CYBER SECURITY

Human Psychology: Why Cyber Security Awareness Training Is Changing

Written By Lee Tebby

Every year, we are seeing an increase in the sophistication, severity and frequency of cyber attacks on businesses in the UK. Whilst it is often large multinational companies or corporations that make the headlines, cyber criminals also prey on smaller and somewhat easier targets in the SME market.

Cyber security companies are recruiting and employing more technical anthropologists than ever before, in an attempt to incorporate more human behavioural science into their cyber security awareness training (CSAT) platforms.

Scientists know that cyber criminals rely on seven key psychological traits when planning and constructing a cyber attack, which is why a one-size-fits-all approach is no longer the most effective defence against phishing emails, social engineering, voice-based phishing and other scams that use deception or impersonation tactics to solicit personal information or extract funds from individuals in an organisation.


TRAIT 1: FEAR

If you have ever received a phishing email, the chances are that it contained language designed to frighten or intimidate you, because cyber criminals know that fear is a very powerful motivator: a frightened person is likely to behave in ways they can predict and exploit. Fear impairs your decision making, your judgement and your attention to minute detail. Ransomware attacks manipulate people into taking action and making rash decisions for fear of ever-worsening consequences.

Cyber criminals may also impersonate senior figures within your organisation, or government agencies such as HMRC, to convince their victims that there are financial implications for not taking action urgently.

Cyber security awareness training will educate your users to identify red flags such as urgency, language, exposure, aggression and punishment. It will equip your people with the presence of mind to report suspicious communications and to use clear channels to alert the relevant members of your management team. The purpose of CSAT is to raise awareness and empower users to resist the urge to click, respond or take impulsive action, to stop and think, and to make better decisions in protecting your company from cyber attacks.

TRAIT 2: OBEDIENCE

Another commonly used tactic is to impersonate a trustworthy source such as the managing director of the business. You may have seen or heard stories of secretaries or junior team members being asked to make purchases or to transfer funds whilst the head of the company is otherwise engaged in a client meeting or on vacation. This can range from buying a number of low-value Amazon gift cards to paying thousands to a known supplier.

Hackers know that they can persuade users who believe they must obey authority, a belief heavily conditioned by social norms. Coupled with a sense of urgency, this creates stress and a compliant readiness to follow orders, increasing the likelihood that the victim will do as they have been asked.

Teaching employees to avoid rushed decision making, to evaluate actions carefully and to be alert to suspicious behaviour is part of the role of CSAT platforms such as KnowBe4. They highlight the most common persuasion techniques and point out the coercive language and authoritative tone used by cyber criminals in their successful attack strategies.

TRAIT 3: GREED

There has been an explosion of cryptocurrency scams over the past five years, with investment fraud rising by over 100 percent year on year. It is no surprise that financial gain and our desire for money are closely linked to our tolerance for risk. Cyber criminals use inducements that exploit what people want or crave, such as money or privileged access, luring in their victims with promises of eliminating debt, getting rich quick or some other reward.

Social media is awash with sponsored advertisements, direct messages and posts from property investment gurus, online trading experts and crypto specialists, all offering a wealthy lifestyle for less than the price of a cup of premium coffee a day. Leverage is another tactic in the scammer's arsenal, because there are susceptible and vulnerable people who are looking for that magic bullet.

Implementing personalised training aligned to the vulnerability and susceptibility of each user, which varies from person to person, supports the individual personality and characteristics of each employee. Real-world examples are a great way to highlight how scams operate and how they target natural tendencies and behaviours.


TRAIT 4: OPPORTUNITY

Much like the human desire to acquire more wealth or gain, we also have a fear of missing out (FOMO), and when a compelling opportunity is presented it has to be believable. With the rise in the sophistication and authenticity of artificial intelligence, it is much harder to distinguish what is real from what is fake. This has contributed to the number of people falling for social engineering attacks. Research into our psychology shows that even when we are capable of identifying suspicious elements of a fraudulent message, we remain susceptible if we believe we have received a compelling opportunity, unless the risks clearly outweigh the benefits.

Business Email Compromise (BEC) is among the most effective of these attacks and often works by implication, especially when it offers the opportunity to demonstrate the ability to carry out instructions and a willingness to please our senior directors. This is a stark reminder that employees are in a risky position: cyber criminals have greater abilities to create ever more convincing messages using AI, and human psychology can lead to dangerous behaviours.

This highlights the importance of prioritising strong cyber security and adopting email phishing simulations on a regular basis to assess the vulnerability of your users within the business. Testing how susceptible you are to these forms of cyber attack, and gathering evidence to support this, enables you to tailor the training you provide to each individual.

TRAIT 5: SOCIABLENESS

Trust plays a big part in human psychology which is why hackers are constantly devising new ways to mimic natural, organic conversations and convince their victims that they are talking with a trusted entity. They will aim to build rapport, develop a relationship and gain their trust in order to execute a scam using personal information, illusion of legitimacy or other visual cues. Social media is often the tool of choice where this type of cyberattack occurs as it enables a greater manipulation opportunity for naturally social human beings.

Social engineering can take months of preparation and planning before an attack takes place. Cyber criminals monitor your social media content looking for vital information such as important dates like birthdays and anniversaries. They will also look at what content is being posted to try to locate addresses, places of work, who you bank with and so on, in order to leverage this to strengthen the interpersonal connection, establish trust and solicit more information in the future.


Protecting your employees from social engineering is about raising awareness around social sharing especially if this includes intellectual property, client information or insider knowledge of your organisation. The level of awareness will vary depending on personality traits and social habits of each individual and can have a major impact on their susceptibility to this type of cyber attack. Whenever there is a mention of sensitive information or money your users need to understand the need to verify and confirm with whom they are speaking and use multiple independent channels such as calling the bank directly or going via the official website.

TRAIT 6: URGENCY

With the emergence of artificial intelligence, deep fakes and more authentic voice and image generation tools, it has become easier for cyber criminals to convince their victims by imitating the appearance and voice of loved ones. This is one of the most effective tactics: the message contains language designed to disorientate and to prey on the need to evade a crisis by taking urgent action. When people think that their family are in danger or in an emergency situation, they will act more quickly and are prone to make mistakes. The goal is to limit your bandwidth to act rationally and calmly and to spot any red flags.

This is one of the most powerful psychological weapons in the arsenal, as several vulnerabilities are at play: fear, sociableness and urgency. It is extremely successful because it draws attention away from the malicious nature of the attack and inhibits the victim's normal behaviours.


Coercive or threatening language can be a trigger or an indicator that something is not 100% genuine, and regular reinforcement through cyber security awareness training can help employees run through a checklist in their head. The content is designed to help your employees to look beyond the initial request and determine the questions to ask themselves. Why does the person want them to take urgent action? How can they verify or check the authenticity of the message / communication? Would that family member use those words and express concern in that way?

TRAIT 7: CURIOSITY

Our inquisitive nature and our curious mind are a basic feature of human cognition, but they can sometimes override the more rational aspects of our psychology. The creative and innovative people in our companies are often those who demonstrate a willingness to challenge the norm and seek answers to problems, and in those circumstances being curious is valued and rewarded with solutions and competitive advantage.

Spear phishing emails are notorious for containing malicious links and malware downloads. These attacks are carefully crafted and designed to pique our interest, with content highly targeted to a specific individual within the organisation. Hackers know that, as people, we will sometimes seek to satisfy our curiosity even when we expect negative consequences, meaning some employees will click on a link in an email even when it feels suspicious.

With regular phishing email simulations, users can be trained to check the destination URL and sender details, as well as to question whether something is too good to be true. Cyber security awareness training can empower your employees to be a human firewall and a strong defence against such cyber threats. But how this is delivered and used is changing. There is a shift away from the prescriptive method of training, where somebody talks at you for several minutes, towards more engaging and interactive learning.

CSAT at Work:

If we look at the susceptibility of our four individuals, Nigel, Andrew, Emily and Veronica, we know that all seven traits are in play within their organisation. But each requires different training content to educate them on specific tactics or to protect them from specific threats. A one-size-fits-all model would not keep everybody engaged and would not be effective for everyone.

Those susceptible to FEAR need training on the red flags used by hackers. We should target this training towards Emily and Veronica so that they can learn to take a moment to stop and think rather than taking immediate action.


Andrew needs training that teaches him about coercive language and authoritative tone and how to spot these tactics and arm him with the relevant skills to check and validate any requests.

Real-world examples demonstrate the practical ways in which our natural tendencies can be used against us. Nigel is a good candidate for this style of learning, as it will detail how the scam was set up, how the victims were targeted, what tactics were adopted by the hackers and what the outcome was for the organisation. Many lessons focus on recent events, so the case may be something that made headline news or appeared in industry publications, in which case it will be relatable and may make the threat feel more real to the users.
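The tailoring described in this section can be driven directly by phishing-simulation results. The following is an added example, not code from the article or from any CSAT product such as KnowBe4: it scores each user's click rate per trait from a constructed simulation log and picks matching modules. The module names, the log entries and the 50% threshold are assumptions made for illustration.

```python
# Added example (not from the article or any CSAT product): turn phishing-simulation
# results into per-user trait susceptibility and a personalised module list.
from collections import defaultdict

TRAITS = ("fear", "obedience", "greed", "opportunity",
          "sociableness", "urgency", "curiosity")

# Hypothetical module per trait, mirroring the article's advice for each one.
MODULES = {
    "fear": "Red flags: urgency, threats and punishment",
    "obedience": "Coercive language and authoritative tone; verify requests",
    "greed": "Real-world scam walkthroughs (investment and crypto fraud)",
    "opportunity": "Too-good-to-be-true offers and BEC",
    "sociableness": "Social sharing and out-of-band verification",
    "urgency": "Pause-and-verify checklist for emergency requests",
    "curiosity": "Checking destination URLs and sender details",
}

# Constructed log: (user, trait the lure targeted, outcome), where outcome is
# "clicked", "reported" or "ignored". Values are invented for this example.
SIMULATIONS = [
    ("Emily", "fear", "clicked"), ("Emily", "fear", "clicked"),
    ("Emily", "greed", "reported"), ("Emily", "curiosity", "ignored"),
    ("Veronica", "fear", "clicked"), ("Veronica", "fear", "clicked"),
    ("Veronica", "urgency", "reported"), ("Veronica", "obedience", "ignored"),
    ("Andrew", "obedience", "clicked"), ("Andrew", "obedience", "clicked"),
    ("Andrew", "fear", "reported"), ("Andrew", "greed", "ignored"),
    ("Nigel", "greed", "clicked"), ("Nigel", "opportunity", "clicked"),
    ("Nigel", "fear", "reported"), ("Nigel", "obedience", "reported"),
]

def susceptibility(records):
    """Return {user: {trait: click rate}} over the lures each user received."""
    counts = defaultdict(lambda: defaultdict(lambda: [0, 0]))  # [clicks, lures]
    for user, trait, outcome in records:
        if trait not in TRAITS:
            raise ValueError(f"unknown trait {trait!r}")
        counts[user][trait][1] += 1
        counts[user][trait][0] += outcome == "clicked"
    return {u: {t: c / n for t, (c, n) in ts.items()} for u, ts in counts.items()}

def assign_training(records, threshold=0.5):
    """Pick a module for every trait whose click rate exceeds the threshold,
    most susceptible first; a user with no weak trait gets the baseline refresher."""
    plan = {}
    for user, rates in susceptibility(records).items():
        weak = [t for t in rates if rates[t] > threshold]
        weak.sort(key=lambda t: (-rates[t], t))
        plan[user] = [MODULES[t] for t in weak] or ["Baseline refresher"]
    return plan
```

Run on the constructed log, this reproduces the section's assignments: Emily and Veronica get the FEAR module, Andrew the obedience module, and Nigel the real-world scam walkthrough.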

In Summary:

CSAT is changing, and behavioural science is helping SMEs to better protect their companies. There are vast differences in how these major psychological vulnerabilities manifest in each individual, which is why one-size-fits-all training is less effective than personalised learning. Cyber crime is becoming more sophisticated, and your awareness programme needs to cultivate an acute sense of the full range of tactics that cyber criminals employ. Across the entire organisation, personal responsibility, mental resilience and an understanding of the threats are needed at every level.

When you have a comprehensive understanding of how victims' psychological vulnerabilities can be leveraged, you can use this knowledge to develop personalised and engaging training that addresses every individual profile and empowers your workforce with the mental tools they need to fight back.


Join our mailing list and keep up-to-date with all the latest business news and information from axisfirst.