Beyond awareness: Why cyber security must become a human habit in 2026

Tony Christodoulou, Founder and CIO/CISO, Cyber Dexterity.

---

An employee receives a message that looks like their CFO asking for them to update the banking details for one of their suppliers using a provided link. The tone is confident. The timing is inconvenient. The request feels “just plausible enough”. They’ve done the annual cyber security training. They know what phishing is. And yet… they click.

That moment reveals the uncomfortable truth: our biggest cyber security gap isn’t technical, it’s behavioural. In a world of relentless digital noise, risk is hidden inside everyday micro-decisions. A rushed approval, a quick reply, a password re-used “just this once”, a file shared to keep work moving. 

Most organisations have invested heavily in “awareness”. Posters. Policies. E-learning. Phishing simulations. Compliance tick-boxes. But when cues are ambiguous, urgency is high, authority is implied or reporting feels socially risky, behaviours often break down. Under pressure, people default to instinct.

Most people don’t understand that cyber criminals manipulate situations to make you act in a way that achieves their objectives. The outcome is predictable. With the addition of AI and deepfake capabilities, the problem will only worsen.

Humans use mental shortcuts to make fast decisions. We respond to familiar names. We avoid conflict. We act quickly to be helpful. We fear getting it wrong publicly. We don’t push back on authority when a request comes from the top. Social engineers don’t need to defeat firewalls if they can hijack trust, urgency and distraction.

The business impact is no longer hypothetical. Cyber crime is projected to cost the world over $12.2 trillion annually by 2031, and cyber incidents are now a steady operational reality. In this environment, “more training” isn’t the answer if it produces more knowledge but not more resilience.

In cyber security, there’s a major difference between knowing what to do and doing it when it matters.

Traditional programmes are designed to transfer explicit knowledge: rules, definitions, steps. But secure behaviour is largely tacit. It’s the instinctive pause before clicking. The confidence to challenge a request that “feels off”. The ability to recognise manipulation tactics in real time, even when you’re tired, busy, and interrupted.

That capability is built through experience, not through awareness.

It’s similar to driving. You can study a road safety manual, but it won’t make you a safer driver under pressure. Safe driving comes from pattern recognition, muscle memory and practised judgement. Cyber security needs the same shift: from “knowing” to “behaving”.

From a cyber psychology lens, people don’t fail because they are careless. They fail because they are human.

Attackers deliberately trigger psychological levers that override rational thinking:

• Authority (“This is the CEO. Do it now.”)
• Urgency (“We’ll lose the deal if this isn’t done in 10 minutes.”)
• Fear (“Your account is compromised. Confirm your details.”)
• Curiosity (“Look who died, I think you know them.”)

Furthermore, enabled by trust heuristics (logos, names, colours and branding you trust). When these triggers collide with high workload and constant interruption, mistakes become statistically inevitable. That’s why human behaviour remains a reliable entry point for adversaries even when technical controls are mature. They bank on the point of least resistance.

If awareness is the foundation, behaviour is the outcome.

Behavioural cyber resilience is the ability of your people to make secure decisions consistently, especially when conditions are messy. It is the fast, context-appropriate enactment of safe responses under pressure: pause, verify, escalate, report.

In practice, it means shifting from “security as knowledge” to security as a habit system. And habits are built through:

1. Repetition (practice in realistic scenarios)
2. Reinforcement (feedback that shapes patterns)
3. Social modelling (norms that make safe behaviour the default)
4. Emotional salience (a felt sense of consequence, not just a stated one)

If employees believe reporting a mistake will lead to embarrassment, punishment or “being that person”, they will delay reporting, even when they know they should speak up. If security is treated as a department’s job rather than a shared norm, accountability becomes blurry. If speed is the only currency, verification will feel like friction.

A resilient culture is one where stopping an attack is socially rewarded, not socially costly. Where verifying is seen as professionalism, not paranoia. Where “I almost clicked” becomes learning, not shame. 

The organisations winning in cyber resilience are redesigning learning around behaviour, not just content delivery. They are moving from passive training to active capability-building, creating safe environments where employees experience real-world pressure, learn patterns and build confidence.

This isn’t about making training “fun”. It’s about designing it to mirror reality: speed, ambiguity, emotion, hierarchy and social consequences. Done right, the goal is not perfect compliance. The goal is reliable judgment, simulated and socialised so it can be recalled when it matters.

If 2025 was the year organisations acknowledged “the human factor”, 2026 must be the year we operationalise it. Five leadership focus areas:

1. Measure behaviour, not completion. Track decision quality: reporting speed, verification habits and response behaviours in realistic simulated scenarios. Use frequent phishing campaigns as a method to build the required muscle memory and have insights into where focus must be.
2. Build micro-behaviours into daily work. Reinforce simple action loops: Stop → Think → Check → Confirm → Report. Have these built into people's goals and objectives when it comes to their daily craft. Ensure synergy between what they do and how they should do it.
3. Make reporting psychologically safe. Reward reporting. Normalise near-misses. Remove shame from escalation and celebrate those contributing to the line of defence.
4. Train for pressure, not just knowledge. Practise responding to urgency and authority cues, because that’s where mistakes happen. Utilise the latest attack vectors so people see the potential (deepfake video calls, synthetic voice note instructions on WhatsApp and quishing QR codes in the canteen).
5. Treat cyber resilience as a leadership capability. Cyber resilience isn’t an IT initiative. It’s a leadership discipline. Get leadership to live the behaviours we look to have in place. Be the example of why the way we do things is more than its speed, so that we minimise friction between people needing to deliver on their objectives and doing so in the right way.

The future of cyber security will belong to organisations that treat people as the front line of resilience, not the weakest link. Awareness starts the conversation. Behaviour wins the battle.

By Antonios (Tony) Christodoulou

Adjunct Faculty GIBS Business School | PhD Candidate in Cyberpsychology | Founder and CEO of Cyber Dexterity | CIO/CISO by profession | Former CIO for a Global Fortune500 Company