
Hacking Minds and Shaping Behaviors

Hacking Minds and Shaping Behaviors (PDF, 10.97MB)
Last updated: 14 Aug, 2025
Presented by:
Leandro Rocha

Building a lasting security culture is a big challenge, especially when many users lack the motivation to change their habits.

In this presentation, I will explore how principles of neuroscience, behavioral psychology, and practical learning can enhance engagement, improve knowledge retention, and drive lasting behavioral change within cybersecurity awareness programs.

This approach is grounded in real-world practice, developed and implemented during my role as Security Awareness Officer at Flamengo, one of Brazil’s largest soccer clubs, with over 40 million supporters.

We’ll break down three of the most common hurdles faced by cybersecurity awareness managers—and the science-backed techniques to overcome them.

1. Knowledge retention: How to prevent information from being forgotten?

One of the greatest challenges in any security awareness training program is ensuring that knowledge is retained over time rather than quickly forgotten. The human brain learns more effectively when information is delivered in a spaced, interactive format rather than through a single, intensive training session. In this session, I will explore how neuroscience-based learning techniques—such as spaced repetition, short and frequent simulations, quizzes, prior knowledge activation, multisensory learning (Visual, Auditory, and Kinesthetic), and gamification—can enhance information retention and elevate your program from a simple compliance requirement to a truly impactful experience for your users.

2. Behavioral change: how to turn knowledge into action?

Knowing is not the same as doing. To drive meaningful behavior change, applying BJ Fogg's behavior model to the security awareness training program can be highly effective. We will explore the importance of understanding your audience, identifying their motivations and expectations, providing immediate feedback and positive reinforcement, setting progressively challenging goals, and leveraging social recognition. These strategies are essential for making secure behaviors second nature.

3. Emotional engagement: How to get users to care?

Traditional training programs often fail because they lack an emotional connection. True engagement occurs when employees feel like an integral part of the process. I will explore how techniques designed to create stimuli and encourage interaction, such as gamification, storytelling, and social dynamics, can cultivate authentic involvement, spark curiosity, and reinforce each individual's role as a key player in the organization's defense, making awareness initiatives more dynamic, engaging, and rewarding.

In addition to addressing these challenges, I will share lessons learned and present key metrics and KPIs for evaluating the impact of these techniques, such as phishing report rates, training participation rates, and engagement rates.
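As an added illustration of how the metrics above can be computed from program data (this is example code written for this page, not material from the talk or from Flamengo's program), the following Python script derives per-campaign click rate, report rate and median time-to-report from phishing simulation records, plus training participation and an overall engagement rate. All records are constructed sample data; the audience size (HEADCOUNT), the record layouts, and the definition of "engagement" as any voluntary action (reporting a simulation or completing a module) are assumptions, since the talk does not fix those definitions.

```python
"""Awareness-program KPIs computed from constructed sample records (added example)."""
from collections import defaultdict
from statistics import median

# Constructed sample data, not real results.
# Phishing simulations, one row per recipient per campaign:
# (campaign, user, clicked, reported, minutes_to_report or None)
SIMULATIONS = [
    ("2025-Q1", "alice", False, True, 5),
    ("2025-Q1", "bob", True, False, None),
    ("2025-Q1", "carol", True, True, 40),   # clicked, then reported anyway
    ("2025-Q1", "dave", False, False, None),
    ("2025-Q1", "erin", False, True, 12),
    ("2025-Q1", "frank", True, False, None),
    ("2025-Q2", "alice", False, True, 3),
    ("2025-Q2", "bob", False, True, 20),
    ("2025-Q2", "carol", False, True, 8),
    ("2025-Q2", "dave", True, False, None),
    ("2025-Q2", "erin", False, True, 6),
    ("2025-Q2", "frank", False, True, 15),
]
# Training completions: (module, user). Constructed.
TRAINING = [
    ("phishing-basics", "alice"), ("phishing-basics", "bob"),
    ("phishing-basics", "carol"), ("password-hygiene", "alice"),
    ("password-hygiene", "dave"), ("password-hygiene", "erin"),
]
HEADCOUNT = 8  # assumed size of the target audience


def campaign_kpis(records):
    """Per-campaign click rate, report rate and median minutes-to-report."""
    by_campaign = defaultdict(list)
    for campaign, _user, clicked, reported, minutes in records:
        by_campaign[campaign].append((clicked, reported, minutes))
    kpis = {}
    for campaign, rows in sorted(by_campaign.items()):
        n = len(rows)
        report_minutes = [m for _c, r, m in rows if r and m is not None]
        kpis[campaign] = {
            "recipients": n,
            "click_rate": sum(c for c, _r, _m in rows) / n,
            "report_rate": sum(r for _c, r, _m in rows) / n,
            "median_minutes_to_report": median(report_minutes) if report_minutes else None,
        }
    return kpis


def sustained_reporters(records):
    """Users who reported in every campaign they received: a sign the habit stuck."""
    received = defaultdict(set)
    reported = defaultdict(set)
    for campaign, user, _clicked, did_report, _m in records:
        received[user].add(campaign)
        if did_report:
            reported[user].add(campaign)
    return sorted(u for u in received if received[u] == reported[u])


def participation_rate(training, headcount):
    """Share of the audience that completed at least one training module."""
    return len({user for _module, user in training}) / headcount


def engagement_rate(records, training, headcount):
    """Share of the audience that took any voluntary action (assumed definition):
    reported at least one simulation or completed at least one module."""
    active = {user for _module, user in training}
    active |= {user for _c, user, _clicked, did_report, _m in records if did_report}
    return len(active) / headcount


def trend(kpis, key):
    """Change in a KPI from the first to the last campaign (positive = increased)."""
    ordered = [kpis[c][key] for c in sorted(kpis)]
    return ordered[-1] - ordered[0]


if __name__ == "__main__":
    k = campaign_kpis(SIMULATIONS)
    for campaign, values in k.items():
        print(campaign, values)
    print("report-rate trend:", round(trend(k, "report_rate"), 3))
    print("sustained reporters:", sustained_reporters(SIMULATIONS))
    print("participation:", participation_rate(TRAINING, HEADCOUNT))
    print("engagement:", engagement_rate(SIMULATIONS, TRAINING, HEADCOUNT))
```

Tracking the per-campaign figures over successive short simulations (rather than a single annual exercise) is what lets the spaced, repeated format described above be evaluated: the report-rate trend and the set of sustained reporters show whether reporting is becoming a habit, while click rate alone can improve without anyone learning to report.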

Key Takeaways

By the end of the presentation, participants, regardless of their organization's size or maturity level, will have practical insights and tools to:

- Apply neuroscience and behavioral psychology methodologies in information security programs;

- Make the program more attractive and engaging, increasing user participation;

- Improve knowledge retention and content assimilation;

- Promote lasting and effective behavioral changes by encouraging the adoption of secure habits in daily routines, empowering users to actively assist the company in mitigating real-world risks; and

- Measure the program’s impact using concrete metrics and data.

SANS Security Awareness Summit 2025