What makes people change their security behaviour?

What is it that triggers change in people's security behaviour? How good is the general public at managing their own cyber security?