Why Cybersecurity Training Must Become Behaviour-Led
A Framework for Human-Centred Cybersecurity Using the Cyber Rebels Five-Domain Model
Andy Longhurst (2026) – Cyber Rebels
Cite this work: Longhurst, A. (2026) ‘Beyond Awareness: Why Cybersecurity Training Must Become Behaviour-Led’. Cyber Rebels.
Available at: https://doi.org/10.5281/zenodo.19039889.
Published research available via DOI.
Executive Summary
Cybersecurity has become a routine concern for organisations of every size. Ransomware, data breaches, online fraud and social engineering are now widely discussed, and most employees understand that businesses are often targeted through emails, messages, calls, shared documents and familiar digital systems.
In response, many organisations have introduced cybersecurity awareness training to help employees recognise threats and follow security policies during everyday work. These programmes usually explain how attacks happen, show examples of malicious messages, and encourage employees to stay alert when something unexpected appears.
The assumption behind this approach has always been straightforward: if employees are aware of cyber threats, they will avoid them.
That assumption is understandable, but it does not fully reflect how cyber incidents happen in real working conditions. Phishing attacks still succeed, fraudulent requests are still approved, and sensitive information is still shared in response to convincing communications. In many cases, the people involved have already completed cybersecurity awareness training and understand the risks in principle.
This suggests that the challenge organisations face is not simply a lack of knowledge.
As explored in Where Awareness Fails: Why Cybersecurity Training Isn’t Stopping Breaches, cyber incidents frequently begin during normal business activity. Someone is trying to complete a task, respond to a colleague, process a request, resolve a problem or keep work moving. The decision is made quickly, often under pressure, using the information available at the time. The action may feel reasonable because it appears to fit the workflow, the relationship, the system or the urgency of the moment.
Under these conditions, cybersecurity risk is often behavioural rather than informational. Employees may understand cyber threats in theory, yet still make unsafe decisions when the situation feels legitimate, familiar or difficult to question.
This paper builds on that foundation by examining what must change.
Rather than focusing mainly on increasing awareness, organisations need to develop the behavioural capabilities employees rely on when making decisions in real working environments. These capabilities include recognising contextual risk, verifying unusual or high-impact requests, maintaining secure operational habits, and escalating uncertainty before a situation develops into an incident.
To support this shift, the paper introduces the Cyber Rebels Five-Domain Model, a behaviour-focused framework designed to strengthen cybersecurity decision-making across the workforce. The model identifies five areas of behavioural capability that underpin secure organisational behaviour:
Contextual Risk Recognition
Verification and Control Discipline
Secure Operational Behaviour
Incident Judgement and Escalation
Professional Cyber Judgement
Together, these domains provide a structured way to develop the judgement, habits and professional responsibility required to manage cyber risk inside everyday organisational activity.
By examining the limitations of traditional awareness training and showing how attackers exploit ordinary decision-making conditions, this paper explains why behaviour-led cybersecurity training is a necessary next step for organisations that want to improve real-world cyber resilience.
Organisations that strengthen the behavioural dimension of cybersecurity are better placed to recognise, interrupt and respond to modern cyber threats before reasonable decisions become organisational exposure.
1. The Promise of Cybersecurity Awareness Training
Over the past two decades, cybersecurity awareness training has become one of the most widely adopted ways to address human-related cyber risk. As organisations recognised that everyday actions could unintentionally expose systems and data, training programmes were introduced to educate staff about common threats such as phishing emails, malicious attachments, password misuse and social engineering.
Regulators and industry frameworks have reinforced this approach. Standards such as ISO 27001, the NIST Cybersecurity Framework and the UK government’s Cyber Essentials scheme all emphasise the importance of awareness, policy understanding and secure working practices as part of a wider cybersecurity strategy. In many sectors, organisations are expected to show that employees receive regular training and understand their responsibilities when handling systems, information and communications.
As a result, awareness training has become embedded in organisational security practice across the public and private sectors.
At its core, cybersecurity awareness training was built on a simple and compelling promise: improving employees’ understanding of cyber threats should reduce the likelihood of successful attacks.
The logic appears sound. If employees can recognise common attack techniques, such as phishing emails, fraudulent requests or suspicious links, they should be less likely to act on them. By increasing knowledge of cyber risk and reinforcing organisational policies, awareness programmes aim to encourage safer behaviour across the workforce.
Typically, these programmes introduce employees to common cyber threats and expected security practices. Staff may be shown examples of suspicious emails, taught how to create stronger passwords, and reminded how to report unusual activity. The intention is clear and well-founded.
Human behaviour has long been recognised as an important factor in cybersecurity incidents. Many attacks involve some form of interaction with a person, whether through phishing, credential misuse, information sharing or approval of a fraudulent request. Awareness training was introduced to reduce these risks by helping employees understand what attackers do and how they should respond.
In principle, if employees understand how cyber attacks work, recognise warning signs and follow security procedures, fewer attacks should succeed.
In many respects, awareness training has achieved part of this objective. Across most organisations today, employees are far more familiar with common cyber threats than they were a decade ago. Terms such as phishing, ransomware and social engineering are widely recognised, and most employees understand the importance of basic practices such as strong passwords, secure handling of information and reporting suspicious communications.
For many organisations, awareness training also offers a practical and scalable way to communicate expectations. It supports compliance, creates a shared baseline of understanding, and gives leaders confidence that cybersecurity is being addressed across the workforce.
However, while awareness training has improved knowledge, the persistence of human-enabled incidents suggests that knowledge alone does not reliably change behaviour in the moments where it matters most.
If employees already understand what cyber threats look like, why do attacks that rely on human interaction continue to succeed?
2. The Reality: Breaches Continue Despite Training
Despite the widespread adoption of cybersecurity awareness programmes, incidents involving human decision-making remain common.
Across the public and private sectors, organisations invest time and resources into cybersecurity education. Employees complete awareness modules, take part in internal campaigns, and acknowledge organisational security policies. In many workplaces, these programmes are now part of onboarding, annual compliance cycles and wider risk management activity.
Yet the continued frequency of cyber incidents suggests that awareness training alone has not solved the decision-making layer of cybersecurity risk.
Data from the UK Government’s Cyber Security Breaches Survey illustrates the scale of the issue. The 2025 survey found that 43% of UK businesses and 30% of charities experienced a cybersecurity breach or attack in the previous 12 months. Among organisations that identified an attack, phishing was by far the most common threat, affecting approximately 84% of those businesses.
These figures show that attacks targeting everyday communication and decision-making remain widespread, even as awareness activity has become routine.
Industry research also continues to highlight the central role of human interaction in successful cyber attacks. Many breaches involve someone responding to a message, reusing compromised credentials, approving a request, sharing information, or interacting with a system in a way that gives the attacker an opportunity to progress.
This does not mean employees lack awareness of cyber threats. In many incidents, the people involved have already received training and understand the policies designed to protect their organisation.
Yet incidents still occur.
Recent high-profile cyber incidents in the United Kingdom illustrate how attackers continue to exploit human decision-making rather than relying only on technical weakness.
In 2025, Marks & Spencer experienced a major cyber attack that disrupted online operations and forced the retailer to suspend digital ordering systems while investigations and recovery work took place. The incident caused significant operational disruption and highlighted the impact cyber attacks can have on major organisations. Public reporting suggested that social engineering played a role in the attackers gaining access before ransomware activity followed, showing how human interaction can become the first step in a wider compromise.
Large enterprises are not the only organisations affected. A widely cited example from the UK logistics sector involved Knights of Old, a Northamptonshire-based transport company that collapsed following a ransomware attack in 2023. The breach reportedly began with a compromised employee password, which allowed attackers to access internal systems. The disruption that followed ultimately forced the company into administration, with hundreds of jobs lost.
These incidents point to an important pattern. Attackers do not always need to defeat advanced security technology if they can influence a person’s decision at the right moment.
Phishing emails, fraudulent messages and social engineering attacks are designed to exploit ordinary working conditions. They create urgency, impersonate authority, mimic familiar processes, or present themselves as legitimate operational requests. Their purpose is not simply to trick someone who knows nothing about cybersecurity. It is to make the risky action feel like the reasonable action inside the situation.
Under these conditions, employees may make decisions that conflict with what they learned during training.
This does not make them careless or negligent. It reflects the reality that decisions at work are shaped by time pressure, workload, organisational expectations, responsibility, trust and competing priorities. A person may understand the risk in theory and still act quickly when the request feels legitimate, urgent and aligned with their role.
This pattern highlights a fundamental limitation of traditional cybersecurity awareness training. Increasing knowledge about cyber threats does not automatically translate into secure behaviour when employees face real-world situations involving urgency, ambiguity and operational pressure.
To understand why this gap exists, it is necessary to examine how people actually make decisions inside everyday work.
3. The Core Problem: Cybersecurity Is Not a Knowledge Problem
Traditional cybersecurity awareness training is built on a simple assumption: if employees understand cyber risks and know the correct procedures, they will behave securely when they face a threat.
This assumption appears logical. Education is often used to influence behaviour across organisational life, from health and safety to compliance and professional standards. By increasing knowledge and reinforcing policy, organisations expect people to adopt safer practices.
Cybersecurity decision-making, however, is more complex.
Knowing the correct behaviour does not mean that behaviour will happen in practice. Decisions are shaped by a wide range of factors that operate in real time, often under conditions that are very different from the controlled environments where training takes place.
Employees rarely encounter cyber threats in calm, clearly labelled situations. They encounter them in the middle of normal working activity. Emails arrive while staff are handling several tasks. Requests appear inside busy communication channels. Messages often resemble legitimate instructions from colleagues, suppliers, clients, managers or systems.
In those moments, people are not usually analysing a cybersecurity scenario. They are trying to complete their work.
Cyber attackers understand this dynamic well.
Modern social engineering attacks are designed to exploit cognitive shortcuts and workplace pressure. Rather than relying only on technical compromise, attackers manipulate urgency, authority, trust, familiarity and convenience to influence behaviour.
A message may claim that a payment must be processed immediately to avoid supplier disruption. An email may appear to come from a senior leader requesting confidential information. A link may sit inside what looks like a routine system notification. A shared document may arrive in a thread that appears to fit an ongoing project.
In each case, the attack attempts to trigger a quick response before the recipient has time to question whether the request should be verified.
These techniques exploit normal human behaviour. People tend to respond quickly to authority, prioritise urgent tasks, and rely on familiar patterns when interpreting information. In a busy work environment, those responses often help the organisation function. They keep work moving, support colleagues and reduce delay.
The same responses can also be manipulated.
Operational context strengthens this challenge. Employees are often valued for efficiency, responsiveness and productivity. They may feel pressure to resolve requests quickly, avoid holding up colleagues, or maintain a good service experience. Security checks that appear to slow down work can feel like obstacles rather than protective controls, especially when nothing about the situation feels obviously wrong.
As a result, people may bypass verification steps or act on incomplete information to maintain progress.
These behaviours are not necessarily irrational. In many cases, they are rational decisions made within competing organisational priorities.
The problem, therefore, is not simply that employees are unaware of cyber threats. In many organisations, staff can correctly identify phishing emails in training exercises and explain relevant security policies.
The difficulty arises when they must apply that knowledge in complex, ambiguous situations where several pressures are operating at once.
In those moments, knowledge alone is rarely enough.
Employees need to recognise when a situation carries cyber risk, pause long enough to evaluate the request, apply verification practices consistently, and escalate concerns when something feels uncertain. These actions require behavioural capability, not just awareness.
Traditional awareness training often fails to develop these capabilities because it focuses mainly on information delivery. Employees are taught what threats look like, but they are not always helped to navigate the conditions in which those threats appear: pressure, familiarity, authority, workflow demand and uncertainty.
As a result, organisations may increase cybersecurity knowledge without significantly improving real-world security behaviour.
This gap between knowledge and behaviour is one of the most important challenges in modern cybersecurity strategy.
If organisations want to reduce human-related cyber risk, training must evolve beyond awareness and begin developing the behavioural skills required to make secure decisions in real operational environments.
4. The Gap in Current Cybersecurity Training
One of the most significant weaknesses in traditional cybersecurity awareness programmes lies not only in how training is delivered, but also in how success is measured.
In many organisations, the effectiveness of cybersecurity training is evaluated through simple, trackable indicators. Security teams may measure completion rates, quiz scores and employee acknowledgement of policies. If employees complete their training and pass a knowledge-based assessment, the programme is often considered successful from a governance or compliance perspective.
These metrics are useful. They show that training has been delivered, that employees have engaged with the material, and that the organisation can evidence its activity.
What they do not show is how people behave when they face a real decision under pressure.
An employee may know the warning signs of a suspicious email but still act on a message that appears to come from a trusted colleague during a busy day. A manager may understand the need for verification but still approve a request that feels urgent and operationally important. A team member may know they should report uncertainty but hesitate because they do not want to raise a false alarm.
The gap is not between training and memory. It is between training and real-world action.
Controlled testing can provide some insight into recognition, but it does not fully replicate the conditions in which attacks occur. Real attacks arrive mixed in with legitimate communication. They appear during live work, often when the person is focused on a task, managing competing demands, or responding to someone they believe they can trust. The behavioural pressures influencing the decision are stronger than those present in a controlled training exercise.
This is why awareness can fade as an active influence. Immediately after training, people may be more alert to suspicious messages and more likely to identify obvious risks. Over time, as the pressure of daily work returns, the habits and assumptions of the workplace often become stronger than the memory of the training.
High completion rates can therefore create a misleading sense of readiness. A workforce may appear well prepared because people have completed modules, answered questions correctly and acknowledged policies. In practice, those same people may still struggle to apply the knowledge when the situation is ambiguous, urgent or socially difficult to question.
Incident reporting shows this gap clearly. Many organisations encourage employees to report suspicious activity, yet underreporting remains common. People may hesitate because they are unsure whether something truly represents a threat, because they do not want to waste the security team’s time, or because they worry about appearing wrong.
That hesitation is not a knowledge issue. It is a judgement and confidence issue.
Traditional awareness programmes rarely address this properly. They may tell employees to report suspicious activity, but they do not always help them build the confidence to escalate uncertainty before they have complete proof that something is wrong.
The result is a paradox inside many organisations. Training metrics suggest employees are informed, while operational evidence shows that unsafe decisions and missed warning signs continue to occur.
In other words, organisations are often measuring knowledge rather than behaviour.
This distinction matters. Knowledge-based metrics can provide reassurance that training has been delivered and understood. They cannot, on their own, confirm that employees have developed the behavioural capabilities required to recognise risk, verify requests and respond appropriately in live situations.
Until organisations begin developing and evaluating real security behaviour, the gap between training outcomes and operational reality is likely to persist.
Recognising this gap is the first step towards a more effective approach to cybersecurity training.
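The measurement gap described in this section can be made concrete. The following is an added example, not code from the paper or from Cyber Rebels: it computes a knowledge metric (module completion rate) alongside behavioural metrics drawn from a phishing-simulation event log (click rate, report rate, the share of staff who reported without first clicking, and median minutes to report). The log format, field names and the sample records are constructed for illustration and are not a real product's schema.

```python
"""Knowledge metrics versus behaviour metrics from constructed security telemetry.

Added example (not part of the paper). The event format below is an assumption:
one 'ISO-timestamp,user,campaign,event' record per line, where event is one of
delivered | clicked | reported | submitted_credentials.
"""
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from typing import Iterable, Optional

# Constructed sample data: five staff, all of whom completed the awareness module.
WORKFORCE = {"alice", "bob", "carol", "dave", "erin"}
COMPLETED = {"alice", "bob", "carol", "dave", "erin"}

# Constructed simulation log for one campaign (a fake supplier bank-detail change).
SAMPLE_LOG = """\
# timestamp,user,campaign,event  (constructed sample data)
2025-03-03T09:00:00,alice,supplier-bank-change,delivered
2025-03-03T09:00:00,bob,supplier-bank-change,delivered
2025-03-03T09:00:00,carol,supplier-bank-change,delivered
2025-03-03T09:00:00,dave,supplier-bank-change,delivered
2025-03-03T09:00:00,erin,supplier-bank-change,delivered
2025-03-03T09:02:00,bob,supplier-bank-change,clicked
2025-03-03T09:04:00,alice,supplier-bank-change,reported
2025-03-03T09:05:00,carol,supplier-bank-change,clicked
2025-03-03T09:06:00,carol,supplier-bank-change,submitted_credentials
2025-03-03T09:10:00,bob,supplier-bank-change,reported
2025-03-03T09:30:00,erin,supplier-bank-change,reported
"""


@dataclass(frozen=True)
class SimEvent:
    user: str
    campaign: str
    kind: str
    at: datetime


def parse_events(lines: Iterable[str]) -> list[SimEvent]:
    """Parse the constructed CSV-style log; blank lines and '#' comments are skipped."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, campaign, kind = [part.strip() for part in line.split(",")]
        events.append(SimEvent(user, campaign, kind, datetime.fromisoformat(ts)))
    return events


def completion_rate(completed: set[str], workforce: set[str]) -> float:
    """Knowledge metric: share of the workforce that finished the awareness module."""
    return len(completed & workforce) / len(workforce)


def _first(events: list[SimEvent], user: str, kind: str) -> Optional[datetime]:
    times = [e.at for e in events if e.user == user and e.kind == kind]
    return min(times) if times else None


def behaviour_metrics(events: list[SimEvent], campaign: str) -> dict:
    """Behaviour metrics for one campaign, all expressed per delivered message."""
    ev = [e for e in events if e.campaign == campaign]
    delivered = {e.user for e in ev if e.kind == "delivered"}
    if not delivered:
        raise ValueError(f"no deliveries recorded for campaign {campaign!r}")
    clicked = {e.user for e in ev if e.kind == "clicked"}
    reported = {e.user for e in ev if e.kind == "reported"}
    submitted = {e.user for e in ev if e.kind == "submitted_credentials"}

    # Reporting before interacting is the behaviour the paper wants to see;
    # a report that follows a click is still valuable but is tracked separately.
    reported_clean = set()
    minutes_to_report = []
    for user in reported:
        first_report = _first(ev, user, "reported")
        first_click = _first(ev, user, "clicked")
        if first_click is None or first_report < first_click:
            reported_clean.add(user)
        delivered_at = _first(ev, user, "delivered")
        if delivered_at is not None:
            minutes_to_report.append((first_report - delivered_at).total_seconds() / 60)

    n = len(delivered)
    return {
        "delivered": n,
        "click_rate": len(clicked) / n,
        "credential_submission_rate": len(submitted) / n,
        "report_rate": len(reported) / n,
        "reported_without_clicking": len(reported_clean) / n,
        "median_minutes_to_report": median(minutes_to_report) if minutes_to_report else None,
    }


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG.splitlines())
    print("completion rate:", completion_rate(COMPLETED, WORKFORCE))
    for key, value in behaviour_metrics(events, "supplier-bank-change").items():
        print(f"{key}: {value}")
```

On the constructed data the completion rate is 100% while only 60% reported, 40% reported without clicking, and one person submitted credentials; the two views of the same workforce tell different stories, which is the point of the section. The design choice worth noting is that every behavioural rate is normalised per delivered message rather than per clicker, so a campaign that nobody clicks still yields a meaningful report rate.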
5. The Shift Toward Behaviour-Led Cybersecurity Training
As organisations recognise the limits of traditional awareness programmes, a shift is emerging within cybersecurity. Rather than focusing only on increasing employee knowledge, security leaders are beginning to examine how people actually behave when cyber risk appears inside normal work.
This shift reflects a broader understanding that cybersecurity is a human decision-making challenge as well as a technical one. Firewalls, endpoint protection, identity tools and monitoring systems remain essential, but the actions taken by employees often determine whether a threat is interrupted or allowed to progress.
Attackers understand this and have adapted their methods accordingly. Modern cyber attacks increasingly rely on social engineering techniques that exploit behaviour rather than attempting to bypass technical controls directly. By manipulating urgency, authority, curiosity, trust or familiarity, attackers influence people to take actions that open a route into the organisation.
Artificial intelligence is accelerating this trend. AI tools allow attackers to generate convincing emails, fake websites and impersonation messages that closely resemble legitimate business communication. What once required more time, research and skill can now be produced quickly and at scale.
Messages can imitate a company’s tone, branding and communication style. Fraudulent websites can replicate familiar login pages with a high level of accuracy. Reconnaissance tasks, such as gathering publicly available information about employees, suppliers or organisational structures, can be automated far more easily than before.
As a result, the difference between legitimate communication and malicious deception is becoming harder to judge by appearance alone.
This exposes the limits of traditional awareness-led advice. Teaching employees to look for obvious warning signs such as poor grammar, unusual formatting or suspicious domain names is no longer enough when attackers can produce messages that appear polished, relevant and familiar.
In this environment, effective cybersecurity behaviour depends less on spotting obvious signs of attack and more on applying disciplined verification and sound judgement before taking action.
Behaviour-led cybersecurity training responds to this challenge by focusing on the capabilities that allow people to act securely even when a request appears convincing.
Instead of relying only on awareness of threat indicators, behaviour-led training develops the habits and decision-making processes that help employees pause, question unexpected requests, verify identity or instruction, and escalate concerns when something does not feel right.
In practical terms, this means strengthening the behaviours that shape how employees respond to potentially risky situations inside their daily work.
This shift also aligns with a wider move towards human-centred security. Rather than assuming people will always behave perfectly if given the right instructions, organisations are beginning to design systems, processes and training around realistic human behaviour.
Behaviour-led cybersecurity training is a natural extension of that thinking. It does not discard awareness. It builds on it by helping people apply judgement in the conditions where decisions are actually made.
Employees learn not only what cyber threats look like, but how to recognise risky situations, pause before acting, and apply verification habits within their real workflows.
Over time, these behaviours can become part of organisational culture, strengthening the human layer of cybersecurity defence.
To support this shift, organisations need a structured way to define the behavioural capabilities required for secure decision-making.
The Cyber Rebels Five-Domain Model was developed to provide that structure by identifying the key areas of behavioural competence organisations need to build if they want a more resilient cybersecurity culture.
6. The Cyber Rebels Five-Domain Model
If cybersecurity failures are often decision-making failures rather than knowledge failures, improving organisational resilience requires a framework that focuses on how employees recognise risk, make decisions and respond to uncertainty.
To address this challenge, Cyber Rebels developed the Five-Domain Model, a behavioural framework designed to strengthen the human layer of cybersecurity defence. Rather than focusing only on awareness of threats, the model identifies the practical capabilities employees need in order to operate securely within modern work environments.
Each domain represents a critical part of secure decision-making. Together, the five domains create a structured approach to developing behavioural cybersecurity capability across an organisation.
Importantly, the model does not treat employees as the problem. It recognises that with the right training, support and culture, employees can become an effective layer of cyber defence.
Contextual Risk Recognition
The first domain focuses on the ability to recognise when a situation may involve cyber risk, even when it appears legitimate.
Many cyber attacks succeed because malicious activity is disguised inside normal business operations. Phishing emails resemble legitimate communications. Fraudulent requests appear to come from trusted colleagues, suppliers or systems. Login prompts, shared files and payment changes can all appear within workflows that already feel familiar.
If employees do not recognise that the situation may carry risk, they are unlikely to apply caution or verification.
Contextual Risk Recognition develops the ability to interpret the circumstances around a request, rather than relying only on obvious technical indicators.
For example, an employee in finance may receive an urgent email requesting a change to supplier payment details. The message appears legitimate and includes correct branding. Traditional awareness training might encourage the employee to look for spelling errors, suspicious formatting or unusual sender details. A behaviour-led approach goes further by encouraging the employee to consider the context.
Is this type of request normally made by email?
Does it match the organisation’s usual financial process?
Is the urgency appropriate, or is it being used to push the person past normal controls?
By recognising that the situation itself may carry risk, the employee is more likely to verify before acting.
This does not make people suspicious of every request. It helps them notice when something fits too easily into the work they are already doing.
Verification and Control Discipline
Once risk is recognised, the next critical behaviour is verification.
Verification and Control Discipline focuses on building consistent habits around confirming requests before acting on them. Many successful attacks rely on bypassing verification by creating urgency, invoking authority or exploiting trust relationships.
For example, attackers carrying out business email compromise often impersonate senior leaders or trusted suppliers. The message may ask an employee to process a payment quickly, share sensitive information or change account details. If the recipient acts immediately, the attack can progress.
Verification discipline encourages employees to pause and confirm the legitimacy of the request through an independent route. This might involve calling a known contact, using a separate communication channel, checking the request against an established procedure, or following the organisation’s approval process for financial or data-related actions.
By embedding verification habits into everyday workflows, organisations create behavioural barriers that attackers must overcome. Even convincing messages become less effective when employees consistently verify unexpected or high-impact requests before acting.
In this way, verification discipline disrupts many of the social engineering techniques used by cybercriminals.
Secure Operational Behaviour
The third domain focuses on integrating secure behaviour into daily working practices.
Cybersecurity policies often describe the correct way to handle data, manage passwords or use organisational systems. In practice, people may bypass those procedures when they appear to slow work down or conflict with operational priorities.
Secure Operational Behaviour focuses on making secure practice part of normal work, rather than something separate or exceptional.
This includes habits such as locking devices when stepping away, using password managers rather than reusing credentials, storing sensitive information in approved systems, and avoiding informal workarounds that move data outside controlled environments.
These behaviours may appear simple, but they reduce the opportunities attackers can exploit.
They also make unusual activity easier to notice. When secure operational practices are normal, a request for credentials, an instruction to bypass process, or a demand to move information into an unapproved system stands out more clearly.
By embedding secure practices into everyday operations, organisations reduce the space where inconsistent behaviour can be manipulated.
Incident Judgement and Escalation
Even in well-managed environments, employees will occasionally encounter situations that feel suspicious but unclear. In these moments, judgement and escalation become critical.
Incident Judgement and Escalation focuses on helping employees recognise potential incidents and feel confident reporting concerns early.
Traditional training often tells employees to report suspicious emails or unusual activity. The difficulty is that many people hesitate because they are not sure whether something is genuinely risky. They may worry about being wrong, wasting time, or creating unnecessary work for others.
Behaviour-led training addresses this barrier by positioning early reporting as responsible professional behaviour, not an inconvenience.
For example, if an employee receives a message requesting login credentials, the most useful response may not be to analyse it alone. It may be to report it quickly so the organisation can identify whether other people have received similar messages.
Early escalation gives security teams a better chance to spot wider patterns, contain risk and protect other employees before the attack progresses.
When escalation becomes normal, organisations gain earlier warning of potential threats.
Professional Cyber Judgement
The final domain focuses on culture, responsibility and professional judgement.
Cybersecurity is often viewed as the responsibility of IT or security specialists. Yet modern organisations depend on employees across every role interacting with systems, data, documents, platforms and communications. Cybersecurity decisions are now part of everyday professional activity.
Professional Cyber Judgement encourages employees to view cybersecurity as part of their role, not as a separate set of rules imposed by someone else.
In practice, this means creating a culture where people feel able to question unusual requests, protect sensitive information, verify before acting and support security processes without feeling that they are obstructing work.
For example, an employee who receives an unusual request from a colleague should feel comfortable asking a clarifying question. A manager should support a team member who pauses to verify a payment change. Staff should feel that reporting uncertainty is part of responsible work, not a sign that they have failed to understand the situation.
When cybersecurity becomes part of professional judgement, employees begin to see themselves as active participants in organisational defence.
Building Behavioural Cyber Resilience
Individually, each of the five domains addresses a specific aspect of cybersecurity behaviour. Together, they form a comprehensive framework for strengthening how employees recognise, evaluate and respond to cyber risk.
By developing contextual awareness, verification discipline, secure operational behaviour, escalation confidence and professional responsibility, organisations can strengthen the human layer of their cybersecurity strategy.
The Five-Domain Model provides a practical structure for moving beyond awareness-based training and towards behavioural cybersecurity capability.
7. What Behaviour-Led Training Looks Like in Practice
If traditional cybersecurity awareness training focuses mainly on increasing knowledge, behaviour-led cybersecurity training focuses on changing how employees think and act when cyber risk appears inside normal work.
This difference changes how training is designed and delivered.
Awareness-based training often follows an information-delivery model. Employees are presented with examples of cyber threats, explanations of policies and lists of warning signs that may indicate malicious activity. Learning may be delivered through slides, videos or online modules, followed by questions that test whether the participant remembers the information.
Behaviour-led cybersecurity training takes a different approach. Rather than asking employees to memorise indicators, it develops the judgement and habits required to respond securely in realistic situations.
Participants work through scenarios that reflect the kinds of decisions they encounter in their roles. Instead of being told the correct answer at the start, they are asked to interpret the situation, question assumptions and decide how they would respond.
For example, a training exercise may present a realistic message from what appears to be a senior colleague requesting urgent action. The message may contain no obvious signs of fraud. Participants are asked whether they would act on the request, what questions they would ask, and how they would verify the instruction.
Through guided discussion, participants explore why the request feels legitimate and where risk may sit inside that legitimacy.
This approach serves two important purposes. First, it exposes employees to the ambiguous situations attackers often create. Second, it helps people develop the habit of pausing, evaluating context and applying verification before acting.
A key behavioural principle within behaviour-led training is “Pause and Verify”. Many successful cyber attacks rely on triggering an immediate response. Messages are designed to create urgency, appear to come from authority, or resemble routine operational requests so that people act before questioning the situation.
“Pause and Verify” introduces a deliberate interruption to that automatic response. Employees are encouraged to pause when they encounter unexpected or unusual requests, especially when the request involves sensitive information, financial transactions, access, credentials or urgent action. That pause creates enough space to evaluate the context and apply verification.
Verification may involve confirming instructions through another communication channel, checking the request against established procedures, or seeking clarification from a colleague or manager. By embedding the habit of pausing and verifying before acting, organisations introduce a behavioural safeguard that can disrupt many forms of social engineering.
Behaviour-led training therefore shifts the emphasis from spotting obvious threats to managing uncertainty.
Another key feature is decision-making under realistic operational pressure. Employees rarely encounter cyber threats in isolation. Suspicious messages arrive alongside legitimate communication. Fraudulent requests often mimic normal processes. Attackers deliberately design messages that blend into everyday workflows.
Training exercises should reflect these conditions. Participants may analyse communication chains, evaluate conflicting information, or discuss how urgency, hierarchy and workload influence decisions.
By examining these pressures openly, employees gain a clearer understanding of how attackers manipulate normal working environments.
Behaviour-led training also places strong emphasis on verification practices. Rather than simply warning employees about suspicious messages, sessions focus on developing clear habits for confirming requests and instructions before acting.
Participants discuss practical techniques such as using known contact routes, checking unexpected instructions against procedures, recognising when a request deviates from normal patterns, and understanding when delay is appropriate because the action carries higher impact.
These behaviours become especially important in an era where artificial intelligence can help attackers generate convincing communications. When fraudulent emails or websites closely resemble legitimate systems, visual indicators alone are often not enough. Verification discipline becomes essential.
In addition to developing recognition and verification skills, behaviour-led training strengthens incident response behaviour across the workforce. Employees learn not only how to identify suspicious activity, but how and when to escalate uncertainty.
Training discussions should address the psychological barriers that prevent reporting, including fear of embarrassment, uncertainty about whether something is serious, or concern about interrupting others. By normalising escalation as responsible behaviour, organisations can improve early detection of potential attacks.
Importantly, behaviour-led training is interactive and discussion-driven rather than passive. Participants are encouraged to share experience, challenge assumptions and explore how cybersecurity decisions appear inside their specific roles.
This collaborative approach reinforces the idea that cybersecurity is not solely the responsibility of technical teams. It is a shared organisational capability.
Over time, repeated exposure to these exercises helps reinforce behavioural patterns that improve resilience. Employees become more comfortable questioning unusual requests, verifying unexpected instructions and reporting suspicious activity.
Rather than simply remembering information from a training module, they develop habits that influence how they behave in everyday situations.
In this way, behaviour-led cybersecurity training aims to produce lasting behavioural change rather than temporary increases in awareness.
8. Implications for Organisations
If cybersecurity failures frequently result from decision-making under pressure rather than a lack of awareness, organisations need to reconsider how they approach the human dimension of cybersecurity.
For many years, cybersecurity has been treated mainly as a technical issue managed by IT departments or specialist security teams. Organisations invest in firewalls, endpoint protection, network monitoring and identity management tools designed to protect digital infrastructure from attack.
These technologies are essential, but they address only part of the problem.
Many modern attacks do not begin with attackers defeating sophisticated technical controls. They begin with normal business activity: an employee receiving an email, responding to a message, approving a request or interacting with a system as part of their work.
In other words, cybersecurity failures frequently occur inside ordinary operational processes rather than at the edge of technical infrastructure.
This has significant implications for how organisations design their cybersecurity strategy.
Cybersecurity Is Not Just an IT Responsibility
If employees across the organisation interact with systems, data and communications, cybersecurity cannot be treated solely as a technical responsibility.
Finance teams may receive fraudulent payment requests. HR departments handle sensitive personal information that attackers may try to obtain. Customer service staff communicate with external parties who may attempt impersonation. Senior leaders may be targeted through highly tailored social engineering.
In each case, the initial point of attack is a human interaction within normal work.
Modern cybersecurity operates across several layers of responsibility. Technical teams remain responsible for implementing and maintaining controls such as endpoint protection, identity management and monitoring. Governance and compliance functions oversee policies, obligations and evidence that the organisation is taking reasonable steps to manage risk.
But the effectiveness of both technical and compliance controls ultimately depends on how employees behave when interacting with systems, communication and data.
This introduces a third and often overlooked layer of defence: behavioural controls.
Behavioural controls exist in the everyday decisions employees make when responding to emails, approving requests, handling information or using digital systems. These decisions determine whether procedures are followed, whether suspicious activity is recognised, and whether potential incidents are escalated.
In practical terms, cybersecurity can therefore be understood as a shared organisational capability.
IT manages the technical controls that protect infrastructure. HR, governance and leadership functions support policy, compliance and accountability. The wider workforce provides behavioural controls through everyday decision-making.
When this behavioural layer is weak, even well-designed technical systems can be bypassed. When employees develop strong verification habits, risk recognition skills and escalation confidence, they become an active defensive capability rather than a passive point of exposure.
This means cybersecurity must be treated as an organisational capability, not only as a specialist technical function. Every employee who interacts with digital systems plays a role in protecting the organisation.
Training programmes must therefore be designed not only for IT professionals, but for the wider workforce whose everyday decisions influence cybersecurity outcomes.
Moving Beyond Compliance-Based Training
Another implication concerns how organisations approach cybersecurity education.
Many awareness programmes are delivered primarily to satisfy regulatory or compliance requirements. Employees complete training modules, pass knowledge-based assessments and acknowledge policies.
These activities show that training has been delivered, but they do not necessarily show that employees can respond securely in real-world situations.
If the objective is to reduce cyber risk, training must focus on developing behavioural capabilities such as recognising unusual requests, verifying instructions, questioning unexpected activity and escalating potential incidents.
This requires training that reflects real operational conditions rather than simply delivering theoretical knowledge.
Measuring Behaviour Rather Than Training Completion
Organisations must also reconsider how they measure the effectiveness of cybersecurity initiatives.
Completion rates and assessment scores provide limited insight into how employees behave when confronted with real threats. Someone may correctly identify indicators during a quiz but still respond to a convincing social engineering message during a busy workday.
More meaningful indicators include behavioural signals such as how often suspicious communications are reported, how consistently verification procedures are followed, how quickly potential incidents are escalated, and whether teams feel confident pausing when a request carries risk.
These indicators provide a clearer picture of how the workforce contributes to organisational security.
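As an added illustration, not part of the original paper, the following Python computes the behavioural indicators listed above (report rate, verification consistency, time to escalation) from a small constructed set of simulated-phishing encounters and sets them beside the completion and quiz metrics the paper argues are insufficient. The team names, scores and timings are constructed sample data.

```python
from dataclasses import dataclass
from statistics import median
from typing import Optional


@dataclass
class Encounter:
    """One suspicious interaction an employee faced (constructed record)."""
    team: str
    training_completed: bool            # completion metric
    quiz_score: int                     # knowledge-assessment metric, percent
    reported: bool                      # behavioural: was it reported?
    minutes_to_report: Optional[int]    # behavioural: escalation speed, None if unreported
    verified_first: bool                # behavioural: verified via a known route before acting


# Constructed sample: both teams have 100% completion; finance scores higher on
# the quiz but reports less, verifies less, and escalates far more slowly.
ENCOUNTERS = [
    Encounter("finance", True, 95, False, None, False),
    Encounter("finance", True, 90, False, None, True),
    Encounter("finance", True, 85, True, 240, False),
    Encounter("finance", True, 100, False, None, False),
    Encounter("hr", True, 80, True, 10, True),
    Encounter("hr", True, 75, True, 15, True),
    Encounter("hr", True, 90, True, 25, True),
    Encounter("hr", True, 85, False, None, True),
]


def behavioural_indicators(encounters):
    """Per-team completion/quiz metrics alongside behavioural signals."""
    by_team = {}
    for e in encounters:
        by_team.setdefault(e.team, []).append(e)

    result = {}
    for team, rows in by_team.items():
        n = len(rows)
        report_times = [r.minutes_to_report for r in rows
                        if r.reported and r.minutes_to_report is not None]
        result[team] = {
            "completion_rate": round(sum(r.training_completed for r in rows) / n, 2),
            "avg_quiz_score": round(sum(r.quiz_score for r in rows) / n, 1),
            "report_rate": round(sum(r.reported for r in rows) / n, 2),
            "verification_rate": round(sum(r.verified_first for r in rows) / n, 2),
            # Median rather than mean so one very late report does not mask the rest.
            "median_minutes_to_report": median(report_times) if report_times else None,
        }
    return result


def teams_needing_attention(indicators, min_report_rate=0.5, min_verification_rate=0.5):
    """Teams whose behavioural signals fall below thresholds, whatever their quiz scores."""
    return sorted(team for team, m in indicators.items()
                  if m["report_rate"] < min_report_rate
                  or m["verification_rate"] < min_verification_rate)


if __name__ == "__main__":
    metrics = behavioural_indicators(ENCOUNTERS)
    for team, m in metrics.items():
        print(team, m)
    print("needs attention:", teams_needing_attention(metrics))
```

On this sample the finance team would look best on completion and quiz score alone, yet it is the team the behavioural signals flag.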
Embedding Security Into Everyday Work
For behaviour-led cybersecurity to succeed, secure behaviour must be embedded into everyday operational processes.
People are more likely to follow secure practices when those practices align with how work is actually performed. Clear verification procedures, accessible escalation channels and practical guidance on handling unusual requests help employees respond appropriately without feeling that security is separate from the job.
When security behaviours are integrated into normal workflows, they become part of professional practice rather than additional tasks imposed by technical teams.
The Workforce as a Security Control
Finally, organisations should recognise that employees are not simply potential sources of cyber risk. With the right support, they represent one of the most powerful security controls available.
Employees are often the first people to encounter suspicious messages, fraudulent requests or unusual activity. If they have the behavioural capability to recognise and question those interactions, attacks can be interrupted before technical monitoring systems detect malicious activity.
Developing this capability transforms the workforce from a possible route of compromise into an active defensive layer within the organisation’s cybersecurity strategy.
As attackers continue to exploit human behaviour, organisations that strengthen this behavioural layer will be better placed to recognise and disrupt attacks early.
Conclusion
For more than a decade, cybersecurity awareness training has been promoted as a solution to the human dimension of cyber risk. Organisations have invested significant time and resources into programmes designed to educate employees about phishing, password security and safe online behaviour.
These efforts have played an important role in raising awareness across the workforce. Employees today are generally far more familiar with common cyber threats than they were in the early days of corporate security training.
However, the persistence of human-enabled incidents shows that awareness alone is not enough.
Employees encounter cyber threats not in controlled training environments, but inside complex, fast-moving working conditions. They are expected to make decisions while balancing operational priorities, responding to urgent requests and navigating incomplete or ambiguous information. Attackers deliberately exploit these pressures, designing social engineering campaigns that mimic legitimate communications and blend into normal business activity.
Under these conditions, cybersecurity incidents are rarely the result of employees lacking basic knowledge. More often, they occur because people are placed in situations where judgement, verification discipline and escalation confidence determine the outcome.
This distinction is critical.
If organisations continue to treat cybersecurity training mainly as a knowledge-transfer exercise, they risk addressing the visible symptoms of cyber risk rather than the behavioural conditions that allow it to form.
Reducing human-related cyber risk requires a different approach: one that recognises cybersecurity as a behavioural capability embedded inside everyday organisational activity.
Behaviour-led cybersecurity training represents this next stage of maturity.
Rather than focusing only on teaching employees what cyber threats look like, behaviour-led training develops the practical decision-making skills needed to manage cyber risk in real working environments. It emphasises contextual awareness, verification habits, operational discipline and the confidence to escalate concerns when something appears unusual.
The Cyber Rebels Five-Domain Model provides a structured framework for developing these capabilities across the workforce. By strengthening contextual risk recognition, verification practices, secure operational behaviour, incident judgement and professional cyber responsibility, organisations can help employees become active participants in organisational defence.
As cyber threats evolve, and as technologies such as artificial intelligence make deception easier to personalise and scale, the ability of employees to exercise sound judgement will become even more important.
Technical controls will remain essential, and compliance frameworks will continue to guide organisational policy. But the effectiveness of these measures will still depend on how people behave when they encounter uncertainty, urgency and manipulation in the flow of work.
The future of cybersecurity training therefore lies not in increasing awareness alone, but in developing the behavioural capabilities that allow individuals and organisations to respond securely when real work and real risk intersect.
Organisations that recognise and invest in this behavioural dimension of cybersecurity will be better placed to detect, disrupt and withstand modern cyber attacks.
About the Author
Andy Longhurst is the Founder of Cyber Rebels, a cybersecurity training company specialising in behaviour-led cybersecurity training for organisations.
With a background spanning technology, education, and business, Andy focuses on helping organisations develop the practical decision-making capabilities employees need to manage cyber risk in real-world environments. His work centres on the idea that cybersecurity failures are often behavioural rather than purely technical, and that effective training must therefore reflect how people actually work and make decisions.
Andy developed the Cyber Rebels Five-Domain Model, a framework designed to strengthen organisational cybersecurity capability by focusing on behavioural skills such as contextual risk recognition, verification discipline, secure operational behaviour, incident judgement, and professional cyber responsibility.
Through Cyber Rebels, he delivers practical, scenario-driven training designed to help organisations move beyond traditional awareness programmes and build stronger behavioural resilience against modern cyber threats.
More information about Andy and his work can be found at:
https://cyberrebels.co.uk/team/meet-the-founder
