Cyber-security is not concerned so much with average or median vulnerability in an organization. Rather more important is identifying the weakest links. Individual user susceptibility and user behaviour risk assessment are key to measuring the effectiveness of cyber-security awareness programs and policies. Increasingly, it has been demonstrated that managing individual user susceptibility is as critical to organization well-being as maintaining patched IT infrastructure or responding to specific immediate cyber-threat alerts.
 Despite IT systems audits, human factor studies, training courses, user policies, and user documentation, managing user cyber-security awareness remains one of the weakest links in protecting organizations from cyber-threats. Most employees are not aware of the cyber-threats they are most likely to encounter while performing their work. They are susceptible to malicious manipulation (social engineering threats) and they tend not to follow standard procedures (either through ignorance or in attempting to circumvent security procedures to achieve more productivity). Typically, employees only recognize the importance of cyber-security policies and practices after an incident has happened to themselves.
 With the increasing availability and utility of IT network traffic analysis tools and active user behaviour probes (e.g., fake-phishing), employees can be given direct and individual feedback to increase their cyber-security awareness and improve their cyber-security practices. Beyond an organization’s employees, the same holds for a country’s citizens, or a government’s public servants. At their best, these user behaviour monitoring tools can be used in an open and transparent way to increase awareness of individual vulnerability before actual incidents occur.
 In addition to presenting results from the application of user behaviour monitoring tools to cybersecurity, this paper examines the efficacy of the privacy protection safeguards that they incorporate. These results are applied to public sector approaches to: (a) public awareness of citizen cyber-health; (b) securing online pubic services; and (c) public servant awareness of their own vulnerability to cyber-threats.