Cyber Rebels

How Employees Actually Make Security Decisions at Work

Contrast between training and real work environments.

The Reality of Workplace Decisions

There’s an assumption built into most cybersecurity training.

That when an employee is faced with something suspicious, they will recognise the moment, pause what they are doing, and apply what they have been taught. That they will step out of the flow of work, assess the situation, and make a deliberate, rational decision based on risk.

It sounds reasonable.

But it doesn’t reflect how people actually work.

In reality, decisions are rarely made in isolation or under ideal conditions. They are made in the middle of a working day—while emails are coming in, conversations are ongoing, deadlines are approaching, and attention is already divided across multiple tasks.

Work is continuous. It doesn’t pause to allow for careful analysis.

So when something potentially risky appears, it is not treated as a separate event.

It is treated as part of the workload.

An email arrives. It looks familiar. The request seems routine. There is a sense—sometimes subtle, sometimes explicit—that it would be better to deal with it now rather than later.

The decision that follows is quick.

Not because the person is careless, but because that is how work is structured. People are expected to respond, to keep things moving, and to avoid unnecessary delays. Slowing down to analyse every interaction is not how most roles are designed to function.

And that is where the gap begins.

Because in that moment, the decision is not being made as a “security decision” in the way training often imagines. It is being made as a work decision—shaped by context, familiarity, and the need to progress.

This is why so many incidents appear obvious in hindsight.

When we look back, we isolate the moment. We remove the surrounding pressure and examine the decision as if it happened in a controlled environment. From that perspective, the signs seem clearer, and the outcome appears avoidable.

But that is not how the decision was experienced at the time.

It was made quickly, within context, and in line with how hundreds of other decisions are made throughout the day.

Understanding that difference is where effective cybersecurity training begins.

Security Decisions Don’t Happen in Isolation

One of the biggest gaps in how organisations think about cybersecurity is the assumption that security decisions happen as standalone events.

They don’t.

In reality, no one sits down and processes an email in isolation. Every decision is made alongside everything else happening in that moment—messages coming in, deadlines approaching, conversations unfolding, and a constant pressure to keep work moving.

Security is just one small part of a much bigger picture, and most of the time it isn’t the priority.

What tends to matter more is progress. Keeping up with workload, responding quickly, and not becoming the reason something slows down. Those pressures shape behaviour throughout the day, often without people consciously recognising it, creating an environment where speed feels valuable and hesitation can feel like a problem.

Now place a potential security risk into that environment.

Imagine someone in accounts nearing the end of the day. They’ve been working through invoices, responding to queries, and trying to clear their task list before logging off. Their inbox is still active, a few items still need attention, and there’s a quiet pressure to get things finished.

An email arrives that appears to come from a supplier they’ve dealt with before. The tone feels familiar, the request is simple—updated payment details for an upcoming invoice—and there’s just enough urgency in the message to suggest it would be better dealt with now rather than later.

Nothing about it immediately stands out as unusual.

In isolation, it might be questioned. The details might be checked. A quick verification might feel like the sensible next step.

But it doesn’t arrive in isolation.

It arrives at the end of a busy day, in the middle of a workflow, surrounded by other tasks that all feel equally important.

So it is processed in the same way as everything else.

The decision isn’t framed as a security judgement, but as part of getting work done. The employee is not stepping back to analyse risk in a structured way; they are relying on what feels familiar, what appears consistent with past experience, and what allows them to move forward without creating additional friction.

When you look back afterwards, it is easy to focus on what should have happened—the checks that could have been made, the signs that might have been spotted, the policy that wasn’t followed. But those explanations are shaped by hindsight.

At the time, the decision made sense.

It was consistent with how work is normally processed, influenced by the same pressures, expectations, and patterns that guide hundreds of other decisions throughout the day.

And that is the point most organisations miss.

Security decisions are not separate from everyday work. They are embedded within it, shaped by the same conditions, and made using the same mental shortcuts. Unless training and processes reflect that reality, behaviour is unlikely to change in any meaningful or lasting way.

The Four Things That Drive Decisions

When people make decisions at work, especially under pressure, they are not consciously weighing up every possible risk. If they did, nothing would get done.

Instead, the brain relies on shortcuts—fast, efficient ways of interpreting information that allow people to keep moving without stopping to analyse every detail. These shortcuts are not flaws; they are necessary. In a busy working environment, they are what make productivity possible.

But they also shape behaviour in predictable ways.

Across different roles, industries, and situations, four consistent factors tend to influence how employees respond to emails, requests, and potential threats: context, trust, urgency, and effort. These aren’t security-specific concepts—they are fundamental to how human decision-making works. And that’s exactly why they are so effective when exploited.

Context: Does This Look Normal?

The brain is designed to filter information quickly, not perfectly.

If every new piece of information had to be analysed from scratch, even routine work would become overwhelming. So instead, the brain builds patterns based on past experience and uses those patterns to make rapid judgements.

When something looks familiar—similar layout, language, tone, or structure—it is processed as “normal” almost instantly. That decision often happens before conscious thought even kicks in.

Which means the question being answered in the moment isn’t “Is this secure?”
It’s “Does this look normal?”

Most of the time, that works. The majority of interactions in a working day are legitimate, so recognising patterns allows people to move efficiently without overthinking every step.

But this creates a blind spot.

Because once something fits an expected pattern, the brain doesn’t actively search for risk—it assumes safety and moves on. Attention shifts away from scrutiny and towards completion. Subtle inconsistencies are more likely to be overlooked, not because they are invisible, but because the brain has already decided there is nothing worth investigating.

That’s exactly what attackers rely on. They don’t need to be perfect—they just need to be familiar enough to avoid triggering attention in the first place.

Trust: Do I Recognise the Sender?

Humans rely on trust because without it, work would slow to a halt.

In any organisation, people cannot verify every interaction. They need to assume that internal communication, known contacts, and familiar names are legitimate, otherwise even basic collaboration becomes inefficient.

So the brain uses recognition as a shortcut.

If a name is familiar, if the email appears to come from someone known, or if the tone matches previous interactions, the level of scrutiny drops automatically.

Which means the question being answered isn’t “Should I verify this?”
It’s “Do I recognise the sender?”

There is also a social dimension to this.

Challenging or questioning a request—especially from someone more senior—introduces friction. It can feel unnecessary, awkward, or even risky in terms of how it might be perceived. So people often default to cooperation, particularly when the request appears reasonable.

This creates a subtle but powerful dynamic.

Trust doesn’t just reduce scrutiny—it actively discourages challenge. And once a request sits within that trusted space, overriding it requires conscious effort, confidence, and sometimes the willingness to disrupt normal working relationships.

Attackers understand this. They don’t just imitate identity—they position themselves where trust already exists, knowing that once something feels legitimate, it becomes significantly harder to question.

Urgency: Do I Need to Act Now?

Urgency changes how the brain allocates attention.

When something feels time-sensitive, the brain shifts into a more reactive state. The focus narrows, prioritising immediate action over careful evaluation. This is a natural response—one that is useful in situations where speed genuinely matters.

But it comes with a trade-off.

Under pressure, the brain processes less information. It filters out anything that slows decision-making, which makes subtle warning signs easier to miss. Critical thinking doesn’t disappear, but it becomes harder to apply because the situation feels like it doesn’t allow time for it.

So the question shifts.

Not “Is this safe?”
But “Do I need to act now?”

In a workplace where responsiveness is expected, acting quickly often feels like the correct behaviour. People are used to being measured on how efficiently they respond, not how long they pause to assess risk.

This creates a tension.

The very environments that reward speed can unintentionally discourage hesitation, even when hesitation would be the safer choice. And in that moment, urgency doesn’t just influence the decision—it reshapes what “good performance” looks like.

That’s why urgency is so effective in social engineering. It doesn’t force behaviour—it aligns with existing expectations and accelerates them.

Effort: Is It Easier to Just Do It?

The brain is constantly managing energy, even if we’re not aware of it.

Every decision requires mental effort, and over the course of a working day, that effort builds up. This is known as cognitive load, and as it increases, the brain naturally looks for ways to reduce it.

One of the simplest ways to do that is to choose the path that requires the least resistance.

If something can be completed quickly, without additional steps, it becomes the default choice—especially when someone is already busy or mentally fatigued.

Which means the question being answered isn’t “What is the most secure option?”
It’s “Is it easier to just do it?”

This isn’t laziness—it’s efficiency.

In most cases, taking the quicker route is the correct decision. It keeps work moving and avoids unnecessary friction. But when security relies on additional steps—verification, double-checking, escalation—that same instinct can lead to those steps being delayed or skipped entirely.

Over time, this becomes a pattern.

If secure behaviour consistently feels slower, more complex, or more disruptive than simply completing the task, it will never be applied consistently. Not because people don’t care, but because the environment they are operating in makes it difficult to prioritise security without sacrificing efficiency.

And in a busy working day, efficiency usually wins.

Bringing the Four Drivers Together

What makes these four factors particularly important is not just their individual impact, but how naturally they combine.

In isolation, each one seems reasonable. Context helps people move quickly. Trust allows collaboration to function. Urgency keeps work progressing. Efficiency reduces unnecessary effort. None of these are problems on their own—in fact, they are exactly what organisations rely on to operate effectively.

The issue is what happens when they align.

A message that looks familiar, appears to come from someone trusted, introduces a sense of urgency, and can be actioned quickly does not feel like a risk. It feels like something that should be dealt with immediately, something that fits naturally into the flow of the working day.

And that’s where the real challenge sits.

Because at that point, the decision is no longer being evaluated as a security judgement. It is being processed as part of normal work. The same mental shortcuts that help people stay productive are now shaping a decision that carries risk, without that risk ever being fully considered.

This is why so many incidents appear obvious in hindsight but go unnoticed in the moment.

When we look back, we isolate the email, the request, or the action, and assess it in a controlled way. We ask what should have been spotted, what checks should have been made, and why the signs weren’t recognised.

But in reality, the decision was never made under those conditions.

It was made quickly, within context, using patterns, trust, urgency, and effort as guides—just like hundreds of other decisions made that same day.

And that’s the point.

These behaviours are not edge cases. They are not the result of poor judgement or lack of awareness. They are the natural outcome of how people are wired to operate in environments that demand speed, responsiveness, and constant decision-making.

Which is exactly why they are so consistently exploited.

Why This Matters for Cybersecurity

When you step back and look at how these decisions are actually made, a different picture of cybersecurity starts to emerge.

Incidents are often framed as failures—someone clicked something they shouldn’t have, trusted something they shouldn’t have, or didn’t follow the process they were given. The assumption is that if the individual had been more careful, more aware, or more attentive, the outcome would have been different.

But that explanation doesn’t hold up when you look at how work really happens.

Because the conditions that lead to those decisions are not unusual. They are present every day. Familiarity, trust, urgency, and the need to move quickly are not rare—they are built into how organisations operate. They are what allow work to function at pace.

And that’s exactly what makes them so effective when exploited.

Cyber attackers are not working against human behaviour—they are working with it. They design emails, messages, and scenarios that align with the same patterns people rely on to get through their day. They don’t need to bypass security awareness; they position themselves within it.

A message that feels normal, comes from a recognised source, creates a sense of urgency, and can be actioned quickly doesn’t register as a threat in the moment. It registers as something that needs to be done.

Which is why so many incidents feel obvious in hindsight.

When we review them afterwards, we slow everything down. We isolate the email, remove the surrounding pressures, and analyse it in a controlled way. From that perspective, the signs are clearer. The decision appears avoidable.

But the original decision was never made under those conditions.

It was made in the flow of work, shaped by the same drivers that influence hundreds of other decisions every day. And in that environment, the outcome was not irrational—it was consistent with how people are used to operating.

This is the gap that often goes unaddressed.

Cybersecurity is still frequently approached as a knowledge problem. If people understand the risks, they will make better decisions. If they know what to look for, they will spot it in time.

But understanding does not remove context. It does not reduce pressure. It does not change the instinct to trust or the need to act quickly. And it does not make effort irrelevant in a busy working environment.

So even when awareness is high, behaviour does not always follow.

And that is where the limitation begins to show.

Why Awareness Training Reaches a Limit—and What Comes Next

Cybersecurity awareness training has played an important role in improving baseline understanding across organisations.

Most employees today are familiar with the core ideas. They recognise phishing as a concept, understand the importance of strong passwords, and have a general awareness that cyber threats exist. Compared to where organisations were ten or fifteen years ago, that represents real progress.

But awareness was never designed to solve the entire problem.

At its core, awareness training focuses on information. It teaches people what to look for, what risks exist, and what they should do in response. It assumes that if someone has the knowledge, they will be able to apply it when the situation arises.

The challenge is that real-world decisions don’t happen in the conditions that awareness training is built around.

They don’t happen in isolation.
They don’t happen without pressure.
And they don’t happen with unlimited time to think.

They happen in the same environments we’ve already explored—fast-paced, interrupt-driven, and shaped by context, trust, urgency, and effort.

This creates a disconnect.

An employee may fully understand what a phishing email looks like in a training scenario, where they are given time, focus, and a clear prompt to assess risk. But that same recognition becomes far less reliable when the email appears in the middle of a busy working day, surrounded by competing priorities and subtle pressures to act quickly.

It’s not that the knowledge has disappeared.

It’s that the conditions required to apply it are no longer there.

This is where awareness reaches its limit.

Because awareness does not remove the factors that shape behaviour. It does not reduce cognitive load. It does not change how the brain prioritises speed under pressure. It does not override trust, and it does not make verification feel easier in the moment.

So while awareness improves understanding, it doesn’t guarantee action.

And over time, this leads to a familiar pattern.

Training is completed. Knowledge increases. But when incidents occur, they still follow the same pathways—familiarity, trust, urgency, and effort—because those underlying drivers haven’t changed.

At that point, adding more information doesn’t address the root issue.

What’s needed is a shift in focus.

If decisions are shaped by how people operate in real environments, then cybersecurity training needs to reflect that reality. It needs to move beyond simply explaining risk and start addressing how decisions are made under pressure, in context, and at pace.

This is where behaviour-led cybersecurity comes in.

Rather than assuming people will step out of their workflow to make a “security decision,” a behaviour-led approach works with how decisions actually happen. It focuses on recognising risk within normal tasks, building practical verification habits that fit into existing processes, and strengthening judgement in situations where time and attention are limited.

It also acknowledges something that traditional approaches often overlook.

Secure behaviour has to be realistic.

If the secure option consistently feels slower, more complex, or more disruptive than simply completing the task, it will never be applied consistently—regardless of how aware people are. So the focus shifts from telling people what they should do, to helping them develop ways of working that make secure decisions more natural and achievable.

This is not about replacing awareness.

It’s about building on it.

Awareness provides the foundation. It introduces the concepts and creates a baseline understanding. But on its own, it doesn’t change how decisions are made in the moment.

Behaviour-led cybersecurity addresses that gap.

It focuses on the conditions, the pressures, and the patterns that shape real decisions, helping people move from knowing what is right… to being able to act on it, consistently, in the environments they actually work in.

The Role of the Five-Domain Model

Once you understand how decisions are actually made at work, the shape of an effective approach to cybersecurity becomes much clearer.

If decisions are driven by context, trust, urgency, and effort—then improving security isn’t about adding more information. It’s about strengthening how people respond within those conditions.

That is the thinking behind the Five-Domain Model.

Rather than treating cybersecurity as a series of isolated topics, the model focuses on the behaviours that influence decisions in real working environments. Each domain is designed to address a specific gap between what people know and what they are able to do in the moment.

The first of these is Contextual Risk Recognition.

Traditional training often relies on obvious warning signs—suspicious links, poor spelling, unusual requests. But as we’ve seen, decisions are rarely made through careful analysis. They are made quickly, based on whether something feels normal.

Contextual Risk Recognition focuses on shifting that initial filter. It helps employees recognise when something sits slightly outside expected patterns, even if it appears familiar on the surface. Instead of asking “Does this look normal?”, the aim is to develop the instinct to pause when something feels just out of place—subtle inconsistencies in timing, tone, or context that might otherwise be overlooked.

This directly addresses the way context shapes decisions, by making risk visible earlier in the process.

The second domain is Verification & Control Discipline.

Trust is essential in any organisation, but as we’ve explored, it also reduces scrutiny. When something appears to come from a recognised source, people are far less likely to question it.

Verification & Control Discipline focuses on embedding simple, repeatable ways to verify requests without disrupting workflow. The goal is not to remove trust, but to balance it with practical checks that feel normal rather than exceptional. This is particularly important in situations where authority or familiarity might otherwise discourage challenge.

In doing so, it addresses the natural tendency to rely on recognition and helps create a culture where verification is part of how work gets done, not something that only happens when something feels obviously wrong.

The third domain is Secure Operational Behaviour.

As we’ve seen, effort plays a significant role in decision-making. When people are busy, they will naturally choose the path that allows them to complete tasks quickly and efficiently.

Secure Operational Behaviour focuses on how everyday actions are carried out across systems, devices, and processes. It looks at how to reduce friction in secure practices, making the right action easier to take in the moment. This might involve reinforcing habits, simplifying processes, or ensuring that secure behaviours align with how work is already being done.

Because if the secure option feels impractical, it won’t be used consistently—no matter how well people understand the risks.

The fourth domain is Incident Judgement & Escalation.

Urgency changes how decisions are made, often reducing the likelihood that something will be questioned or reported. Even when something feels slightly off, the pressure to act quickly can override hesitation.

This domain focuses on helping employees recognise when a situation requires escalation and giving them the confidence to act on that judgement. It also addresses the social and organisational barriers that can prevent escalation—uncertainty, hesitation, or concern about being wrong.

The aim is to ensure that when something doesn’t feel right, people are able to act on that instinct, even under pressure.

The final domain is Professional Cyber Judgement.

This brings the previous domains together.

In reality, decisions are rarely driven by a single factor. Context, trust, urgency, and effort interact in ways that shape behaviour in the moment. Professional Cyber Judgement is about developing the ability to navigate those competing influences and make balanced decisions within real-world conditions.

It is not about perfect decision-making, but about consistency. About building the confidence and capability to respond effectively, even when the situation is unclear or time is limited.

Taken together, the Five-Domain Model reflects a shift in how cybersecurity is approached.

It moves away from the idea that people simply need more awareness, and towards the understanding that behaviour is shaped by environment, pressure, and human decision-making patterns.

Each domain exists to address a specific part of that reality.

To make risk more visible within context.
To balance trust with verification.
To reduce friction in secure behaviour.
To support escalation under pressure.
And ultimately, to strengthen judgement across all of it.

Because if cybersecurity is going to improve in a meaningful way, it has to align with how people actually work—not how we assume they do.

Bringing It Back to Reality

Employees are not failing because they don’t understand cybersecurity.

In most organisations today, awareness is higher than it has ever been. People recognise common threats, understand good security practices, and know that risks exist. The idea that incidents happen simply because employees “don’t know any better” is becoming harder to justify.

What matters is something else.

Decisions are not made in controlled environments. They are made in the middle of a working day, shaped by competing priorities, expectations, and the pressure to keep things moving. In that environment, people rely on patterns, trust what feels familiar, and act in ways that allow them to continue.

Those behaviours are not exceptions.

They are how work gets done.

The challenge is that the same behaviours that support productivity can also be exploited. A well-crafted attack doesn’t need to break those patterns — it only needs to fit within them. It needs to look normal, feel familiar, and allow the decision to be made without interruption.

When that happens, the outcome isn’t carelessness.

It’s a decision that made sense in the moment.

This is why awareness alone will always leave a gap. Not because it isn’t valuable, but because it doesn’t change the conditions in which decisions are made.

If those conditions remain the same, behaviour remains the same.

And if behaviour remains the same, so do the outcomes.

Improving cybersecurity, therefore, isn’t about expecting people to step outside of how they naturally work. It’s about understanding those patterns and designing approaches that operate within them.

Because in the end, cybersecurity isn’t defined by what people know.

It’s defined by what they do when it matters — when time is limited, attention is divided, and the decision doesn’t feel like a security decision at all.

And that’s where it breaks down.

Not when something looks dangerous.

But when it feels routine enough to continue.

Director of Training and Development, Cyber Rebels. Andy Longhurst is the founder of Cyber Rebels and a cybersecurity practitioner and educator focused on how risk actually shows up in real organisations. His work sits at the intersection of digital safety, education, and practical risk management — helping teams understand not just what policies say, but what happens in the moments where decisions are made under pressure. With a background spanning adult education, web development, and technical consultancy, Andy specialises in translating complex security concepts into clear, usable understanding. Rather than focusing solely on tools or compliance frameworks, his approach centres on human behaviour, judgement, and the systems that shape everyday choices. He delivers live, interactive cyber awareness training for organisations of all sizes, from small businesses and education providers to public-sector teams and larger organisations operating in complex risk environments. Outside of delivery, Andy spends his time analysing emerging attack patterns, refining training design, and exploring how organisations can build resilience that holds up in the real world — usually with a strategically sized cup of tea close to hand.