SebDB principles & writing guide
What is SebDB?
The Security Behaviors Database (SebDB) is the world's security behavior database. SebDB maps security behaviors to impacts. It's maintained by a global community of security professionals and academics, and periodically reviewed by our in-house Science and Research team.
A security behavior is an action or practice by an individual that protects information, systems, or assets from unauthorized access, damage, or threats.
Impact is the harm or damage that happens when a security risk becomes real. It's the overall result of a risk materializing. Impacts are linked to specific security behaviors (e.g., risky actions that led to the harm).
SebDB principles
These principles define what SebDB security behaviors and impacts are, and provide a framework for evaluating and updating them over time.
A SebDB security behavior is…
1. focused on the everyday actions and decisions of technology users, not those who build technology, set policy, or manage systems (e.g., developers, policymakers, human resource teams, or system administrators).
✅ SB068: Clears a desk of sensitive information and devices when not in use
❌ Vets employees before offering a position
❌ Practices secure coding
2. a single, specific action or response of an individual to a situation, stimulus, or environment.
✅ SB027: Downloads an application only from an approved or official source
❌ SB027: Downloads and installs apps from approved or official sources (e.g., Google Play, App Store, or company-managed app store/catalog)
3. focused on cybersecurity and physical security as it relates to protecting information.
✅ SB064: Prevents tailgating at security checkpoints
4. a pro-security action, or a positive security action, not a mistake.
✅ SB156: Shares sensitive information only on an approved or official website
❌ SB156: Discloses credentials to a phishing site
5. framed in positive, affirmative language to emphasize constructive action.
✅ SB010: Keeps a password (or passphrase) private
❌ SB010: Does not share passwords
6. an action that, if not performed, could result in a negative impact on the organization. These can include personal security behaviors, too.
✅ SB070: Reviews security and privacy settings for an account or application
7. technology-agnostic and inclusive, applying to both hardware (like electronic devices) and software (like operating systems, apps, communication tools, etc.). Therefore, there are no sub-behaviors.
✅ SB024: Keeps software up-to-date
❌ SB174: Does not log in from a device running out of date operating software
❌ SB174a: Does not log in from a mobile running out of date operating software
❌ SB174b: Does not log in from a desktop/laptop running out of date operating software
8. an action that is subjectively or objectively measurable. Metrics for some behaviors may depend on (self-)reported measurements.
✅ SB049: Covers a device webcam when not in use
9. realistic, relevant, actionable, and achievable within everyday contexts, taking into account the practical limitations and resources available to individuals.
✅ SB171: Uses a work email address that has not been compromised
❌ SB172: Does not use a personal email address that has been compromised in a data breach
10. a unique action in the SebDB context, which avoids overlap with other SebDB behaviors.
✅ SB024: Keeps software up-to-date
❌ SB174: Does not log in from a device running out of date operating software
❌ SB208: Ensures work devices and software are updated regularly
❌ SB174a: Does not log in from a mobile running out of date operating software
❌ SB174b: Does not log in from a desktop/laptop running out of date operating software
11. subject to change over time: for example, behaviors can be merged, split, or become no longer relevant. This makes a changelog for each behavior essential to track updates and maintain clarity.
| Status | Description |
|---|---|
| Deprecated / Retired | Behavior has been removed from the database because it did not meet the criteria outlined in SebDB Principles. The most common reasons include it no longer being relevant (SebDB Principle 8) or not being a behavior of a technology user (SebDB Principle 1). |
| Deprecated / Merged | Behavior has been removed due to duplication with other behavior(s) or combined with another because of overlap or redundancy. In such cases, we specify the target behavior. |
| Renamed | Behavior has been renamed to better reflect its purpose, align with terminology standards, or improve clarity, accuracy, or relevance to current practices. |
| Unchanged | Behavior has been reviewed and requires no modifications. |
| Split | Behavior has been divided into two or more behaviors to improve specificity or clarity. |
| Adopted | Behavior has been newly introduced into the database. |
| Rejected | Behavior has been considered but not included in the database because it does not meet SebDB Principles criteria. |
12. one that has a unique identifier (UID) permanently assigned. If a behavior is removed, its UID is retired and not reassigned, ensuring consistency and maintaining a clear historical record.
13. assigned to a tier based on its influence on risk. Tier 1 behaviors have the greatest influence, while Tier 4 behaviors have the least. A behavior's tier is determined by assessing how significantly performing (or not performing) the behavior affects the likelihood of undesirable outcomes (i.e., impacts) from related security risks. For example, if the behavior is not performed, how plausible is it that each potential impact will occur? These plausibility judgments are combined into a score, which determines the behavior's tier. To support this assessment, an AI model specifically trained in cybersecurity and human risk management was used.
A SebDB impact is…
1. focused on the harmful or undesirable result of a security risk (i.e., the result if a risk materializes).
✅ [IMP001] System compromise
❌ Increase in share price (considering that this is generally a desirable result for a company)
2. a category of harmful or undesired result of a security risk (i.e., the result if a risk materializes).
✅ [RISK001] Data compromise
❌ [RISK006] Personal exposure
3. a result that could arise due to a negative security behavior, or that could be prevented by a positive security behavior.
✅ [IMP001] System compromise
✅ [IMP007] Account compromise
4. able to cause, or lead to, other impacts.
✅ "[IMP001] System compromise" could lead to ( → ) "[IMP007] Account compromise"
5. a result that represents a significant concern for an organization.
✅ [IMP007] Account compromise
❌ Loss of a small amount of corporate stationery
6. a unique result in the SebDB context, which avoids overlap with other SebDB impacts.
✅ [IMP002] Data compromise
❌ [RISK008] Data leak
7. subject to change over time: for example, impacts can be merged, split, or become no longer relevant. This makes a changelog for each impact essential to track updates and maintain clarity.
8. one that has a unique identifier (UID) that is permanently assigned. If an impact is removed, its UID is retired and not reassigned, ensuring consistency and maintaining a clear historical record.
SebDB writing guide
A SebDB security behavior…
1. adheres to a standardized grammatical structure to ensure clarity, consistency, and ease of understanding.
Verb (third person) → Object → Modifier (if needed) → Tool/Context (if needed)
a. always starts with a verb, indicating an actionable step, rather than an adverb (e.g., "regularly").
b. is worded in the third-person simple present, not in the present continuous tense.
2. is written in a concise, specific, and unambiguous way that anyone using the database can understand and interpret consistently. It avoids unnecessary complexity, vague terms, or redundant words, focusing on precise language to describe security behaviors.
3. is a single, specific action (Principle 2) and is worded accordingly, which makes some terminology redundant. For example:
• Regularly, Frequently, Periodically
A behavior states the action itself without referencing how often it occurs, making words like "regularly", "frequently", or "periodically" unnecessary.
✅ SB061: Backs up data
❌ SB061: Regularly backs up data
4. uses the same terminology consistently:
| ✅ Preferred term | ❌ Instead of | ✅ Example | ❌ Counterexample |
|---|---|---|---|
| account | online account; important account; all accounts; any accounts | SB009: Deactivates or deletes an unneeded account | SB009: Ensures online accounts that are no longer needed are de-activated |
| authenticate | log in; as a means to log in | SB003: Authenticates with a strong password (or passphrase) | SB003: Uses a strong password or passphrase |
| antivirus | antivirus/antimalware; antivirus software | SB022: Uses antivirus on a device | SB022: Uses antivirus or antimalware software on compatible device(s) |
| application | app | SB027: Downloads an application only from an approved or official source | SB027: Only downloads apps from trusted sources (e.g. Google Play or The App Store) |
| approved (refers to tools, resources, or actions that have been explicitly sanctioned by an organization for use) | authorized | SB094: Works only on an approved device | SB094: Does not use personal devices for work unless authorised to do so |
| approved or official (refers to tools, resources, or actions that have been officially sanctioned or endorsed by an organization or relevant authority, meeting specific approval or compliance criteria) | reliable; trusted; reputable | SB019: Downloads content only from an approved or official website | SB019: Only uses well-known, reputable and trusted websites to download content |
| compromised (refers to accounts, passwords, devices, or systems that have been breached, hacked, or exposed to unauthorized access) | compromised in a data breach; appeared in a known data breach | SB007: Checks whether a password (or passphrase) or other personal information have been compromised | SB007: Checks whether passwords (or other personal data) have appeared in known data breaches |
| device | mobile device; phone; mobile phone; laptop; all devices; any devices; internet-connected devices | SB035: Changes the default password on a device | SB035: Changes default passwords (if possible) on all internet-connected devices |
| message | emails; messages; digital communications; WhatsApp messages; texts; instant messages/IMs; public messaging channel | SB081: Checks a message for signs of deception | SB081: Checks instant messages for signs of deception |
| password (or passphrase) | password(s); passphrase(s) | SB150: Uses a password (or passphrase) that has not been compromised | SB150: Does not use a password that has been compromised in a data breach |
| removable media (source: NCSC) | media; USB; removable devices; USB flash drives | SB032: Inserts only an approved removable media into a device | SB032: Does not insert unauthorised devices/media into work devices/network |
| reports (as a verb) | informs; highlights | SB056: Reports a security policy, procedure, or control that hinders work or leads to unsafe practices | SB056: Highlights security controls that prevent or disrupt ability to work sensibly |
| sensitive information | PII; confidential data; confidential information; sensitive data | SB185: Shares sensitive information only in an approved communication channel | SB186: Does not post PII in a public channel |
| unneeded | no longer needed; no longer used; unused | SB009: Deactivates or deletes an unneeded account | SB009: Ensures online accounts that are no longer needed are de-activated |
| uses | installs; installs or enables; installs and enables | SB022: Uses antivirus on a device | SB022: Installs antivirus on compatible devices |
| legitimate (refers to sources, communications, or resources that have undergone a process of validation or reliability checks and have been verified as trustworthy) | trusted; reputable; verified; reliable | SB159: Opens only a legitimate link | SB159: Does not click a phishing link |
| work purpose | work-related purposes; work purposes | SB173: Uses a work email address for a work purpose | SB173: Does not use work email addresses for non-work purposes |
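As an added example (not SebDB's own tooling), a small Python linter that checks a proposed behavior entry against the rules above: the UID format with no sub-behavior suffix (principle 7), positive framing (principle 5), a third-person verb opener without frequency adverbs (writing guide rules 1 and 3), and a subset of the terminology table (rule 4). The term list and the rule messages are my own encoding of the page's tables, not a SebDB artifact.

```python
import re

# Frequency adverbs that the writing guide calls redundant (guide rule 3).
FREQUENCY_WORDS = {"regularly", "frequently", "periodically"}
# Wordings that open a negatively framed behavior (principle 5).
NEGATIVE_OPENERS = ("does not", "doesn't", "never")
# (non-preferred wording, preferred term) pairs taken from the terminology
# table; longer phrases come first so they match before their sub-phrases.
TERMINOLOGY = [
    ("compromised in a data breach", "compromised"),
    ("work-related purposes", "work purpose"),
    ("no longer needed", "unneeded"),
    ("mobile device", "device"),
    ("apps", "application"),
    ("passwords", "password (or passphrase)"),
    ("pii", "sensitive information"),
    ("mobile", "device"),
    ("trusted", "approved or official"),
]
# 'SB' + three digits; a trailing letter is captured so it can be rejected.
UID_RE = re.compile(r"^(SB\d{3})([A-Za-z]?):\s*(\S.*)$")


def lint_behavior(entry):
    """Return writing-guide violations for one 'SBnnn: <behavior>' string; [] means it passes."""
    m = UID_RE.match(entry.strip())
    if not m:
        return ["entry must look like 'SBnnn: <behavior>'"]
    uid, suffix, name = m.groups()
    issues = []
    if suffix:  # SB174a-style sub-behaviors are not allowed (principle 7)
        issues.append(f"{uid}{suffix}: sub-behavior suffix is not allowed (principle 7)")
    text = name.lower()
    words = text.split()
    if text.startswith(NEGATIVE_OPENERS):
        issues.append("negative framing; state the positive action instead (principle 5)")
    for i, w in enumerate(words):  # frequency words are redundant anywhere in the name
        if w in FREQUENCY_WORDS:
            issues.append(f"drop frequency word '{w}' (guide {'1a' if i == 0 else '3'})")
    first = words[0]
    if first not in FREQUENCY_WORDS:  # opener must be a third-person simple-present verb
        if first.endswith("ing"):
            issues.append("use the third-person simple present, not present continuous (guide 1b)")
        elif not first.endswith("s"):
            issues.append("must open with a third-person verb (guide 1a)")
    for bad, good in TERMINOLOGY:
        pattern = rf"\b{re.escape(bad)}\b"
        if re.search(pattern, text):
            issues.append(f"use '{good}' instead of '{bad}' (guide 4)")
            text = re.sub(pattern, " ", text)  # avoid re-flagging a matched sub-phrase
    return issues
```

Running it over the ✅/❌ pairs above reproduces the page's verdicts, e.g. "SB024: Keeps software up-to-date" passes while "SB174a: Does not log in from a mobile ..." is flagged for the suffix, the negative framing, and "mobile" instead of "device".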