The Behaviour Formula - The Cyber Escape Room Co.

The Behaviour Formula

The formula for the only security outcome that actually matters.

Why It Matters

Human risk isn't a people problem.
It's a design problem.

When someone clicks a phishing link or bypasses a control, the instinct is to blame the person. But the person did exactly what the environment designed them to do. The failure wasn't human. The failure was architectural.

So what do you do about a design problem? You stop running campaigns... and you start solving the formula.

The Formula
(Engagement → Awareness) × Culture = Instinctive Behaviour

Two inputs in sequence. One multiplier. One output.

Engagement earns attention. Awareness lands because attention exists. Culture multiplies whatever the first two produce... and instinctive behaviour is what comes out the other side.

Notice culture isn't inside the bracket? That's the whole point. Weak engagement starves awareness. Weak awareness leaves nothing to embed. But culture is the only term that can take everything you've built and multiply it by zero.

Not a loop. Not a maturity model. A formula. And formulas can be solved.

Why It Keeps Failing

The industry has been solving for the wrong variable

The industry's answer to human risk has been the same for twenty years. Modules, posters, phishing tests, October campaigns. Push the knowledge out, prove it was delivered, and hope behaviour follows.

It doesn't. In Proofpoint's 2024 State of the Phish survey, 96% of employees who took a risky action knew it was risky when they took it. The knowledge is already there. The behaviour isn't. So why does the industry keep buying more knowledge?

Because something must be done, and awareness is something. Modules get rolled out. Posters go up. The success question shifts from "did anyone do anything differently?" to "did everyone click through?" And when behaviour still doesn't move, the blame slides onto the people. They didn't pay attention. They don't care enough.

This is where programmes stop being ineffective and start being actively harmful. Phishing simulations become traps. Reporting drops. Questions stop. People don't become more aware... they become quieter. And silence is one of the most dangerous states an organisation can be in.

The problem isn't the people. The problem is the formula. Awareness was never the outcome... it's a term in the equation. Solve it in the wrong order, or multiply it by a hostile culture, and the output doesn't change. No matter how much you spend on the inputs.

"96% of people who took the risky action knew it was risky. The knowledge gap is closed. So what's actually missing?"

01

Engagement

The First Input

Nothing in this formula works without engagement. Not awareness. Not culture. Not instinct. If people aren't paying attention, everything downstream is expensive noise.

Engagement is not about making training fun. It's not gamification, it's not novelty for its own sake, and it is absolutely not a branded eLearning module with a character called Cyber Sam. Engagement is the creation of genuine attention and emotional signal. Because without those two things, the brain doesn't bother encoding what it's being shown. Information arrives. Information is filtered out. Nothing changes.

This is biology, not opinion.

The brain prioritises emotion, novelty, and relevance. Information that arrives without those signals gets deprioritised aggressively. Passive learning decays fast... most of it is gone within 48 hours. Clicking next is not learning. It's compliance theatre with a progress bar.

Attackers understand this completely. Social engineering works because it triggers attention, urgency, and emotion with surgical precision. The industry's own delivery methods, meanwhile, are almost perfectly designed to be disregarded. The irony does not improve with time.

This is why experiential learning works. Not because it's more enjoyable, though it often is, but because it creates conditions the brain treats as real. Shared pressure. Decisions that matter just enough to be remembered.

Engagement earns attention. Attention is what makes the next term possible.

02

Awareness

The Second Input

Here's something you might not expect from us: awareness matters. People genuinely do need to know what good looks like. What a pretexting call sounds like. Why the urgent invoice that arrived at 4:58pm deserves a second look.

The industry's mistake was never caring about awareness. It was treating awareness as the destination... the thing you deliver, measure, and declare done.

Awareness is a payload. And a payload needs a delivery mechanism that works. Deliver knowledge to people who aren't paying attention and it evaporates: up to 90% of passive training is forgotten within a week. Deliver the same knowledge inside an experience the brain has already decided is worth keeping, and it sticks.

Awareness doesn't fail because people can't learn. It fails because it's almost always delivered without engagement. The bracket runs in one direction: attention first, knowledge second. No exceptions.

Engagement creates the conditions. Awareness fills them.

×

Culture

The Multiplier

Notice culture sits outside the bracket? That's deliberate. Culture isn't a stage you complete. It's the number everything else gets multiplied by.

Culture is what people do when nobody is watching. It lives in how leaders respond when something goes wrong. In whether reporting a near miss is welcomed or noted with a frown. In whether the security team is known as the people who help or the people who catch you out. In whether mistakes are treated as data or evidence of personal failure.

These signals are transmitted constantly, whether the organisation intends to transmit them or not. And people read them with extraordinary accuracy.

If the environment punishes visibility and rewards staying quiet, people will be quiet. They will stop reporting. Stop asking questions. Stop flagging the things that feel slightly wrong.

Fear-based messaging doesn't create security culture. It creates performance. People perform compliance for as long as compliance is being observed... and the moment pressure drops, behaviour snaps back to default.

This is why culture is the multiplier and not an input. The best engagement and the sharpest awareness programme in the world, multiplied by a culture of fear, equals zero. Not reduced. Zero.

Culture multiplies everything inside the bracket. Or it zeroes it.

Try It

Multiply by your culture

Say your engagement and awareness are genuinely good: 82 and 76. Now change the culture multiplier and watch what happens to the only number that matters.

(82 → 76) × 1.0 = 79
Culture multiplier: 1.0 (healthy)

A healthy culture pays out everything the bracket earns. Drop the multiplier and the output drops with it, no matter how strong the bracket is.

=

Instinctive Behaviour

What The Formula Produces

What does a security programme look like when it's actually worked? Not rules followed under observation. Not training recalled under pressure. Not a mental checklist run through before clicking a link.

Behaviour that no longer requires effort.

Drivers don't think about checking their mirrors. Surgeons don't deliberate over sterile technique mid-procedure. The behaviour is so deeply embedded it runs without instruction... under pressure, when tired, when distracted.

Instinct isn't trained into people. It's produced. Engagement creates the emotional signal strong enough to make something worth encoding. Awareness gives that signal its content. Culture multiplies the result until the right behaviour feels like the obvious thing rather than the cautious thing.

Attackers don't wait for people to be alert and prepared. They engineer the opposite. Urgency. Distraction. Fatigue. Social pressure. These are specifically designed to overwhelm conscious processing. Instinct is the only defence that functions when conscious processing isn't available. Which is most of the time. For most people. In most organisations.

When instinct exists, security stops being a department and starts being a disposition.

How You Know It's Working

Not quiz scores. Behaviour.

Reporting

The email that gets reported because something felt slightly off, before anyone could explain exactly why.

Hesitation

The link that doesn't get clicked because someone hesitated half a second longer than usual.

Verification

The request that gets verified instead of actioned immediately, without needing a policy to say so.

Escalation

The conversation with the security team that starts early, before a situation has a chance to escalate.

"Quiet, consistent, and entirely invisible on a completion dashboard... which is exactly how you know it's real."

Design the conditions.
Instinct follows.

Human risk isn't a people problem. Never was. It's a design problem. And design can be fixed. Twenty years of awareness training has been solving for one term and ignoring the rest... the organisations that get this right won't be the ones with the best content. They'll be the ones with the healthiest formula.
