Imagine this: you are a part of a security team that has invested heavily in cybersecurity technology, layered defenses and rigorous training for your team. Yet a single click on a phishing email from an unsuspecting employee at your organization could still open the door to a serious incident. If so, you’re not alone.
Even though you’ve put security measures in place, held training sessions and distributed awareness posters, security incidents keep happening. But why? Because real security isn’t just about what employees know. It’s about how they feel about their responsibility in protecting your organization. It also about how they react when faced with a threat. In cybersecurity, knowledge without behavior change is incomplete.
Today’s threat landscape is more complex than ever with cybercriminals constantly refining their tactics to exploit human vulnerabilities. However, there is good news: People can become your most effective line of defense. When employees feel empowered and engaged in their role as defenders, they shift from being potential security risks to proactive protectors. How do you get them to that place? You need a systematic, people-first approach to building a security culture.
This is where the Proofpoint DICE framework comes into play. DICE stands for detect, intervene, change behavior and evaluate. In this blog post, we’ll explore each of these components. We’ll also talk about the psychology behind this framework—and how it empowers organizations to create resilient security cultures. It doesn’t matter if you're a seasoned security leader or just starting to build a positive security culture, this guide offers actionable insights into achieving long-term behavior change. Let’s dive in.
What is DICE?
Our experience working with organizations across industries has taught us that effective behavior change begins when you can detect the people who are most at-risk from threats or those who are most likely to engage in unsafe behaviors and intervene in a timely way. Part of this is tailoring educational experiences to align to each person’s vulnerabilities. You also need to continuously evaluate and improve your program’s impact.
That’s why DICE makes such a difference. It goes beyond traditional security training, which relies on a one-size-fits-all approach. Instead, it provides employees with continuous, contextually relevant guidance that helps them to develop lasting habits.
There are four steps in the Proofpoint DICE framework.
Steps in the Proofpoint DICE framework.
Step 1: Detecting human risk—the heart of effective behavior change
The first step is detecting human risk, which is based on threat context and behavioral choices. What’s most important here is to identify and understand organizational, departmental and individual risk.
Why detection matters
The journey toward effective security behavior change starts with a deep understanding of human risk. Who in your organization is most vulnerable to cyber threats? Which employees continually take risky actions? And why do they do this? Traditional security awareness programs often lack this level of precision. Instead, they treat everyone as if they face the same risks and need the same training.
During this phase, organizations must quantify and analyze several key risk factors. This helps them to build a comprehensive view of each employee's risk posture. This is crucial because when programs don’t use targeted insights, they can become unfocused and less impactful. Content that’s one-size-fits-all may not resonate with high-risk users that face unique challenges.
Here’s how to build an effective strategy for detecting risk:
- Analyze behavior. When you analyze real-world behaviors, you can see that some people are more susceptible to security threats than others. Just consider how activities can reveal whether someone is high-risk. If they click on a suspicious link, respond to an unknown sender or share confidential data with an unauthorized recipient, then they are a higher risk than someone who doesn’t. Security teams can use this insight to create targeted education that directly addresses an individual’s risky patterns. This gives them the skills to make safer choices in the future.
- Assess knowledge gaps. Regular, targeted assessments provide key insights. Not only do they reveal how well employees understand security principles, but they also help to identify where they lack knowledge. For example, quizzes or short surveys can highlight specific gaps in understanding, like how to avoid social engineering tactics or the best practices for handling data. When security teams know which employees need help with critical areas, they can provide them with foundational awareness on those topics.
- Assess vulnerability to real-world threats. Threat simulations—such as QR code scams, credential phishing and SMS phishing—can be used during the assessment process. This helps reveal employees' vulnerability to real-world attacks. By observing responses, security teams gain a more accurate view of each person’s weaknesses. True-to-life assessments help teams prioritize interventions. Thus, they can focus on the individuals who need more practice identifying specific threats.
- Evaluate security beliefs and attitudes. Security awareness isn’t just about knowledge and skills. It’s also about mindset. Cultural assessments and surveys can help security teams get insight into employees’ attitudes toward cybersecurity and whether they view it as a shared responsibility. For example, questions about how they perceive their role in the organization’s security can uncover key cultural factors that may increase their vulnerability. It’s crucial to address these beliefs so that a more security-conscious attitude can be fostered.
Why context matters
Context is needed to effectively detect risk. It enables a more tailored and impactful approach to behavior change. And it ensures that interventions are relevant to the unique challenges each employee faces.
For example, an executive who makes high-stakes decisions might encounter different risks than an entry-level employee who has limited access to sensitive data. This is one reason why the detection process should consider each employee’s job role. It should also take into account their level of access as well as their exposure to external threats.
Step 2: Intervening—turning insight into action
The second step is providing users with relevant content to inform and qualify their risk.
Moving from detection to intervention
Once you’ve identified high-risk employees, the next step is to guide them toward safer behaviors. In this phase, employees should be offered personalized, contextual guidance. This should happen at the point that they behave in a risky way or encounter a threat. Alternatively, at a minimum, they should automatically be enrolled in an educational curriculum that directly relates to what they did that was risky.
Strategies for intervening effectively
To create a more targeted approach to behavior change, it’s important to track and adaptively place employees into groups, which are based on their roles, behaviors and risk profiles.
Here’s how:
- Provide timely, contextual alerts and guidance. Real-time alerts about emerging threats allow employees to make informed decisions when faced with potential risks. Email Warning Tags are a great example of a timely intervention that provides information about the suspicious nature of an email. This nudge can help guide an individual to not respond or to report the message if they know that they have never interacted with this sender before. These proactive alerts ensure that employees receive the support that they need at the moment of risk, preventing incidents before they occur.
- Automatically enroll people into tailored learning paths. Security teams can intervene in a targeted way by developing learning paths that are based on individual behavior, threat context and risk profiles. For example, high-risk employees who are targeted by a specific threat can be assigned a curriculum that coaches them on how to recognize that threat. Meanwhile, employees who carelessly share confidential data with unauthorized people can get refreshers on data security best practices. This approach ensures that employees receive the right amount of guidance according to their unique needs. It also increases the chances that their habits will change.
Step 3: Changing behavior—using continuous, real-world training
In this step, users are motivated to change their behavior so that it’s more secure. Good choices are reinforced.
The science of behavior change
Behavior change doesn’t happen overnight. Rather, it’s the result of consistent, deliberate practice that is informed by key principles from behavioral science. This phase combines proven learning techniques to embed secure practices into employees’ everyday actions. This, in turn, helps them to form lasting habits.
Key components of continuous education
- Spaced practice. Spaced practice is a study technique that involves learning over time. These are shorter, more frequent sessions so that information isn’t crammed in all at once. This aligns well with micro-learning and nano courses. It gives employees the opportunity to revisit security concepts periodically, allowing them to absorb information in manageable doses so that they can retain it over the long term. This approach builds a strong foundation for behavior change, making secure actions more natural and habitual.
- The testing effect. The testing effect is a learning principle where students are asked to actively retrieve what they’ve learned by taking quizzes, tests or other assessments. This improves their long-term memory. In the context of security education, this aligns perfectly with phishing simulations and regular assessments. As employees actively engage with realistic phishing exercises and knowledge quizzes, they recall security best practices. These repeated experiences help to solidify their ability. As a result, secure behaviors more instinctive when they’re faced with real-world attacks.
- The doer effect. The doer effect says that students are more likely to remember something when they apply it to real life. They learn through doing—not passively absorbing information. When it comes to security education, this principle is applied through interactive training modules and gamified learning experiences. As employees participate in hands-on activities—such as simulations, role-playing scenarios and competitive challenges—they gain practical experience. Gamified elements like point systems, achievements and leaderboards also enhance motivation. This makes learning both memorable and enjoyable.
Creating lasting change through active learning
These principles ensure that training is designed in a way that’s not only meant to educate but to also create lasting behavior change. Together, they create a culture of active learning where secure behaviors become second nature. Through frequent, engaging and realistic training experiences, employees gain the confidence and reflexes that they need to respond securely to threats.
Step 4: Evaluating effectiveness—measuring what matters
In this step, you evaluate the effectiveness of your program. Then, you refine your strategy according to your results.
Why evaluation matters
Meaningful data is essential to understand the impact of a behavior change program. This phase must provide metrics that assess behavior change efforts. And it should demonstrate to stakeholders that the program has real value.
Key metrics for measuring success
- Real-world behavior analysis. Both positive and negative real-world behaviors provide essential insights into a program’s impact on human risk. When organizations track these behaviors, they can understand the real-world impact of their security awareness efforts. This approach enables a proactive, data-driven strategy to human risk management.
- Positive behaviors—like consistently reporting suspicious emails and avoiding risky actions—show that an employee’s risk level has been reduced. What’s more, they show that secure behaviors are becoming ingrained and that their individual risk profile is lower. This means that the organization’s overall risk is reduced too.
- Negative behaviors—like ignoring security guidelines even after a course is complete—show that the risk level is increasing. Security teams can analyze these patterns and adjust education to address specific vulnerabilities. Employees who continue to behave in risky ways should be a priority. And when they do show any positive actions, their behaviors should be reinforced.
- Suspicious email reporting metrics. It’s essential to track user reporting rates and reporting accuracy. These metrics help security teams evaluate how well a program is helping to change user behavior. They provide a complete picture of behavior change. And they show that training is strengthening an organization's human defense layer.
- Reporting rate measures how often employees report suspected phishing or suspicious activity. It indicates how vigilant and proactive they are when it comes to defending the organization.
- Reporting accuracy measures how well employees correctly identify actual threats versus false positives. It shows that their skill is growing skill when it comes to identifying genuine risks.
- Benchmarking and industry comparisons. When organizations measure how well their security culture performs against industry standards, they can better assess it within a broader context. This is called benchmarking. And it provides a valuable perspective on program effectiveness. It helps organizations understand where they stand relative to their peers.
Conclusion: building a resilient security culture
Changing security behavior is a complex and ongoing process. People must be more than just aware of security practices—they must also be engaged. To get there, security education must be both relevant and continuously measured.
The DICE framework helps organizations transform their education. It does this by providing a structured, effective way to make security awareness into something that creates lasting behavior change.
By following the framework, organizations can create a security culture that isn’t just about being aware but about being resilient. Employees become active partners in defending against threats. This, in turn, actively reduces an organization’s risk and enhances its security posture.
How Proofpoint can help
Proofpoint is committed to helping you build a proactive, behavior-based security program. Through the DICE framework and tools like ZenGuide, People Risk Explorer, Adaptive Groups and the Adaptive Learning Framework, we provide everything you need to guide your team toward lasting security behavior change.
If you’re ready to make the shift from awareness to action, connect with us. Together, we can work to reduce your human risk and create a culture of resilience.