You Can’t Change Behaviour By Telling People What To Do
Cyber is a bit nerdy. Don't @ me about it. It's just a fact. We all love a bit of Lord of the Rings, Harry Potter, Star Wars, Dungeons & Dragons... you get the picture. Fantasy is kind of our thing. And that's totally cool. Fine. Love that for us.
We love playing dress up and building worlds. We were on site last month with a mega exciting client where we hacked someone on a train... and recovered from a ransomware attack inside a custom-built SOC installation. Trust me when I say, we totally get the whole fantasy thing.
But what's not cool is when we start building fantasies into our working practices. You know... little minor things... like us all believing that if we explain the right behaviours clearly enough, repeat them often enough, and shackle them to policies and procedures, people will magically recall all that wisdom at the exact moment danger appears. Like a cyber-trained wizard.
And it is a very lovely idea. It really is. I mean, it's hugely flattering to institutions. And process. And documentation. And don't we all love process and documentation so much?! It suggests that behaviour can be engineered through expectation alone... like we're all little calm, logical storage devices. Information goes in. Information comes out on demand. Which is... optimistic.
It's also fucking nonsense.
In reality, people are tired, rushed, distracted, half-listening (yes, even to your wonderfully engaging 67-slide presentation about looking very closely at security headers). They're trying to hit deadlines and they're probably hungover or their girlfriend just dumped them. You get the picture. People are busy. They're not always hyper-focused.
It's not that they're stupid or that they're secretly trying to burn the company down. (Maybe keep an eye on that Kevin guy though...). It's not because they don't care about security or consequences. It's just that behaviour doesn't work in the way most cyber training thinks it does. Especially once you leave the classroom. Behaviour doesn't happen in neat, quiet moments. It happens mid-task... under pressure... with other people around. And training almost never practices that part.
The Problem with Instruction
Cyber training is usually built to explain things. And explanation is great. It creates knowledge. But knowledge isn't what drives behaviour. So we show people phishing examples that are usually so outlandish they're laughable. We explain password rules to people without the real life pressure of "I just need this to fucking work NOW". We tell people to trust their instincts... like scammers come with a warning label?!
And our people listen. They pass quizzes. They prove they understand. They have the knowledge. They're "aware". We all give ourselves a round of applause. We get that nice warm fuzzy feeling of achievement. Then we go back to the real world.
An email comes in that looks almost right, written in the right tone... using the right language. A phone call piles on urgency and authority in a way that feels awkward to challenge. We have to make a decision quickly, with half the information, other priorities competing for brain space, and someone waiting for an answer.
Realistically, in that moment, are we really expecting our people to flip through a mental copy of that awareness slide deck to find the right policy clause? No. The brain goes back to doing what it always does when it's under pressure... it reaches for familiarity, pattern, and instinct. Instruction builds none of those.
And THAT is what we're misunderstanding.
Unfortunately for us, behaviour doesn't live in calm spaces where people have the time to reason through hypothetical situations. Behaviour lives in the noise, interruption, hierarchy, ambiguity, and emotional pressure of daily life. It shows up when we've got zero time spare. When delaying something feels awkward as fuck (for many reasons... socially, professionally...). When social dynamics are in place. And when uncertainty is uncomfortable enough that the brain wants closure more than it wants accuracy.
Under those conditions, the brain isn't going to be performing careful recall. It's just making quick judgements about what feels normal and what feels safe. Which is why people can know all the rules and still break them. They didn't forget the knowledge... it's just that the brain didn't match that knowledge with their current context. The current situation didn't feel like the training, so that information must not be the right thing to bring up.
So you see, it's not a failure of intelligence.... it's a failure of rehearsal.
The Importance of Rehearsal
Rehearsal is what really matters. Annual training is a massive compliance cop-out, whichever way you look at it. It's there for box-ticking, not making meaningful strides towards actual risk reduction. Did you read the Highway Code once and go for your driving test? Did you watch a video about swimming and then jump in the deep end? No. No, you didn't.
In every area of our lives where performance under pressure matters, we make practicing non-negotiable. And yes, the first few times we practice, we're indescribably shit. But we get better. And better. And then we can do it without thinking. Cyber isn't special in this regard... we all just pretend it is.
Instructions tell us what the rules are, yes. But rehearsal teaches us what to do when things get messy. And messy, really, is the only time it actually matters. Training that relies on recalling information is extremely fragile. Recall is not what you're doing when the shit hits the fan. You're in auto-pilot, doing whatever has stuck in your brain as the best option. Whatever's automatic. Whatever feels normal.
Experience Beats Explanation
If you're actually serious about changing behaviour when it matters, then you need to put the work in long before the incident. Not with more slides. Not with longer policies. But with experiences that look and feel like real life. With experiences that build recognition and familiarity and confidence, so that the RIGHT responses feel normal... not novel.
People need to see manipulation while it's happening. Not have a neatly labelled picture of it happening to someone else. They need to feel the awkward pauses, the pressure, the temptation to comply... and then they need to practice responding in those conditions. They need to practice when it's uncomfortable, not when it's obvious.
Instruction-heavy training looks great on paper but continues to fail in reality. Completion rates look great. Your dashboard looks fine and dandy. All your compliance boxes get ticked. And then people continue making the same mistakes. Not because they don't care but because the training wasn't ever built to survive contact with the real world.
Don't get me wrong... instruction isn't useless. It's just not enough. And when it's mistaken for a behaviour change strategy (instead of just being used as a supporting tool), it creates a very comforting illusion of being prepared... without delivering the thing the business really needs.
If behaviour under pressure is the goal, explanation can't be the strategy. Training needs to look like the thing we're asking people to do. It needs rehearsal. Because, as the title says, you don't change behaviour by telling people what to do (wouldn't the justice system be obsolete if you could?!).
No, you change behaviour by helping people recognise the moment and making sure that when it does arise, the right response already feels familiar.