There are many variations of passages of Lorem Ipsum available, but the majority have suffered alteration in some form, by injected humour believable.

4140 Parker Ave, St. Louis, MO 63116


      Cognitive Dissonance: Why Employees Break Security Rules

      Security failures are rarely about ignorance. Understand the psychology behind the gap between knowing and doing, and six ways to close it.

      Shortcuts:

      Cognitive dissonance: why employees know the rules and still break them

      Security failures are rarely caused by ignorance. More often, people know what they should do, and choose differently. Understanding the psychological mechanism behind that gap is the key to training that actually changes behavior.

      With Martin Karlqvist, Online Behavior Specialist at Nimblr. Martin is a certified psychologist focusing on human behavior in IT security and security awareness, and contributes to Nimblr's course content as part of the content team.

      In this article:

      What cognitive dissonance is and why it matters for security

      The four paradigms, with security examples for each

      The "it won't happen to me" problem

      Six strategies to reduce dissonance in your team

      Why Nimblr's approach is built around this science

      The gap between knowing and doing

      Ask most employees whether they know they shouldn't reuse passwords. They will say yes. Ask them whether they do it anyway. Many will admit they do. That gap, between knowing the right behavior and actually doing it, is not a training failure. It is a psychological one. And it has a name: cognitive dissonance.

      Cognitive dissonance, first described by psychologist Leon Festinger in 1957, is the mental discomfort a person feels when they hold two contradictory beliefs, or when their actions contradict their beliefs. The important insight is what happens next: the brain doesn't simply accept the discomfort. It works to eliminate it, usually by rationalizing the behavior rather than changing it.

      For IT leaders and security managers, this is critical to understand. If your training simply tells people what the right behavior is, it may actually be arming them with better rationalizations, not changing what they do.

      The brain's first instinct when confronted with dissonance isn't to change behavior. It is to find a reason why the behavior is acceptable.

      Four paradigm

      The four paradigms, and what they look like in your organization

      Cognitive dissonance research has identified several distinct patterns through which people reconcile conflicting beliefs and behaviors. Each has a direct parallel in how employees behave around security.

      Paradigm 1: Belief disconfirmation

      When people encounter information that contradicts a strongly held belief, they often dismiss or reframe it rather than updating their belief. The new information is treated as the problem, not the belief itself.

      In security, this looks like: an employee who considers themselves tech-savvy is told they are at risk from phishing. Rather than accepting the risk, they dismiss it: "Those attacks are obvious; I'd never fall for something like that." The training has reinforced their confidence, not reduced their vulnerability. This is one reason lecture-style awareness courses can backfire with technically experienced employees.

      Paradigm 2: Induced compliance

      When people are required to act in a way that contradicts their beliefs, especially for small or insufficient reward, they often change their attitude to align with the action, justifying it after the fact.

      In security, this looks like: an employee clicks through mandatory compliance training they find irrelevant. Rather than engaging with the content, they complete it as fast as possible and conclude: "This stuff doesn't really apply to my job." The requirement has produced compliance, but not the attitude change that makes compliance meaningful. Mandatory training without relevance can deepen disengagement.

      Paradigm 3: Free choice justification

      After making a decision, especially an irreversible one, people tend to exaggerate the positives of their choice and downplay the negatives, reducing post-decision dissonance.

      In security, this looks like: an employee reuses the same password across multiple accounts because creating unique ones feels inconvenient. After doing so, they rationalize: "My accounts aren't interesting enough to target." The decision has already been made, and the brain is now working to justify it rather than reverse it. This is why telling people their behavior is risky after they have already adopted it is rarely effective.

      Paradigm 4: Effort justification

      People assign greater value to things they have worked hard for. Conversely, things that required no effort are subconsciously devalued, even if they are objectively important.

      In security, this looks like: a security policy that took five minutes to acknowledge is treated as less important than one that required a full-day certification. This is a double-edged challenge for micro training: the short format increases completion rates, but content and delivery need to actively signal that the topic matters, through relevant examples, realistic simulations, and immediate consequence when someone gets it wrong.

      The "it won't happen to me" problem

      Virtually every employee, if asked, knows that cyberattacks are real and that organizations like theirs get breached. Yet most also believe, at some level, that they personally are unlikely to be the one who causes it.

      This optimism bias is a form of dissonance reduction. It allows people to hold the belief "cyberattacks are serious" alongside the behavior "I don't need to be especially careful" without significant discomfort. Training that presents threat statistics without making the threat feel personal consistently fails to bridge this gap.

      What does work: simulated attacks that create a personal, first-hand experience of nearly failing, not a slide deck explaining that others have failed.

      Six strategies

      Six strategies for IT leaders to reduce dissonance

      Make the threat personal, not statistical. Generic breach statistics don't move people. A simulation that shows an employee they nearly clicked a phishing link creates the emotional salience that lectures can't.

      Give people agency and choice. Post-decision dissonance is reduced when people feel they chose the right behavior rather than having it imposed. Frame security as enabling work, not restricting it.

      Reinforce positively, not punitively. Punishment increases dissonance and leads to rationalization. Positive reinforcement of good behavior, such as reporting a suspicious email or catching a simulation, aligns attitudes with actions.

      Address dissonance directly. Name it. "We know it feels unlikely to happen to you. Here's why that feeling itself is part of the problem." Naming the mechanism reduces its unconscious influence.

      Use social proof thoughtfully. Seeing peers report phishing attempts normalizes the behavior. Social proof works because it reduces post-decision dissonance: if others are doing it, it must be the right choice.

      Build continuous small commitments. Each completed micro training creates a small behavioral commitment. Over time these accumulate: people who consistently complete training are more likely to behave consistently with its content.

      How Nimblr applies behavioral science

      Nimblr's platform wasn't designed as a compliance checkbox. It was built by behavioral experts, learning designers, and security experts specifically to address the mechanisms that make security awareness hard. Every design decision reflects what we know about how people actually change: not through information overload, but through repeated, personally relevant, emotionally salient experiences.

      Phishing simulations create the safe-failure moment that produces real attitude change. Micro Training delivers one relevant concept at a time, avoiding the cognitive overload that produces dismissal. Immediate feedback, presented without blame, converts the discomfort of nearly failing into a learning moment rather than a defensive rationalization. And behavioral change is what the whole platform is measured on.

      This is what Martin Karlqvist and Nimblr's behavior science team work on every day: turning what psychology knows about human decision-making into training that actually works.

      Want training that addresses the psychology, not just the content? Book a demo.

      FAQ

      FAQ: Cognitive dissonance in security

      What is cognitive dissonance?

      Cognitive dissonance is the psychological discomfort experienced when a person holds two contradictory beliefs, or when their actions contradict their beliefs. The concept was introduced by Leon Festinger in 1957. People are motivated to reduce the discomfort, usually by rationalizing behavior rather than changing it, which has significant implications for how security training is designed.

      Why does security training often fail even when employees complete it?

      Because completion and behavior change are different things. Cognitive dissonance explains why people can understand the right behavior and continue doing the wrong thing: the brain finds it easier to rationalize existing habits than to change them. Training that doesn't create personally relevant, emotionally salient experiences tends to produce rationalization rather than attitude change.

      What is optimism bias in cybersecurity?

      Optimism bias is the tendency to believe you are less likely than average to experience a negative event: in security terms, less likely to be the one who clicks a phishing link. It lets people acknowledge real threats while exempting themselves from them. Simulated phishing attacks counter it effectively because they create direct, personal experience of nearly failing.

      How should security managers respond when employees rationalize risky behavior?

      Confrontation tends to deepen dissonance and entrench rationalization. More effective: acknowledge that the risk feels remote, explain the mechanism of optimism bias directly, provide concrete personal examples such as simulation data from the employee's own behavior, and use positive reinforcement rather than blame.

      Author
      Nimblr Security Awareness
      Nimblr Security Awareness
      The Nimblr team is made up of people who are passionate about cyber security, developing training for real people, and tracking behavioral change.
      Get a personalized demo session at your convenience. Book a demo and let one of our experts walk you through Nimblr solution, the platform, and how quickly you can get started.