A comprehensive competency framework covering 7 domains and 30 competencies to build expertise in behavioural cybersecurity
This framework defines the knowledge, skills, and capabilities required to effectively manage human cyber risk through evidence-based behavioural science. Each competency below is described at five levels of proficiency, and recommended levels for each professional role are tabulated at the end.
Domain A. Behavioural Science & Human Factors: Foundation knowledge of behavioural theories, cognitive biases, habit formation, and research methods applied to cybersecurity

Competency: Ability to apply behavioural models to cyber risk problems
Level 1: Can explain basic behavioural terms using provided materials but struggles to apply them to cyber scenarios.
Level 2: Identifies simple capability, opportunity and motivation barriers for straightforward behaviours with guidance.
Level 3: Independently conducts behavioural diagnosis for defined security behaviours and selects appropriate models such as COM-B or Social Learning Theory.
Level 4: Integrates multiple behavioural theories to explain patterns across incidents and programmes and adapts models to the organisational context.
Level 5: Sets the organisation's behavioural diagnostic approach, mentors practitioners and contributes to external thought leadership or research.

Competency: Understanding how cognitive biases influence security decisions
Level 1: Recognises common bias names such as authority or scarcity when given examples.
Level 2: Can spot obvious bias patterns in phishing or scam content and describe them to others.
Level 3: Systematically analyses user journeys and incidents for cognitive biases and recommends simple countermeasures.
Level 4: Designs interventions that directly address specific biases and tests different framings or decision aids.
Level 5: Advises senior leaders on bias in strategic decisions and codifies guidance on bias-aware security design.

Competency: Designing environments and prompts that encourage secure behaviours
Level 1: Understands the basic idea of habits and nudges at a conceptual level.
Level 2: Suggests small reminders, prompts or default settings to encourage simple secure actions.
Level 3: Designs habit formation strategies for key behaviours including cues, routines and rewards and integrates them into processes.
Level 4: Works across teams to embed secure defaults and nudges into products, workflows and tooling and evaluates long-term habit formation.
Level 5: Leads the overall organisational strategy for secure habits and choice architecture and shares proven patterns across multiple contexts.

Competency: Conducting rigorous research to understand and measure human behaviour
Level 1: Is familiar with basic terms such as survey, interview, experiment and observation.
Level 2: Supports simple data collection activities following a defined protocol and understands the importance of consent and anonymity.
Level 3: Designs and runs small-scale behavioural studies or pilots, selects appropriate methods and draws cautious conclusions.
Level 4: Plans more robust evaluations with control or comparison groups where feasible and accounts for common validity threats.
Level 5: Leads complex behavioural research programmes, partners with academic or data science teams and publishes or shares evidence-based insights.
Domain B. Cyber & Risk Context: Understanding threat landscapes, risk frameworks, control usability, and incident analysis from a human-centred perspective

Competency: Understanding threats that target or arise from human behaviour
Level 1: Can list key human-driven threats such as phishing, social engineering and insider mistakes.
Level 2: Describes in simple scenarios how attackers exploit people in common attacks.
Level 3: Translates technical threat intelligence into human behaviour stories tailored to different audiences.
Level 4: Anticipates how new technologies and business changes will create new human attack paths and advises on mitigations.
Level 5: Shapes the organisation's human threat narratives and influences external communities on emerging human-centric threats.

Competency: Integrating human factors into risk assessment and management
Level 1: Recognises that human behaviour is part of overall cyber risk but does not yet understand how it maps to risk frameworks.
Level 2: With support, maps simple behaviours such as password reuse to controls or categories in frameworks like NIST CSF or ISO 27001.
Level 3: Consistently expresses behavioural risks in terms of likelihood, impact and control effectiveness within existing risk registers and frameworks.
Level 4: Integrates human risk systematically into cyber and enterprise risk processes and reporting.
Level 5: Influences how risk frameworks and regulators treat human factors and represents the organisation in external risk discussions.

Competency: Ensuring security controls are usable and do not create dangerous workarounds
Level 1: Understands at a high level what key security controls do from a user perspective.
Level 2: Can describe obvious user frictions created by specific controls when prompted by examples.
Level 3: Collaborates with control owners to identify usability and workflow issues that drive workarounds or non-compliance.
Level 4: Works with product, UX and engineering teams to redesign controls and processes so that secure behaviour is usable and low effort.
Level 5: Sets standards for human-centred control design and ensures usability considerations are embedded in control governance.

Competency: Learning from incidents by understanding human and systemic factors
Level 1: Reads incident reports but focuses mainly on technical causes or "user error" labels.
Level 2: Starts to identify simple behavioural and contextual contributors in incidents when prompted.
Level 3: Conducts incident reviews that systematically surface behavioural, system and cultural contributors without blame.
Level 4: Establishes just-culture-oriented incident learning processes that feed into behavioural risk assessments and interventions.
Level 5: Shapes organisational norms for learning from incidents and shares approaches externally as good practice.
Domain C. Behavioural Diagnostics & Analytics: Strategy for behavioural data, metrics design, analysis techniques, and network mapping to understand and influence human risk

Competency: Responsible collection and use of behavioural data
Level 1: Has basic awareness that behavioural data can be sensitive and must be protected.
Level 2: Follows defined rules for handling behavioural or monitoring data and flags concerns to senior staff.
Level 3: Defines ethical and compliant use cases for behavioural data across tools such as training platforms, phishing simulations and system logs.
Level 4: Designs a coherent behavioural data strategy with clear governance, transparency and safeguards.
Level 5: Chairs or advises on ethics and data use forums for human risk data and adapts strategy to new laws or societal expectations.

Competency: Designing meaningful measures of human cyber risk
Level 1: Reports basic activity metrics such as training completion and phishing click rates when asked.
Level 2: Understands the difference between activity metrics and risk-relevant indicators and can explain the limitations of simple measures.
Level 3: Designs balanced metric sets that include leading indicators, behaviour measures and relevant cultural indicators aligned to risk outcomes.
Level 4: Embeds human risk metrics into regular management information and decision processes and iteratively refines them.
Level 5: Sets the organisation-wide approach to human risk measurement and influences external discussions on meaningful metrics.

Competency: Turning behavioural data into actionable insights
Level 1: Uses standard dashboards and reports but struggles to interpret them without guidance.
Level 2: Performs basic sorting, filtering and simple analysis to answer straightforward questions.
Level 3: Combines multiple data sources to identify patterns and segments and presents clear visual insights for stakeholders.
Level 4: Works with data specialists to develop more advanced analyses or simple models that inform targeted interventions.
Level 5: Leads complex analytical work on human risk, sets analytical standards and translates sophisticated findings into strategic decisions.

Competency: Understanding social networks to optimise intervention strategies
Level 1: Recognises that informal networks and influencers exist but does not know how to identify them.
Level 2: Can name key influencers in their own area based on observation.
Level 3: Uses simple network or relationship mapping techniques to identify potential Security Champions and influence points.
Level 4: Applies social network analysis concepts to design or optimise Champion networks and intervention routes.
Level 5: Sets the organisation's approach to influence mapping and collaborates with specialists to refine network-based strategies.
Domain D. Intervention Design & Delivery: Planning, designing, implementing and scaling behavioural interventions including learning, communication, and choice architecture

Competency: Systematic design of evidence-based interventions
Level 1: Understands that interventions should be based on behavioural diagnosis but requires templates and step-by-step guidance.
Level 2: Uses basic COM-B style templates to identify barriers for a single behaviour and suggests simple interventions such as training or reminders.
Level 3: Conducts structured diagnosis and designs coherent intervention packages using Behaviour Change Wheel functions and APEASE-style criteria.
Level 4: Integrates organisational constraints and multiple levers into a multi-channel intervention plan with feedback and measurement loops.
Level 5: Owns and evolves the organisation's standard method for behavioural intervention design and mentors others in its use.

Competency: Creating effective learning experiences that drive behaviour change
Level 1: Delivers standard training material created by others with little adaptation.
Level 2: Adapts existing content to audience needs and includes simple scenarios or examples.
Level 3: Designs learning experiences that target specific behaviours using adult learning principles and spacing or reinforcement.
Level 4: Builds blended learning and practice journeys that integrate with campaigns, nudges and local coaching.
Level 5: Sets learning design standards for behavioural cyber risk and oversees a coherent curriculum across the organisation.

Competency: Crafting messages that motivate and enable secure behaviours
Level 1: Sends out standard security messages and notices as provided.
Level 2: Tailors basic language and channels for different groups while keeping core messages intact.
Level 3: Crafts messages that use framing, social proof and clear calls to action to promote desired behaviours.
Level 4: Designs multi-touch communication strategies that build shared norms and narratives around secure behaviour.
Level 5: Acts as a trusted advisor on security communication to senior leaders and shapes the overall security story for the organisation.

Competency: Designing secure-by-default systems and workflows
Level 1: Recognises that interface and process design affect user behaviour but cannot yet specify changes.
Level 2: Suggests simple prompts or reminders in existing tools when asked about improving behaviour.
Level 3: Works with product and process owners to embed secure defaults, prompts and checks into user journeys.
Level 4: Leads cross-functional initiatives that redesign workflows and interfaces to make desired behaviours easy and mistakes less likely.
Level 5: Defines patterns and guidelines for secure choice architecture that are reused across products and services.

Competency: Managing delivery of behavioural programmes at scale
Level 1: Participates in delivery of interventions planned by others and completes assigned tasks.
Level 2: Manages small pilots or local rollouts with support and documents basic lessons learned.
Level 3: Plans and manages end-to-end delivery of behavioural interventions, including stakeholder engagement and risk management.
Level 4: Designs and oversees scaling of proven interventions across multiple business units or geographies, adapting to local context.
Level 5: Leads a portfolio of behavioural programmes and ensures a coherent, prioritised and sustainable change roadmap.
Domain E. Culture, Leadership & Stakeholder Influence: Assessing culture maturity, engaging stakeholders, building Champion networks, fostering psychological safety, and developing security leadership

Competency: Measuring and evolving security culture across the organisation
Level 1: Is aware that security culture can be assessed but has limited experience with tools or methods.
Level 2: Administers standard culture surveys or focus groups following guidance and helps summarise responses.
Level 3: Selects and applies culture assessment tools, interprets results and identifies key themes for action.
Level 4: Designs multi-method culture assessments and maturity models and links findings to strategy and programmes.
Level 5: Owns the organisation's security culture assessment approach and benchmarks performance internally and externally.

Competency: Building support and coalitions for behavioural risk initiatives
Level 1: Attends meetings with stakeholders and shares updates when asked.
Level 2: Identifies key stakeholders for specific initiatives and conducts basic engagement activities.
Level 3: Develops engagement plans, tailors messages and gains support or resources for behavioural risk initiatives.
Level 4: Builds coalitions across functions and levels, negotiates trade-offs and maintains long-term sponsorship.
Level 5: Acts as a strategic influencer on human risk with senior executives and external partners, shaping agendas and priorities.

Competency: Building and managing effective Champion networks
Level 1: Understands the purpose of Security Champions or similar networks in general terms.
Level 2: Supports Champion activities locally or participates in Champion events.
Level 3: Designs or manages a Champion network, including selection, enablement and basic governance.
Level 4: Optimises the network using behavioural and network insights, defines clear roles and measures impact.
Level 5: Defines the organisational model for Champions and peer networks and evolves it as part of the wider security culture strategy.

Competency: Creating environments where people feel safe to report and learn
Level 1: Recognises that people need to feel safe to speak up about issues but sees it mainly as a general HR topic.
Level 2: Encourages colleagues not to fear reporting mistakes and avoids blaming language in their own communication.
Level 3: Co-designs processes, communications and policies that support non-punitive reporting and learning from incidents.
Level 4: Works with leaders to embed psychological safety behaviours and just culture principles into everyday practice and governance.
Level 5: Acts as a key voice on psychological safety for cyber, influences policy and models behaviours that support trust and openness.

Competency: Developing leaders who model and enable secure behaviours
Level 1: Understands that leaders influence security behaviour but focuses mainly on their own individual tasks.
Level 2: Provides leaders with simple talking points and asks them to reinforce specific messages.
Level 3: Coaches leaders on specific behaviours that support secure culture and helps integrate them into routines.
Level 4: Develops and delivers leadership development elements focused on behavioural cyber risk and measures leadership impact.
Level 5: Advises executive teams on their role in security culture, and aligns leadership development and performance management with behavioural expectations.
Domain F. Governance, Ethics & Compliance: Policy design, ethical practice, programme governance, and vendor management for behavioural cybersecurity initiatives

Competency: Creating behaviourally realistic and enforceable policies
Level 1: Reads and applies security policies but rarely questions their design.
Level 2: Provides feedback on policy clarity from a user perspective and suggests small improvements.
Level 3: Collaborates in rewriting or creating policies and standards so they are behaviourally realistic and clear.
Level 4: Leads policy and standard design for key human risk areas and ensures alignment with behaviour change strategies.
Level 5: Sets principles and templates for behaviourally informed policy design and influences wider organisational policy practice.

Competency: Ensuring responsible application of influence and surveillance
Level 1: Follows existing rules about monitoring and behavioural interventions and escalates any concerns.
Level 2: Recognises ethical tensions in monitoring or influence techniques when they are pointed out.
Level 3: Conducts basic ethical impact assessments of behavioural initiatives and monitoring proposals.
Level 4: Establishes and maintains ethical guardrails, consultation processes and transparency practices for human risk initiatives.
Level 5: Acts as a recognised authority on ethics in behavioural cyber risk and engages with external bodies or regulators as needed.

Competency: Establishing oversight and assurance for human risk initiatives
Level 1: Attends governance or steering meetings when requested and shares status updates.
Level 2: Tracks actions and risks for small initiatives and reports into existing governance forums.
Level 3: Designs governance structures for behavioural programmes that integrate with cyber and operational risk governance.
Level 4: Chairs or co-chairs governance forums for human risk, ensuring clear priorities, escalation paths and assurance.
Level 5: Embeds human risk governance into the organisation's overall risk and performance framework and adjusts it as strategy evolves.

Competency: Evaluating and managing technology solutions for behavioural security
Level 1: Uses assigned tools and platforms following instructions.
Level 2: Provides user feedback on tools and contributes to basic requirements lists.
Level 3: Defines behavioural and functional requirements and participates in vendor evaluation and selection.
Level 4: Leads selection and integration of tools into a coherent human risk ecosystem and evaluates their performance.
Level 5: Sets long-term strategy for human risk tooling and manages key supplier relationships at a strategic level.
Domain G. Professional & Reflective Practice: Critical thinking, ethical reflexivity, interdisciplinary collaboration, and knowledge sharing to advance the field

Competency: Evaluating claims and research with appropriate scepticism
Level 1: Accepts most claims at face value, particularly from senior people or vendors.
Level 2: Starts to question bold claims and looks for basic evidence when prompted.
Level 3: Reviews research or vendor material for methods and limitations and prefers evidence-based approaches.
Level 4: Systematically appraises evidence, compares options and communicates balanced recommendations.
Level 5: Leads the organisation's stance on evidence-based behavioural practice and contributes to broader knowledge bases.

Competency: Learning from experience and maintaining professional standards
Level 1: Occasionally reflects on what went well or badly but does not record or structure learning.
Level 2: Responds constructively to feedback and can describe some lessons learned from past work.
Level 3: Maintains regular reflective practice, identifies patterns in own behaviour and adjusts approach.
Level 4: Encourages reflective practice within teams and integrates it into ways of working, especially around incidents.
Level 5: Models high standards of reflective and ethical practice and shapes the culture of learning and integrity in the human risk function.

Competency: Building partnerships across functions and disciplines
Level 1: Works mainly within own function and engages others when asked.
Level 2: Participates in cross-functional meetings and respects other perspectives.
Level 3: Proactively builds relationships with functions such as HR, legal, IT, risk and communications to deliver joint outcomes.
Level 4: Leads cross-functional initiatives that reconcile different priorities and creates shared ownership of behavioural risk.
Level 5: Acts as a trusted integrator across disciplines and shapes organisational structures or forums to support ongoing collaboration.

Competency: Contributing to and advancing the field of behavioural cybersecurity
Level 1: Shares useful resources informally with close colleagues.
Level 2: Presents work informally in team meetings or internal communities when asked.
Level 3: Regularly shares case studies, tips and lessons learned internally through appropriate channels.
Level 4: Organises or leads internal communities of practice on behavioural cyber risk and encourages contribution from others.
Level 5: Represents the organisation in external forums, publishes or speaks on behavioural cyber risk and brings external insight back inside.
Recommended competency levels by professional role
| Domain | CISO / Head of Cyber | Director of Security Culture | Human Risk & Culture Lead | Security Architect | Behavioural Practitioner | Security Awareness Manager | Security Awareness Analyst | Security Champion |
|---|---|---|---|---|---|---|---|---|
| A. Behavioural Science & Human Factors | Level 3 | Level 4 | Levels 4-5 | Levels 3-4 | Level 4 | Levels 3-4 | Levels 2-3 | Level 2 |
| B. Cyber & Risk Context | Levels 4-5 | Level 5 | Level 4 | Levels 4-5 | Levels 3-4 | Level 3 | Level 2 | Level 2 |
| C. Behavioural Diagnostics & Analytics | Levels 3-4 | Levels 4-5 | Levels 4-5 | Levels 3-4 | Level 4 | Level 3 | Level 2 | Levels 1-2 |
| D. Intervention Design & Delivery | Levels 3-4 | Levels 4-5 | Levels 4-5 | Levels 4-5 | Levels 4-5 | Level 4 | Level 3 | Levels 2-3 |
| E. Culture, Leadership & Stakeholder Influence | Levels 4-5 | Level 5 | Levels 4-5 | Levels 3-4 | Levels 3-4 | Levels 3-4 | Levels 2-3 | Levels 2-3 |
| F. Governance, Ethics & Compliance | Levels 4-5 | Level 5 | Level 4 | Level 4 | Levels 3-4 | Level 3 | Level 2 | Levels 1-2 |
| G. Professional & Reflective Practice | Levels 4-5 | Level 5 | Levels 4-5 | Level 4 | Level 4 | Levels 3-4 | Level 3 | Levels 2-3 |
This framework integrates evidence-based behavioural science with cybersecurity practice, drawing on established models:
The competencies are informed by peer-reviewed research and industry practice:
This Behavioural Cyber Risk Management framework complements NICE by addressing the human and cultural dimensions of cybersecurity work roles:
→ Maps to: CISO / Head of Cyber role in this framework
Use Domain B (Cyber & Risk Context) and Domain E (Culture & Leadership) competencies to supplement NICE technical KSAs with behavioural leadership capabilities.
→ Maps to: Security Awareness Manager and Human Risk & Culture Lead roles
Use Domain A (Behavioural Science), Domain D (Intervention Design), and Domain E (Culture) to enhance awareness programmes with evidence-based behavioural approaches.
Integration Approach: Use NICE for technical cybersecurity competencies and this framework for behavioural, cultural, and human risk competencies. Together they provide comprehensive coverage of both technical and human dimensions.
This framework extends SFIA by providing detailed behavioural and cultural competencies not covered in standard SFIA skills:
→ Complement with: Domain B (Cyber & Risk Context) and Domain F (Governance)
Add behavioural risk assessment and just culture principles to technical security administration.
→ Complement with: Domain A (Behavioural Science) and Domain E (Culture)
Enhance technical security controls with understanding of human behaviour and culture change.
→ Maps to: Director and CISO roles in this framework
Use Domain E (Culture & Leadership), Domain F (Governance), and Domain G (Professional Practice) for senior leadership competencies.
Integration Approach: Map SFIA technical skills to equivalent technical domains, then overlay behavioural competencies from this framework. SFIA provides the "what" (technical skills), while this framework provides the "how" (behavioural approaches).
This Behavioural Cyber Risk Management Skills Framework is provided by CyBehave as a free, open resource for the cybersecurity and behavioural science communities.
Credit CyBehave when using or adapting this framework:
Behavioural Cyber Risk Management Skills Framework by CyBehave
cybehave.com/skills-framework.php