
The difference between security awareness and privacy awareness

The research literature breaks security awareness down into knowledge, attitude and behaviour, and privacy awareness into perceiving, understanding and applying. That very difference explains why security calls for behaviour change and privacy for the application of knowledge, and why a single training format falls short for both subjects.


Founder & Security Awareness Specialist · 2LRN4

In brief

  1. Security awareness and privacy awareness come from different research traditions. For twenty years, security awareness has been measured as a triad of knowledge, attitude and behaviour (Kruger and Kearney, 2006; Parsons et al., 2014), whereas privacy awareness is more often described as situational awareness: noticing that a situation calls for the rules to be applied, and then applying those rules correctly (Correia and Compeau, 2017).
  2. For security, the gap between knowing and doing is well documented: training mainly raises knowledge and attitude, while behaviour moves far less. This is because an attacker exploits fast, automatic processing; at that moment, knowledge only helps once the right behaviour has become a habit (Vishwanath et al., 2011; Prümmer, van Steen and van den Berg, 2024).
  3. The hypothesis that privacy awareness is about applying knowledge while security awareness is about changing behaviour is largely supported by the literature, but as a difference in emphasis rather than an absolute divide. With privacy too, knowing and doing diverge (the privacy paradox), and a large share of reported breaches are routine errors, such as a letter or email sent to the wrong recipient (DLA Piper, 2026).

In training programmes, security awareness and privacy awareness are often mentioned in the same breath. Organisations buy them together, schedule them in the same annual round and cast them in the same format, usually an e-learning module with a test. Yet the two subjects ask something fundamentally different of an employee. The hypothesis of this study is that privacy is mainly about applying knowledge of rules and procedures at the right moment, while security is mainly about changing one's own behaviour, right down to the reflexes.

This report tests that hypothesis against the scientific research. It follows on from two earlier reports in this series: The attention problem, on what phishing simulations do and do not achieve, and The vulnerable first months, on the timing of initial training. Those reports were about security; this one places security and privacy side by side.

About this report

Type
Literature review based on peer-reviewed scientific research and publications from authoritative bodies.
Main question
Do security awareness and privacy awareness call for a different approach, in which privacy awareness comes down mainly to applying knowledge and security awareness mainly to changing behaviour?
Sub-questions
  1. How does the literature define both concepts, and what components are they made up of?
  2. To what extent does knowledge translate into safe behaviour in the case of security?
  3. Does privacy show the same gap between knowing and doing, and does it also apply to employees who process other people's data?
  4. Does the kind of situation in which each form of awareness has to prove itself differ?
  5. What does this mean for the design of a training programme?
Sources
Measurement instruments for security awareness (the KAB model, the HAIS-Q), review studies and a meta-analysis on security training, the research into the privacy paradox, conceptual work on privacy awareness, and figures from European data protection authorities and ENISA.
As of
June 2026.

01 · FRAMEWORK · Two concepts from different traditions

Anyone who lays the scientific literature on the two forms of awareness side by side immediately notices a difference in origin. Research into security awareness is rooted in the question of how an organisation gets employees to comply with security policy. The most widely used foundation for this is the KAB model, which treats awareness as a triad of knowledge (what you know), attitude (what you think) and behaviour (what you do) (Kruger and Kearney, 2006). The most thoroughly validated measurement instrument, the Human Aspects of Information Security Questionnaire (HAIS-Q), is built explicitly on that model and measures the three layers across seven focus areas, from passwords to incident reporting (Parsons et al., 2014). In this tradition, behaviour is therefore not a by-product of awareness but a fixed part of the definition. The influential compliance study by Bulgurcu, Cavusoglu and Benbasat (2010) likewise views awareness through the question of whether employees ultimately behave in line with policy.

Research into privacy awareness is younger and different in nature. The broad review by Smith, Dinev and Xu (2011) shows that privacy research has traditionally focused on concerns, attitudes and the trade-offs around sharing data, and far less on behaviour in a working environment. Where the concept is elaborated, this strikingly often takes the form of knowledge. The Online Privacy Literacy Scale (OPLIS) explicitly treats privacy literacy as knowledge, both factual knowledge of rules and practices and knowledge of strategies for protecting data (Trepte et al., 2015). Correia and Compeau (2017) go a step further and describe privacy awareness as a form of situational awareness, following Endsley's model: perceiving a situation, understanding what it means and projecting what may happen. On that reading, privacy awareness is the ability to see that personal data is involved and to understand which standard applies, after which the knowledge can be applied.

Two traditions, each with its own centre of gravity

How the literature builds up each form of awareness

Security awareness (three layers, after Kruger and Kearney, 2006): knowledge (what you know), attitude (what you think), behaviour (what you do).
Privacy awareness (situational awareness, after Correia and Compeau, 2017): perceiving (personal data is involved here), understanding (which standard applies here), applying (turning knowledge into action).

Figure 1 How the literature builds up each concept. For security awareness, behaviour is a fixed part of the definition and, in practice, the weakest link; for privacy awareness, the emphasis lies on recognising the situation and applying knowledge. After Kruger and Kearney (2006) and Correia and Compeau (2017).

02 · FINDING · For security, the bottleneck is not knowledge

That knowledge and behaviour do not coincide for security was already apparent in the very first application of the KAB model. In Kruger and Kearney's (2006) case study at an international mining company, employees scored 77 per cent on knowledge and 76 per cent on attitude, but only 54 per cent on behaviour. What employees knew and thought was more than adequate, but what they did in practice lagged far behind. Later validation studies confirm that picture. Among five hundred Australian employees, knowledge of policy and procedures was more strongly associated with attitude than with their own security behaviour, leading the researchers to conclude that training should explain not only what is expected but also why it matters (Parsons et al., 2014).

The review research points in the same direction. A systematic review of 142 studies on security training finds that most studies measure their effect in terms of knowledge or intentions rather than actual behaviour, and that effects are usually measured after a single training session without a follow-up measurement. Lasting behaviour change therefore cannot be established with certainty, even though such change depends on repetition, because habits form only through repetition (Prümmer, van Steen and van den Berg, 2024). The accompanying meta-analysis shows that training clearly improves end-users' knowledge and awareness, but that the effect on behaviour in the longer term is more modest (Prümmer, van Steen and van den Berg, 2024). As early as 2015, Bada, Sasse and Nurse concluded that information on its own does not change behaviour: people must also be able to apply the advice and be motivated to do so. ENISA draws the same lesson and argues for a shift from information provision to behaviour change and culture (ENISA, 2019).

For the part of the hypothesis that concerns security, the evidence is therefore solid: the bottleneck lies not in what employees know but in what they do under the pressure of the moment. In The attention problem we already described that phishing is an attention problem rather than a knowledge problem, and that a falling click rate says little about what employees have actually learned.

Knowing, thinking and doing diverge

Scores per dimension in Kruger and Kearney's (2006) case study

Knowledge 77%, attitude 76%, behaviour 54% (scale 0% to 100%)

Figure 2 Scores on the three dimensions of security awareness in Kruger and Kearney's (2006) case study: knowledge 77 per cent, attitude 76 per cent and behaviour 54 per cent. The gap between knowing and doing has since been found in much research.

03 · FINDING · With privacy too, knowing and doing diverge

Anyone taking the hypothesis literally would expect knowing and doing to coincide neatly for privacy. The research shows something else, and the phenomenon even has its own name: the privacy paradox. In the experiment that gave it its name, participants disclosed considerably more personal information than they had said beforehand they would (Norberg, Horne and Horne, 2007). Pötzsch (2009) describes the same gap: even those who are privacy-aware often do not act accordingly. Review studies confirm that attitudes and concerns about privacy only weakly predict what people actually do when sharing data, and explain this partly through trade-offs of convenience and benefit, through uncertainty, and through the strong influence of context on privacy preferences (Kokolakis, 2017; Gerber, Gerber and Volkamer, 2018; Acquisti, Brandimarte and Loewenstein, 2015).

Yet the working environment differs in an important respect. Almost all of this research concerns people deciding about their own data, as consumers who share something in exchange for convenience, a discount or contact. Solove (2021) further points out that little can be inferred about attitudes from such behaviour, because people weigh up something different in a concrete situation than in a general question. An employee who processes the personal data of customers, patients or colleagues plays a fundamentally different role: it is not their own data, the personal trade-off largely disappears, and the question is not how much they want to share but whether the processing fits within the rules of the organisation and the law. That role calls above all for recognising and applying: seeing that something is personal data, knowing whether there is a legal basis, recognising a request from a data subject, and reporting a breach in good time. Strikingly little research has been done into this employee role, and the way privacy awareness is defined varies from study to study (Smith, Dinev and Xu, 2011; Correia and Compeau, 2017).

One nuance deserves emphasis here. The figures from practice show that privacy incidents are by no means always knowledge failures. Across Europe, supervisory authorities now receive an average of 443 reported data breaches per day, a 22 per cent rise in a single year (DLA Piper, 2026). A substantial share of these are not sophisticated cyberattacks but routine human errors: a letter or email sent to the wrong recipient is consistently among the most commonly reported breach types, and human error is one of the leading causes of breaches across Europe (ENISA, 2019). A letter in the wrong envelope is not a gap in knowledge of the GDPR but a routine slip, and therefore a behavioural problem par excellence. In privacy practice, applying knowledge and embedding careful routines thus occur side by side.

For security, ingrained behaviour has to hold its own against an adversary aiming at the autopilot; for privacy, a person has to recognise the situation and apply the right knowledge to it.

Based on the literature reviewed

04 · EXPLANATION · The adversary and the decisive moment differ

The pattern from the previous two chapters is well explained by the kind of situation in which each form of awareness has to prove itself. Security is about protecting information and systems against deliberate compromise (von Solms and van Niekerk, 2013). There is therefore a thinking adversary facing the employee, and that adversary determines the moment, the form and the pressure. Research into phishing shows that most phishing messages are processed via the fast, superficial route: people decide on the basis of simple cues in the message, without thorough consideration, especially when the sender plays on urgency and authority (Vishwanath et al., 2011). At such a moment there is no opportunity to apply knowledge calmly. What counts then is the behaviour a person has made their own: pausing for a moment, checking the request through another channel, and reporting anything out of the ordinary. That is why security awareness is at its core a behavioural matter, and why training that is short, repeated and lets employees practise in the context of their work works better than one-off knowledge transfer (Prümmer, van Steen and van den Berg, 2024).

For privacy, the decisive moment is different. The standard comes not from an attacker but from the law and the organisation's policy, and the questions usually arise in ordinary work: may I share this file with this colleague, how long do we keep this data, is this request a subject access request, and is this incident a breach that has to be reported? With such questions there is almost always an opportunity to think, to look something up or to consult the data protection officer. The bottleneck here is not the time pressure of an adversary but recognising the situation: anyone who does not see that something is personal data or a breach never gets as far as applying knowledge. That fits precisely with the description of privacy awareness as situational awareness (Correia and Compeau, 2017).

The two domains do overlap. Phishing frequently targets personal data in particular, so that a successful attack is at once a breach, and the misdirected letters and emails in the supervisory authorities' figures are routine behaviour that calls for the same behaviour-focused approach as security habits. Conversely, knowledge does matter for security: those who score higher on the HAIS-Q, including the knowledge component, demonstrably perform better in an experimental phishing test (Parsons et al., 2017). The difference between the two domains is therefore not a sharp dividing line between knowledge and behaviour; the difference lies in which of the two is decisive in the critical situation.

05 · CONCLUSION · A difference in emphasis

The answer to the main question is this: the hypothesis is largely supported, provided it is understood as a difference in emphasis. Security awareness is at its core a behavioural matter: knowledge is necessary, but the research shows time and again that knowledge and attitude run well ahead of behaviour, and that the decisive moments are so short and so deliberately exploited by the attacker that only ingrained habits offer a foothold. Privacy awareness in the working environment, by contrast, is mainly a matter of recognising and applying: seeing that a situation falls under the rules, knowing which standard applies and acting accordingly, with the time and the resources that are usually available in those situations.

For the design of a training programme, this means that a single format falls short for both subjects. Security training calls for short, repeated, behaviour-focused practice in the context of the work, so that habits can form. Privacy training calls for recognisable case studies, clear decision rules and easily findable reference material and reporting routes, so that the knowledge is available at the moment the situation arises. For both, what the research has long said holds true: merely distributing information changes little, because employees must also be able and willing to apply the advice (Bada, Sasse and Nurse, 2015; ENISA, 2019).

At the same time, modesty is in order. The privacy paradox shows that, for privacy too, knowing and doing do not go together automatically, and the breach figures show that a large share of privacy incidents consists of routine errors that themselves call for behaviour change. Anyone using the distinction in this report would therefore do well to treat it as a difference in emphasis and not as a strict division: a mature programme trains mainly behaviour for security while maintaining the knowledge, and trains mainly recognising and applying the rules for privacy, without losing sight of careful routines.

Limitations

  • This report is a literature review that summarises existing research and contains no new research of its own.
  • The research into the privacy paradox concerns almost exclusively consumers deciding about their own data; the translation to employees who process other people's data is partly reasoned rather than directly measured.
  • Much research into security awareness measures self-reported behaviour or short-term effects, which limits the view of lasting behaviour change.
  • The concepts of security awareness and privacy awareness are not defined uniformly in the literature; the comparison in this report depends on the definitions chosen.
  • The breach figures count reported breaches; not every incident is recognised or reported, and the reporting obligation weighs differently by type of incident.

Sources

  1. Acquisti, A., Brandimarte, L., and Loewenstein, G. (2015). Privacy and human behavior in the age of information. Science, 347(6221), 509-514. doi.org/10.1126/science.aaa1465
  2. Bada, M., Sasse, A. M., and Nurse, J. R. C. (2015). Cyber Security Awareness Campaigns: Why do they fail to change behaviour? International Conference on Cyber Security for Sustainable Society. arxiv.org/abs/1901.02672
  3. Bulgurcu, B., Cavusoglu, H., and Benbasat, I. (2010). Information Security Policy Compliance: An Empirical Study of Rationality-Based Beliefs and Information Security Awareness. MIS Quarterly, 34(3), 523-548. aisel.aisnet.org/misq/vol34/iss3/9
  4. Correia, J., and Compeau, D. (2017). Information Privacy Awareness (IPA): A Review of the Use, Definition and Measurement of IPA. Hawaii International Conference on System Sciences (HICSS-50). aisel.aisnet.org/hicss-50
  5. DLA Piper (2026). GDPR Fines and Data Breach Survey: January 2026. dlapiper.com
  6. Gerber, N., Gerber, P., and Volkamer, M. (2018). Explaining the privacy paradox: A systematic review of literature investigating privacy attitude and behavior. Computers & Security, 77, 226-261. doi.org/10.1016/j.cose.2018.04.002
  7. Kokolakis, S. (2017). Privacy attitudes and privacy behaviour: A review of current research on the privacy paradox phenomenon. Computers & Security, 64, 122-134. doi.org/10.1016/j.cose.2015.07.002
  8. Kruger, H. A., and Kearney, W. D. (2006). A prototype for assessing information security awareness. Computers & Security, 25(4), 289-296. doi.org/10.1016/j.cose.2006.02.008
  9. Norberg, P. A., Horne, D. R., and Horne, D. A. (2007). The Privacy Paradox: Personal Information Disclosure Intentions versus Behaviors. Journal of Consumer Affairs, 41(1), 100-126. doi.org/10.1111/j.1745-6606.2006.00070.x
  10. Parsons, K., McCormac, A., Butavicius, M., Pattinson, M., and Jerram, C. (2014). Determining employee awareness using the Human Aspects of Information Security Questionnaire (HAIS-Q). Computers & Security, 42, 165-176. sciencedirect.com/.../S016740481300179X
  11. Parsons, K., Calic, D., Pattinson, M., Butavicius, M., McCormac, A., and Zwaans, T. (2017). The Human Aspects of Information Security Questionnaire (HAIS-Q): Two further validation studies. Computers & Security, 66, 40-51. doi.org/10.1016/j.cose.2017.01.004
  12. Pötzsch, S. (2009). Privacy Awareness: A Means to Solve the Privacy Paradox? In The Future of Identity in the Information Society, IFIP AICT 298. doi.org/10.1007/978-3-642-03315-5_17
  13. Prümmer, J., van Steen, T., and van den Berg, B. (2024). A systematic review of current cybersecurity training methods. Computers & Security, 136, 103585. doi.org/10.1016/j.cose.2023.103585
  14. Prümmer, J., van Steen, T., and van den Berg, B. (2024). Assessing the effect of cybersecurity training on end-users: A meta-analysis. Computers & Security, 150, 104206. doi.org/10.1016/j.cose.2024.104206
  15. Smith, H. J., Dinev, T., and Xu, H. (2011). Information Privacy Research: An Interdisciplinary Review. MIS Quarterly, 35(4), 989-1015. aisel.aisnet.org/misq/vol35/iss4/11
  16. Solove, D. J. (2021). The Myth of the Privacy Paradox. George Washington Law Review, 89, 1-51. gwlr.org
  17. Trepte, S., Teutsch, D., Masur, P. K., et al. (2015). Do People Know About Privacy and Data Protection Strategies? Towards the “Online Privacy Literacy Scale” (OPLIS). In Reforming European Data Protection Law. doi.org/10.1007/978-94-017-9385-8_14
  18. Vishwanath, A., Herath, T., Chen, R., Wang, J., and Rao, H. R. (2011). Why do people get phished? Testing individual differences in phishing vulnerability within an integrated, information processing model. Decision Support Systems, 51(3), 576-586. doi.org/10.1016/j.dss.2011.03.002
  19. von Solms, R., and van Niekerk, J. (2013). From information security to cyber security. Computers & Security, 38, 97-102. doi.org/10.1016/j.cose.2013.04.004
  20. ENISA (2019). Cybersecurity Culture Guidelines: Behavioural Aspects of Cybersecurity. European Union Agency for Cybersecurity. enisa.europa.eu