This paper aims to apply habit-based research to the domain of information security. It proposes a new training paradigm in which a user “automatically” does the right thing without being an expert in the area of information security. The authors used a multiphased approach in which a new security training program was created and assessed for three groups: administrators (mostly managers), medical professionals (included physicians, physician assistants etc.) and staff (appointment coordinators, billing specialists etc.). The authors were able to find strong correlations between habit creation and security threats such as phishing, unauthorized cloud computing use, and password sharing. The authors were also able to ascertain that traditional security training and awareness programs need to move away from the “one-size” fits all technique to custom models that need to look at employee groups. This study supports the idea of training programs that are focused on changing habits, which is an area that has not yet been extensively researched in this context.