Security Behavior Change

The Disconnect Between Understanding and Behavior: How to Accurately Measure and Change Behavior

Masha Sedova

Published on 12 December 2019

The Disconnect Between Understanding and Behavior: How to Accurately Measure and Change Behavior

Survey after survey indicate that the general public’s understanding of simple cybersecurity hygiene concepts, such as using strong passwords, are fairly good. Pew Research Center found that the majority of people know what a strong password is. Yet, their behaviors show otherwise. This presents critical challenges if you want to accurately measure your security culture in order to reduce business and operational risk.

Common practices to measure employee behavior currently includes training completion, phishing metrics and surveys. This is not a comprehensive approach to truly understanding your company’s security posture. For example, if a doctor only chose a few behaviors to fully determine the health of an individual it could be detrimental to their health. A security awareness program is no different. In order to understand the strengths and weaknesses of an individual we have to take all of their security behaviors into account - beyond the basics. Surveys can be a good tool to measure perceptions and knowledge of a concept but not actual behavior - it’s their behavior that strengthens or weakens your cybersecurity posture.

More often than not, what people say they do and what they actually do are very different. There is a reason why insurance companies use metrics such as age, driving history and tracking driving habits to determine true behavior. Allstate conducted a study and found that most people considered themselves “excellent” or “very good” drivers, yet behaviors show otherwise. There are several reasons why this happens - people are unaware of their actions, they are afraid of the consequences or they simply guessed the answer. If insurance companies charged rates based on driver’s perspectives and self-assessment surveys our experiences on the road would be completely different.

If you want to accurately assess which employees are top performers and who are your stragglers you must establish impactful baseline metrics for all of the behaviors you want to influence. This information will inform how your behavior change program is working and how to improve it.

Here are a handful of ways to collect measurements on your key security behaviors:

  • Use existing data streams to collect:
    • Incident response metrics
    • Vulnerability metrics
    • Patching of systems
    • Phishing click-through
    • Reporting rates
  • Point in time assessment such as floor sweeps, printer checks, whiteboards checks, unlocked computers
  • A/B testing: A method of comparing two groups against each other to determine which one performs better.


The A/B approach is particularly impactful in testing the effectiveness of training of a specific topic.  If the training focuses on phishing and reporting, you should find that alumni of training are outperforming non-participants on the target behavior.  For example, with Hacker’s Mind, our security behavior change training,  companies typically see:

  • 40% fewer user-generated incidents
  • 50% less successful phishing attacks
  • 82% more employee reporting


Measure your ongoing impact and adjust accordingly

Decide on a regular interval at which you’ll measure how these metrics change and (hopefully) improve over time. Whether monthly, quarterly, or semi-annually, keep measurements at consistent intervals.

A quicker and more efficient way to measure and improve your cybersecurity culture over time is by using the Elevate Security Platform. Here’s how we do it:

Measure behavior over time

We’d love to talk with you about powering a positive security culture for your organization.

We’d love to talk with you about powering a positive security culture for your organization. https://elevatesecurity.com/get-demo