Human risk management

Knowledge-behavior gap

The empirically documented gap between what employees know about cybersecurity and what they actually do at the moment of decision.

The knowledge-behavior gap is the empirically documented distance between what an employee knows about cybersecurity — what they would answer correctly on a quiz — and what they actually do when faced with a real decision in their inbox, their browser, or their SaaS console. It is the single most important reason the legacy Security Awareness Training category is being replaced by Human Risk Management.

The gap shows up across every dataset that has ever measured both knowledge and behavior on the same population. The widely cited figure — 78% of employees say they understand cybersecurity risks, yet 56% still take actions they know are risky — comes from the 2024 Behavioral Cybersecurity Report by behavior-research firms aligned with the Gartner SBCP guidance. Verizon’s Data Breach Investigations Report triangulates the same conclusion from the breach side: the human element has accounted for between 68% and 82% of breaches every year since 2020, even as awareness-training spend has grown.

The structural drivers of the gap are well understood:

  • Forgetting curve. Ebbinghaus’s 1885 research, replicated extensively since, shows that single-session learning decays sharply within days. Annual training is structurally inconsistent with how memory works. See forgetting curve.
  • Cognitive load at the moment of risk. When an employee is asked to act on a possibly malicious email, they are usually multitasking, behind on a deadline, or context-switching. Recalled knowledge competes with attentional bandwidth and loses.
  • Social pressure beats policy. A request that looks like it comes from the CFO triggers compliance to the social signal, even when the employee “knows” to verify channel changes. This is the heart of business email compromise.
  • No feedback loop. Traditional training never tells the employee whether their last real action was correct. Without feedback, there is no learning — only opinion.

Closing the gap requires intervening on the behavior itself, not on what the employee knows. That is what a nudge does, what a behavioral KPI measures, and what a behavior baseline lets you compare against over time.

Engarde (engarde.cc) treats the knowledge-behavior gap as the platform’s North Star metric: every shipped feature has to either widen the set of risky behaviors observed, or shorten the time between detection and corrective nudge.
