Instinct overrides knowledge. When we touch a hot surface, we don't interpret the events consciously and systematically. Our instincts take over, causing us to jerk our hand from the heat. But even with more complex scenarios, such as an urgent-sounding e-mail, we are naturally more reactive than proactive.
Our brains use instinctive shortcuts called heuristics to rapidly process much of the information we encounter. Deepfakes exploit these instincts. The more realistic a deepfake is, the more likely that we'd accept it as real.
Compliance helps create effective cyber security. But compliance-driven security can also undermine security efforts, such as when training people to spot deepfake attacks.
"Traditional, compliance-driven cyber security approaches produce employees who are proficient at passing training modules but who are inadequately prepared for real-world scenarios involving sophisticated psychological manipulation. As cyber criminals exploit deepfakes, organisations must fundamentally change their approach to cyber security, moving away from compliance-driven methods and towards developing genuine cyber dexterity," explains Tony Christodoulou, Founder and CIO/CISO at Cyber Dexterity.
Scammers often use deepfakes for a range of social engineering crimes, from pretending to be executives on video calls and WhatsApp voice notes to fooling know-your-customer (KYC) processes with fake photos. In many of these incidents, a vigilant employee can spot a fraud. But how do they become more vigilant?
Compliance training shortfalls
In 2020, researchers found that humans detected only 24.5% of high-quality deepfakes presented to them. Five years later, that technology is even more sophisticated and available, leading to a staggering 2,137% rise in fraud attacks since 2022, most using deepfakes.
Standardised cyber security education doesn't create immersive experiences or promote behavioural changes that effectively counter deepfakes, impersonations and social engineering attacks.
"Traditional training programmes are predominantly compliance-orientated and knowledge-based. They emphasise periodic checks, theoretical knowledge and policy compliance. This approach often fails to address the deeper behavioural and emotional triggers that underpin decision-making in real threat scenarios," says Christodoulou.
This shortfall is not exclusive to deepfakes. Many instances of digital fraud and cyber attacks use psychological ploys to trigger heuristic responses:
- A criminal caller claims to represent a bank, urging that the victim's account could be frozen if they don't co-operate.
- An SMS notifies the recipient of a package that they need to collect immediately or it will be destroyed.
- An e-mail claims to be from the revenue service, warning the recipient they'll lose a refund if they don't act now.
These attacks want the person to make a quick but devastating mistake, such as handing over a password, clicking on a malware file or approving a fraudulent profile.
Cyber dexterity closes the knowledge-action gap
Compliance-based training emphasises knowledge and process, yet doesn't close what Christodoulou calls the knowledge-action gap – the discrepancy between what individuals know and how they behave when under threat.
Dynamic, cyber-dexterous training closes this gap by turning knowledge into real-time responses.
"Unlike conventional static training, cyber dexterity is developed through experiential, immersive learning engagements that integrate cognitive, emotional and social elements. These methodologies facilitate the acquisition of tacit knowledge, which is critical for making intuitive decisions in crisis situations. Employees learn to instinctively respond correctly when faced with complex cyber threats involving psychological manipulation, not just knowing what to do."
Training based on cyber dexterity principles uses continuous learning modules, micro-learning scenarios and regular discussions on cyber security within routine business activities to reinforce the culture. It encourages cross-departmental collaboration and joint security exercises, fostering collective cyber security responsibility. Above all, it makes security personal, says Christodoulou.
"Organisations should reframe cyber security as a matter of personal digital safety rather than a corporate compliance requirement. When cyber security practices align with employees' personal digital well-being and their personal interests, individuals are more motivated to consistently adopt secure behaviours."