Skip to content

Empowering Your People Using Behavior-Driven Security Awareness Training


“People power” is not just a throwaway phrase. It is a mantra for protecting an entire organization against ever-increasing cyber threats. Empowering employees with the knowledge to help your company protect itself against human-centric cyber-threats will be one of your most cost-effective cybersecurity measures.

Why use “people power”? Cybercriminals have been building a threat landscape that uses human beings as tools in their armory. Social engineering manipulates people into performing actions on behalf of the cybercriminal and the fraudster. This trickery plays with human behavior, using tactics such as email phishing to initiate an attack that might result in ransomware, Business Email Compromise (BEC), or many other damaging cyber-attack techniques.

The human – our employees – are the cybercriminal's target of choice as research has found out:

  • A Symantec report says in 96% of cases a data breach starts with a phishing email.
  • Stanford University researchers describe how employees are socially engineered and psychological tricks to manipulate behavior.
  • Social engineering-based cyber-attacks increased by 270% in 2021.
  • Phishing is consistently the number one attack vector; in 2021, phishing increased by 161%.
  • IC3 said that in 2020, BEC crimes caused over $1.8 billion worth of damage to U.S. firms and caused the “most financial damage”.
  • Human error is the cause of 95% of cyber-attacks and the average cost of an attack is $3.33 million.

By educating employees about the tricks used to manipulate behavior, an organization can turn the human-centric cyber-threat on its head and make your employees your strongest defence.

This paper will look at how to fight back against human-centric cyber-attacks by using behavior-driven security awareness training.

Part One: What is Behavior-Driven Security Awareness Training?

  • Uses a deep understanding of what makes human beings ‘tick’ - our behavior

  • Reduces cyber-threats associated with human error

  • Ensures that both malicious and accidental cyber-threats are prevented

  • Takes traditional security awareness training to a new level of effectiveness

Digital systems and human-computer interfaces are often designed with human behavior in mind. For example, the ‘urge to click’ is something that software designers have long understood, creating user journeys that are intuitive by reducing the number of clicks a user must perform. These same learned digital behaviors, as well as the same inherent behaviors such as fear responses, are used by fraudsters when they create cyber-attacks based on social engineering and email phishing.

Security awareness training (SAT) is a concept that uses education to train users (typically employees) about the tricks used by fraudsters and provides simple best practice guidance to help minimise our human error. Traditional security awareness training is often classroom-based or uses online quizzes and similar techniques to take users through typical scams and social engineering scenarios. Security awareness training typically covers a myriad of security-related areas such as:

  • Phishing attacks
  • Password hygiene and multi-factor authentication
  • Internet and email security
  • Mobile device security
  • Remote working security
  • Public Wi-Fi
  • Social engineering scams
  • Social media security
  • Data protection

Behavior-driven security awareness training takes the principles of traditional SAT and applies the science of psychology. Research into human behavior provides an insight into how companies can work with employees to help prevent poor security behaviors. This research merges tools, methods, and theories in psychology with engineering to better understand how humans interact with software systems. Using know-how about the intersection of humans and technology, the discipline of “behavior-driven security awareness training” has emerged. This provides empirical methods to reduce the number of human errors that lead to cyber-attack success.

Cyber Security Training Techniques

A human-centric, behavior-driven, approach to cybersecurity risk management is based on three pillars:

  • Knowledge
  • Awareness
  • Understanding

These three pieces of the security awareness puzzle are used to create human-centric, behavior-driven awareness programs. Behavior-driven security awareness training is based on key training techniques:

Pillar One: Knowledge

The thing that sets behavior-driven security awareness training apart from more traditional SAT is the creation of a baseline of security behaviors. This is done at an employee-level. Employee behavior is assessed, and the most appropriate training program is then delivered based on this knowledge. By using a security awareness program based on the unique strengths and weaknesses of an employee, an SAT program can be made effective and tailored.

Pillar Two: Awareness

The baseline of security behavior established in pillar two provides the intelligence to be able to generate individualized and effective training programs. These SAT sessions use techniques such as phishing simulations and short, relevant training packages to educate employees about the full remit of social engineering and tactics of human-centric cyber-attacks:

Phishing Simulations

Phishing emails use psychological tricks to manipulate human behavior. These tricks take many forms, each manipulating aspects of human behavior to trick users into responding in the way the cybercriminals want.

Phishing simulations use the same type of behavioral tricks to generate simulated phishing emails. These emails typically reflect current or emerging phishing campaigns that are likely to target an organization or sector. The simulated phishing emails include clickable links and downloadable attachments in the same way that real phishing emails do. If an employee engages with the simulated phishing email, that interaction will be recorded for analysis. The metrics from a simulated phishing exercise allow an organization to further tailor phishing messages and to follow up on higher-risk employees who need more intensive training.

Advanced phishing simulation platforms, such as SafeTitan, can be used to set up simulated Business Email Compromise (BEC) campaigns by impersonating internal email addresses.


People learn well when they enjoy what they are doing. Boring, repetitive videos and classroom learning leads to bored learners who do not remember important lessons. This is borne out by research into Game-based Learning Theory. The theory talks about ‘experiential’ learning or learning through experiences, such as games. Having interactive and engaging security awareness training programs helps to cement learning and build memories. Gamification of security awareness training comes in the form of interactive videos and fun quizzes that are human-centric and make learning fun. 

SafeTitan couples gamified security awareness training with short and informed testing. The tests can develop a profile of the employee and their specific knowledge level and learning requirements. The metrics from the tests are then used to further modify the training program to optimize learning.

Pillar Three: Understanding

Reporting and metrics are important factors in determining the level of understanding of employees. Understanding translates to the likelihood that an employee will develop good security behavior from the training.

Security behavior must be tracked over time to assess changing and improving behaviors. By creating personalised campaigns that combine simulated phishing with cyber-knowledge quizzes and other cybersecurity education (eLearning, animations, videos, gamified content), positive security behavior can develop. However, to improve behavior, the employee’s understanding must be augmented with real-time training. 

Importance of Real-time Training

Real-time security awareness training engages an employee directly with relevant, timely best practice know-how, feedback, and wider learning opportunities, at the very time they need it most. By using real-time feedback to employees during training sessions, the employee can quickly learn lessons and understand what behaviors are expected of them in the face of many different risks.

Real time training platforms, such as SafeTitan automatically respond to an employee as they take part in phishing simulations or other training elements, such as interactive videos. For example, if an employee shows risky behavior, the platform will recognize this and instantly respond with relevant and timely know-how about stronger behaviors.

Metrics and Behavior-driven Security Awareness Training

Metrics show the change in behavior over time and can be used to demonstrate a Return on Investment (ROI) to senior management and the Board.  This change in behavior should map to a reduction in successful cyber-attacks and accidental insider events.

Being able to clearly report and demonstrate that behavior-driven security awareness training is working will assist in developing your business case for continued and increased investment in your human cyber risk management.

       Sign up for a FREE Demo of SafeTitan to learn how behavior-driven security awareness training works to prevent phishing campaigns.    

        Book Free Demo

Part Two: How do BEC and Phishing Work and how can they be Stopped?

  • BEC is one of the most financially damaging cybercrimes

  • BEC is on the increase

  • Phishing is the weapon of choice to manipulate employees and install malware

  • Phishing leads to credential theft and increased risk of malware infection, including ransomware

Understanding why behavior-driven security awareness training is needed begins with a look at two of the most prevalent cybersecurity attack types, Business Email Compromise (BEC) and phishing:

Business Email Compromise (BEC)

According to the ENISA Threat Landscape 2021, “Business Email Compromise (BEC) has increased, has grown in sophistication and become more targeted.” This comes as no surprise when you look at the Verizon Data Breach Investigations Report (DBIR) which found that 86% of cybercrime is financially motivated.

BEC fraudsters steal big bucks when successfully carried out. The FBI describes BEC as “one of the most financially damaging online crimes.”

BEC works by tricking targeted individuals into moving money to a fraudster’s account. BEC scams come in several forms, but they all work to extract money from a company through pretense and psychological tricks.

Typical Steps of a BEC Scam

Intelligence Gathering

The fraudster(s) use various techniques to find out as much about a target company as possible. The fraudsters need to know the company hierarchy, how payments are made, the suppliers and clients for the company, etc. This step leads to the next part of the scam:

Taking Over or Impersonating an Email Account

In BEC scams, an email account of an executive of the target company is either compromised or spoofed. A spoofed email will be made to look very similar to a CXOs email account. For example, may be changed to something like

Either way, the fraudster will use a phishing email to contact a person who can help to facilitate a wire transfer. This is an important step in the BEC attack as it uses social engineering tactics to make the employee, usually in accounts payable, transfer significant amounts of money into criminal accounts.

Tricking Employees into Moving Money

BEC scammers use several techniques to initiate a wire transfer. For example, if an email account was compromised, fraudsters can watch for any money requests and invoice payments. They can then intercept an invoice and change the account payable details to reflect the fraudster's bank account. Alternatively, a spoof email will be created to socially engineer the recipient into making a wire transfer to the fraudster’s bank account.


Phishing comes in many forms: cybercriminals use emails, mobile messaging systems, and social media to deliver a phishing scam.

An ENISA report into the threat landscape highlights 88% of organizations have experienced spear-phishing attacks and 86% BEC attacks. The report also points out that Phishing-as-a-Service (PaaS) is on the rise. PaaS provides the cybercriminal community with an easy-to-use, packaged, phishing campaign used to spread malware far and wide. The result is that “99% of emails distributing malware required human intervention”.

Phishing also steals login credentials. Credential theft is now the biggest threat to businesses across the world. Once stolen, login credentials can be used to escalate the privileges of the hacker across the network allowing them to steal data and/or install malware, including ransomware.

Phishing, as a technique, has been honed by cybercriminals over many years. Phishing attacks typically use the following techniques to influence our behaviors:

Urgency: use of language to make an employee believe that a request is urgent and will result in something bad happening if not acted upon immediately.

Fear of missing out (FOMO): research shows humans do not like to miss out on things. FOMO is used in email phishing campaigns to encourage certain behaviors such as clicking a malicious link – examples include offers that are good to be true often timed at different times of the year like Black Friday and Cyber Monday,.

Authority: the use of authority is increasingly used in attacks such as Business Email Compromise (BEC) and spear-phishing attacks. Fraudsters spoof C-Level email accounts, pretending to be an authority figure in an organization to force poor security behaviors.

Phishing fraudsters also use other tricks to mask the malicious nature of their intent. For example, the APWG has found that phishing sites, the websites that a user will be taken to if they click on a malicious link, now overwhelmingly use a signal that they are ‘secure’. This signal is HTTPS in the URL of the website, an indicator that a site has been checked as safe to use and a digital certificate issued to the site owners.

Both BEC fraud and phishing are now so sophisticated that it is difficult to detect unless an individual is trained to do so.

A combination of individualized behavior-driven security awareness training with email protection tools prevents the success of even the most sophisticated of phishing campaigns.

       Sign up for a FREE Demo of SafeTitan to learn how behavior-driven security awareness training works to prevent phishing campaigns.    

        Book Free Demo

Part Three: Realizing the Benefits of Behavior-driven Security Awareness Training

Building a behavior-driven security awareness training needs to have certain features for success:


Contextual learning allows an individual to create mind maps connected to educational materials. For example, simulated phishing campaigns create the context of a real phishing attack and help to cement learning, skills and know-how for the future.

Real-time Behavior Tracking

Feedback is a vital aspect of learning and understanding. By having real-time, customizable, and automated alerts, a behavior-driven security awareness can provide important information to learners. For example, learners who click a phishing link during a simulated phishing exercise will be shown why this is the wrong thing to do and what could happen in real-life if they continued with this behavior.

Track Behavior Over Time

Monitoring behavior over time and during security training exercises provides feedback to optimize security awareness programs. Behavior tracking on a per-user basis allows the optimization and tailoring of training for each employee. Real-time alerts show behavior change over time; the alerts being less frequent as a sign that security behavior has improved.

Automation and Integration of Security Awareness Training Programs

A security awareness training program can improve effectiveness by automating certain tasks. These will include sending out training-related documents, such as security policy reminders and compliance standards when staff are seen to be demonstrating risky behaviors.

The integration of different training tools helps to make the awareness training more engaging, relevant, and integrated.

Provide an ROI to Management

Every organization must demonstrate that a chosen security measure is working. A behavior-driven security awareness training must be able to provide metrics in a form that demonstrates improvement in security behavior. SafeTitan provides enterprise-level reports that are easy to understand and that give an at-a-glance view of the awareness training program’s success.

       Sign up for a FREE Demo of SafeTitan to learn how behavior-driven security awareness training works to educate employees.    

        Book Free Demo

Quick Tips for Running Successful SAT

SafeTitan reduces staff susceptibility to phishing by up to 92% - here’s how:

Tip 1: Use contextual training exercises such as phishing simulations and short, relevant, interactive, fun videos, animations, quizzes and eLearning.

Tip 2: Ensure that a phishing simulation platform can spoof internal email addresses to train staff on sophisticated BEC threats. Also to have the flexibility to deliver Smishing texts to mobiles as well as phishing emails.

Tip 3: Send out real-time alerts to employees when they demonstrate poor security behavior.

Tip 4: Automate the training program so that it sends out policy and compliance reminders and reduces significant man-hours spent on designing, creating, launching and then managing and reporting on security awareness campaigns.

Tip 5: Ensure that the training is on a per-user basis. focused on helping to influence and drive individual behavioral changes.

Tip 6: Metrics should be convertible to enterprise-level reports for a view on the ROI of the program and to easily and quickly demonstrate success and risk mitigation.

Book a demo of SafeTitan to see how to improve security behavior and prevent cyber-attacks such as ransomware, Business Email Compromise, and malware infections.

Sign up for a FREE Demo of SafeTitan to learn how behavior-driven security awareness training works to educate employees.

Book Free Demo
Get Your 14 Day Free Trial

Talk to Our Email and DNS Security Team

Call us on US +1 813 304 2544

Contact Us