Your people are part of your attack surface.
Can you prove they're ready?
Fully managed human risk program for lean teams. Curated, human-authored security habits that measure human risk and deliver audit-ready behavioural and compliance evidence with minimal internal overhead. Ready the same day.
Your journey with SafeHabits
Evolve from compliance-driven awareness to measurable human risk management.
Become compliant
Available: Establish a baseline security culture and ensure people know how to act.
You are here if
- Security awareness is ad hoc or newly introduced
- You need to pass an audit or meet a framework
- You need a reliable way to run awareness without internal overhead
- A single, fully managed campaign to establish your human security baseline
- 7 core security habits for all employees
- Participation, completion, and acknowledgement tracking
- Audit-ready evidence mapped to one framework (SOC 2, ISO 27001, NIS2, or NIST CSF)
- Fully managed campaign delivery
- Auditor-ready report and evidence export (CSV, JSON)
Run a security program
Available: Make security behavior visible and measurable for leadership.
You are here if
- Security awareness runs regularly but impact is unclear
- Leadership lacks visibility into effectiveness
- You need to meet NIS2 governance requirements
- Continuous program delivery throughout the year
- 7 employee security habits + 3 governance habits for leadership
- Support for onboarding new employees and evolving user base
- Coverage across SOC 2, ISO 27001, NIS2, and NIST CSF
- Effectiveness measurement, including trend analysis and campaign comparison
- Normalize reporting and remove stigma around security mistakes
- Fully managed program delivery
- Leadership and board-level reporting (including PPT-ready outputs)
- Auditor-ready report and evidence export (CSV, JSON)
Manage human risk
Available: Turn human risk into a measurable, decision-ready security domain.
You are here if
- Human risk exists in isolation from your overall security and risk strategy
- Leadership cannot act on human risk data at board level
- You need to integrate human risk into your overall risk management and GRC stack
Available today
- All Stage 2 capabilities included
- Board-level reporting on workforce exposure
- Human risk identification, scoring, prioritization and treatment
- Actionable treatment plans
- Governance visibility and trend reporting
Enterprise capabilities in development
- Peer benchmarking across aggregated data
- Security champions and high-risk group insights
- GRC integrations
- SSO / SAML
- Self-managed dashboards
- Threat intelligence updates
Ready to make human risk measurable?
See how SafeHabits identifies workforce risk and delivers audit-ready evidence without adding internal overhead.
How SafeHabits works
Habits drive behaviour change. Compliance evidence and an organisation-wide campaign report turn that change into something you can defend to an auditor and discuss at the board.

DESIGNED FOR REAL WORKDAYS
- Short, self-paced lessons - pick up where you left off
- Works on any device
- Secure passwordless login (email / OTP)
- Respectful of people's time and attention spans
HABIT-BUILDING, NOT E-LEARNING
- Bite-sized lessons your brain can actually retain
- Reflection prompts connect learning to real work situations
- Light checks to reinforce key concepts
- Self-checks to confirm understanding
WHITE-HAT GAMIFICATION
- Visual progress that actually motivates people
- Builds genuine mastery and confidence
- Gamification supports completion, not distraction
- Positive reinforcement, not fear-based
Every habit is curated by a security practitioner with real-world cybersecurity and risk-management experience, not generated from a prompt.
Employee core habits
- 1. Know your security basics (Core)
- 2. Protect your accounts (Core)
- 3. Handle data safely (Core)
- 4. Spot and report phishing (High focus)
- 5. Keep devices and remote work safe (Core)
- 6. Know what to do when something goes wrong (High focus)
- 7. Use AI tools safely (High focus)
Board and management governance
- 8. Cyber risk for board and management (Deep dive)
- 9. Management oversight and KPIs (Deep dive)
- 10. Governance, liability, and continuous improvement (Deep dive)
Intentionally designed
- Structured as 7 employee habits and 3 governance habits (management & board complete all 10)
- Aligned with regulatory expectations
- Board members get real cyber risk literacy, not superficial awareness
Risk-based focus
- Security habits tailored to real-world risks
- High-impact topics get more time and depth (phishing, incidents, AI)
- Focused on real risk reduction, not compliance theatre
Based on recognised best practices
- Grounded in ENISA, CISA, and NIST guidance
- No-jargon approach
- Delivers what auditors and regulators expect to see
Scenario-based, not theoretical
- Every habit is anchored in realistic workplace scenarios
- Reflection exercises connect learning to daily work situations
- Knowledge checks use real-world situations as close to actual attacks as possible
Mapped to major compliance frameworks
- National implementations of NIS2 Articles 20 and 21: Belgium (CyFun), Czech Republic, Norway, Finland. Additional countries added as they come into force.
- SOC 2
- ISO 27001
- NIST CSF
Evidence you can actually use
- CSV and JSON exports available
- Built for internal review and external audits
- Acknowledgements, habit completions, and program completion records
- Pseudonymized by default, identified mode available
Most companies can show training completion. Few can show defensible evidence.
{
  "schema_version": "1.1",
  "generated_at": "2026-03-15T09:00:00Z",
  "export_mode": "pseudonymous",
  "campaign": {
    "name": "Q1 2026 Security Foundations",
    "organization": "NovaBridge Technologies BV"
  },
  "summary": {
    "frameworks": [
      "NIS2 Art.20", "NIS2 Art.21",
      "ISO 27001 A.6.3", "SOC 2 CC2"
    ]
  },
  "evidence": [
    {
      "event_type": "acknowledgement_confirmed",
      "user_identifier": "c7e2f1a4-8b3d-4e5f-...",
      "timestamp": "2026-02-10T09:18:41Z"
    },
    {
      "event_type": "habit_completed",
      "metadata": { "quiz_score": 19, "quiz_total": 23 },
      "timestamp": "2026-02-11T11:48:22Z"
    }
  ]
}

What leadership can see immediately
- Highest workforce risk areas by topic and severity
- Where confidence exceeds actual capability
- Trends between campaigns
- Participation and engagement gaps
- Prioritized next actions
Most companies manage technical risk. Few manage human risk with evidence.
Useful for human risk management, leadership reporting, internal audit, ISO 27001, SOC 2, and NIS2 governance evidence.
Baseline visibility from campaign one. Trends strengthen from campaign two onward.
| Credential compromise | Elevated |
| Social engineering | Elevated |
| Breach amplification | Elevated |
| Data exfiltration | Moderate |

| Incident Response | 58% | Weak |
| Phishing | 61% | Weak |
| AI Safety | 58% | Overconfident |
| Security Basics | 89% | Strong |
AI Safety confidence exceeds measured capability.
Why I built SafeHabits
I am building the security programme I would personally trust to roll out to my own teams, one that builds real understanding, ownership, and action.
As a security engineer, I have seen the same pattern repeat. Security awareness programmes that people rush through, learn little from, and quietly ignore. Most tools optimise for completion metrics, not for real understanding or ownership.
The problem is not that people are unaware of security. It is that they often do not fully understand what matters, what to look for, or what to do when something happens. As a result, security remains abstract, and responsibility stays unclear.
To challenge this, I built a methodology focused on habit-building, real understanding, and clear action. I first explored this approach by building a free consumer app focused on practical security habits (free.safehabits.eu). User feedback confirmed what I suspected. Short, respectful learning moments help people internalize security and act when it matters.
I am now bringing this approach into organizations, expanding it beyond individual behaviour to support security ownership, culture-building, and decision-making at scale. SafeHabits applies the same habit-driven principles while aligning them with modern regulatory expectations, including NIS2, SOC 2, ISO 27001, and NIST CSF.
The goal of SafeHabits is to change how organizations approach human security. To move from awareness to understanding, from understanding to action, and from action to shared ownership across the organization. Not compliance theatre, but a security culture that works in practice.
P.S. I write and curate every SafeHabits habit myself, drawn from real-world cybersecurity and risk-management experience. Not generated from a prompt.
Pricing
Your entire human security program, fully managed.
Starting at
€1,500 / year
Fully managed for you
- We run the entire human security program for you
- No internal effort or administration required
- Campaign delivery, reminders, tracking, and employee onboarding included
- Audit-ready evidence and reporting out of the box
Built to stay current
- Tracks evolving threats and compliance requirements
- New content and reporting improvements throughout the year
- Supports annual certification and targeted ad hoc campaigns
Where does your journey to measurable human security begin?
Tell us where you are today, and we’ll identify the right next step for your organisation.



