
What is SebDB?

The Security Behaviors Database (SebDB) is the world's security behavior database. SebDB maps security behaviors to impacts. It's maintained by a global community of security professionals and academics, and periodically reviewed by our in-house Science and Research team.

A security behavior is an action or practice by an individual that protects information, systems, or assets from unauthorized access, damage, or threats.

Impact is the harm or damage that happens when a security risk becomes real. It's the overall result of a risk materializing. Impacts are linked to specific security behaviors (e.g., risky actions that led to the harm).

SebDB principles

These principles define what SebDB security behaviors and impacts are, and provide a framework for evaluating and updating them over time.

A SebDB security behavior is…

1. focused on the everyday actions and decisions of technology users, not those who build technology, set policy, or manage systems (e.g., developers, policymakers, human resource teams, or system administrators).

SB068: Clears a desk of sensitive information and devices when not in use

Vets employees before offering a position

Practices secure coding

2. a single specific action or response of an individual to a situation, stimulus, or environment.

SB027: Downloads an application only from an approved or official source

SB027: Downloads and installs apps from approved or official sources (e.g., Google Play, App Store, or company-managed app store/catalog)

3. focused on cybersecurity and physical security as it relates to protecting information.

SB064: Prevents tailgating at security checkpoints

4. a pro-security action, or a positive security action, not a mistake.

SB156: Shares sensitive information only on an approved or official website

SB156: Discloses credentials to a phishing site

5. framed in positive, affirmative language to emphasize constructive action.

SB010: Keeps a password (or passphrase) private

SB010: Does not share passwords

6. an action that could result in a negative impact on the organization. These can include personal security behaviors, too.

SB070: Reviews security and privacy settings for an account or application

7. technology-agnostic and inclusive, applying to both hardware (like electronic devices) and software (like operating systems, apps, communication tools, etc.). Therefore, there are no sub-behaviors.

SB024: Keeps software up-to-date

SB174: Does not log in from a device running out of date operating software

SB174a: Does not log in from a mobile running out of date operating software

SB174b: Does not log in from a desktop/laptop running out of date operating software

8. an action that is subjectively or objectively measurable. Metrics for some behaviors may depend on (self-)reported measurements.

SB049: Covers a device webcam when not in use

9. realistic, relevant, actionable, achievable within everyday contexts, and considers the practical limitations and resources available to individuals.

SB171: Uses a work email address that has not been compromised

SB172: Does not use a personal email address that has been compromised in a data breach

10. a unique action in the SebDB context, which avoids overlap with other SebDB behaviors.

SB024: Keeps software up-to-date

SB174: Does not log in from a device running out of date operating software

SB208: Ensures work devices and software are updated regularly

SB174a: Does not log in from a mobile running out of date operating software

SB174b: Does not log in from a desktop/laptop running out of date operating software

11. subject to change over time; for example, behaviors can be merged, split, or become no longer relevant. This makes a changelog for each behavior essential to track updates and maintain clarity.

| Status | Description |
| --- | --- |
| Deprecated / Retired | Behavior has been removed from the database because it did not meet the criteria outlined in SebDB Principles. The most common reasons include it no longer being relevant (SebDB Principle 8) or not being a behavior of a technology user (SebDB Principle 1). |
| Deprecated / Merged | Behavior has been removed due to duplication with other behavior(s) or combined with another because of overlap or redundancy. In such cases, we specify the target behavior. |
| Renamed | Behavior has been renamed to better reflect its purpose, align with terminology standards, or improve clarity, accuracy, or relevance to current practices. |
| Unchanged | Behavior has been reviewed and requires no modifications. |
| Split | Behavior has been divided into two or more behaviors to improve specificity or clarity. |
| Adopted | Behavior has been newly introduced into the database. |
| Rejected | Behavior has been considered but not included in the database because it does not meet SebDB Principles criteria. |

12. one that has a unique identifier (UID) permanently assigned. If a behavior is removed, its UID is retired and not reassigned, ensuring consistency and maintaining a clear historical record.

13. assigned to a tier based on its influence on risk. Tier 1 behaviors have the greatest influence, while Tier 4 behaviors have the least. A behavior's tier is determined by assessing how significantly performing (or not performing) the behavior affects the likelihood of undesirable outcomes (i.e., impacts) from related security risks. For example, if the behavior is not performed, how plausible is it that each potential impact will occur? These plausibility judgments are combined into a score, which determines the behavior's tier. To support this assessment, an AI model specifically trained in cybersecurity and human risk management was used.

A SebDB impact is…

1. focused on the harmful or undesirable result of a security risk (i.e., the result if a risk materializes).

[IMP001] System compromise

Increase in share price (considering that this is generally a desirable result for a company)

2. a category of harmful or undesired result of a security risk (i.e., the result if a risk materializes).

[RISK001] Data compromise

[RISK006] Personal exposure

3. a result that could arise due to a negative security behavior, or that could be prevented by a positive security behavior.

[IMP001] System compromise

[IMP007] Account compromise

4. able to cause, or lead to, other impacts.

"[IMP001] System compromise" could lead to ( → ) "[IMP007] Account compromise"

5. a result that represents a significant concern for an organization.

[IMP007] Account compromise

Loss of a small amount of corporate stationery

6. a unique result in the SebDB context, which avoids overlap with other SebDB impacts.

[IMP002] Data compromise

[RISK008] Data leak

7. subject to change over time; for example, impacts can be merged, split, or become no longer relevant. This makes a changelog for each impact essential to track updates and maintain clarity.

8. one that has a unique identifier (UID) that is permanently assigned. If an impact is removed, its UID is retired and not reassigned, ensuring consistency and maintaining a clear historical record.

1. adheres to a standardized grammatical structure to ensure clarity, consistency, and ease of understanding.

Verb (third person) → Object → Modifier (if needed) → Tool/Context (if needed)

a. always starts with a verb, indicating an actionable step, rather than an adverb (e.g., "regularly").

b. is worded in the third person, not in the present continuous tense.

2. is written in a concise, specific, and unambiguous way that anyone using the database can understand and interpret consistently. It avoids unnecessary complexity, vague terms, or redundant words, focusing on precise language to describe security behaviors.

3. a single, specific action (Principle 2), and is worded accordingly, making some terminology redundant. For example,

• Regularly, Frequently, Periodically

A behavior states the action itself without referencing how often it occurs, making words like "regularly", "frequently", or "periodically" unnecessary.

SB061: Backs up data

SB061: Regularly backs up data

4. uses the same terminology consistently:

| ✅ Preferred term | Notes | Example |
| --- | --- | --- |
| account | | SB009: Deactivates or deletes an unneeded account |
| authenticate | | SB003: Authenticates with a strong password (or passphrase) |
| antivirus | | SB022: Uses antivirus on a device |
| application | | SB027: Downloads an application only from an approved or official source |
| approved | Refers to tools, resources, or actions that have been explicitly sanctioned by an organization for use. | SB094: Works only on an approved device |
| approved or official | Refers to tools, resources, or actions that have been officially sanctioned or endorsed by an organization or relevant authority, meeting specific approval or compliance criteria. | SB019: Downloads content only from an approved or official website |
| compromised | Refers to accounts, passwords, devices, or systems that have been breached, hacked, or exposed to unauthorized access. | SB007: Checks whether a password (or passphrase) or other personal information have been compromised |
| device | | SB035: Changes the default password on a device |
| message | | SB081: Checks a message for signs of deception |
| password (or passphrase) | | SB150: Uses a password (or passphrase) that has not been compromised |
| removable media | Source: NCSC | SB032: Inserts only an approved removable media into a device |
| reports | As a verb | SB056: Reports a security policy, procedure, or control that hinders work or leads to unsafe practices |
| sensitive information | | SB185: Shares sensitive information only in an approved communication channel |
| unneeded | | SB009: Deactivates or deletes an unneeded account |
| uses | | SB022: Uses antivirus on a device |
| legitimate | Refers to sources, communications, or resources that have undergone a process of validation or reliability checks and have been verified as trustworthy. | SB159: Opens only a legitimate link |
| work purpose | | SB173: Uses a work email address for a work purpose |
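
An added example, not part of SebDB or its tooling: a small Python linter that checks behavior entries against the wording rules above (start with a verb, no frequency words) and behavior Principles 2, 5 and 7, run over statements quoted on this page. The `SBnnn` UID shape is an assumption inferred from the identifiers shown here, and the verb and compound-action checks are string heuristics rather than grammatical parsing.

```python
import re

# Assumed UID shape, inferred from identifiers on the page (SB024, SB174a).
UID_RE = re.compile(r"^SB\d{3}([a-z]?)$")
FREQUENCY_WORDS = {"regularly", "frequently", "periodically"}
NEGATIONS = ("does not ", "doesn't ", "do not ", "don't ", "never ")


def lint_behavior(entry: str) -> list[str]:
    """Return finding codes for one 'UID: statement' behavior entry."""
    uid, sep, statement = entry.partition(":")
    uid, statement = uid.strip(), statement.strip()
    if not sep or not statement:
        return ["malformed-entry"]
    findings = []
    match = UID_RE.match(uid)
    if match is None:
        findings.append("unexpected-uid")
    elif match.group(1):
        findings.append("sub-behavior-uid")   # Principle 7: no sub-behaviors
    lowered = statement.lower()
    words = re.findall(r"[a-z']+", lowered)
    if FREQUENCY_WORDS.intersection(words):
        findings.append("frequency-word")     # wording rule 3
    if lowered.startswith(NEGATIONS):
        findings.append("negative-framing")   # Principle 5: affirmative language
    elif words and (words[0].endswith("ly") or not words[0].endswith("s")):
        findings.append("non-verb-start")     # wording rule 1a (heuristic)
    if len(words) > 2 and words[1] == "and" and words[2].endswith("s"):
        findings.append("compound-action")    # Principle 2 (heuristic)
    return findings


# Statements quoted on this page, collected here for the demonstration.
SAMPLES = [
    "SB061: Backs up data",
    "SB061: Regularly backs up data",
    "SB010: Keeps a password (or passphrase) private",
    "SB010: Does not share passwords",
    "SB174a: Does not log in from a mobile running out of date operating software",
    "SB027: Downloads and installs apps from approved or official sources",
]

if __name__ == "__main__":
    for entry in SAMPLES:
        print(f"{entry!r}: {lint_behavior(entry) or 'ok'}")
```
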