Why behaviour changes through experience, not information.
Available on
Audible & Amazon
Author
Rory Sutherland
Behaviour Stage
Engagement
Overview
Alchemy challenges the idea that progress comes from logic, data, and efficiency alone. Rory Sutherland argues that humans don’t make decisions rationally... we respond to emotion, context, perception, and stories. The book explores how reframing a problem can be more powerful than optimising it, showing that small psychological shifts often outperform expensive, complex solutions. In short, how something feels can matter more than how it technically works.
For security awareness and behaviour change, this insight is critical. Most training fails because it assumes people behave like spreadsheets, when in reality they act under pressure, distraction, and social cues. Alchemy validates experiential approaches... immersive scenarios, storytelling, and moments of tension... as more effective ways to influence behaviour. It provides the behavioural backbone for designing experiences that people remember, talk about, and actually change how they act when it matters.
Why this matters for security behaviour
Alchemy matters for security behaviour because it exposes the flaw at the heart of most awareness programmes: the assumption that people change behaviour when they’re given more information. In reality, security incidents happen under pressure, distraction, and social influence... exactly the conditions where rational thinking breaks down.
By prioritising emotion, perception, and context over rules and policies, Alchemy reinforces the need for experiential, story-driven training that mirrors real-world decision-making. It explains why immersive experiences, simulated attacks, and moments of consequence are far more effective at shaping secure behaviour than checklists, slides, or compliance-led training ever will be.
Key Takeaways
- Behaviour changes through experience, not instruction
People don't act securely because they know the rules - they act securely because something has reshaped how risk feels in the moment.
- Perception changes security outcomes
If security feels abstract, boring, or low-stakes, it will be ignored. Making threats feel real, immediate, and personal changes behaviour far more effectively that policies.
- Humans are not rational
Most security incidents happen when people are rushed, distracted, or socially influenced - exactly when logic and training manuals fail.
- Small psychological nudges outperform big technical fixes
People remember stories, tension, and consequence - not bullet points. Training that creates a narrative is more likely to stick.
- Unconventional ideas often deliver the biggest impact
Playful, immersive, or "non-traditional" approaches may look inefficient, but they are often the most effective at driving real behaviour change.