The Knowledge-Behavior Gap in Cybersecurity: Why Awareness Does Not Equal Compliance
APA Citation
Hale, D. & Russo, F. (2023). The Knowledge-Behavior Gap in Cybersecurity: Why Awareness Does Not Equal Compliance. *MIS Quarterly*. https://doi.org/10.25300/MISQ/2023/17456
What Did This Cybersecurity Research Find?
This cybersecurity behavior study measured the gap between what employees know about security policies and what they actually do, using objective behavioral tracking across 4 organizations. Cybersecurity awareness scores and actual secure behavior correlated at only r = 0.21, meaning that knowing the rules did not reliably predict following them.
Key Findings
1. Knowledge-behavior correlation was only r = 0.21 across the sample
2. Habit formation and environmental cues predicted behavior better than knowledge scores
3. Employees who experienced a personal security incident showed the strongest behavior change
4. Default-secure configurations reduced reliance on individual behavior by 56%
5. Social norms (seeing peers follow security practices) were a stronger behavior predictor than training completion
How Does This Apply to Cybersecurity Careers?
Security awareness professionals need to design programs that change behavior, not just increase knowledge. This finding challenges assumptions underlying most training programs.
Who Should Read This?
Frequently Asked Questions
Where was this cybersecurity research published?
This study was published in MIS Quarterly in 2023. The DOI is 10.25300/MISQ/2023/17456. Access the original paper through the publisher link above.