People continue to be the primary target for cyberattackers, but by understanding why people are susceptible to social engineering – and empowering them to resist it – organisations can reduce their cyber risk exposure.

This is the view of Anna Collard, senior vice-president: content strategy and an evangelist for KnowBe4 Africa, who was addressing a webinar hosted by the Institute of Information Technology Professionals South Africa (IITPSA) Cyber Security special interest group.

The session was moderated by Professor Kerry-Lynn Thomson, Professor in the School of IT at Nelson Mandela University and chairperson of IITPSA’s SIGCyber.

Collard notes that a survey of 1 000 workers in the UK and US showed 48% failed phishing tests because they were distracted – and KnowBe4’s own IT department surveys indicated that in 53% of the cases where their own staff failed phishing simulations, they were multitasking or stressed.

“Interpol’s recent African Cyber Threat Assessment shows that online scams and phishing, followed by BEC, online scams, and ransomware are the most frequently reported cybercrimes in Africa – and in many of these cases, humans are exploited,” she says. “Combating cybercrime is as much about psychology as it is about technology, so we have to build a security culture that addresses human vulnerabilities with behavioural science.”

Drawing on insights from cyber psychology and behavioural science, Collard introduced the concept of digital mindfulness as a powerful tool in the defender's toolkit, one that helps individuals and teams develop cognitive defences, build healthy digital habits, and foster a culture of security from the inside out.

The science of deception

Collard explains: “The science of deception starts with an actor who has a malicious motivation which forms the foundation for a storyline that can be supported by artifacts like deepfakes, ‘cheapfakes’, or phishing mails. When successful, this leads to the incident – the compromise – and, ultimately, the impact on the victim.

“Manipulations don’t need to be AI operated – even authentic content used in the wrong context can be deceptive,” she adds. “A plausible storyline makes a manipulation attempt successful.”

Collard says that what makes humans vulnerable is not just a lack of training – it is also due to cognitive, psychological, situational, demographic, and behavioural factors.

“There are more than 200 cognitive biases that scientists have documented – we get tricked by our own minds into acting on information that exploits how we naturally think. Scams work because they exploit our cognitive shortcuts and psychological tendencies, not because they’re necessarily accurate or truthful.

“The Dunning-Kruger effect makes us overconfident, thinking we’re too smart to be caught out,” she says. “There’s also the plausibility bias, where we accept information simply because it seems reasonable. Criminals deliberately exploit these vulnerabilities because they’ve studied how to do so effectively.

“In addition, the more we see something, the more we like it – even if we were initially sceptical. This is the mere exposure effect. Or if something is easy to process we believe it’s true – even if it’s false. This applies especially to emotional content. In social engineering, scammers often use negative or positive emotional content, which is particularly powerful because it reaches our judgement system before logic has a chance to intervene.”

Instilling mindfulness

Collard explains that mindfulness addresses 23 of the 33 key susceptibility factors including personality traits.

“Practising mindfulness reduces stress, improves your cognitive abilities, and helps you regulate emotional responses to make you less susceptible to social engineering,” she says. “Another term for this digital mindfulness is zero trust mindset – by default not trusting anything until you can verify it. Digital Mindfulness – or zero trust mindset – means creating a healthy dose of scepticism and slowing down emotional reactions that make us fall victim to social engineering.”

She adds that multitasking negatively impacts cybersecurity, limits productivity, and even has mental health implications. “Organisations need to teach people to go back to single-tasking mode, remove distractions, and develop self- and meta-awareness and the power of the pause,” she says.

To change employee behaviour, Collard says: “We can look to science. BJ Fogg – the father of behaviour design – came up with the Fogg Behaviour model that says behavioural change requires motivation, ability, and a prompt to do the behaviour.

“Organisations must equip employees with the tools they need to do the right thing – from password managers to teaching them how to breathe, as well as with nudges or prompts to change their behaviour,” she says. “Organisations can also build a digitally mindful security culture with education and awareness training on the latest scams, regular phishing simulations, and creating psychological safety around making mistakes and reporting when they fall victim to phishing attacks.

“Organisations need to combine advanced technologies with the human element to cultivate real-time situational awareness, adaptability, and resilience,” Collard says. “Security professionals know there’s not one silver bullet to mitigate cyber risk. You need defence in depth – from the technology through to educating, empowering, and protecting people. It needs a layered approach.”