Behavior-focused Cyber Security Awareness and Competence Training

Awareness (knowledge) is the know-how of a subject. Whereas, behavior is the way a person conducts themselves in response to an event or external stimulus. The response (behavior) can be a natural reaction or an acquired skill (competence). To develop a strong Cyber Security posture, organizations must invest in Cyber Security Awareness Training that helps employees develop Cyber Security competencies which indirectly influences and motivates positive Cyber Security behavior .

The path from Cyber Security Awareness to Competence to Behavior

Fig 1: The path to Positive Cyber Security Behavior

Experience Behavior-Focused Training

Security Quotient creates custom-made training solutions for organizations using realistic Cyber Risk simulations. These simulations are based on the Learn by Doing principles that inculcates positive Cyber Security behavior. Explore the examples below.

Cyber Security Awareness Risk Simulation Training on USB Juice Jacking
Cyber Security Awareness Risk Simulation Training on Protecting Mobile Devices
Cyber Security Awareness Risk Simulation Training on Phishing

Competence and Behavior

Competence is the ability of an individual to do a task to a high degree of efficiency. This efficiency is achieved through a combination of knowledge and skills. These knowledge and skills are observable and often measurable.

Applying the same concept to Cyber Security, Cyber Security Competence can be defined as the ability of an individual to implement the correct Cyber Security practices while handling valuable information. Examples of such competence are – Using password managers to create extremely strong passwords, Adding Two-Factor Authentication over and above using strong passwords, Giving only the most necessary permissions to apps, Disabling location tracking and configuring other privacy settings on computing devices, Correctly identifying and reporting phishing emails to the help desk etc.

Developing Cyber Security Competence

Cyber Security Competence is acquired or influenced by three factors – Knowledge, Skills and Natural Abilities.

Cyber Security Competence is built by Knowledge, Skills and Natural Ability

Fig 2: Competence is built or influenced by Knowledge, Skills and Natural Ability


Cyber Security Knowledge is acquired through high quality awareness training. The training conveys important background information, cyber security facts, organizational policies, case studies based on security incidents and best practices.


Cyber Security skills are developed using specialized training that uses the time-tested principle of Learning by Doing. The principle of Learning by Doing is highly effective as it uses the concept of Immersion, Analysis, Decision and Outcome. An example of the application of this principle is awareness training using Cyber-Risk Simulations. These simulations recreate real security incidents or events that enables the learner to experience them in an almost real environment. Further, it simulates the learner to make decisions and learn from the outcomes of these decisions.

Natural Ability

Natural abilities are inborn. Examples are innate traits, personal qualities and attributes. In the context of Cyber Security, natural abilities may not hold warrant as Cyber Security skills have to be learned. But, qualities such as diligence and observation skills aid tremendously in enhancing these skills.

Developing Cyber Security Behavior

Cyber Security Behavior is the way in which a person reacts when confronted with a cyber security situation such as an attack, incident. It is also the security controls they practice while performing everyday activities such as sending emails, working with sensitive documents or working with computing devices.

Developing Positive Cyber Security Behavior

Fig 3: Positive behavior develops in a supporting and conducive environment

Awareness and Competence training is fundamental to developing positive Cyber Security Behavior. But, that in itself is not enough. Positive behavior is developed in a conducive environment where the behavior is rewarded. To create such a positive environment, Cyber Security training frameworks must evolve to influence three factors – Beliefs, Attitude and Action.


Beliefs are often personal and must have evolved outside the controls of the organization. But, organizations can influence and create a positive belief in Cyber Security by showing a larger picture. The larger picture must demonstrate;

– The influence of Cyber Security on customer trust and subsequently the growth and success of the organization

– The positive impact of Cyber Security for each employee in terms of enabling them to perform their jobs securely

– Finally, the indirect and positive influence of Cyber Security in their career growth

Organizations must take the effort to showcase the reward of positive Cyber Security behavior. The rewards are – growth for the organization and indirectly, growth for the employee.


Attitude is a preconceived opinion or approach. Often Cyber Security suffers because employees perceive security practices as obstacles that slows down work. Cyber Security practices increases the quantum of time and effort to everyday tasks. Therefore, the challenge is to remove this negative attitude around Cyber Security as an additional burden.

Again, the solution is in showing the larger picture as to how small steps by every employee helps in strengthening the Cyber Security posture of the organization. By consistently repeating and supporting this message, negative attitudes around Cyber Security can be removed.


Cyber Security actions are observable Cyber Security practices. By repeating these actions, the behavior becomes inculcated or second nature.

Training Approach: The Learning by Doing Method


Fig 4: The Learning by Doing method for Behavior Training

Learning is best when it is hands-on. Performing an activity and analyzing the outcomes is a powerful way to learn. Every outcome leads to experience. By acquiring experiences over time, one builds a knowledge base. To drive secure Cyber Security behavior, the learning must follow four principles – Immersion, Analysis, Decision and Outcome.


The learning experience must include risk simulations that re-create Cyber-risk scenarios. This enables the learner to immerse themselves and feel the risk.


Every risk presents an opportunity for analysis. The learner must take a choice to mitigate the risk and make a decision.


Decisions influence the outcome, resulting in a positive or negative Cyber Security event. Decisions may be right or wrong. Nevertheless, they lead to an outcome (experience ), either good or bad.

Outcome (Experience)

If the experience is good, the risk is mitigated, the learner undergoes a positive experience and their confidence is built. As a result the behavior is repeated. If the outcome is bad, the behavior is avoided or substituted with the right behavior.

The path to Cyber Security Culture

When the majority of the workforce in the organization exhibits positive Cyber Security beliefs, attitudes and actions, it can be said that the organization has a positive Cyber Security culture. The path to that destination starts with awareness training, followed by competence training delivered in a positive and conducive environment.

Get started

Book an online demo or arrange a call-back.

Schedule a demo
Pick a slot from our calendar.

Arrange a call-back
Pick a date and time.