

Making Cyber Security Stick
A practical approach to cyber security culture change
Make cyber risk visible: identify root causes, prioritise the right changes with What-If analysis, and track results.
When the controls are in place — but...
Most organisations invest heavily in cyber security tools and controls, and still get caught out by avoidable incidents.
The gap isn’t effort. It’s that secure behaviour is shaped by the system people work in: leadership cues, work pressure, policies, processes and technology design. The PYXIS Platform helps you identify the drivers and root causes of human risk, prioritise what to change using What-If analysis, and track leading indicators over time.
Why cyber security programmes stall
If you’re doing ‘the right things’ but outcomes aren’t improving, you’ll usually see one or more of these patterns:
Strong technical controls, but risky workarounds in day-to-day operations
Training completion is high, but reporting and secure practice don’t stick
Security is seen as a technology issue, not a business risk enterprise-wide
Board updates are detailed and technical, but don’t lead to better decisions
Blame culture keeps people from speaking up
This is where culture becomes practical
Cyber security culture is the set of organisational conditions that shape how people prioritise and act on cyber risk — especially when no one is watching!
When these drivers point in different directions, human risk rises — even with good technology. Culture includes and connects drivers like:
Leadership behaviour • Policy design • Tool usability • Time pressure • Peer norms • Supervision • Reporting climate • Third-party practices
How the PYXIS Platform works
See the map
Map cyber risk across people, policies and technology. Identify the hotspots driving human risk.
Target change
Identify the root causes of human risk and use What-If analysis to prioritise the fixes that reduce risk fastest.
Prove impact
Track leading indicators and KPIs so leaders and boards can see improvement before incidents occur.
What we typically find
Even in mature cyber security programmes, human risk usually comes from the system people work in, not a lack of awareness or intent. Common patterns include:
Controls that create workarounds
MFA or access steps slow work, so shortcuts appear.
Reporting hesitation
Suspicious emails go unreported due to blame or uncertainty.
Policy and process complexity
Access and data rules don’t fit real workflows.
After-incident leadership focus
Leaders focus after breaches, not on day-to-day risk.
Tool friction and support gaps
Slow IT support drives insecure sharing and shadow tools.
Third-party exposure
Supplier access and handoffs create risk without clear ownership.
What you can measure
PYXIS helps you move beyond lagging incident metrics by tracking leading indicators that show whether cyber risk is rising or falling:
Reporting rate and time-to-report
Suspicious emails, credential issues, near-misses, and policy exceptions.
Workarounds by process or control
Where access controls are bypassed to get work done.
Policy adoption versus friction
Where data handling rules create delays, confusion, or avoidance.
Tool usability and support responsiveness
How security tooling affects work speed, errors, and workarounds.
Leadership reinforcement signals
How often leaders reinforce cyber priorities in operational forums.
Third-party risk indicators
Supplier access, privileged accounts, and control compliance trends.
Cyber security case study
How PYXIS compares
Most organisations use a mix of approaches. PYXIS doesn’t replace them — it helps you understand what’s driving human risk and where change will have the biggest impact.
Good for:
Building baseline cyber awareness and reinforcement. Useful for onboarding, regular refreshers, and measuring training completion and phishing simulation outcomes.
Often misses:
Click rates show symptoms, not causes. They rarely reveal the organisational drivers behind workarounds, under-reporting, and repeated human-risk exposure.
What PYXIS adds:
Identifies root causes across people, policies and technology. Prioritises the changes that reduce human risk at source and improves leading indicators over time.
Good for:
Reducing attack surface, enforcing controls, and detecting suspicious activity. Essential for prevention, visibility and incident response across the environment.
Often misses:
Controls can add friction. When secure ways of working slow people down, workarounds appear and human risk increases in day-to-day operations.
What PYXIS adds:
Maps where policies, processes and technology create friction and hotspots. Prioritises fixes that reduce workarounds and strengthen cyber resilience at source.
Good for:
Setting standards, accountability and assurance. Useful for clarifying expectations, supporting audits, and strengthening cyber governance at leadership level.
Often misses:
Frameworks show what “should” happen, not what does happen. They rarely explain why issues repeat or which cultural drivers are undermining secure practice.
What PYXIS adds:
Connects governance to measurable culture drivers and leading indicators. Helps leaders prioritise change and evidence improvement beyond compliance.
Good for:
Aligning stakeholders and kick-starting change. Helpful for shaping strategy, building engagement, and surfacing issues through interviews and workshops.
Often misses:
Momentum can fade once the programme ends. Without measurement, it’s hard to prioritise actions or prove impact beyond narrative.
What PYXIS adds:
Provides ongoing insight into drivers and root causes across people, policies and technology. Uses What-If analysis and dashboards to sustain progress over time.
FAQs
Improving cyber security culture with PYXIS
Cyber security culture is the set of organisational conditions that influence secure behaviour — leadership cues, policies, processes, tools, incentives and norms.
No. Training can help, but culture change targets the system that makes secure behaviour practical and sustainable.
Because secure processes can add friction. When speed and productivity pressures compete with controls, people adapt.
The upstream conditions creating risk: policy design, tool usability, work pressure, supervision, peer norms, leadership reinforcement, and cross-functional handoffs.
It helps leaders prioritise. Instead of doing everything, you can model which changes will deliver the biggest improvement and where effort will be wasted.
Yes. Visual mapping and leading indicators make cyber risk easier to discuss and govern without drowning in technical detail.
No. The work can be confidential. The value is clarity for internal decision-making and governance.
Leading indicators often move earlier than incident rates, giving leadership feedback and control sooner.
No. PYXIS helps you get more value from them by reducing the cultural and systemic drivers that undermine outcomes.
Any organisation where human risk and operational trade-offs materially shape cyber outcomes — especially regulated, complex, or multi-site environments.


