Knowing and Doing

The 1-Breath Moment: An employee, having just completed mandatory cybersecurity training, falls for a simulated phishing email sent by their own IT department.

In 2020, a major corporation faced backlash after a poorly executed phishing simulation promised employees a holiday bonus, only to reveal it was a test when they clicked the link [1].

The Psychology: This reflects the complex relationship between awareness campaigns and actual behaviour change. Despite increased knowledge, individuals often fail to apply learned principles in real-world situations, a phenomenon known as the “knowing-doing gap” [2].

The Knowing-Doing Gap

Awareness is not training. The purpose of awareness presentations is simply to focus attention on security… [3]

Cybersecurity campaigns often fall short due to a fundamental challenge illustrated by the “Security, Functionality, and Usability Triangle”. The model illustrates the delicate balance organisations must strike in their cybersecurity approaches. The triangle represents three often conflicting goals: security, functionality, and usability. As efforts intensify in one area, they typically come at the expense of the other two. For instance, implementing more stringent security measures often reduces system functionality and user-friendliness. Conversely, prioritising usability might compromise security safeguards.

When cybersecurity campaigns push too hard towards the security vertex of this triangle, they risk inducing “security fatigue” in users. This occurs when security requirements become overly burdensome, leading to cognitive overload. Users faced with an abundance of complex security protocols, frequent password changes, and intricate authentication processes may find themselves overwhelmed. This mental strain can result in decreased compliance, as users seek shortcuts or workarounds to alleviate their cognitive burden.

This concept highlights how pushing too hard on security can create cognitive overload for users, ultimately undermining the campaign's effectiveness. Often, awareness programs bombard employees with too much information in a short time, leading to poor retention and application. The cognitive load of processing and retaining cybersecurity knowledge can be overwhelming, making it difficult to translate awareness into consistent action.

Additionally, generic, one-size-fits-all awareness programs often fail to resonate with employees across different roles and departments. Research demonstrates that security behaviours are highly context-dependent, and interventions that don't account for specific work environments and job responsibilities are likely to be ineffective.

Furthermore, campaigns often assume that knowledge automatically leads to behaviour change, ignoring the complexities of human psychology and habit formation. Changing ingrained habits and behaviours requires sustained effort and motivation. Without ongoing reinforcement and support, individuals often revert to their previous, less secure practices, perpetuating the knowing-doing gap. As the saying goes, practice makes ~~perfect~~ habit.

Traditional awareness campaigns often overlook the psychological factors that influence security behaviours. Issues such as cognitive biases, risk perception, and motivation play crucial roles in determining how individuals respond to security threats. Past research has highlighted the need to incorporate behavioural science principles into security awareness programs [4][5][6]. Campaigns that address psychological barriers to secure behaviour (e.g., optimism bias, present bias) would be more effective than those that simply provide information. Awareness alone is not sufficient to overcome psychological barriers to security compliance, and overemphasis on threats can lead to anxiety and avoidance rather than proactive security behaviours.

Enhancing Awareness

The Impulsive Repost on Social Media Platforms

The 1-Breath Moment: A person reposts or comments on a controversial meme without fact-checking, sparking a social media firestorm.

The Psychology: This exemplifies the online disinhibition effect, where reduced social cues and perceived anonymity lead to impulsive behaviour.

Enhancing Awareness: Before sharing content, take a breath. Ask:

  • Is this information verified?

  • Would I say this in a face-to-face conversation?

  • What might be the consequences of sharing this?

The Phishing Click

The 1-Breath Moment: An employee clicks on a seemingly harmless email link, inadvertently granting hackers access to the company's network.

The Psychology: The “optimism bias” in online risk perception. Individuals may underestimate their personal risk of experiencing negative online events, leading to lax security practices.

Enhancing Awareness: Develop a "stop and think" reflex for digital interactions:

  • Pause before clicking on any links or downloading attachments.

  • Verify the sender’s identity through a separate communication channel if unsure.

  • Regularly update and use security software.

The Viral Post: Dopamine, Social Validation, and Digital Well-being

The 1-Breath Moment: A user posts a photo on Instagram and obsessively checks for likes and comments over the next few hours.

The Psychology: This behaviour is driven by the dopamine-fuelled feedback loop of social media, in which the user obsessively checks for likes, comments, etc.

Enhancing Awareness: Implement mindful social media practices:

  • Set specific times for checking social media, rather than constant monitoring.

  • Reflect on our emotional state before and after using social media.

  • Focus on meaningful interactions rather than quantitative metrics.

The Data Breach: Social Engineering and Human Vulnerability

The 1-Breath Moment: A customer service representative, under pressure during a busy period, provides sensitive information to a caller without proper verification.

The Psychology: This incident demonstrates how social engineers exploit human psychology, particularly under conditions of stress or cognitive load. A 2022 study in Computers & Security found that time pressure, cognitive load, and emotional manipulation were key factors in the success of phishing attacks [7].

Enhancing Awareness: Develop a security-first mindset:

  • Always follow proper verification procedures, regardless of perceived urgency.

  • Be aware of emotional manipulation tactics used by social engineers.

  • If unsure, consult with a colleague or supervisor before providing sensitive information.

The Digital Detox Moment: Building Psychological Resilience

The 1-Breath Moment: A user, feeling overwhelmed by constant notifications, decides to turn off their phone for an hour.

The Psychology: This action reflects a growing awareness of the need for digital mindfulness. Individuals who practice digital mindfulness (being fully present and aware during online interactions) experience lower levels of stress and anxiety related to technology use.

Enhancing Awareness: Cultivate digital mindfulness:

  • Set aside regular periods for disconnecting from digital devices.

  • Practice being fully present during both online and offline interactions.

  • Reflect on your relationship with technology and how it affects your well-being.

Given the limitations of traditional awareness campaigns, researchers and forward-thinking organisations are exploring more holistic approaches to cybersecurity culture. These emerging strategies focus on:

  1. Behavioural Design: Integrating security seamlessly into workflows rather than treating it as a separate task. For example, using nudges and default secure options to make secure behaviour the path of least resistance.

  2. Tailored, Role-Based Training: Developing awareness programs that are specific to different roles and contexts within the organisation.

  3. Continuous, Adaptive Learning: Implementing platforms that provide personalised, just-in-time security guidance based on an employee's behaviour and risk profile.

  4. Psychological Safety: Creating an environment where employees feel safe reporting security concerns without fear of retribution. Organisations that foster psychological safety see significantly higher rates of security incident reporting.

  5. Measuring What Matters: Shifting focus from compliance metrics to outcome-based measurements that reflect actual security improvements and cultural change.

Ultimately, it is up to us to remember that every online interaction is an opportunity or a risk. It is an opportunity to practice awareness. It is a risk that we take. So take that breath, reflect, and make intentional choices in your digital life. In doing so, we'll not only enhance our own cyber resilience but contribute to a more thoughtful and secure digital world for all.

A single breath – a moment of pause and reflection – can make all the difference. By understanding the psychology behind our online behaviours and cultivating mindful digital habits, we can navigate cyberspace more safely and consciously.


  1. https://www.cbsnews.com/news/godaddy-apologizes-insensitive-phishing-email-bonuses-employees/ 

  2. https://www.gsb.stanford.edu/insights/knowing-doing-gap 

  3. Bada, M., Sasse, A. M., & Nurse, J. R. (2019). Cyber security awareness campaigns: Why do they fail to change behaviour?. arXiv preprint arXiv:1901.02672. 

  4. Pfleeger, S. L., & Caputo, D. D. (2012). Leveraging behavioral science to mitigate cyber security risk. Computers & Security, 31(4), 597-611.

  5. Wong, L. W., Lee, V. H., Tan, G. W. H., Ooi, K. B., & Sohal, A. (2022). The role of cybersecurity and policy awareness in shifting employee compliance attitudes: Building supply chain capabilities. International Journal of Information Management, 66, 102520. 

  6. Aschwanden, R., Messner, C., Höchli, B., & Holenweger, G. (2024). Employee behavior: the psychological gateway for cyberattacks. Organizational Cybersecurity Journal: Practice, Process and People. 
