Anna Collard

The Theory and Practice of Cyber-Mindfulness

Updated: Jul 30

In a previous post about a year ago, I wrote about how I failed a phishing simulation test during an Uber ride and how this led me to research human susceptibility factors to social engineering and cyber-mindfulness. I wanted to dig into the real reason behind why I, as a security awareness person with 22+ years of experience in cybersecurity, clicked on a phishing email. By the way, the Uber incident was not the only phishing test I failed - there were quite a few more examples. My theory back then was that it wasn't my lack of skills that made me click, but rather a distracted and multi-tasking state of mind. And some initial research confirmed this theory. Motivated by these findings, I subsequently decided to make this question the focus of my research thesis for my Cyberpsychology Master's program. And here it is finally :)



You can also download the full thesis paper here:



Thesis Abstract

The main research question investigated in this study is which mindfulness training techniques, as part of a wider organizational security awareness campaign, assist users in defending against online social engineering (SE) attacks. In line with this, the goal of the study was to gain a deeper understanding of the effectiveness of mindfulness training as a defence mechanism against SE attacks and of which mindfulness interventions would be most effective. The research started with a literature review to identify factors contributing to susceptibility to phishing and SE. The factors found were classified into cognitive, behavioural, psychological, situational, and demographic categories, and these were then mapped against validated benefits of mindfulness such as improved attentional control, enhanced meta-awareness, reduced stress, and emotional regulation. The review of empirical literature covering mindfulness in cybersecurity specifically confirmed that participants who underwent mindfulness training were better at detecting phishing attempts than control groups, indicating a clear link between mindfulness practices and reduced susceptibility to SE tactics.

Through interviews with 20 experts in cybersecurity and mindfulness, and using inductive qualitative analysis, themes and categories related to the integration of mindfulness in cybersecurity awareness programmes and general organisational settings were identified. While the interviews confirmed many of the theoretical benefits, they also uncovered significant challenges, such as employees' resistance to the terminology, ensuring consistent adoption, difficulties in communication, and quantifying the effectiveness. Based on the findings, the study recommends a companywide culture shift to one that favours deliberation over immediacy and that integrates mindfulness into the broader organisational and cybersecurity agenda. The study concludes that mindfulness, when used as a complement to existing awareness efforts, can significantly strengthen human defences against SE attacks. The most effective approach is a holistic one, in which mindfulness becomes a core component of cybersecurity training programmes and is accompanied by a cultural shift towards more mindful and deliberate organisational behaviours. The study recommends future research on the effect of mindfulness in existing cyber awareness programmes to collect empirical data based on real-life implementations.

Introduction & Problem Statement

The Objective of the Research

Research Questions

Proposed Framework for Susceptibility to Phishing and SE.

Cognitive Factors

Psychological Factors

Behavioural Factors

Situational Factors

Demographic Factors

Previous research on mindfulness in cybersecurity

Validated Benefits of Mindfulness

Present moment & meta-awareness

Attention, focus and concentration

Emotional regulation & self-control

Adverse Effects of Mindfulness Practices

Results: Linking of theory and research question

Analytical sub-questions (theoretical SQ):

Existing literature explaining the role of mindfulness in cybersecurity

Mindfulness benefits mapped to factors of susceptibility to SE and phishing

Empirical Analysis

Collection and Evaluation of Empirical Results

Presentation of Empirical Results

Threats and Vulnerabilities ("the Why")

Solution and antidote ("the Why")

Transforming organisational culture ("the How")

Campaign Approach ("the How")

Techniques and practices ("the What")

Tools

Challenges

Answer to the Empirical Subquestions

Conclusion and Outlook

Future outlook and research directions

References

Please download the full thesis paper as 30 pages are too much to put on here.

