was the request consistent with normal workflows?
Did the message appear to come from a trusted authority?
Was the employee under time pressure or cognitive load?
Did the situation resemble legitimate activity they encounter every day?

Understanding these factors is essential if organisations want to reduce the likelihood of future incidents. Rather than treating human behaviour as the weakest link, organisations must recognise that employees operate within complex environments where attackers deliberately exploit trust, urgency, and routine activity.

This behavioural dimension of cyber risk is what has led to the emergence of new approaches to cybersecurity training.

The Emergence of Behaviour-Led Cybersecurity Training

As organisations have begun to recognise the behavioural nature of cyber risk, a shift in thinking has started to emerge within the field of cybersecurity education.

Traditional awareness programmes were designed primarily to increase knowledge. Employees were taught what phishing emails look like, why strong passwords matter, and how attackers attempt to gain access to systems or information. While this knowledge remains useful, experience has shown that awareness alone does not consistently prevent incidents.

Employees rarely fail because they have never heard of cyber threats. More often, incidents occur because individuals must make decisions within complex working environments where requests appear legitimate, time pressures are real, and the signals of risk are often subtle.

Modern cyber attacks are deliberately designed to exploit these conditions. Messages are crafted to resemble normal communication, requests appear consistent with everyday workflows, and attackers frequently impersonate trusted colleagues, suppliers, or senior leaders. In these situations, employees are required to make rapid judgements about whether something is routine or suspicious.

This growing recognition has led to the development of a different approach to cybersecurity education — one that focuses not simply on what employees know, but on how they recognise and respond to risk in practice.

At Cyber Rebels, this shift led to the development of what we describe as Behaviour-Led Cybersecurity Training.

Behaviour-Led Cybersecurity Training is an approach to cybersecurity education that focuses on developing the behavioural judgement employees use to recognise, verify, and respond to cyber risk within real working environments, rather than relying solely on awareness of threats or compliance-based instruction.

The distinction is important. Traditional awareness training aims to ensure employees are aware of cyber threats and common attack techniques. Behaviour-led training aims to ensure employees can apply sound judgement when faced with ambiguous or unexpected situations during their normal work activities.

This approach recognises that most cyber incidents do not occur because employees lack information. Instead, they occur because attackers successfully create situations that appear routine, credible, or urgent. The challenge for organisations, therefore, is not simply to inform employees about threats, but to help them develop the behavioural capability to identify and challenge suspicious activity within the flow of everyday work.

In this sense, the objective of cybersecurity training changes. Rather than measuring success purely through awareness scores or knowledge retention, the goal becomes the development of consistent behavioural responses to cyber risk.

Recognising that organisations needed a practical way to develop these capabilities, Cyber Rebels formalised this approach through the Five-Domain Model. The model provides a structured framework for building the behavioural skills employees require to recognise and respond to cyber threats within real organisational environments.

Together, Behaviour-Led Cybersecurity Training and the Five-Domain Model represent a shift in how organisations approach human cyber risk. Instead of viewing employees as the weakest link in security, the focus becomes developing the judgement and behavioural capability that enables them to act as a confident and effective line of defence.

The Cyber Rebels Five-Domain Model

Recognising that cyber risk is fundamentally behavioural raises an important question for organisations: how can employees develop the judgement required to recognise and respond to cyber threats within the flow of everyday work?

Awareness alone does not automatically translate into secure behaviour. Employees may understand that phishing emails exist, or that sensitive information should be protected, but when confronted with a request that appears legitimate and urgent, they must still decide how to act in that moment.

To address this challenge, Cyber Rebels developed the Five-Domain Model. The model provides a structured way of understanding the behavioural capabilities employees rely on when navigating cyber risk in real organisational environments.

Rather than treating cybersecurity purely as a technical or compliance issue, the Five-Domain Model focuses on the decision-making processes that influence how employees recognise risk, verify information, and respond to unusual situations during their normal work activities.

The model identifies five interconnected domains, each representing a different aspect of the behavioural capability required to operate securely in modern digital workplaces.

Why the Domains Exist

Cyber incidents rarely occur because a single control failed or because an employee lacked information. More often, incidents occur because several factors combine at the same time. A request appears legitimate, the employee is working under time pressure, the message seems to come from a trusted colleague, and the task aligns with something they might reasonably expect to do.

In these situations, employees must rely on judgement rather than simple rules.

The Five-Domain Model exists to help organisations understand and develop the different forms of judgement that influence these decisions. By breaking behavioural cyber capability into distinct domains, organisations can move beyond general awareness and instead focus on strengthening the specific skills employees use when interacting with digital information, communication, and systems.

Together, the five domains describe the behavioural foundations of effective cyber resilience.

Domain One: Contextual Risk Recognition

The first domain focuses on the ability to recognise when something appears unusual within the context of normal work activity.

Cyber attacks rarely present themselves as obvious threats. Instead, they are designed to blend into routine communication and business processes. A message may reference an ongoing project, an invoice request may appear consistent with a supplier relationship, or a document may arrive that seems relevant to a current task.

Employees therefore need the ability to recognise when a request does not fully align with the context in which it appears.

Contextual risk recognition involves noticing subtle inconsistencies: an unexpected change to payment details, a request that bypasses normal procedures, or a message that creates a sense of urgency without clear justification. These signals are often small, but recognising them is the first step in preventing many forms of social engineering and fraud.

Domain Two: Verification and Control Discipline

Recognising a potential risk is only the first step. Employees must also know how to verify the legitimacy of requests before acting on them.

Verification and control discipline refers to the consistent use of established processes that confirm whether a request is genuine. This may include verifying payment details through a known contact, confirming identity before sharing sensitive information, or following internal approval processes for financial transactions.

Many successful cyber attacks occur when attackers persuade employees to bypass these verification steps. Under time pressure or when responding to senior colleagues, individuals may feel compelled to act quickly rather than confirm details.

Strong verification discipline creates friction for attackers and helps ensure that important decisions are not made solely on the basis of a single message or request.

Domain Three: Secure Operational Behaviour

The third domain focuses on the everyday habits and behaviours that shape an organisation’s overall security posture.

Much of cybersecurity is influenced by routine actions. How employees manage passwords, how they handle sensitive documents, how they use organisational systems, and how carefully they manage access to information all contribute to the security environment within an organisation.

Secure operational behaviour involves maintaining these practices consistently, even when working under pressure or managing multiple responsibilities. When secure habits are embedded within everyday workflows, the organisation becomes more resilient to opportunistic attacks and accidental exposure of information.

Domain Four: Incident Judgement and Escalation

Even in well-managed environments, suspicious situations will still arise. Employees may receive unusual messages, encounter unexpected system behaviour, or notice activity that appears inconsistent with normal processes.

When this happens, employees must decide whether the situation requires escalation.

Incident judgement and escalation focuses on the ability to recognise when something may represent a genuine threat and to involve the appropriate people or teams. Equally important is the confidence to raise concerns without hesitation.

Organisations with strong cyber cultures encourage employees to report concerns early rather than second-guess themselves. Early escalation can prevent minor incidents from developing into larger security breaches.

Domain Five: Professional Cyber Judgement

The fifth domain reflects the broader mindset employees bring to cybersecurity within their professional roles.

Professional cyber judgement involves recognising that digital risk is not solely the responsibility of technical teams or security specialists. Instead, it forms part of the everyday responsibilities of employees working with information, communication, and digital systems.

Employees who develop professional cyber judgement begin to consider the potential consequences of their actions in digital environments. They balance productivity with security considerations and recognise when it is appropriate to pause, verify, or seek guidance before proceeding.

Over time, this mindset helps embed cybersecurity as a normal part of professional practice rather than an external compliance requirement.

A Framework for Behavioural Cyber Capability

Taken together, the Five-Domain Model provides a structured framework for developing behavioural cyber capability across an organisation.

Rather than relying solely on awareness campaigns or technical controls, the model focuses on strengthening the judgement employees apply when navigating everyday work situations that may involve cyber risk.

Each of the five domains contributes to reducing cyber risk in a different way.

When employees develop contextual risk recognition, they become more likely to notice when a request, message, or activity does not fully align with normal workflows. This increases the likelihood that suspicious situations are recognised before an action is taken.

Strengthening verification and control discipline ensures that employees confirm unusual requests through trusted channels before acting. By reinforcing simple verification behaviours, organisations introduce friction that many social engineering and fraud attacks struggle to overcome.

Developing secure operational behaviour improves the everyday habits that shape an organisation’s security posture. Consistent practices around handling information, managing credentials, and following established procedures reduce opportunities for both opportunistic attacks and accidental exposure.

Building capability in incident judgement and escalation encourages employees to raise concerns when something appears suspicious rather than ignoring or second-guessing potential risks. Early escalation allows organisations to intervene before an issue develops into a larger security incident.

Finally, strengthening professional cyber judgement helps employees recognise that cybersecurity is part of their everyday professional responsibility. Instead of treating security as an external compliance requirement, individuals begin to balance productivity, trust, and security when making decisions in digital environments.

When these behavioural capabilities are developed together, they reduce the conditions that attackers typically rely upon: unquestioned trust, rushed decisions, and unverified requests that appear legitimate within routine business activity.

By strengthening judgement across these five domains, organisations can significantly reduce the likelihood that attackers will successfully exploit normal workflows, professional relationships, and operational pressure.

The Five-Domain Model therefore forms the foundation of Behaviour-Led Cybersecurity Training, providing organisations with a practical way to build the behavioural resilience required to operate securely in modern digital environments.

From Awareness to Behavioural Capability

For many years, cybersecurity training has focused on awareness. Employees were taught to recognise threats, follow policies, and understand the risks associated with digital systems. That foundation remains important.

But awareness, on its own, doesn’t determine what happens in the moment.

Modern attacks are designed to blend into normal work. They mimic familiar communication, align with expectations, and rely on situations where there is no clear signal that something is wrong. In those conditions, people aren’t recalling training — they’re responding to what’s in front of them.

That’s where the outcome is shaped.

Not by what someone knows, but by how they interpret the situation — and what they decide to do next.

This is where behavioural capability becomes critical.

It reflects the ability to recognise context, question what doesn’t quite align, verify when something feels uncertain, and act appropriately even when the pressure is to continue. These are not abstract skills. They are applied in real time, within the flow of everyday work.

Frameworks such as the Five-Domain Model provide a way to strengthen this capability — not by adding more information, but by focusing on how decisions are made when situations are ambiguous.

Awareness still has a role. But it is only the starting point.

Because cybersecurity doesn’t usually break down through a lack of knowledge.

It breaks down in the moments where something feels routine enough to continue — and there’s no clear reason to question it.

Andy Longhurst, Director of Training and Development, Cyber Rebels

Andy Longhurst is the founder of Cyber Rebels and a cybersecurity practitioner and educator focused on how risk actually shows up in real organisations. His work sits at the intersection of digital safety, education, and practical risk management — helping teams understand not just what policies say, but what happens in the moments where decisions are made under pressure. With a background spanning adult education, web development, and technical consultancy, Andy specialises in translating complex security concepts into clear, usable understanding. Rather than focusing solely on tools or compliance frameworks, his approach centres on human behaviour, judgement, and the systems that shape everyday choices. He delivers live, interactive cyber awareness training for organisations of all sizes, from small businesses and education providers to public-sector teams and larger organisations operating in complex risk environments. Outside of delivery, Andy spends his time analysing emerging attack patterns, refining training design, and exploring how organisations can build resilience that holds up in the real world — usually with a strategically sized cup of tea close to hand.