The Behaviour Cycle

Engagement • Culture • Awareness

A behavioural system for real-world security learning

Most of the cyber security industry is deeply and emotionally attached to the word "awareness". It's everywhere. In strategy decks, KPIs, job titles. It gets wheeled out when it's needed, polished up in October for Cyber Awareness Month or for an audit, proudly displayed... and then quietly shoved back in a drawer until the next time someone asks for proof.

Much like a clean desk policy or a seasonal pumpkin, it looks great when it's on show. It just isn't designed to survive everyday reality.

Awareness training. Awareness campaigns. Awareness as a service. Awareness as a virtue. Awareness as box-ticking theatre.

And yet despite all of that, behaviour barely moves. The majority of security incidents are still driven by human behaviour. Which raises an awkward question: if awareness is working, why does nothing actually change?


Why Awareness Keeps Failing

(And why that's not a people problem)

Awareness keeps failing because it's being asked to do a job it was never designed to do on its own. It's being treated as a starting point, when in reality it's an outcome. Most organisations aren't doing awareness wrong - they're doing it too early.

Awareness feels attractive because it looks tangible. It can be assigned, tracked, completed, reported on. You can put it into a slide deck and call it progress. It behaves nicely in governance frameworks. It survives audits. It produces dashboards that glow reassuringly green.

Engagement and culture, on the other hand, are awkward. They're human. They're harder to control, harder to standardise, and much harder to spreadsheet. So they get deprioritised. Or worse, ignored entirely.

And the result? A system that runs backwards. Organisations jump straight to the outcome they want, skip the groundwork required to produce it, and then act surprised when behaviour doesn't change.

Something must be done. Awareness is something. So modules get rolled out. Posters go up. Emails get sent. Completion rates look healthy. Everyone breathes a sigh of relief.


But activity is not impact.

Most awareness programmes optimise for proof of delivery, not proof of behaviour. The success question quietly becomes "did everyone complete the training?" rather than "did anyone do anything differently afterwards?". Attendance replaces action as the proxy for effectiveness.

And when behaviour still doesn't shift, the conclusion is rarely that the system is flawed. Instead, the blame slides gently (and then firmly) onto the people. Staff don't care enough. They're careless. They didn't pay attention. They need more testing. More policing. More reminders.

This is where programmes start doing damage.

Extra phishing simulations become traps rather than learning tools. Failure gets publicised in the name of metrics. Mistakes are logged, tracked, remembered. People learn very quickly what the system is really rewarding: not good judgement, but staying out of trouble.

So reporting drops. Questions stop. Curiosity disappears. People don't become more aware - they become quieter. They learn not to raise their hand. Not to double-check. Not to draw attention to themselves.

This isn't awareness. This is learned silence. And silence is one of the most dangerous states an organisation can be in.

When awareness programmes fail, it's rarely because people don't care. It's because the environment they're operating in makes caring risky, irrelevant or exhausting. You cannot train your way out of a system problem. You have to redesign the system.

It's why we don't start with awareness. And it's why we don't treat behaviour change as a one-way journey. Because humans don't work like that.

The Behaviour Cycle

Engagement

Where Behaviour Change Actually Begins

Engagement is the most underestimated part of The Behaviour Cycle, and the most important. Its job is not to entertain, gamify, or "make training fun". Its job is to create attention and emotional signal - because without those, behaviour is not negotiable.

If people aren't paying attention, nothing else matters. You can't change behaviour if the brain has already checked out. You can't build culture if people feel bored, patronised, judged, or talked at. And you certainly can't create awareness in an environment where engagement was never earned in the first place.

This is where most security programmes quietly fail. They confuse attendance with engagement, and exposure with impact. They assume that because someone has sat through something, clicked through something, or completed something, learning must have occurred.

It hasn't.

People don't learn because they are told to. They learn when something cuts through. When it feels relevant. When it carries a bit of tension. When it sparks curiosity, discomfort, or surprise. When their brain wakes up and goes, "Hang on... this matters!".

That's not a creative preference. It's biology.

The human brain prioritises emotion, novelty, and relevance. Information that arrives without those signals is filtered out aggressively. Passive learning decays fast. Most of it is gone within days. Clicking "next" is not learning, it's bureaucracy with a progress bar.

No one remembers slide 63 of a deck. Everyone remembers the moment something felt real.


Attackers understand this instinctively. Social engineering works precisely because it triggers attention, urgency, and emotion. Most awareness programmes, meanwhile, rely on delivery methods that are almost perfectly designed to be ignored.

Engagement flips that dynamic. When people are genuinely engaged, defensiveness drops. Curiosity increases. Conversations start. Assumptions get challenged. Behaviour suddenly becomes negotiable.

This is why immersive, experiential learning works so reliably. It doesn't ask people to care - it gives them a reason to. It creates shared moments under mild pressure, where decisions matter just enough to be remembered. Not because someone said they should be, but because their brain decided it was worth holding onto.

Engagement is not a "nice to have". It's the price of entry. Without it, everything else in the system is just expensive noise. You can have the best policies in the world, the cleanest guidance, the most beautifully written comms - and none of it will land if no one is truly paying attention.

But engagement on its own doesn't last. A powerful moment without reinforcement fades. That's why engagement is the first stage in the cycle. Engagement lights the match. What happens next depends entirely on culture.

Culture

Where Behaviour is Normalised

If engagement creates the spark, culture determines whether anything actually burns... or whether it fizzles out, smoulders awkwardly, and disappears the moment the session ends.

Culture is the most misunderstood part of security learning, largely because it's the least visible. It doesn't live in policies, posters, or slogans. It shows up in what people do when nobody is watching. In what feels normal. In what feels risky. In what gets repeated, what gets challenged, and what gets quietly ignored.

Most programmes talk about culture as if it's something you can announce. It isn't. Culture is formed between moments, not during them. It's shaped in conversations after a session, in reactions to mistakes, in how leaders respond when something goes wrong, and in whether curiosity is rewarded or punished.

This is where many organisations unintentionally sabotage themselves.

Fear-led messaging. Punitive phishing tests. Public failure dashboards dressed up as metrics. Language that frames mistakes as weakness rather than signals. All of it sends a very clear message, whether intended or not: don't get caught.

People learn fast. If reporting feels risky, they stop reporting. If asking questions feels embarrassing, they stop asking. If security feels like the team that catches you out rather than backs you up, silence becomes the safest option.

Silence, unfortunately, looks like compliance right up until the moment it becomes an incident.

Blame culture doesn't create awareness. It destroys psychological safety. And without psychological safety, learning doesn't compound - it decays. People don't get better at making decisions, they get better at hiding mistakes.

Behavioural science has been unambiguous on this for years: social norms influence behaviour far more powerfully than formal rules. People don't follow policies. They follow people. They take cues from what's tolerated, what's rewarded, and what gets quietly brushed under the carpet.


Culture is reinforcement. It's what turns a powerful moment of engagement into a shared expectation of "this is how we do things around here". It's what makes pausing before clicking feel normal. It's what makes double-checking a request feel sensible rather than socially awkward. It's what makes challenging something odd feel responsible, not rude.

And crucially, culture isn't built through fear. It's built through relevance, repetition, and belonging. Through shared language. Through repeated signals that curiosity is welcome, mistakes are surfaced early, and security is something you do with people, not to them.

Without cultural reinforcement, engagement fades and awareness never stabilises. You might get a good session. You might even get a memorable moment. But without a supportive environment to carry it forward, behaviour slips back to default under pressure.

Culture is what stops that slide.

It's the part of The Behaviour Cycle that most organisations skip because it feels intangible, slow, and difficult to control. But it's also the part that determines whether anything you do actually lasts. Culture is where behaviour becomes normal. And once behaviour is normalised, awareness finally has something solid to stand on.

Awareness

What Behaviour Looks Like When the System Is Working

Awareness is the most talked-about part of security learning, and the least well understood. That's because it's usually treated as an activity - something you deliver, roll out, or complete - rather than what it actually is: the visible result of a system doing its job.

Awareness is not the starting point. It's the outcome.

When engagement has captured attention and culture has reinforced shared norms, awareness begins to show up naturally. Not in quiz scores or completion rates, but in behaviour. In the small unremarkable moments where someone pauses, questions, or checks - without being prompted, watched, or rewarded.

Real awareness isn't loud. It's quiet and consistent.

It's the email that gets reported because something feels slightly off. The link that doesn't get clicked because someone hesitates for half a second longer than usual. The request that gets verified instead of actioned immediately. The conversation with the security team that starts early, before a situation escalates.

None of that comes from memorising facts. It comes from pattern recognition, confidence, and judgement under pressure. From people knowing not just what to do, but feeling able to do it.


This is why awareness can't be faked.

You can mandate training. You can assign modules. You can test recall. But you cannot force awareness into existence if the environment around it undermines it. If people don't feel safe asking questions, they won't. If reporting feels risky, it won't happen. If security feels punitive, awareness retreats underground.

Awareness lives in ambiguity. In moments where the answer isn't obvious. In situations where there's no policy to hand and no time to check a slide deck. It shows up when people are busy, distracted, or under pressure - which is precisely when it matters most.

It's also why awareness doesn't move in a straight line. It strengthens through repetition and feedback. Each good decision reinforces the next. Each safe interaction with the system builds confidence. Awareness feeds back into engagement, sparking new conversations, new questions, and new shared stories.

The cycle continues.

When awareness exists in this way, measurement changes too. You stop obsessing over attendance and start paying attention to signals that actually matter. Earlier reporting. Better questions. Faster escalation. Fewer nasty surprises.

Awareness stops being something you chase because you can see it happening.

This is why we don't sell awareness as a product, a campaign, or a deliverable. We design for it as an outcome. Because when you get the system right, when engagement earns attention and culture makes good behaviour normal, awareness becomes the natural by-product.

Engagement sparks it.
Culture sustains it.
Awareness proves it.

That's The Behaviour Cycle. Not a framework. Not a philosophy. Just a clear-eyed understanding of how humans actually change behaviour - and why doing it in the wrong order has never worked.

Designing Awareness as an Outcome

Not a Campaign

The Behaviour Cycle isn't a framework you "implement" or a message you roll out. It's a way of designing environments where the right behaviour becomes the easiest behaviour.

It forces a more honest question than most security programmes ever ask. Not "what do people need to know?" but "what conditions need to exist for people to act well under pressure?"

When you design for engagement, people pay attention because something feels real. When you reinforce that engagement through culture, good behaviour stops feeling exceptional and starts feeling normal. And when those two things are in place, awareness emerges naturally - not as knowledge recall, but as judgement, confidence, and instinct.

This is why we don't treat awareness as a deliverable. You can't mandate it. You can't poster it into existence. You can't measure it into being. You earn it by getting the system right.

Most organisations don't fail at awareness because their people don't care. They fail because the environment makes caring difficult, risky, or irrelevant. They run the system backwards, optimise for audit instead of behaviour, and then blame humans for responding exactly as humans always do.

The Behaviour Cycle flips that logic.

It accepts that behaviour change isn’t linear. It loops. Each decision reinforces the next. Each safe interaction builds confidence. Each shared moment becomes part of how things are done around here. Engagement feeds culture. Culture produces awareness. Awareness fuels further engagement.

That’s why everything we do maps back to this cycle. Our experiences, our products, our content, our conversations. They all exist to serve a specific behavioural job within it.

This page isn’t a manifesto. It’s a reference point.

If you understand The Behaviour Cycle, you understand our approach.

And if you design your security programme around it, you stop chasing awareness, because you can finally see it happening.

Where does your organisation break the cycle?
