The bottom line: the industry stopped measuring what people know and started measuring what they do
A security behavior and culture program (SBCP) is, in Gartner's definition, an enterprise-wide approach to reducing cybersecurity incidents associated with employee behavior. Put in two sentences: it is no longer about running courses and counting who finished them, but about changing how people act against a real deception and confirming that the change happened. It is the name analysts gave to a shift that had been building for years, the move from awareness, which measures what someone knows, to behavior, which is what actually decides whether a company withstands an attack.
The shift is not a matter of vocabulary. Cisco's 90-5-5 framework, which estimates that roughly 90 percent of breaches involve a human factor, places the risk where it lives: in people and in how they behave under pressure, not in whether they passed a quiz. And if the risk lives in conduct, measuring conduct stops being a luxury and becomes the whole point of the program.
What the security behavior and culture framework names, and why it appeared
The framework names something awareness campaigns never delivered: moving behavior in a sustained way across the whole organization. Gartner describes it as the move from merely raising awareness toward fostering a security culture appropriate to each company's context, and recommends running it with its PIPE framework (practices, influences, platforms and enablers), meaning not an annual campaign but a system that works on habits, incentives and tools at the same time.
Human risk is managed automatically.
Turn human risk into your first line of defense.
Book a demoFree demo · 30 minutes · No commitment
It appeared because the old model fell short against the reality of the attack. According to CISA, more than 90 percent of successful cyberattacks begin with a phishing email, and that email does not fail against a firewall, it fails against a person who opens it at the wrong moment. An annual video about what phishing is does not change that reaction; at best it explains it. The framework emerged to close the gap between knowing a threat exists and acting differently when it arrives.
How it differs from a traditional awareness program
The difference is clearest when you put both approaches side by side against the same criteria. It is not that traditional awareness is wrong, it is that it answers a different question, whether the employee received the information, not whether they changed their conduct.
| Criterion | Traditional awareness | Behavior and culture program |
|---|---|---|
| What it measures | What the person knows or recalls | How they act against a real deception |
| Unit of success | Course completed, quiz passed | Conduct that changes and holds |
| When it acts | On the calendar, once or twice a year | At the moment of the failure, when it matters |
| Facing the error | Repeats the same content for everyone | Targets each person's specific weakness |
| How leadership sees it | Compliance percentage | Reduction in susceptibility to deception |
What no table fully captures is the change in mindset behind it. Awareness assumes that informing is enough. The behavior program starts from the opposite premise: information is necessary but not sufficient, and that is why its yardstick is not attendance but conduct.
Four signs a program measures conduct, not activity
The first sign is that it measures behavior under real pressure, not answers on a quiz where the employee knows they are being tested. A risk score that rises and falls with how a person reacts to a simulated attack says far more than an exam grade.
The second is that its success metric is not completion or click rate in isolation, but whether the person falls again when tested anew. It helps to be precise about what gets measured and in what order, because not every metric carries the same weight: we cover it in detail in report rate, click rate and retest.
The third is that training arrives at the moment of the failure and is specific to the attack the person fell for, not a generic module on a calendar date. There is evidence for why this matters, and for why traditional training does not change conduct when it is delivered disconnected from the error.
The fourth is that the program repeats and is measured over time, because human vulnerability is not static. A person who is resilient today may fall three months from now under a new pretext, and a program that measures conduct knows this and tests again, instead of marking a risk as solved with an attendance certificate.
Where retest fits: the proof that conduct changed
This is where the framework stops being a nice idea and becomes verifiable. Retest means testing the behavior again weeks after the failure, with a different scenario of the same type and difficulty, to see whether the person learned the lesson or merely remembered one specific email. It is the difference between believing someone changed and proving it.
And it is not a matter of style, it has backing. There is peer-reviewed evidence (Ho et al., IEEE S&P 2025; Lain et al., IEEE S&P 2022) that completing training does not on its own predict a reduction in real failures; what demonstrates the change is retesting conduct under similar conditions. A behavior program without retest stops halfway: it trains, but it does not validate. With retest, the claim "this person is less vulnerable than a month ago" stops being a hope and becomes a fact.
Understood this way, a security behavior and culture program is not awareness under a new name. It is a system that measures conduct, intervenes at the moment of the error and confirms the change, and that is why it can tell leadership something a percentage of completed courses never will: not how many people saw the material, but how many actually changed.
At Fensivo we build human risk management (HRM) on exactly this logic: we measure each person's behavior against realistic simulations, deliver training at the moment of the failure, and validate with retest that conduct changed, not that the course was completed. You can see how it applies to your case in our use cases. The question the framework leaves is uncomfortable on purpose: does your current program know how many of your people changed their conduct, or only how many clicked "finish course"?
Human risk is managed automatically.
Turn human risk into your first line of defense.
Book a demoFree demo · 30 minutes · No commitment
