Ferrari avoided a nasty accident, thanks to one simple question and a sharp-minded executive. In late 2024, Ferrari's CEO, Benedetto Vigna, contacted the executive via WhatsApp, urging their involvement in a major but sensitive financial transaction. However, the executive was suspicious and asked a question: what book had Vigna recommended to them the previous week? The "CEO" promptly disconnected, because it wasn't him but a carefully staged deepfake attack.
What is the biggest security vulnerability your organisation will face in 2026? It's not an unpatched server or a misconfigured cloud setting. It's your employees. Research reveals time and again that confusing, coercing and manipulating people remain the most effective way to breach security measures.
Yet, people can also be your strongest security asset. Like the Ferrari executive, they can become suspicious, think laterally and outfox an attacker. The fundamental problem isn't people but how they are prepared for security, says Tony Christodoulou, CEO and Founder of Cyber Dexterity.
"The challenge for business leaders is that traditional 'tick-box' awareness has reached its ceiling. Employees can quote policies yet still approve a fraudulent payment under pressure. Executives can sponsor campaigns yet still fall for a well-crafted voice clone or MFA fatigue attack at the wrong moment. The gap is no longer knowledge; it’s behaviour. The organisations that will thrive in 2026 are those that move beyond awareness to ownership of cyber, fraud and insider risk across their entire ecosystem from their employees to their customers and suppliers."
The flaws in conventional awareness training
Christodoulou calls the alternative to tick-box awareness cyber dexterity: an intuitive, behaviourally embedded ability to detect, interpret and respond to cyber threats, especially those that rely on social engineering and psychological manipulation.
"Cyber dexterity is what happens when secure behaviour is no longer a conscious checklist, but a default reflex. My research in cyber psychology and learning sciences points to it as a critical capability to participate safely and sustainably in the digital economy."
Conventional awareness training doesn't hone this skillset. Instead, tailored training that uses cyber-psychology research is far more effective, incorporating examples of real-world attacks, focusing on emotional manipulation and confronting cognitive biases that shape decisions under pressure.
"The most crucial thing to understand is that cyber criminals weaponise emotions such as urgency, fear and overconfidence, and they use cognitive reactions such as authority bias or familiarity bias to overcome our suspicions and create a false sense of trust."
Traditional e-learning rarely touches these dimensions. It focuses on explicit knowledge, telling people what they should do, but neglects the tacit knowledge and context that underpin real-world decisions.
From “I know the rule” to “I act without hesitation”
Gamified and immersive simulations are showing marked improvements in security awareness. Rather than being told what a phishing e-mail looks like, employees experience realistic attack scenarios in an environment that lets them navigate evolving storylines, make choices, see consequences and reflect on their reasoning.
This approach works for three reasons:
- Social learning and shared sense-making: When people work through scenarios together, discuss what they noticed and compare decisions, they can share tacit cues that rarely appear in formal training.
- Turning explicit rules into tacit reflexes: Repeated practice, feedback and reflection help people move from hearing a rule to articulating its meaning to integrating it with other knowledge, and finally, to acting on it automatically.
- Aligning with how the brain learns under stress: Cyber incidents are rarely calm, reflective moments. Immersive experiences can recreate some of that complexity, helping people recognise their own tendencies under stress and rehearse more secure responses.
How leaders can improve security
Cyber dexterity training deliberately uses narrative, challenge, feedback and social interaction to help people internalise secure behaviours so that, in the wild, they respond with greater confidence and less hesitation.
The first step, though, is for boards and business leaders to recognise the importance of this approach, says Christodoulou.
"Business stakeholders should stop asking if they are training their people and start asking if their people are developing the dexterity to recognise and resist manipulation in real time."
Adopting cyber-dexterous training requires several shifts:
- It redefines success metrics from completion rates and scores to behavioural indicators.
- It treats security training as a strategic risk control, not an HR process.
- It focuses on the whole of human psychology, not just the "user moments" when they log in.
- It provides a safe environment where mistakes and near-misses are learning moments, not sources of blame.
- It deliberately leads organisations towards a cyber-resilient culture where security is accepted broadly, not delegated narrowly.
"In an AI-accelerated world, it is unrealistic to promise perfect prevention. What is achievable and increasingly essential is a workforce that understands how attackers think, recognises when their emotions and biases are being targeted, and has rehearsed secure responses often enough that they feel natural. That is what it means to move from awareness to ownership: people at every level see cyber resilience as part of their professional judgment, not just an IT or compliance requirement."
As 2026 approaches, organisations that embrace this shift will not only reduce the likelihood and impact of incidents, but also build a more confident, adaptable and digitally fluent workforce.
A simple question can derail a potentially catastrophic attack. It's time to hone staff to become your strongest defence.