
Do you ever click on something you know you shouldn’t?
I do.
And so do your colleagues. Your boss. Your team. Pretty much everyone.
Not because we’re ignorant. Or because we haven’t been through training. But because in the moment, instinct wins.
That sentence – "you’re not fighting ignorance, you’re fighting instincts" – popped out of my mouth during a Q&A last week.
And I’ve been thinking about it ever since. Because it captures something that sits at the heart of every awareness program that doesn’t quite work.
We assume that people do risky things because they don’t know better. But what if the opposite is true? What if they do it even though they know better?
Enter: the Stone Age brain
Our brains haven’t updated much since the days we had to dodge wild animals and forage for berries. The world, however, has moved on.
Fast-forward a few thousand years, and we’re juggling Outlook calendars and Slack notifications while fending off phishing emails and compliance checklists. But our brain still runs on the same basic principles:
- Quick is better than slow
- Familiar is safer than unfamiliar
- Don’t overthink, just act
Which is great for survival. But not so great when the “threat” is a fake invoice or a "CEO" asking you to buy gift cards.
Security risk isn’t about information
Here’s the uncomfortable truth: Most people in your organization already know what they should do.
The problem is, we keep treating secure behavior like a knowledge problem.
It’s not. It’s an instinct problem. A habit problem. A friction problem.
You can teach policies until you’re blue in the face. But when instinct kicks in, people fall back on what feels easiest, fastest, or most familiar.
That’s why we need to stop focusing on what people know – and start designing for what people do.
So what does that actually mean?
It means:
- Making the secure action the path of least resistance
- Reducing the friction that leads people to insecure choices
- Reinforcing behavior instead of just repeating rules
- Training people to act, not just understand
Because here’s the thing: You don’t change behavior with facts. You change it by working deliberately with the context people act in, the culture they’re part of, and the behaviors you reinforce. Structure matters. Positive reinforcement works.
And culture? That’s your most powerful lever!
Ask the better question
The next time someone in your organization clicks on something they shouldn’t, resist the urge to ask, "Didn’t they know better?"
Instead, ask: "What made that choice feel like the right one in the moment?"
That’s the question that will move your culture forward.
Because you’re not fighting ignorance. You’re fighting instincts!
Want to work in a structured way with a brain-friendly cyber security culture in your organization?
Check out my Masterclass in Cyber security culture