Your people are part of your attack surface.
Can you prove they're ready?
Most breaches already involve people. AI enables personalized attacks at scale. Regulators demand proof, not compliance theater.
Your journey with SafeHabits
Evolve from compliance-driven awareness to measurable human risk management.
Become compliant
Available
Establish a baseline security culture and ensure people know how to act.
You are here if
- Security awareness is ad hoc or newly introduced
- You need to pass an audit or meet a framework
- You need a reliable way to run awareness without internal overhead
- A single, fully managed campaign to establish your human security baseline
- 7 core security habits for all employees
- Participation, completion, and acknowledgement tracking
- Audit-ready evidence mapped to one framework (SOC 2, ISO 27001, NIS2, or NIST CSF)
- Fully managed campaign delivery
- Auditor-ready report and evidence export (CSV, JSON)
Run a security program
Available
Make security behavior visible and measurable for leadership.
You are here if
- Security awareness runs regularly but impact is unclear
- Leadership lacks visibility into effectiveness
- You need to meet NIS2 governance requirements
- Continuous program delivery throughout the year
- 7 employee security habits + 3 governance habits for leadership
- Support for onboarding new employees and evolving user base
- Coverage across SOC 2, ISO 27001, NIS2, and NIST CSF
- Effectiveness measurement, including trend analysis and campaign comparison
- Normalize reporting and remove stigma around security mistakes
- Fully managed program delivery
- Leadership and board-level reporting (including PPT-ready outputs)
- Auditor-ready report and evidence export (CSV, JSON)
Manage human risk
Planned
Turn human risk into a managed, decision-ready security domain.
You are here if
- Human risk exists in isolation from your overall security and risk strategy
- Leadership cannot act on human risk data at board level
- You need to integrate human risk into your overall risk management and GRC stack
- All stage 2 capabilities included
- Human risk identification, scoring, and prioritization with actionable treatment plans
- Benchmark your organization against peers based on aggregated human risk data
- Mapping of human risks to supporting technical controls
- Board-level reporting on human risk exposure
- Continuous updates on evolving human-targeted threats
- Identification of security champions and high-risk groups
- Enterprise support: GRC integration, SSO/SAML, self-managed dashboard
How SafeHabits works
SafeHabits builds a security culture where people recognize threats, know how to act, and leadership can make decisions based on real human risk data.
- Bite-sized lessons that fit into the workday
- Scenario-based learning anchored in real-world attacks
- Visual progress and positive reinforcement
- Removes stigma around reporting mistakes and incidents

DESIGNED FOR REAL WORKDAYS
- Short, self-paced lessons - pick up where you left off
- Works on any device
- Secure passwordless login (email / OTP)
- Respectful of people's time and attention spans
HABIT-BUILDING, NOT E-LEARNING
- Bite-sized lessons your brain can actually retain
- Reflection prompts connect learning to real work situations
- Light checks to reinforce key concepts
- Self-checks to confirm understanding
WHITE-HAT GAMIFICATION
- Visual progress that actually motivates people
- Builds genuine mastery and confidence
- Gamification supports completion, not distraction
- Positive reinforcement, not fear-based
- Practical security mindset, not theoretical awareness
- Clear action steps for incidents, not just knowledge
- Governance habits that equip leadership to manage risk
- Aligned with NIS2, SOC 2, ISO 27001, and NIST CSF
Employee core habits
- 1. Know your security basics (Core)
- 2. Protect your accounts (Core)
- 3. Handle data safely (Core)
- 4. Spot and report phishing (High focus)
- 5. Keep devices and remote work safe (Core)
- 6. Know what to do when something goes wrong (High focus)
- 7. Use AI tools safely (High focus)
Board and management governance
- 8. Cyber risk for board and management (Deep dive)
- 9. Management oversight and KPIs (Deep dive)
- 10. Governance, liability, and continuous improvement (Deep dive)
Intentionally designed
- Structured as 7 employee habits and 3 governance habits (management & board complete all 10)
- Aligned with regulatory expectations
- Board members get real cyber risk literacy, not superficial awareness
Risk-based focus
- Security habits tailored to real-world risks
- High-impact topics get more time and depth (phishing, incidents, AI)
- Focused on real risk reduction, not compliance theatre
Based on recognised best practices
- Grounded in ENISA, CISA, and NIST guidance
- No-jargon approach
- Delivers what auditors and regulators expect to see
Scenario-based, not theoretical
- Every habit is anchored in realistic workplace scenarios
- Reflection exercises connect learning to daily work situations
- Knowledge checks use real-world situations as close to actual attacks as possible
- Audit-ready reports and defensible evidence
- Human risk identification and scoring
- Board-level and management reporting
- Security ownership embedded across the organization
Multi-framework compliance engine
- National implementations of NIS2, Articles 20 & 21: Belgium (CyFun), Czech Republic, Norway, Finland. Additional countries added as they come into force.
- SOC 2
- ISO 27001 and NIST CSF
Delivers three concrete security outcomes
- Compliance evidence (audit-ready)
  Verifiable proof that employees participated, understood key topics, and completed defined awareness campaigns.
- Human risk identification
  Clear visibility into where people struggle, recurring weak patterns, and the most relevant human security risks across the organisation.
- Security ownership and culture
  A shared understanding of security where employees and leaders take responsibility for safer decisions in daily work.
Why I built SafeHabits
I am building the security programme I would personally trust to roll out to my own teams, one that builds real understanding, ownership, and action.
As a security engineer, I have seen the same pattern repeat. Security awareness programmes that people rush through, learn little from, and quietly ignore. Most tools optimise for completion metrics, not for real understanding or ownership.
The problem is not that people are unaware of security. It is that they often do not fully understand what matters, what to look for, or what to do when something happens. As a result, security remains abstract, and responsibility stays unclear.
To challenge this, I built a methodology focused on habit-building, real understanding, and clear action. I first explored this approach by building a free consumer app focused on practical security habits (free.safehabits.eu). User feedback confirmed what I suspected. Short, respectful learning moments help people internalize security and act when it matters.
I am now bringing this approach into organizations, expanding it beyond individual behaviour to support security ownership, culture-building, and decision-making at scale. SafeHabits applies the same habit-driven principles while aligning them with modern regulatory expectations, including NIS2, SOC 2, ISO 27001, and NIST CSF.
The goal of SafeHabits is to change how organizations approach human security. To move from awareness to understanding, from understanding to action, and from action to shared ownership across the organization. Not compliance theatre, but a security culture that works in practice.
Pricing
Your entire human security program, fully managed.
Starting at
€1,500 / year
Fully managed for you
- We run the entire human security program for you
- No internal effort or administration required
- Campaign delivery, reminders, tracking, and employee onboarding included
- Audit-ready evidence and reporting out of the box
Built to stay current
- Tracks evolving threats and compliance requirements
- New content and reporting improvements throughout the year
- Supports annual certification and targeted ad hoc campaigns
Where does your journey to measurable human security begin?
SafeHabits is onboarding a small number of early access organisations. Tell us where you are and we will map out the right step together.



