Dear renegades, mavericks and deviants…

If you're like most security professionals I know, you already believe behavior matters.
You’ve probably said it in reporting decks, leadership discussions, and strategy docs:

“We need to change security behaviors.”

But here’s the uncomfortable truth:
We talk about behavior like it’s a shared, precise concept — but most of the time, it’s not.
We confuse behaviors with beliefs or attitudes.
We say “change behavior” but don’t name which ones.
We default to phishing clicks and phishing reporting — because they’re the only things we feel we can measure, leadership is hooked on them.
And we run programs that claim to manage human risk, but track little more than training completion and phishing sims.

It’s not that we don’t care.
It’s that we’ve been vague, overwhelmed, and under-equipped.

That’s partly why we worked with the community to build the Security Behaviors Database, or SebDB — a structured, evidence-based way to define and operationalize security behaviors. It’s an open source research resource, available to everyone - for free.

And soon, we’re launching the most important update yet: SebDB v4.0.

If you want to check out the current version (SebDB v3.0), you can see it here.

Just bear in mind — v4.0 is coming soon, and it goes much further.

First, a definition

You can define a security behavior as:

An action or practice by an individual that protects information, systems, or assets from unauthorized access, damage, or threats.

It’s not a feeling.
It’s not “awareness.”
It’s something people actually do — or don’t.

And when you treat it that way, everything changes.

You can measure it.
You can influence it.
You can connect it to risk models and threat tactics.
You can embed it into your core security program — just like technical controls.

SebDB is built like CVSS — but for people

Just as CVSS brought clarity and consistency to how we assess technical vulnerabilities, SebDB does the same for human behavior.

It’s the start of a structured ontology — mapping behaviors to outcomes, threats, frameworks, and change strategies.

It’s machine-usable. Evidence-based.
And it’s completely open.

SebDB gives you a repeatable way to evaluate which behaviors matter most, based on context, complexity, frequency, and risk.

But here's the bigger shift: SebDB tracks what’s right, not just what’s wrong

Most of us focus on human error:

• Missed warnings
• Unsafe clicks
• Poor password practices
  
  

And yes — SebDB helps identify those failures.

But it also shines a light on success:

• Locking screens
• Using strong authentication
• Avoiding unsafe tools
• Reporting anomalies
  
  

Because risk isn’t only created when people do the wrong thing. It’s reduced when they do the right thing — consistently.

If you want to measure resilience — not just risk — you need visibility into the full spectrum of human behavior.

Positive. Negative. All of it.

What’s new in SebDB v4.0?

SebDB v4.0 makes human risk measurable, explainable, and aligned to the language of security.

Here’s what you’ll soon get:

- Security behaviors

An expanded, refined list of clearly defined behaviors — updated from v3, with new additions.

- Impacts

Seven clearly defined impacts that can result if behaviors aren’t performed — replacing vague “risk outcomes.”

- Impact case studies

Real-world examples showing how behavior failures lead to actual harm.

- Behavior descriptions

Plain-language summaries of what each behavior is.

- “Why it’s important”

Concise, evidence-backed explanations for why each behavior matters.

- Further reading

Relevant links, research, and context to support each behavior.

- Subject categories

New thematic groupings to help you explore and manage behaviors by domain.

- Mapping: categories → behaviors

Understand how subject domains relate to specific actions.

- Mapping: NIST CSF → behaviors

Every behavior is mapped to NIST CSF 2.0 core functions — with justifications.

- Mapping: MITRE ATT&CK → behaviors

Behaviors are mapped to MITRE ATT&CK tactics, so you can link actions to adversary goals.

- Mapping: impacts → behaviors

Each behavior is scored for plausibility to influence specific impacts — helping you prioritise.

- Tiering

Behaviors are tiered based on their aggregate risk-reduction potential across all mapped impacts.

- Change log

A full breakdown of what’s changed from v3 to v4 — including added, updated, and removed behaviors.

- SebDB principles & writing guide

A transparent overview of how SebDB is built — and how you can contribute or adapt it.

Why this matters

For years, the human side of cybersecurity has been treated as soft, hard-to-measure, and separate from “real” controls.

But the truth is this:
Risk lives in what people do. And behavior is the most underleveraged control domain in cybersecurity.

SebDB v4.0 gives you a way to:

• Track behavior like a control
• Map it to NIST CSF and MITRE ATT&CK
• Prioritise based on risk and impact
• Report on resilience, not just failure
• And embed human risk management directly into your core program

Final thought

Most teams don’t need more awareness content.
They need more clarity.

Because if you can’t name the behavior, you can’t influence it.
If you can’t influence it, you can’t change it.
And if you can’t change it, you’re not reducing risk — you’re just hoping for the best.

SebDB v4.0 is coming soon.

It’s a great opportunity to stop being vague.
And it’s a great step in making human risk measurable.

I hope this is helpful. Now let’s go.

Thanks for reading! 

Was this email forwarded to you? Sign up here. 

Oz Alashe MBE

CEO and Founder,

CybSafe