Aim For Behavior

How can we apply a behavioral lens to cybersecurity in organizations and take a more holistic approach?

According to the World Economic Forum, some 82% of cybersecurity breaches were due to a human element.

Think about things like reusing passwords and phishing emails. With the open deployment of generative AI, I have even seen attacks where your voice or image can be used against you.

How can we then understand what levers we have to pull when it comes to enabling a more secure environment for ourselves and our organizations?

In a company setting, you can take a few steps:

1) Determine the behaviors you want to target, the context in which they occur, and the target actors you want to enable.

2) Determine what you want people to do (start, stop, or replace/continue).

3) Understand what levers you have for driving behavior.

You could, as in my example below, use something like the Theoretical Domains Framework to find and use those drivers. (You could also use COM-B.)

4) Once you know the levers, you can look for the right strategies to apply, based on Behavior Change Techniques. (Not shown in the example.)

You may have noticed that the example goes from left to right. I tend to work like this because I want to follow a logic model, going from the solution to the outcome, and see how it all ties together.

This also allows you (and me) to evaluate what we have designed and to understand if at any point we have missed something.

I want to add more examples in the future, so you can understand a bit more about the levers/drivers you have.

Robert