Building a Foundation for Behavioural Cyber Risk Management: Why We Need Open, Evidence-Based Skills Frameworks
The Critical Gap in Cybersecurity Skills Development
While organisations worldwide struggle with a well-documented skills shortage, we simultaneously lack a comprehensive framework that addresses the human and behavioural dimensions of cyber risk management. Technical certifications abound - from CISSP to CEH - but where are the frameworks that guide professionals working at the intersection of human behaviour, psychology, and cybersecurity?
This gap isn't merely inconvenient; it's dangerous. As cyber threats increasingly exploit human vulnerabilities rather than technical ones, we need professionals who can understand behavioural science, design effective interventions, build security cultures, and measure human risk. Yet these professionals have no clear roadmap for developing their capabilities, no recognised competency standards, and no framework to guide their career progression.
The Behavioural Cyber Risk Management Skills Framework was created to fill this void.
Why Another Framework? The Case for Behavioural Competencies
You might reasonably ask: don't we already have frameworks like NICE and SFIA? Why create another one?
The answer lies in what existing frameworks cover, and what they don't. NICE (the National Initiative for Cybersecurity Education) provides excellent guidance on technical cybersecurity roles and competencies. SFIA (Skills Framework for the Information Age) maps a broad range of IT and digital skills. Both are invaluable resources that have shaped how organisations approach skills development.
However, neither framework comprehensively addresses the behavioural and human risk aspects of cybersecurity. They tell us what technical skills a Security Analyst needs, but not how to conduct behavioural diagnostics of security challenges. They outline requirements for Security Architects, but not how to design choice architecture that guides secure decisions. They describe Information Security Management, but not how to measure and shift organisational security culture.
The behavioural dimension of cybersecurity represents a distinct domain of expertise that intersects with, but extends beyond, traditional technical cybersecurity competencies. It requires understanding of:
- Behavioural science theories and their application to cyber risk
- Human decision-making processes and cognitive biases
- Cultural assessment and change methodologies
- Intervention design based on evidence-based frameworks
- Quantitative and qualitative research methods
- Ethical considerations in measuring and influencing behaviour
These competencies don't replace technical skills; they complement them. A comprehensive approach to cyber risk management requires both technical controls and behavioural interventions, both technological solutions and cultural change.
The Imperative of Open Access
Perhaps the most fundamental decision in developing this framework was making it freely available. This wasn't merely a nice-to-have feature; it was a moral and practical imperative.
The Paywall Problem
Skills development shouldn't be a privilege reserved for those who can afford expensive certifications or corporate training programmes. When we put critical knowledge behind paywalls, we:
- Limit innovation by restricting who can engage with and build upon foundational concepts
- Reduce adoption by creating barriers for small organisations, non-profits, and developing regions
- Perpetuate inequality by favouring well-resourced organisations over those most in need of guidance
- Slow progress by preventing the rapid iteration and improvement that comes from open collaboration
In an era where cyber threats affect everyone, from multinational corporations to small charities, from government agencies to individual citizens, we cannot afford to restrict access to the knowledge needed to build human cyber resilience.
The Power of Open Frameworks
Open access frameworks have repeatedly demonstrated their value:
- MITRE ATT&CK, freely available, has become the de facto standard for describing adversary tactics and techniques
- The NIST Cybersecurity Framework, publicly accessible, guides organisations worldwide
- OWASP's resources, openly shared, have fundamentally improved application security practices
These frameworks succeeded not despite being free, but because of it. Open access enabled:
- Rapid adoption across diverse contexts
- Community contributions that improved quality
- Integration with existing tools and methodologies
- Adaptation to local needs and constraints
- Building of a shared professional language
The Behavioural Cyber Risk Management Skills Framework follows this proven model. By making it freely available, we enable organisations of any size, in any sector, anywhere in the world to:
- Assess current capabilities
- Identify development needs
- Design training programmes
- Structure roles and responsibilities
- Create career pathways
- Establish professional standards
No registration required. No fees. No corporate gatekeepers. Just open access to a comprehensive, evidence-based framework.
Building on Scientific Foundations
Making a framework free is meaningless if the framework itself lacks rigour. Quality and accessibility must go hand in hand. That's why this framework was built using established scientific methodologies and grounded in peer-reviewed research.
Evidence-Based Development
The framework rests on multiple scientific foundations:
Rather than inventing new theories, we built upon established frameworks with decades of validation:
- COM-B Model (Michie et al., 2011) structures our understanding of behaviour change, recognising that effective interventions must address capability, opportunity, and motivation
- Behaviour Change Wheel (Michie et al., 2011) guides the selection and design of interventions based on systematic analysis
- Social Learning Theory (Bandura, 1977) informs our approach to how security behaviours spread through organisations
- Nudge Theory (Thaler & Sunstein, 2008) shapes our understanding of choice architecture and decision environments
Skills Acquisition Research
The five proficiency levels (Novice to Expert) draw directly from the Dreyfus Model of Skill Acquisition (Dreyfus & Dreyfus, 1980), which describes how professionals develop from rule-following beginners to intuitive experts. This isn't arbitrary; it reflects decades of research into how people develop expertise.
Organisational Science
Our approach to culture and leadership competencies builds on:
- Just Culture principles (Dekker, 2012) that balance accountability with learning
- Psychological Safety research (Edmondson, 1999) that enables error reporting and continuous improvement
- Research on security culture assessment and development (Schlienger & Teufel, 2003; Da Veiga & Martins, 2015)
Measurement Science
The analytics and assessment competencies reflect validated approaches to measuring human behaviour and risk, drawing on established instruments like the Human Aspects of Information Security Questionnaire (Parsons et al., 2017) and principles of productive security (Beautement et al., 2016).
Roles as Guides, Not Prescriptions
One crucial aspect often misunderstood in skills frameworks is how the professional roles should be read. The eight roles described in the framework - from Security Champion to Director of Security Culture - are guides, not rigid prescriptions.
The Flexibility Imperative
Organisations vary enormously in:
- Size and structure
- Sector and regulatory context
- Maturity and resources
- Culture and priorities
- Risk profile and threat landscape
A security champion in a 50-person non-profit looks very different from one in a 50,000-person financial institution. A Security Awareness Manager in a healthcare organisation faces different challenges than one in a technology company. Attempting to define universal role specifications would be both impossible and counterproductive.
Roles as Reference Points
Instead, the framework's roles serve as reference points:
For Career Development
Professionals can see potential progression paths and identify capabilities they might develop. A Security Awareness Analyst can understand what developing towards a Manager role might entail, without being locked into a specific trajectory.
For Recruitment
Organisations can use role profiles as starting points for job descriptions, adapting the competency mix to their specific needs. The framework provides a common language for discussing requirements and expectations.
For Team Building
Leaders can map required competencies across their team, identifying gaps and overlaps. The key insight: no single person needs every competency at expert level. Teams distribute expertise.
For Training Design
Learning professionals can structure development programmes around the competency progressions, knowing that different individuals will move at different rates and reach different levels based on their roles and interests.
Competency Mixing
The real power lies not in the predefined roles but in understanding the competencies themselves. Organisations should:
- Mix and match competencies based on actual role requirements
- Create hybrid roles that combine elements from multiple framework roles
- Adapt proficiency targets to context and needs
- Recognise specialist roles that deep-dive on specific competencies
- Allow for growth paths that don't fit standard hierarchies
A practitioner might be Level 5 (Expert) in behavioural intervention design but Level 2 (Developing) in data analytics, and that's perfectly appropriate if their role emphasises designing interventions rather than conducting statistical analysis.
Context-Driven Application
The framework explicitly acknowledges that:
- Small organisations might combine multiple framework roles into a single position
- Large organisations might split single framework roles across multiple specialists
- Sector-specific contexts require emphasis on different competencies
- Emerging roles might not map cleanly to framework roles yet should be guided by relevant competencies
- Career trajectories need not follow a linear path through framework roles
The roles exist to make the framework easier to navigate and understand. They're entry points, not constraints. The competencies are what matter.
Integration with Established Frameworks
The Behavioural Cyber Risk Management Skills Framework was never intended to exist in isolation. It's designed to complement and integrate with established frameworks, particularly NICE and SFIA.
Complementing, Not Competing
Think of frameworks as overlapping circles in a Venn diagram:
- NICE provides comprehensive coverage of technical cybersecurity roles and competencies
- SFIA maps the full range of IT and digital skills across organisations
- This framework addresses the behavioural and human risk dimension
The overlaps are intentional and valuable. A Security Awareness Manager, for example, might:
- Use NICE's "Security Awareness and Training Specialist" role (OV-TEA-002) for technical baseline requirements
- Reference SFIA's "Information Security" skill for organisational positioning
- Apply this framework's Domains A, D, and E for behavioural intervention design, culture building, and leadership capabilities
Together, they provide comprehensive guidance. Separately, they each illuminate important aspects.
Practical Integration
The framework documentation includes specific integration guidance:
NICE Framework Mapping
For key roles, we identify relevant NICE work roles and explain how behavioural competencies complement technical requirements. For instance:
- A Cybersecurity Manager (OV-MGT-001 in NICE) benefits from adding behavioural competencies in Domains B (understanding human risk context) and E (leading culture change)
- A Security Awareness Specialist (OV-TEA-002 in NICE) should develop deep capabilities in Domain A (behavioural science) and Domain D (intervention design)
SFIA Framework Alignment
We map framework domains to relevant SFIA skills:
- Domain B competencies complement SFIA's "Security administration" (SCAD) by adding behavioural risk assessment
- Domain E capabilities extend SFIA's "Information security" (SCTY) with culture and leadership dimensions
- Domain F governance competencies align with SFIA Levels 5-6, providing behavioural perspectives on strategic leadership
Creating Competency Crosswalks
Organisations can create "competency crosswalks" that map their needs across multiple frameworks:
- Identify the role you need to fill or develop
- Check NICE or SFIA for technical baseline requirements
- Add behavioural competencies from this framework where human risk is significant
- Customise the mix based on specific context and challenges
- Set proficiency targets appropriately for each competency
This approach ensures comprehensive coverage without duplication or confusion.
Building a Common Language
Perhaps the greatest value of framework integration is establishing a common professional language. When a Security Awareness Manager discusses their role using NICE, SFIA, and behavioural framework terminology, they're speaking a language understood across the industry. This enables:
- Better recruitment by clarifying expectations
- Easier mobility as professionals move between organisations
- Clearer development paths with recognised milestones
- Professional recognition through shared standards
- Knowledge sharing across organisational boundaries
Why This Matters Now
The timing of this framework is not coincidental. Several converging trends make it particularly urgent:
The Sophistication of Social Engineering
Modern social engineering attacks leverage sophisticated psychological techniques, from deepfake videos to AI-generated phishing that adapts to individual targets. Technical controls alone cannot defend against attacks designed to exploit human psychology. We need professionals who understand both the threat landscape and human decision-making.
The Rise of Insider Risk
Organisations increasingly recognise that insider threats, whether malicious or inadvertent, represent significant risk. Managing this requires understanding motivation, opportunity, and capability at individual and organisational levels. It's not a technical problem; it's a behavioural one.
The Maturity of Security Culture
"Security culture" has moved from buzzword to business imperative. But actually building and measuring culture requires specific competencies that most security professionals haven't formally developed. The framework provides the roadmap.
The Emergence of GenAI Risks
Generative AI introduces novel behavioural risks, from employees bypassing controls to use consumer AI tools, to sophisticated AI-enabled social engineering. Understanding and managing these risks requires behavioural expertise.
The Professionalisation of Human Risk Management
Behavioural cybersecurity is maturing from a niche specialty to a recognised discipline. As it does, professionals need clear competency standards, just as technical security professionals have. This framework supports that professionalisation.
A Living Framework
One final, crucial point: this framework is not finished. It cannot be finished, because the field continues to evolve.
Being open means being adaptable. As practitioners apply the framework, they'll identify:
- Competencies that need refinement
- Proficiency descriptions that could be clearer
- Role profiles that don't quite fit real-world needs
- Integration challenges with other frameworks
- Emerging competencies not yet included
This feedback is invaluable and welcome. The framework will evolve based on practical use, new research, and changing threat landscapes.
Getting Started
The framework is available now at www.cybehave.com/skills-framework.php, with no registration or fees required. You're free to:
- Use it to assess your team's capabilities
- Adapt competencies to your organisational context
- Build it into your recruitment and development processes
- Share it with colleagues and clients
- Integrate it with your existing frameworks
- Include it in training materials
All we ask is attribution: "Behavioural Cyber Risk Management Skills Framework by CyBehave" with a link back to the framework.
Conclusion: Building Together
By making this framework freely available and grounding it in scientific evidence, we're making a bet: that open collaboration produces better outcomes than proprietary gatekeeping, and that rigorous methodology builds more lasting value than marketing hype.
The cybersecurity skills shortage won't be solved by a framework alone. But it might be helped by giving professionals a clear, evidence-based roadmap for developing the behavioural capabilities that organisations desperately need.
The framework exists to serve the community. Use it. Adapt it. Improve it. Share it.
Together, we can build a more behaviourally informed approach to cyber risk management, one that recognises that the human element isn't the weakest link, but rather the foundation upon which all security rests.
References
Bandura, A. (1977). Social learning theory. Prentice Hall.
Beautement, A., Sasse, M. A., & Wonham, M. (2008). The compliance budget: Managing security behaviour in organisations. In Proceedings of the 2008 New Security Paradigms Workshop (pp. 47-58). ACM. https://doi.org/10.1145/1595676.1595684
Da Veiga, A., & Martins, N. (2015). Improving the information security culture through monitoring and implementation actions illustrated through a case study. Computers & Security, 49, 162-176. https://doi.org/10.1016/j.cose.2014.12.006
Dekker, S. (2012). Just culture: Balancing safety and accountability (2nd ed.). CRC Press.
Dreyfus, H. L., & Dreyfus, S. E. (1980). A five-stage model of the mental activities involved in directed skill acquisition (Unpublished report). University of California, Berkeley, Operations Research Center.
Edmondson, A. (1999). Psychological safety and learning behavior in work teams. Administrative Science Quarterly, 44(2), 350-383. https://doi.org/10.2307/2666999
Michie, S., van Stralen, M. M., & West, R. (2011). The behaviour change wheel: A new method for characterising and designing behaviour change interventions. Implementation Science, 6, Article 42. https://doi.org/10.1186/1748-5908-6-42
Parsons, K., McCormac, A., Butavicius, M., Pattinson, M., & Jerram, C. (2014). Determining employee awareness using the Human Aspects of Information Security Questionnaire (HAIS-Q). Computers & Security, 42, 165-176. https://doi.org/10.1016/j.cose.2013.12.003
Schlienger, T., & Teufel, S. (2003). Analyzing information security culture: Increased trust by an appropriate information security culture. In Proceedings of TrustBus'03: International Workshop on Trust and Privacy in Digital Business, in conjunction with the 14th International Conference on Database and Expert Systems Applications (DEXA 2003) (pp. 405-412). IEEE Computer Society.
Thaler, R. H., & Sunstein, C. R. (2008). Nudge: Improving decisions about health, wealth, and happiness. Yale University Press.