Nick (the director at Culturlabs) was recently chatting with a Chief Information Security Officer at a mid-sized organisation. There, cyber security awareness meant running monthly phishing simulations.
They logged which employees ‘failed’ their phishing simulations and every first Friday of the month, the security team sent out the list of employees who had ‘clicked’ most often. This organisation is not alone in taking this kind of approach. A common response to cyber risks is to identify ‘high risk’ staff and to provide more tailored, relevant training.
But during the conversation, it became clear that the names on the monthly lists were typically not the same employees. What does that tell us? Whereas some employees may be consistently vulnerable, only focusing on changing their behaviours misses the broader picture. Even well-intentioned, informed staff can make mistakes if the system sets them up to fail. If the list of names changes month after month, it prompts us to look beyond individual blame and consider what aspects of the system make these behaviours more likely.
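The post's observation rests on a question a security team can actually measure: how much do the monthly "clicked most often" lists overlap? The script below is an added illustration, not code from Culturlabs or from the organisation described. It assumes a hypothetical CSV export with one row per campaign recipient (columns `month`, `employee_id`, `campaign`, `clicked`), builds the monthly top-n list the post describes, and then reports how stable that list is from month to month. The sample data is constructed.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed phishing-simulation export in a hypothetical CSV shape:
# one row per (campaign, recipient). Made-up sample data, not from the post.
SAMPLE_CSV = """\
month,employee_id,campaign,clicked
2024-01,e01,jan-a,1
2024-01,e01,jan-b,1
2024-01,e01,jan-c,1
2024-01,e02,jan-a,1
2024-01,e02,jan-b,1
2024-01,e03,jan-a,1
2024-01,e04,jan-a,0
2024-02,e04,feb-a,1
2024-02,e04,feb-b,1
2024-02,e04,feb-c,1
2024-02,e05,feb-a,1
2024-02,e05,feb-b,1
2024-02,e01,feb-a,1
2024-02,e02,feb-a,0
2024-03,e06,mar-a,1
2024-03,e06,mar-b,1
2024-03,e07,mar-a,1
2024-03,e07,mar-b,1
2024-03,e08,mar-a,1
2024-03,e01,mar-a,0
"""


def monthly_click_counts(csv_text):
    """Return {month: Counter(employee_id -> number of clicks)} from the export."""
    counts = defaultdict(Counter)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["clicked"] == "1":
            counts[row["month"]][row["employee_id"]] += 1
    return counts


def top_clickers(counts, n=3):
    """The monthly 'named' list: the n employees with the most clicks (ties broken by id)."""
    lists = {}
    for month, ctr in counts.items():
        ranked = sorted(ctr.items(), key=lambda kv: (-kv[1], kv[0]))
        lists[month] = frozenset(emp for emp, _ in ranked[:n])
    return lists


def jaccard(a, b):
    """Set similarity in [0, 1]: 1.0 means identical lists, 0.0 means no names in common."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def month_to_month_overlap(lists):
    """Jaccard overlap between each consecutive pair of monthly lists."""
    months = sorted(lists)
    return [(m1, m2, jaccard(lists[m1], lists[m2])) for m1, m2 in zip(months, months[1:])]


def repeat_rate(lists):
    """Share of employees who ever made a list and did so in more than one month."""
    appearances = Counter(emp for names in lists.values() for emp in names)
    if not appearances:
        return 0.0
    return sum(1 for c in appearances.values() if c > 1) / len(appearances)


def summarise(csv_text, n=3):
    """Stability summary of the monthly top-n lists for a whole export."""
    lists = top_clickers(monthly_click_counts(csv_text), n)
    return {"overlap": month_to_month_overlap(lists), "repeat_rate": repeat_rate(lists)}


if __name__ == "__main__":
    result = summarise(SAMPLE_CSV)
    for m1, m2, j in result["overlap"]:
        print(f"{m1} -> {m2}: overlap {j:.2f}")
    print(f"repeat rate: {result['repeat_rate']:.2f}")
```

On the constructed data the consecutive overlaps are 0.2 and 0.0 and only one of eight named employees repeats, which is the pattern the post describes: the names churn, so the clicking is not concentrated in a stable group of individuals. A team seeing numbers like these has evidence to shift effort from the named list to the conditions that produce it. With small lists and few campaigns the overlap is noisy, so it is worth tracking over several months rather than reading one pair.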
So, let’s talk about system change a bit.
First of all, what is a system? A system is a set of interconnected elements that are organised in a way that achieves something (Meadows, 2009). An organisation in any industry or sector is by definition a system, because it has elements (e.g., people and information) that are interconnected (e.g., people access and exchange information with each other), and it has a purpose (e.g., sell or provide a product or service). System change is – put simply – the process of changing the system (Hacking, n.d.).
With a systems lens, it becomes obvious that there is more to human risk management than changing a person’s behaviour through training. For starters, people care about what others think. A large-scale survey of over 1,000 employees across Germany, the UK and the US found that employees report suspicious emails more often the more they feel that their peers and managers discuss, prioritise, and pay attention to information security (Petrič & Just, 2025). Many similar studies show that employees’ perceptions of their managers, and of how security is communicated, are key drivers of employee compliance and cyber risk awareness (Flores & Ekstedt, 2016; McKnight & Warkentin, 2020). In short, a person’s behaviour doesn’t occur in a vacuum; what’s happening in their social environment influences the person, and vice versa. Together, they form a system that’s more than the sum of its parts.
This doesn’t mean we should throw the behaviour-focused approach in the bin! In a manifesto for using behavioural science to address important problems of today, Dr Michael Hallsworth – Chief Behavioural Scientist at the Behavioural Insights Team – says that targeted behaviour change can be made a lot more effective by embracing the complexity of systems (Hallsworth, 2023). Complex systems can produce wide-ranging outcomes from smaller, lower-level processes. For example, an organisation’s culture is not just defined and created by leaders but emerges from the day-to-day interactions among its employees. And within these social networks are a handful of people who are influential (think of that colleague whom everyone likes and respects). Behavioural science can help identify and target such leverage points and design interventions – perhaps these ‘influencers’ could champion security within their own networks (Alexander et al., 2022; Jaatun & Cruzes, 2021).
So, stop getting bogged down in the list of employees who ‘failed’ phishing simulations. Step back and start asking how the system reinforces their behaviours. What can you do to shape the system so that cyber security comes easily to everyone? This is a tough question for anyone to answer – and that’s why we want to help you tackle it.
