People continue to be the primary target for cyber attackers – a growing challenge for organisations as threats escalate globally. However, by understanding why people are susceptible to social engineering and empowering them to resist it, organisations can reduce their cyber risk exposure.
This is according to Anna Collard, SVP of Content Strategy and an Evangelist for KnowBe4 Africa, who was addressing a webinar hosted by the Institute of Information Technology Professionals South Africa (IITPSA) Cyber Security special interest group. The session was moderated by Prof Kerry-Lynn Thomson, Professor in the School of IT at Nelson Mandela University and chairperson of IITPSA’s SIGCyber.
Collard noted that a survey of 1 000 workers in the UK and US showed 48% failed phishing tests because they were distracted, and KnowBe4’s own IT department surveys indicated that in 53% of the cases where their own staff failed phishing simulations, they were multitasking or stressed.
“Interpol’s recent African Cyber Threat Assessment shows that online scams and phishing, followed by BEC, online scams and ransomware, are the most frequently reported cyber crimes in Africa, and in many of these cases, humans are exploited. Combating cyber crime is as much about psychology as it is about technology, so we have to build a security culture that addresses human vulnerabilities with behavioural science.”
Drawing from insights in cyber psychology and behavioural science, Collard introduced the concept of digital mindfulness as a powerful tool in the defender’s toolkit, helping individuals and teams develop cognitive defences, build healthy digital habits and foster a culture of security from the inside out.
The science of deception
Collard explained: “The science of deception starts with an actor who has a malicious motivation, which forms the foundation for a storyline that can be supported by artefacts like deepfakes, ‘cheapfakes’ or phishing mails. When successful, this leads to the incident, the compromise and, ultimately, the impact on the victim.
“Manipulations don’t need to be AI operated – even authentic content used in the wrong context can be deceptive. A plausible storyline makes a manipulation attempt successful.”
She said what makes humans vulnerable is not just a lack of training; cognitive, psychological, situational, demographic and behavioural factors also play a role.
“There are more than 200 cognitive biases that scientists have documented – we get tricked by our own minds into acting on information that exploits how we naturally think. Scams work because they exploit our cognitive shortcuts and psychological tendencies, not because they’re necessarily accurate or truthful.
“The Dunning-Kruger effect makes us overconfident, thinking we’re too smart to be caught out. There’s also the plausibility bias, where we accept information simply because it seems reasonable. Criminals deliberately exploit these vulnerabilities because they’ve studied how to do so effectively,” she said.
“In addition, the more we see something, the more we like it – even if we were initially sceptical. This is the Mere Exposure effect. Or if something is easy to process, we believe it’s true – even if it’s false. This applies especially to emotional content. In social engineering, scammers often use negative or positive emotional content which is particularly powerful because it reaches our judgment system before logic has a chance to intervene.”
Instilling mindfulness
Collard explained that mindfulness addresses 23 of the 33 key susceptibility factors, including personality traits.
“Practising mindfulness reduces stress, improves your cognitive abilities and helps you regulate emotional responses to make you less susceptible to social engineering. Another term for this digital mindfulness is zero trust mindset – by default not trusting anything until you can verify it. Digital mindfulness – or zero trust mindset – means creating a healthy dose of scepticism and slowing down emotional reactions that make us fall victim to social engineering,” Collard said.
Collard added that multitasking negatively impacts cyber security, limits productivity and even has mental health implications. “Organisations need to teach people to go back to single tasking mode, remove distractions and develop self- and meta-awareness and the power of the pause,” she said.
To change employee behaviour, Collard said: “We can look to science. BJ Fogg, the father of behaviour design, came up with the Fogg Behaviour model that says behavioural change requires motivation, ability and a prompt to do the behaviour. Organisations must equip employees with the tools they need to do the right thing – from password managers to teaching them how to breathe, as well as with nudges or prompts to change their behaviour. Organisations can also build a digitally mindful security culture with education and awareness training on the latest scams, regular phishing simulations and creating psychological safety around making mistakes and reporting when they fall victim to phishing attacks.”
“Organisations need to combine advanced technologies with the human element to cultivate real-time situational awareness, adaptability and resilience,” she said. “Security professionals know there’s not one silver bullet to mitigate cyber risk. You need defence in depth – from the technology through to educating, empowering and protecting people. It needs a layered approach.”
Prof Thomson underscored this point, noting: “Often, cyber security vulnerabilities aren’t technical – they are habitual, unconscious or automatic behaviour. People are inclined to click, accept and reply automatically, especially when under pressure or multitasking. Digital mindfulness helps in breaking through that ‘autopilot’ loop.”