Culture for Security Awareness Leads: From Courses to Human Risk Operations

If you’re a security awareness lead, you’ve probably felt it:

  • You’re expected to change behavior and reduce risk,

  • but most of your tools are built to ship content and track completion.

You run campaigns, launch courses, send emails, push phishing tests… and still get asked:

“Why are people still clicking?”
“Why did that incident still happen?”
“What are we actually getting for this investment?”

At the same time, regulators, NCSC, NIST, and CISA are all talking more about culture, human risk, and behaviors under pressure, not just “awareness” and “training”. The job is changing:

Security awareness is no longer just about courses and comms.
It’s about running human risk operations.

In this article, we’ll walk through:

  • Why “awareness” as a label keeps underselling what you actually do

  • How to think like a human risk operator, not just a content owner

  • The core components of a human risk operating model (for awareness leads)

  • How to plug into NCSC’s culture guidance without needing a whole new job title

  • Where Cybermaniacs can help you move from “training program” to “culture engine”


The Problem: Awareness Programs Were Built for Content, Not Change

Most awareness teams are set up around a content pipeline:

  • Annual or quarterly training modules

  • Phishing simulations and micro-learning

  • Intranet articles, posters, town halls

  • Maybe some gamification and fun stuff during Cyber Awareness Month

To be clear: none of that is bad. You probably do it really well.

The problem is that most of the tooling and reporting is built to answer questions like:

  • “Who completed the course?”

  • “What was the phishing click rate?”

  • “How many views did that article get?”

Boards, CISOs, and regulators are now asking a different set of questions:

  • “Where are our biggest human risks?”

  • “How is our security culture developing over time?”

  • “What behaviors can we count on under stress, pressure, and change?”

  • “How does this tie to NCSC or other frameworks?”

There’s a gap between what you’re measured on (content consumption) and what you’re actually accountable for (risk and culture).

That’s why we think awareness leads need to reposition themselves—from course owners to human risk operators.


From Awareness to Human Risk Operations: The Mindset Shift

Let’s draw the line clearly.

Awareness Lead (old framing)

  • Owns courses, campaigns, and phishing

  • Talks mainly about content, completion, and engagement

  • Brought in late to “make people aware” of decisions already made

  • Seen as nice to have or “comms support”

Human Risk Operator (new framing)

  • Owns insight into human and cultural risk

  • Connects HumanOS, real work, and decisions under pressure

  • Designs interventions that change systems, not just messages

  • Works with CISO, HR, leaders, and operations as a strategic partner

Same person, same seat—different posture.

Instead of:

“We delivered 12 courses and 24 campaigns.”

…you want to be able to say:

“We’re seeing a high human risk signal in [these areas]; here’s what we’re doing about it, here’s how it maps to NCSC culture principles, and here’s how we know it’s working.”

That’s human risk operations.


Your Operating System: HumanOS, Culture, and Org Dynamics

To make that shift, you need a model that explains why people behave the way they do, not just whether they passed a quiz.

At Cybermaniacs, we use three layers that awareness leads can absolutely steal and adopt:

  1. HumanOS – the human operating system

  2. Cyber Safety & Digital Risk culture model – how you do security

  3. Organizational dynamics model – who you are as an organization

HumanOS – Your Real Audience

This is the messy human reality you work with every day: people are tired, distracted, busy, and constantly interrupted. They want to belong, look competent, and avoid embarrassment, so they rarely want to admit confusion or mistakes. A lot of their routine tasks run on autopilot, without much conscious thought. And when they have to make choices, they’ll naturally optimize for speed and convenience—unless the environment gives them a really clear, compelling reason not to.

Human risk operations means you:

  • Design for attention, emotion, and habit, not against them.

  • Think about when and where people see your messages.

  • Ask what else is going on in their day, in their systems, in their workload.


Cyber Safety & Digital Risk Culture – How Work Really Happens

This is the layer where real work actually happens—sales, finance, operations, development, customer service, and everything in between. It’s where processes either quietly support secure behavior or completely sabotage it, and where the unwritten norms emerge: the “this is how we actually do it here” reality that people follow, regardless of what the policy says.

As an awareness lead, this is where you ask:

  • “What does secure behavior look like in this workflow?”

  • “What gets in the way of doing it the secure way?”

  • “What shortcuts are people proud of? What do they quietly hide?”

This is where you move from generic “don’t click bad links” messages to context-specific guidance.

Organizational Dynamics – The Stuff Above Your Pay Grade (But Still Your World)

You can’t fix organizational dynamics on your own, but you do need to be able to see them. Leadership style and tone, the incentives built into performance reviews, the pressure from growth targets, cost cutting, or constant change programs, and the history of incidents, blame, or “heroic” firefighting all shape how people respond. Those dynamics determine whether your messages feel supportive or hypocritical, and whether they land on fertile ground or hit hard concrete and bounce off.


Human risk operations means you:

  • surface these dynamics to your CISO and HR partners,

  • design campaigns and interventions that work with the grain of your org where possible,

  • and tell the truth about where culture and incentives are undermining your ask.


Building a Human Risk Operating Model (Awareness Edition)

Okay, what does this look like in practice?

Here’s a simple operating model you can own as an awareness lead, aligned with NCSC’s culture ideas and our own Cybermaniacs Culture Model:

1. Discover: Know Your Human Risk Landscape

Move beyond “training completion” and start building a real picture of your human risk landscape. Which teams and roles are genuinely exposed? Which decisions and behaviors in those areas actually move the needle on risk? Where do people feel confident, and where are they quietly confused, frustrated, or scared to get it wrong? When you can see that clearly, culture work stops being generic awareness and starts becoming targeted human risk operations. You can get there with a light-touch approach—short pulses, a few conversations, or by using something like the Cybermaniacs NCSC-aligned baseline—but the key is this: you need a view of who and what really matters, not just who ticked the training box.

Your goal is a simple map:

“Here are the top 3–5 human risk hotspots by team/behavior, and here’s how that links to NCSC culture principles like trust, leadership, and usable rules.”


2. Prioritize: Pick a Few Behaviors That Matter

Instead of trying to boil the ocean, pick a small set of high-impact behaviors that clearly tie back to real incidents, matter to the business and its risk profile, and are realistically changeable.

Tie each behavior to:

  • the relevant NCSC culture principle (trust, social norms, leadership, etc.),

  • the HumanOS reality (what’s going on in people’s heads in that moment),

  • and the workflow it lives in.

That’s your target list.


3. Design: Build Interventions, Not Just Courses

Now, instead of “we need a course on X,” think:

“What combination of nudges, stories, process tweaks, and leadership moments will make this behavior more normal, easier, and safer?”

For each priority behavior, consider:

  • Learning & content – micro-learning, short videos, stories, not just big modules.

  • Environment & process – can we make the secure action faster or clearer? (e.g., a one-click report button, better forms, pre-filled fields).

  • Social proof & story – can we show “people like you” doing it the right way?

  • Leadership signals – can a manager or exec visibly back this behavior, especially under pressure?

This is where Cybermaniacs’ characters, narrative, and creative content fit beautifully: you’re not just explaining rules; you’re shaping norms and emotions.


4. Run: Launch Like an Operator, Not Just a Broadcaster

When you run campaigns or initiatives, track them like operations, not just communications.

Think in cycles:

  • Who are we targeting this quarter?

  • What specific behavior are we trying to shift?

  • What are the indicators that it’s moving?

Keep your feedback loops tight: watch the metrics and the anecdotes as you go, adjust your content and tactics quickly if something isn’t landing, and use real incidents as learning fuel (with care and anonymization where needed). That way, you’re not just saying “we sent six emails”; you’re able to say, “we’re running a behavior change play in this part of the system—and here’s what we’re seeing.”


5. Prove & Tell the Story: Become Essential to Risk Discussions

Human risk operations means you can tell a story that goes beyond “everyone took training.” Each quarter you should be able to say what you learned about human risk, which behaviors you focused on, what changed (even a little) in perception, behavior, or operations, and what’s next. Framed simply for your CISO and leaders, it sounds like: “Here are our top three human risk signals right now, what we’ve done about them, and where we need your help.” That’s when you stop being “the training person” and become the translator between NCSC-style culture principles, the messy reality on the ground, and the board’s need for clear direction.
How This Connects to NCSC (Even If You’re Not in the UK)

Even if nobody in your org has ever opened an NCSC PDF, the way they talk about cyber security culture is a good proxy for where the whole industry is heading. NCSC’s emphasis on security as an enabler (not just a blocker), trust and openness around reporting, the ability to learn and adapt, healthy social norms, real leadership ownership, and usable guidance and processes lines up with where NIST is moving with human-centric cybersecurity, and with CISA’s push for a “culture of cyber readiness” across leadership and staff. In other words: this isn’t just a UK thing or a nice-to-have—this is the direction of travel for modern security programs everywhere.
Where Cybermaniacs Can Help Awareness Leads Level Up

If you’re reading this thinking:

“Yes, I want to work like this, but I still have the same tiny team, the same platform, and way too little time…”

You’re not alone. This is exactly the gap we built Cybermaniacs to help with.

We typically support awareness leads by:

  • Running NCSC-aligned culture and human risk baselines that you can own and explain, not just “someone else’s report.”

  • Translating that into a prioritized behavior and audience map (your human risk backlog).

  • Co-designing a 12-month human risk operations plan that fits your capacity.

  • Providing the creative engine—stories, characters, interactive content, simulations—that speak to HumanOS and your culture, not just generic training modules.

  • Helping you build a simple scorecard so you can show the CISO, HR, and leadership what’s changing.

The goal isn’t to turn you into a glorified LMS admin. It’s to position you as:

the person who runs human risk operations—the glue connecting people, culture, and controls.


Key Takeaways for Security Awareness Leads

If you remember just a few things:

  • Awareness is no longer “nice content on the side.” It is the human risk engine of your program.

  • To play that role, you have to think in systems, not just courses: HumanOS, workflows, and organizational dynamics.

  • Build a light, repeatable operating model: discover → prioritize → design → run → prove.

  • Tie everything you do back to behaviors, risks, and NCSC-style culture principles, not just content and clicks.

  • You don’t have to do everything at once—but you do have to stop underselling yourself as “the training person.”

Because culture change doesn’t start with a mug or a module.
It starts when someone like you says:

“I don’t just run awareness. I run human risk operations.”
