Security trainings are not usually at the forefront of the minds of many organizations. At ISE, we not only prioritize security training for our staff, we offer it for other companies, organizations and conferences through IoT Village. As the organizer of IoT Village and a recent doctoral graduate in psychology, I have always found that trainings based in psychological constructs seem few and far between. That left me wondering why this blind spot exists, and what can be done about it to assist organizations in strengthening their security culture with training programs that take advantage of psychological principles.
Creating a strong security culture within a company can seem like a daunting task filled with endless trainings, reviews, and meetings, which can be boring and annoying for the average person. As a leader, it can be hard to even know where to begin when it comes to building a security culture. Building a strong security culture isn’t just about enforcing policies or deploying the latest security tools and features.
People, not systems, are oftentimes the real entry point for attackers, and it is that reason alone that makes incorporating psychology into cybersecurity strategy essential. Psychology provides the theoretical models, behavioral insights, and evidence-based methods needed to influence how employees think, feel, and behave in relation to cyber risk. This blog will cover aspects of human behavior that can be used to your advantage when securing your organization. It will also outline a 90-day plan for your team to implement, along with tips and tricks for success when looking to create a healthy security culture that will stand the test of the rapidly advancing world we live in today.
There is a growing body of interdisciplinary research that emphasizes the fact that it is not just strengthening our technology and technical knowledge that can assist us in addressing cyber-attacks. A variety of studies show that strong security cultures within organizations are multidimensional (Sutton & Thompson, 2025; Troublefield, 2025). Strong cultures are characterized by leadership engagement, clear and consistent communication and expectations, and high-quality, regular trainings that are behavior focused. One study found that those “implementing culturally adapted security protocols experience up to 40% higher compliance rates, a 35% improvement in threat detection, and a 45% reduction in response times” (Troublefield, 2025).
Psychological Constructs: The Levers of Improving Security Behaviors
What are psychological constructs? Well, they are somewhat difficult to define, mainly because many psychological constructs refer to an individual’s beliefs, ideas, and concepts about their experiences in their environment. These constructs adapt to new experiences; therefore, they can be permanently changed. Essentially, they are mental frameworks that give meaning to complex human traits and help explain human experience. They help us label covarying behaviors (in statistics, covariation means that two or more variables change together in a predictable way).
There are several psychological constructs that have implications for successful security-focused culture building. First is perceived vulnerability: how does your team perceive vulnerabilities, both in terms of volume and severity? Do they understand what the impact is? Employees must believe that cyber threats are personally relevant in order for them to act. Second is self-efficacy, which is one’s belief in their own capability to succeed at a specific task or goal. In a cybersecurity context, this is related to the confidence in one’s ability to perform secure behaviors. Self-efficacy can help in predicting whether individuals comply with security policies. Third, social norms shape behavior by signaling what others in the organization do or what is perceived as important. When secure behavior is visible and celebrated, employees are more likely to follow suit. Fourth, habit formation and behavioral cues help build secure actions into daily routines. Finally, usability is a core determinant of behavior; when security tools impose excessive cognitive load or are difficult to use, users will routinely circumvent them. The result of this behavior? Unintentionally created vulnerabilities. This insight reinforces that usable security is fundamental to risk reduction.
Now that we have an outline of the psychological constructs that can help us, how do we use them? Below are a few suggestions to guide you in your efforts.
Implementing Behaviorally Designed Prompts
Behavioral prompts or nudges are small, timely notifications that influence decision-making without requiring extensive training or knowledge. This includes things such as pop-up reminders, tooltips when users attempt to share files externally, or instant notifications following phishing simulations. Nudges work because they reshape the decision environment, reducing reliance on memory. To implement this, organizations should begin by identifying high-risk decision points and testing different prompt formats to determine which produce measurable behavior change.
Implementing Easy-to-Use Tools
Poorly designed tools are one of the biggest contributors to risky behavior. If your password manager is cumbersome or your MFA requires too many steps, people will find ways around the system. They won’t enroll in MFA, and they’ll store passwords in insecure places. Usability-driven improvements remove friction and increase secure behavior automatically. Improvements should include things such as implementing single sign-on, simplifying reporting mechanisms, automatically encrypting highly sensitive data or tools, and restructuring approval pipelines to remove any bottlenecks.
Implementing Psychology Based Trainings
Trainings should not just be an annual occurrence. Long, one-time sessions will rarely produce meaningful change. Instead, your team should be continuously learning about the threats that they face day to day, many of which they may not even be aware of. Having an in-house training or hiring a third-party organization to host a training for you can greatly increase your team’s knowledge of social engineering threats and greatly reduce the likelihood of your organization falling victim to an attack. To implement this, research what you are currently doing and evaluate the performance of staff against the training results. After that, introduce periodic simulations such as phishing tests or other common social engineering-based attacks into the regular workday. Recall the common psychological aspects discussed in our previous blog, as those can help you determine which tactics you want to utilize in your training program. Test the team first, then train them based on their performance, and test again afterward to ensure that the message is being delivered as intended. Trainings need to be polished and improved as things in the industry change, and based on how your team is receiving the information. This will help employees practice real-world decision-making, while also immediately reinforcing proper responses to the prompts. It also immediately shows leadership where knowledge gaps exist. This ultimately strengthens learning and builds employees’ confidence in their ability to identify and appropriately respond to threats.
Implementing the Amplification of Positive Social Norms: “Use the Carrot More Than the Stick”
Humans are heavily influenced by the behaviors of those around them and enjoy receiving praise. You may have heard the “carrot on a stick” analogy before; it essentially highlights how people are motivated through incentives. In other words, you’re positively reinforcing desired behaviors. When you highlight positive security behaviors, your organization can create healthy social pressure. Publicizing individual security wins in Slack, a company newsletter, town halls, or other forms of communication makes secure behavior more visible and more desirable. While this is hard to measure, over time these practices will shift employees’ perceptions of what is expected and strengthen compliance with company security policies.
Implementing Leadership-Based Role Modeling
Leaders play a critical role in shaping the culture of an organization. When executives are visibly following security protocols, talking openly about risks, and even participating in the same training as their staff, they are signaling to their teams that security is an important aspect of their day-to-day, as well as a shared responsibility that does not just fall on the IT department or another group within the company. Another strategy that leadership can implement is the humanization of cybersecurity and errors, as it reduces stigma and fear. Leaders can share stories from their own cybersecurity knowledge journey in order to demonstrate vulnerability and accountability, and to provide a sense of relatability to their staff. When leaders demonstrate those humanistic elements, employees will feel more comfortable reporting issues or asking questions when they are unsure about policy or potential attack scenarios.
Measuring Your Cybersecurity Culture Through Psychological Indicators
Effective security culture measurement needs more than monitoring phishing click rates or the number of training certificates obtained. A thorough approach will incorporate those items but will also include behavioral metrics, self-reported attitudinal indicators, and contextual data. Behavioral metrics include behaviors such as the adoption of MFA or other secure configurations, the reporting rate of suspicious emails, and the usage of password managers. Attitudinal metrics will come from psychological constructs, such as perceived vulnerability, self-efficacy, and perceived norms. These can be measured in trainings or with the occasional survey. Finally, contextual metrics will include qualitative analysis of communicated friction or complaints, workload changes, and perceived usability. Leading indicators will provide leadership with early insight into emerging cultural patterns and can help create a timeline for long-term success.
Next Steps: A 90-Day Psychology-Driven Plan
Creating a 90-day plan can help your organization integrate psychology into cybersecurity practice without overwhelming any one department or team. Break everything up into achievable milestones that set your team up for success. Below is an example of how to organize and achieve your goals:
Day 0-30:
- Focus on diagnosis and prioritization
- Administer a survey to the entire company based on the previously mentioned psychological constructs (We can help you create this if you need)
- Conduct a behavioral audit
  - A behavioral audit examines the human decision-making processes, environmental factors, and psychological drivers that shape everyday actions. This will help you understand how your employees actually behave with cybersecurity (not how policies say they should be behaving).
- Have leadership begin sharing information with the organization, including personal stories, along with new reporting guidelines or procedural changes
Day 31-60:
- Deploy targeted nudges
- Deploy microlearning modules
- Highlight leadership’s usage
- Remove fear tactics wherever they exist
Day 61-90:
- Expand microlearning scenarios. Training is not one-size-fits-all, so at this stage trainings need to be tailored to each department
- Optimize performance through A/B testing
- Begin prioritizing usability improvements
- Share success stories across departments
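As an added example of the “testing different prompt formats to determine which produce measurable behavior change” step from the nudges section and the A/B testing milestone in days 61-90, the following Python compares two nudge formats by the rate at which employees reported a simulated phish. This is not code from the post, ISE, or IoT Village; the arm names, counts, and thresholds are constructed sample values. It applies a pooled two-proportion z-test, requires the lift to be both statistically significant and practically meaningful before recommending a rollout, and estimates how many employees per arm a follow-up test would need.

```python
"""Evaluate whether a nudge (prompt) format measurably changed a secure
behavior, using phishing-simulation report rates as the behavioral metric.

Added example for this post; not code from ISE or IoT Village. All numbers
below are constructed sample data, not results from any real deployment.
"""
from __future__ import annotations

from dataclasses import dataclass
from math import ceil, erfc, sqrt


@dataclass(frozen=True)
class Arm:
    """One prompt format shown to a group of employees during a simulation."""
    name: str
    exposed: int    # employees who received the simulated phish under this format
    reported: int   # how many of them reported it through the reporting channel

    @property
    def rate(self) -> float:
        return self.reported / self.exposed if self.exposed else 0.0


def two_proportion_z(control: Arm, variant: Arm) -> tuple[float, float]:
    """Pooled two-proportion z-test; returns (z, two-sided p-value).

    Positive z means the variant's report rate is higher than the control's.
    """
    pooled = (control.reported + variant.reported) / (control.exposed + variant.exposed)
    se = sqrt(pooled * (1 - pooled) * (1 / control.exposed + 1 / variant.exposed))
    if se == 0.0:                          # everyone or no one reported in both arms
        return 0.0, 1.0
    z = (variant.rate - control.rate) / se
    p_two_sided = erfc(abs(z) / sqrt(2))   # P(|Z| > |z|) under the standard normal
    return z, p_two_sided


def compare_prompts(control: Arm, variant: Arm, alpha: float = 0.05,
                    min_lift: float = 0.03) -> dict:
    """Decide whether a prompt format is worth rolling out.

    A variant is adopted only if the change is statistically significant at
    `alpha` AND the absolute lift in report rate is at least `min_lift`
    (0.03 = three percentage points), so a tiny but significant difference in
    a large population is not mistaken for a meaningful one.
    """
    z, p = two_proportion_z(control, variant)
    lift = variant.rate - control.rate
    significant = p < alpha
    if significant and lift >= min_lift:
        decision = "adopt variant"
    elif significant and lift < 0:
        decision = "keep control (variant lowered reporting)"
    elif significant:
        decision = "keep control (lift too small to matter)"
    else:
        decision = "inconclusive: keep collecting data"
    return {
        "control_rate": round(control.rate, 4),
        "variant_rate": round(variant.rate, 4),
        "lift": round(lift, 4),
        "z": round(z, 3),
        "p_value": round(p, 4),
        "significant": significant,
        "decision": decision,
    }


def required_per_arm(baseline: float, lift: float) -> int:
    """Employees needed in EACH arm to detect an absolute `lift` over `baseline`
    at two-sided alpha = 0.05 with 80% power (z = 1.960 and 0.842), using the
    normal-approximation sample-size formula for two proportions.
    """
    z_alpha, z_beta = 1.960, 0.842
    p1, p2 = baseline, baseline + lift
    p_bar = (p1 + p2) / 2
    numerator = (z_alpha * sqrt(2 * p_bar * (1 - p_bar))
                 + z_beta * sqrt(p1 * (1 - p1) + p2 * (1 - p2))) ** 2
    return ceil(numerator / lift ** 2)


# Constructed sample data: two waves of a phishing simulation, each run with a
# different follow-up prompt (a plain reminder vs. an instant one-click
# "Report this" nudge shown right after the simulated phish is opened).
CONTROL = Arm("plain reminder", exposed=400, reported=60)           # 15.0% report rate
VARIANT = Arm("instant one-click nudge", exposed=400, reported=92)  # 23.0% report rate

if __name__ == "__main__":
    for key, value in compare_prompts(CONTROL, VARIANT).items():
        print(f"{key:>13}: {value}")
    # How large must the next wave be to detect a further 5-point lift over 23%?
    print("employees per arm needed:", required_per_arm(0.23, 0.05))
```

The `min_lift` threshold is the part most teams skip: with enough employees almost any difference becomes “significant,” so decide up front what size of change would actually justify changing the prompt, and use `required_per_arm` to size the test before running it rather than reading results off an underpowered wave.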
Cybersecurity is more than just a technical discipline; it’s also a behavioral one. Organizations that integrate psychology into how they strengthen security within their company will ultimately build a more resilient, adaptive, and engaged workforce. By applying established behavioral models, deploying nudges, improving usability, measuring psychological drivers, and strengthening leadership and team connections, security teams can transform their internal culture into a powerful front line of defense against malicious attackers. When secure behavior becomes easy, organizations significantly reduce their exposure to human-centered threats and create a sustainable model for cybersecurity success. If your team would benefit from guidance on building out a psychology-based security awareness program or is looking for a third-party organization to assist with trainings, reach out to our team of ethical hacking experts to learn more.