The person who crafted that email didn’t breach any network or use sophisticated malware.
They simply exploited a predictable, human trait: haste.
And just like that, the door was opened.
How many times have we read similar scenarios?
And how often have we said we need more training?
But what if the real problem isn’t a lack of rules —
but people’s difficulty in actually following them, when it really matters?
Cybersecurity isn’t (just) a technical issue. It’s a behavioral one.
Some studies show that 82% of cybersecurity incidents can be traced back to human behavior.
And that’s the crux of the matter.
Traditional security awareness programs still focus on:
- what to do and what not to do
- which suspicious emails to avoid
- which passwords to use
But in reality, that’s not enough.
Because people don’t act based on what they know —
they act based on how they feel, what they experience, and the context they’re in.
Knowledge doesn’t protect. Behavior makes the difference. And this is where behavioral science comes into play.
From theory to practice: what behavioral sciences mean for security
Behavioral sciences focus on how people make decisions in real life, especially under less-than-ideal conditions: when they’re under pressure, distracted, tired, or forced to act quickly.
In a business setting, these situations are everyday occurrences. And it’s precisely these factors — stress, urgency, complexity — that increase the likelihood of mistakes.
Behavioral sciences don’t just explain why certain behaviors occur — they help design environments and training paths that make them safer by default (“secure by behavior”).
In cybersecurity, this approach enables us to:
- Anticipate users’ impulsive reactions to emails, requests, or unusual situations
- Build training experiences that encourage adopting correct behaviors even under stress
- Prevent human error by creating positive habits and reducing reliance on memory or goodwill
This isn’t generic “corporate psychology,” but a scientific and strategic application of human behavior to security.
It’s a rapidly growing field, now adopted by the most advanced organizations in cybersecurity to build a risk-aware culture, widespread awareness, and operational resilience — going far beyond mere compliance.
How to build secure behavior: the 5 key principles
- Microlearning and distributed content: People don’t learn everything at once. Short, recurring, and practical training sessions increase retention compared to intensive annual courses.
→ Small doses, high frequency, relevant content.
- Spaced repetition over time: The brain forgets. But repeating information at the right moments helps consolidate it.
→ Effective training campaigns are designed to last, not to surprise.
- Immediate feedback: Does the person click on a suspicious link? They receive immediate, contextual feedback.
→ That’s when the mind is most receptive. The time between error and learning is crucial.
- Positive reinforcement: Rewarding correct actions is more effective than punishing mistakes.
→ Badges, leaderboards, and small recognitions boost engagement.
- Realistic context and cognitive biases: Urgent. Internal. Trusted. “Trap” emails often exploit mental shortcuts like authority, urgency, and familiarity.
→ Recognizing and neutralizing these biases is a skill to be trained.
+2 accelerators: personalization and active detection
- Adaptive and personalized training paths: Each user behaves differently. Training everyone the same way reduces effectiveness. Behavior-based programs adjust the difficulty and frequency of simulations according to individual responses: those who make more mistakes receive more support, while those already trained are challenged with new tasks.
- From click to report: turning people into “human sensors.” The goal isn’t just to prevent mistakes, but to develop the ability to recognize and report potential threats.
Well-designed behavioral simulations don’t just test attention — they improve responsiveness and support the company’s SOC in containing real risks.
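To make the adaptive and "human sensor" ideas concrete, here is an added illustration of how a simulation scheduler could apply them; it is example code written for this page, not code from the Albert program or any product. It assumes a simple policy of its own (four difficulty tiers, a 14-day base interval doubled on each correct report and capped at 90 days for spaced repetition, a reset to easier and sooner simulations after a click) and uses constructed user names and outcomes. It also tracks the per-user and programme-level report rate, the metric that shows whether people are moving "from click to report".

```python
"""Adaptive phishing-simulation scheduler (illustrative example, not the Albert program's code).

Each simulation outcome (reported / ignored / clicked) adjusts the user's
difficulty tier and the interval until their next simulation, flags
immediate micro-feedback after a mistake, and feeds the report-rate metric.
The tier/interval policy and all sample data below are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Possible outcomes of one simulated message.
REPORTED, IGNORED, CLICKED = "reported", "ignored", "clicked"

MIN_TIER, MAX_TIER = 1, 4        # 1 = obvious lure, 4 = subtle, role-tailored lure (assumed scale)
BASE_INTERVAL_DAYS = 14          # interval after a mistake or at programme start (assumed)
MAX_INTERVAL_DAYS = 90           # spaced-repetition cap so nobody drops out of the loop (assumed)


@dataclass
class UserState:
    name: str
    tier: int = MIN_TIER
    interval_days: int = BASE_INTERVAL_DAYS
    next_simulation: date = date(2025, 1, 1)      # constructed start date
    history: list = field(default_factory=list)   # outcomes in chronological order
    feedback_due: bool = False                    # True right after a click, until micro-training is delivered

    def report_rate(self) -> float:
        """Share of this user's simulations that were reported (the 'human sensor' signal)."""
        return self.history.count(REPORTED) / len(self.history) if self.history else 0.0


def record_outcome(user: UserState, outcome: str, today: date) -> UserState:
    """Apply one simulation result and reschedule the user according to the assumed policy."""
    if outcome not in (REPORTED, IGNORED, CLICKED):
        raise ValueError(f"unknown outcome: {outcome}")
    user.history.append(outcome)
    if outcome == CLICKED:
        # Mistake: immediate contextual feedback, more support (easier tier), sooner retest.
        user.feedback_due = True
        user.tier = max(MIN_TIER, user.tier - 1)
        user.interval_days = BASE_INTERVAL_DAYS
    elif outcome == REPORTED:
        # Correct behaviour: challenge with a harder lure, space repetitions further apart.
        user.feedback_due = False
        user.tier = min(MAX_TIER, user.tier + 1)
        user.interval_days = min(MAX_INTERVAL_DAYS, user.interval_days * 2)
    else:
        # Ignored: no harm done but no report either; keep the tier, grow spacing modestly.
        user.feedback_due = False
        user.interval_days = min(MAX_INTERVAL_DAYS, user.interval_days + 7)
    user.next_simulation = today + timedelta(days=user.interval_days)
    return user


def due_users(users, today: date) -> list:
    """Names of users whose next simulation date has arrived."""
    return [u.name for u in users if u.next_simulation <= today]


def programme_report_rate(users) -> float:
    """Programme-wide share of simulations that were reported, across all users."""
    total = sum(len(u.history) for u in users)
    reported = sum(u.history.count(REPORTED) for u in users)
    return reported / total if total else 0.0


def run_demo():
    """Constructed scenario: one user who reports consistently, one who keeps clicking."""
    today = date(2025, 3, 1)
    alice = UserState("alice")
    bob = UserState("bob")
    for outcome in (REPORTED, REPORTED, REPORTED):
        record_outcome(alice, outcome, today)
    for outcome in (CLICKED, IGNORED, CLICKED):
        record_outcome(bob, outcome, today)
    return alice, bob


if __name__ == "__main__":
    alice, bob = run_demo()
    for u in (alice, bob):
        print(f"{u.name}: tier={u.tier} next={u.next_simulation} "
              f"feedback_due={u.feedback_due} report_rate={u.report_rate():.2f}")
    print(f"programme report rate: {programme_report_rate([alice, bob]):.2f}")
```

The two trajectories show the asymmetry the text describes: the consistent reporter climbs to the hardest tier and is retested only every 90 days, while the user who clicks stays at tier 1 with a pending feedback flag and a 14-day retest. In a real programme the outcome events would come from the mail gateway's report button and the simulation platform's click tracking rather than from a hard-coded list.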
Our approach: from awareness to concrete change
At the core of our Albert program is exactly this: not just conveying rules, but activating safe and lasting behaviors.
With Albert:
- The content is adaptive and integrated into workflows.
- Simulations are realistic, frequent, and tailored to the role.
- Every mistake is followed by micro-training feedback.
- Every behavior is monitored and measured over time.
The result isn’t just “more knowledge.”
It’s a more mature risk culture, where security isn’t an obligation, but a natural competence.
In 2025, continuing to believe that a one-off course is enough to protect a company is a dangerous illusion.
What’s needed is a new approach. Science. Method.
And above all, we must recognize that people aren’t the problem. They are the solution — if you train them the right way.