Our Approach
The Behaviour Cycle
A design system for the only security outcome that actually matters.
Human risk isn't a people problem. It's a design problem.
When someone clicks a phishing link or bypasses a control, the instinct is to blame the person. But the person did exactly what the environment designed them to do. The failure wasn't human. The failure was architectural.
The System
Engagement: create attention and emotional signal.
Culture: normalise the right behaviour.
Instinct: make good decisions automatic.
Awareness
Not a programme. Not a campaign. Not a module with a certificate at the end. Awareness is the state that results when the system is working. You can't deliver it. You can only design the conditions that make it inevitable.
The industry has been running the system backwards.
Most programmes optimise for proof of delivery. Not proof of behaviour.
Most security programmes are built on a flawed assumption: that if you tell people the right things often enough, they will eventually do the right things. So the industry keeps telling. More modules. More posters. More phishing tests. More October campaigns. More completion certificates that prove attendance and nothing else.
And behaviour barely moves.
The problem isn't the people. The problem is the sequence. Security programmes almost universally start in the wrong place, skip the conditions that make behaviour change possible, and then measure the wrong things to prove it worked.
Something must be done. Awareness is something. Modules get rolled out. Posters go up. The success question shifts from "did anyone do anything differently?" to "did everyone click through?" And when behaviour still doesn't shift, the blame slides onto the people. They didn't pay attention. They don't care enough.
This is where programmes stop being ineffective and start being actively harmful. Phishing simulations become traps. Reporting drops. Questions stop. People don't become more aware. They become quieter. And silence is one of the most dangerous states an organisation can be in.
Most security programmes fail at the same stage. Few know which one.
Which stage are you skipping? Take the Behaviour Cycle Check.
Engagement
Nothing else in this cycle functions without engagement. Not culture. Not instinct. Not awareness. If people aren't paying attention, the rest of the system is expensive noise.
Engagement is not about making training fun. It's not gamification, it's not novelty for its own sake, and it is absolutely not a branded eLearning module with a character called Cyber Sam. Engagement is the creation of genuine attention and emotional signal. Because without those two things, the brain doesn't bother encoding what it's being shown. Information arrives. Information is filtered out. Nothing changes.
This is biology, not opinion.
The brain prioritises emotion, novelty, and relevance. Information that arrives without those signals gets deprioritised aggressively. Passive learning decays fast. Most of it is gone within 48 hours. Clicking next is not learning. It's compliance theatre with a progress bar.
Attackers understand this completely. Social engineering works because it triggers attention, urgency, and emotion with surgical precision. It hijacks the exact mechanisms that make humans responsive, creative, and social. Most security programmes rely on delivery methods that are almost perfectly designed to be disregarded. The irony does not improve with time.
Engagement flips the dynamic. When people are genuinely engaged, defensiveness drops, curiosity increases, and behaviour becomes negotiable in a way it simply cannot be when someone is waiting for a module to end so they can get back to their actual job.
This is why experiential learning works. Not because it's more enjoyable, though it often is, but because it creates conditions the brain treats as real. Shared pressure. Decisions that matter just enough to be remembered. Moments the brain files under worth holding onto rather than safe to discard.
Engagement earns attention. Attention is what makes everything that follows possible.
Culture
Culture is where most security programmes abandon ship. Not because culture is unimportant. Because it's difficult. It resists standardisation. It can't be assigned, completed, or reported on in a quarterly dashboard. You can't buy it from a vendor or implement it in a two-day rollout. So it gets deprioritised. Or worse, confused with communication. A poster goes up. An email gets sent. Someone calls it a culture campaign.
Culture is not communication. Culture is what people do when nobody is watching.
It lives in how leaders respond when something goes wrong. In whether reporting a near miss is welcomed or noted with a frown. In whether the security team is known as the people who help or the people who catch you out. In whether curiosity is treated as an asset or a nuisance. In whether mistakes are treated as data or evidence of personal failure.
These signals are transmitted constantly, whether the organisation intends to transmit them or not. And people read them with extraordinary accuracy. If the environment punishes visibility and rewards staying quiet, people will be quiet. They will stop reporting. Stop asking questions. Stop flagging the things that feel slightly wrong.
This is where programmes start causing damage rather than reducing it. Fear-based messaging doesn't create security culture. It creates performance. People perform compliance for as long as compliance is being observed. The moment pressure drops, behaviour snaps back to default.
Behavioural science has been clear on this for decades. Social norms influence behaviour far more powerfully than rules. People don't follow policies. They follow people. They take cues from what's tolerated, what's celebrated, and what gets normalised without comment.
Culture turns a moment of engagement into a shared expectation. It's what makes pausing before clicking feel normal rather than paranoid.
Instinct
Instinct is the stage nobody in this industry talks about. Partly because it's hard to measure. Partly because most programmes never get close to it. Partly because the conversation has been so consumed by awareness for so long that nobody has stopped to ask what comes after.
What comes after is behaviour that no longer requires effort.
Not rules followed under observation. Not training recalled under pressure. Not a mental checklist run through before clicking a link. Instinct is what happens when the right behaviour has been repeated often enough, in enough different conditions, with enough cultural reinforcement, that it stops being a decision at all. It becomes reflex.
Drivers don't think about checking their mirrors. Surgeons don't deliberate over sterile technique mid-procedure.
The behaviour is so deeply embedded it runs without instruction, including under pressure, including when tired, including when distracted. This is what genuine security behaviour looks like when a programme has actually worked. Not vigilance as a conscious act. Vigilance as a default state.
Instinct isn't trained into people. It's built through the compounding of everything that comes before it. Engagement creates the emotional signal strong enough to make something worth encoding. Culture normalises the behaviour until it feels like the obvious thing rather than the cautious thing. And instinct emerges when both have been working long enough that the scaffolding falls away and the behaviour remains.
Attackers don't wait for people to be alert and prepared. They engineer the opposite. Urgency. Distraction. Fatigue. Social pressure. These aren't side effects of an attack; they are the method. They are specifically designed to overwhelm conscious processing. Instinct is the only defence that functions when conscious processing isn't available. Which is most of the time. For most people. In most organisations.
When instinct exists, security stops being a department and starts being a disposition.
Instinct doesn't happen by accident. It happens when the stages before it are working. Find out which one isn't with our Behaviour Cycle Check.
The Outcome
Awareness is the result.
The industry has spent twenty years trying to manufacture an outcome by skipping the conditions that produce it. Awareness isn't a programme. It isn't a campaign. It isn't a module or a metric or a month in October.
It's what happens inside someone's head when engagement and culture have done their jobs. You can't deliver awareness. You can only design the environment that makes it inevitable.
Real awareness shows up in the small, unremarkable moments. Not in quiz scores or completion rates. In behaviour. In the pause before clicking. The question asked before acting. The report made before a situation escalates. Quiet, consistent, and entirely invisible on a dashboard. Which is exactly how you know it's real.
What awareness looks like
Reporting: the email that gets reported because something felt slightly off, before anyone could explain exactly why.
Hesitation: the link that doesn't get clicked because someone hesitated half a second longer than usual.
Verification: the request that gets verified instead of actioned immediately, without needing a policy to say so.
Escalation: the conversation with the security team that starts early, before a situation has a chance to escalate.
Measurement: fewer nasty surprises. Earlier escalation. Better questions. These are the metrics that matter.
Design the conditions. Awareness follows.
Human risk isn't a people problem. Never was. It's a design problem. And design can be fixed. The Behaviour Cycle is how you fix it: three levers, deliberately sequenced, producing the one outcome the industry has been chasing for twenty years.
Engagement earns the attention.
Culture makes it normal.
Instinct makes it automatic.
Awareness is what you get.