The Theory and Practice of Cyber-Mindfulness
- Anna Collard
- Jul 29, 2024
Updated: Oct 9, 2024
In a previous post about a year ago, I wrote about how I failed a phishing simulation test during an Uber ride and how this led me to research human susceptibility factors to social engineering and cyber-mindfulness. I wanted to dig into the real reason why I, as a security awareness person with 22+ years of experience in cybersecurity, clicked on a phishing email. By the way, the Uber incident was not the only phishing test I failed - there were quite a few more examples. My theory back then was that it wasn't my lack of skills that made me click, but rather a distracted and multi-tasking state of mind. And some initial research confirmed this theory. Motivated by these findings, I subsequently decided to make this question the focus of my research thesis for my Cyberpsychology Master's program. And here it is finally :)

You can also download the full thesis paper here:
Thesis Abstract
The main research question investigated in this study is which mindfulness training techniques, as part of a wider organizational security awareness campaign, assist users in defending against online social engineering (SE) attacks. In line with this, the goal of the study was to gain a deeper understanding of the effectiveness of mindfulness training as a defence mechanism against SE attacks and of which mindfulness interventions would be most effective. The research started with a literature review to identify factors contributing to susceptibility to phishing and SE. The factors found were classified into cognitive, behavioural, psychological, situational, and demographic categories, and these were then mapped against validated benefits of mindfulness—such as improved attentional control, enhanced meta-awareness, reduced stress, and emotional regulation. The review of empirical literature covering mindfulness in cybersecurity specifically confirmed that participants who underwent mindfulness training were better at detecting phishing attempts than control groups, indicating a clear link between mindfulness practices and reduced susceptibility to SE tactics.
Through interviews with 20 experts in cybersecurity and mindfulness, and using inductive qualitative analysis, themes and categories related to the integration of mindfulness in cybersecurity awareness programmes and general organisational settings were identified. While the interviews confirmed many of the theoretical benefits, they also uncovered significant challenges, such as employee resistance to the terminology, ensuring consistent adoption, difficulties in communication, and quantifying the effectiveness. Based on the findings, the study recommends a companywide culture shift to one that favours deliberation over immediacy and that integrates mindfulness into the broader organisational and cybersecurity agenda. The study concludes that mindfulness, when used as a complement to existing awareness efforts, can significantly strengthen human defences against SE attacks. The most effective approach is a holistic one, in which mindfulness becomes a core component of cybersecurity training programmes and is accompanied by a cultural shift towards more mindful and deliberate organisational behaviours. The study recommends future research on the effect of mindfulness in existing cyber awareness programmes to collect empirical data based on real-life implementations.
Introduction & Problem Statement
Sixty-eight percent of the breaches reported in Verizon's 2024 Data Breach Investigation Report involved human elements (Verizon, 2024). Social engineering (SE), or "human hacking," manipulates people using psychological, personality, or behavioural weaknesses (Anderson, 2008; Albladi & Weir) to achieve unauthorized access to systems and data (Siddiqi & Pak, 2022), to deceive victims into scams (Atkins & Huang, 2013), or to spread disinformation (Innes et al., 2019). SE attacks can be carried out through various channels including emails (phishing), phone calls (vishing), SMS (smishing), social media, chat apps, gaming platforms, and video conferencing, or a combination of the above.
The main difficulty in countering SE-based attacks is the absence of a consistent pattern or methodology (Siddiqi & Pak, 2022). Because SE exploits how humans assign meaning to content, it is difficult to rely on technical countermeasures only (Wash, 2020). Moreover, advancements in artificial intelligence (AI) have birthed "deepfakes", further complicating the landscape with their powerful potential for misinformation and manipulation (Caldwell et al., 2020). Because SE attacks continue to successfully circumvent both technical and human defences, they are considered one of the leading cybersecurity threats today (Airehrour et al., 2018). Much research has been conducted to explore how to train people to recognise SE (Gardner & Thomas, 2014; Nachin et al., 2019; Petelka et al., 2019). Interestingly, the behaviour of most people is not inherently risky: on average only 12% of users are categorized as high risk, yet they account for 30% of all real-world phishing clicks and 42% of all malware events (Elevate, 2023).
Mindfulness, the practice of maintaining attention on the present moment with an open and non-reactive stance (Kabat-Zinn, 2017), has been posited as a countermeasure to the mindlessness that leads to vulnerability in SE attacks. The hypothesis for this research is that incorporating mindfulness into cybersecurity awareness training can improve attention control, awareness of mental states (meta-awareness), and stress management, thus decreasing vulnerability by strengthening resilience against manipulative tactics. This is especially crucial as cyber attackers increasingly employ advanced SE methods using generative AI and automation, highlighting the urgent need for research into psychological and behavioural defences within a comprehensive cybersecurity strategy.
The Objective of the Research
The choice of focussing on mindfulness as a defence against SE attacks is predicated on several key reasons. One is the growing threat of SE and the difficulty in countering SE-based attacks through technical means (Siddiqi & Pak, 2022, Wash, 2020). Furthermore, with the use of AI-enabled tools, SE can be easily automated, increased in sophistication, and performed on a large scale (Chetioui et al., 2022). The difficulty in defending against SE attacks and their effectiveness in manipulating people make them one of the most significant cybersecurity threats today (Airehrour et al., 2018). Acknowledging the human aspect is both a logical and necessary step to defend against the growing SE threat (Dobák, 2023). A multidimensional approach that values both hard and soft skills is required to achieve security maturity (Lugo et al., 2023).
Conventional security awareness training—although important and effective—misses an important step in cognitive processing. In his paper “How Experts Detect Phishing Scam Emails”, Wash shows that experts go through a three-stage process to identify SE attacks such as phishing emails. First, and only for messages they deem important, they engage in a “sensemaking process”, where they notice cues, discrepancies, or things that are not quite right (Wash, 2020). As a second step, triggered by a level of suspicion, they investigate further to determine whether a message is an SE attempt or not. Most traditional cybersecurity training focuses on the second step of this process, teaching users how to recognise specific aspects of SE, such as what fraudulent URLs look like and how to identify them by hovering over the URLs. These are important training elements; however, they miss the critical first step of “sensemaking”: tapping into one’s meta-awareness, such as one's emotional state and internal and external cues ("something seems off"), which precedes a deliberate slowing down and mindful investigation before reacting. This pre-selective approach addresses the limitation highlighted by Sasse, who pointed out that training which asks users to spend time dealing with every incoming message is unrealistic for users who receive hundreds of emails per day (Sasse, 2023).
Mindfulness has been scientifically proven to enhance attention, cognition, emotional regulation, and stress management, which in turn could help individuals detect and counter SE tactics in cybersecurity (Bishop et al., 2004; Brown et al., 2007; Shapiro, 2009; Turkelson & Mano, 2021; Dunne et al., 2019). Mindfulness represents a novel, proactive, and user-centric approach to cybersecurity awareness that is accessible to a broad audience within the workforce without requiring extensive technical background or knowledge. This research is expected to contribute to the theoretical understanding of how mindfulness affects cognitive, behavioural, situational, and psychological processes relevant to SE susceptibility in organisational settings. The qualitative approach provides a nuanced understanding of how mindfulness practices are currently implemented in existing security awareness campaigns, how security awareness professionals perceive their efficacy, and the challenges they face in integrating these practices in their organisational settings. Practically, these findings are intended to inform the development of more effective cybersecurity training programmes that incorporate mindfulness as a core element. The insights gained could also contribute to the formulation of strategies that recognise the importance of psychological readiness as a critical component of cybersecurity defences. Promoting mindfulness as a cybersecurity defence in the workplace will have ancillary benefits for employee wellbeing and productivity, as these practices are known to reduce stress and improve overall mental health. This would be particularly beneficial for cybersecurity leaders and teams, who are plagued by burnout, stress, and fatigue (Nobles, 2022).
Research Questions
General main research question (MRQ)
Which mindfulness training techniques, as part of a wider organizational security awareness campaign, assist users in defending against online SE attacks?
Analytical sub-questions (theoretical SQ):
What habitual patterns of behaviour (e.g. distraction, lack of attention, impulsive decision-making, emotional reactions) are known to affect an individual's susceptibility to SE tactics?
What theories in the existing psychological and cybersecurity literature can be integrated to explain the role of mindfulness in enhancing an individual's resilience to SE attacks?
Methodological sub-questions (empirical SQ)
How can mindfulness practices be effectively integrated into organizational security awareness and training programs?
What are the key elements that make mindfulness training effective in enhancing security awareness against SE attacks?
What types of challenges are experienced by security awareness practitioners when implementing mindfulness practices into their security awareness campaigns?
Existing Frameworks for Susceptibility to Phishing and SE
Multiple conceptual frameworks and models exist that provide insights into susceptibility factors to phishing and SE. Vishwanath et al. (2018) developed a framework that considers the cognitive, instinctive, and automatic actions that might result in someone being tricked by phishing. This Suspicion, Cognition, and Automaticity Model (SCAM) assessed individuals on various parameters including their level of doubt, instinctive reactions, deliberate thought processes, beliefs about online risks, email habits, and their ability to control their responses. They found that the level of suspicion individuals applied was higher when they engaged in a thorough evaluation of an email. In contrast, scepticism was lower when they quickly assessed emails using mental shortcuts or heuristics. Individuals’ awareness of cyber risks influenced both of these. Those who considered their online behaviour to be safe were more prone to rely on heuristic evaluation (Vishwanath et al., 2018).
Molinaro and Bolton (2019) used the double system lens model, a method for analysing judgement, along with cognitive continuum theory to better understand the relationship between cognition and phishing susceptibility. The study pinpointed that an analytical approach was the most suitable type of thinking for categorising emails and that it corresponded with a reduced incidence of falling for phishing scams (Molinaro & Bolton, 2019). Musuva’s Elaboration Likelihood Model (ELM) study involved testing 25 hypotheses and investigating the roles of cognitive processing and threat detection. The findings suggest that the ability to detect threats is the most effective factor in spotting phishing attempts. Individuals who put in the cognitive effort to scrutinise messages are less susceptible to such threats (Musuva et al., 2019).
In 2022, Yang and colleagues proposed a model called the multidimensional phishing susceptibility prediction model (MPSPM) to assess the likelihood of users falling for phishing attempts. Their study involved 1,105 volunteers, from whom data on demographics, personality, knowledge, security practices, and cognitive processes were collected. Machine learning methods applied to this data showed high accuracy in predicting which users were more likely to be tricked. The study found a notable correlation between personality traits and vulnerability to phishing, with a particularly strong connection between the trait of extraversion and susceptibility (Yang et al., 2022).
The Phishing Susceptibility Model (PSM) created by Zhuo and colleagues in 2023 organises susceptibility factors into three different stages of when they affect individuals during a phishing attack and the impact of situational, long-term, cognitive, in-the-moment, and external factors. The PSM, unlike other models, includes situational factors that influence susceptibility, for example, when the user is under a period of high stress. The PSM highlights the need for more research to understand susceptibility factors and improve protection against phishing susceptibility (Zhuo et al., 2023).
Proposed Framework for Susceptibility to Phishing and SE
Human behaviour is complex and cannot be fully explained by a single or a few factors. Rather, it is an interplay of various elements that interact with each other. Although some factors may be more dominant, they all contribute to the susceptibility of an individual to SE attempts. A person’s likelihood of being deceived by SE tactics is determined by a mix of inherent traits and situational factors (Williams et al., 2017). Inefficient cognitive processing is often the reason individuals fall prey (Vishwanath et al., 2018), compounded by cognitive biases and their perception of risk, which are shaped by various influences, and these influences, in turn, shape them. An integrated approach that considers multidimensional features can offer deeper insights into vulnerabilities to SE (Yang et al., 2022). Multiple factors co-exist that influence decision-making, such as intense emotions, insufficient knowledge, capacity of working memory, inability to process information, mental operations and biases, time constraints, trust, personality traits, and persuasive communication modes (Jones & Race, 2015; Tsohou et al., 2015; Uebelacker & Quiel, 2014). A better understanding of these complexities can lead to more effective countermeasures (Luo et al., 2011), with susceptibility influenced both by individual characteristics as well as attackers' persuasion techniques (Vishwanath et al., 2011). For this thesis, findings from previous susceptibility models listed above were considered as a foundation for a new, comprehensive, but simplified model suitable for the objective of this research and described in detail in the next section:
Cognitive: dual decision making and heuristics, cognitive biases, attention and critical thinking, mind wandering, vigilance decrement & sustained attention and impulsivity (cognitive).
Psychological: emotional regulation, self-control, self-awareness, self-efficacy, susceptibility to persuasion, personality traits, social proximity, mood, and mental illnesses & conditions.
Behavioural: habitual patterns and autopilot, multitasking, IT knowledge & expertise, overconfidence, attitudes toward the organization / work commitment, access method, Problematic Social Media Use (PSMU).
Situational: stress, workload, fatigue and hunger, years of employment, position of power, quality of CSA programs, culture, distribution time, distraction and department.
Demographic: age and gender.
Cognitive Factors
Dual decision making and heuristics
Kahneman’s conceptualisation of System 1 and System 2 thinking has become an influential model for understanding the cognitive processes underlying human judgement and decision-making (Kahneman, 2011). The intuitive thought processes of System 1 are quick, rely on mental associations, and require minimal effort or conscious reasoning, largely drawing upon emotions and past experiences. Dual-process theories suggest that humans tend to default to this automatic style of thinking to preserve mental energy, favouring intuitive judgments over analytical reasoning because they are quicker and less demanding (Kahneman, 2011). Consequently, heuristic processing often prevails in how we handle information. However, while using heuristic shortcuts is time-saving, it often leads to lapses in rationality and a higher incidence of mistakes in decision making (Tversky & Kahneman, 1974).
Choices made using System 1 or heuristics, essentially mental shortcuts, tend to be impulsive and intuitive and are often more susceptible to being swayed by persuasive techniques such as those used in SE (Butavicius et al., 2015). People who possess a stronger capacity for deliberate processing, as opposed to instinctive responses, demonstrated greater ability in spotting phishing emails (Jones et al., 2019). Vishwanath et al. (2011) studied the cognitive process of checking emails using the Heuristic Systematic Model (HSM). The HSM suggests that more heuristic processing leads to lower suspicion, whereas more systematic processing leads to higher suspicion (Chaiken, 1980). Interestingly, evidence suggests that decision-making styles can be altered through training, indicating that repeated exposure to various types of SE can lead to the development of effective countermeasures (Vishwanath et al., 2011). This also underscores that theoretical education on SE threats alone is not sufficient (Schaab et al., 2016; Sasse et al., 2023).
Cognitive biases
Somewhat linked to heuristic thinking, cognitive biases are well-established and extensively studied phenomena in psychology and decision-making research. Researchers and behavioural scientists have catalogued 200+ cognitive biases that result in inaccurate or irrational decision making (Friedman, 2023) or affect judgement and risky decision-making (Montibeller & Winterfeldt, 2015; Jones et al., 2019). Cognitive biases can impair a person’s ability to effectively make decisions, leading them to mistakenly believe that their reasoning is sound when it is not (Kahneman, 2011). Ineffective cognitive processes and biases have been linked to online victimisation (Vishwanath et al., 2018).
Confirmation bias leads individuals to favour information that aligns with their existing beliefs, overlook inconsistencies or warning signs in phishing emails or SE attempts, and instead focus on information that aligns with their expectations (Atkins & Huang, 2013). Bias blindness refers to individuals failing to recognise their biases and claiming their judgments to be objective (Williams et al., 2017). Optimism bias refers to the tendency of individuals to assume that bad things happen to other people and not to themselves (Weinstein, 1980). Optimism bias impacts people’s susceptibility to SE, as individuals believe that they will not be the targets of SE in the first place (Schaab et al., 2016). Research about the impact of cognitive biases on phishing susceptibility shows that authority bias was more effective than others in deceiving participants (Sharma et al., 2023). SE often impersonates authority figures such as CEOs or high-ranking officials of trusted organisations, because targets are less likely to question them. Truth bias is a mechanism that allows individuals to process the vast quantities of sensory information they encounter daily in a quick and efficient way (Gilbert, 1991), tending to believe the information they receive (Bond & DePaulo, 2006). Constant scepticism would be mentally too exhausting, and truth bias leads people to trust emails from known sources, which can lead them to overlook signs of fraud (Elaad, 2003; Williams et al., 2016). The curiosity effect refers to people’s natural inclination to resolve their curiosity, even if it may have negative consequences. Cybercriminals exploit this bias by crafting phishing messages that arouse the recipient’s curiosity (Krombholz et al., 2015).
Hyperbolic Discounting refers to the inclination to choose smaller immediate rewards over larger rewards that come later in the future, which can make people vulnerable to phishing scams offering "free trials" or "free coupons" (Krombholz et al., 2015; Sharma et al., 2023). The anchoring bias makes individuals rely too heavily on one piece of information (like the sender's name or subject line) and fail to critically evaluate other indicators of legitimacy (Iuga et al., 2016).
The recency effect is a cognitive bias that impacts judgement favouring recent events or knowledge, thus leading to potentially poor security responses. It causes people to focus mainly on the most recent events, often causing them to overlook other significant security alerts (Safi & Browne, 2023). The Dunning-Kruger effect, which demonstrates that people tend to overrate their abilities and often think they understand more about a subject than they actually do, can lead to an overestimation of one’s security knowledge (Kruger & Dunning, 1999). Multiple biases can work together simultaneously and distort an individual’s decision-making (DaSilva, 2023). Social engineers use multiple persuasion techniques to exploit cognitive biases such as those listed above and others to manipulate people.
Attention and critical thinking
Research identified that paying attention to the sender's identity, the quality of the grammar and spelling, the presence of urgency signals, and the email's title or subject line were all significantly correlated with phishing susceptibility (Vishwanath et al., 2011). This suggests that the more attention given to these elements, the less likely a person is to fall for an SE attempt. Deep contemplation or critical thinking (elaboration) was not significantly linked to response likelihood, possibly because participants relied on straightforward conclusions drawn from specific cues in the situation. Both thorough thinking and careful attention were connected to a reduced overall chance of falling victim to phishing in a study among college students (Jones et al., 2016). Musuva et al. (2019) observed that the level of careful thought and consideration (elaboration) influences the likelihood of detecting phishing threats, although its direct impact was not significant. These findings suggest that while attention is important, deep elaboration and critical thinking may only play a small role in how susceptible someone is to phishing, and this warrants more detailed investigation.
Mind wandering
Mind wandering or daydreaming refers to the phenomenon in which one’s attention drifts to thoughts that are unrelated to current tasks and represents a breakdown in executive control (McVay & Kane, 2010). Individuals are more prone to mind-wandering when they feel bored, stressed, disengaged, or are not performing well in their current activity (Kane et al., 2007). Mind wandering is quite a common occurrence, with people’s thoughts drifting from their current task between 30% (Kane et al., 2007) and almost 50% (Killingsworth & Gilbert, 2010) of their awake time. Mind wandering is often marked by an absence of meta-awareness, which is one's moment-to-moment awareness of their own conscious thoughts (Schooler, 2011). Given that mind-wandering is linked with decreased task efficiency and that the content of emails might trigger mind-wandering, it stands to reason that a tendency to mind-wander increases susceptibility (Zhuo et al., 2023).
Vigilance decrement
Research in the field of vigilance has consistently shown that the ability to detect and respond accurately tends to decline over time, an effect known as the "vigilance decrement" (Warm & Parasuraman, 2008). Sustained attention to tasks, especially those requiring constant alertness, naturally decreases with task duration, even when high stakes are involved (Davies & Parasuraman, 1982). The onset of vigilance decrement, or the decline in attentional performance, typically starts within the first 15–30 min of an attention-demanding task. If a task is challenging, this decrease can occur within just a few minutes (Teichner, 1974; Nuechterlein et al., 1983).
In their paper “Vigilance Requires Hard Mental Work and Is Stressful” the authors suggest that the cognitive demands of sustained vigilance can impact performance and decision-making (Warm et al., 2008). Impaired decision making is related to phishing susceptibility. Signal detection theory (SDT) methods have been used to measure susceptibility to phishing, treating the task of identifying phishing attempts as one requiring continuous attention, similar to vigilance tasks (Canfield et al., 2016; Kaivanto, 2014; Lawson et al., 2020). Determining whether the findings on vigilance in controlled lab environments can be applied to real-world situations, like an office with high workloads and complex job demands, remains an open question that future cybersecurity research should explore.
Impulsivity (cognitive)
Impulsivity is defined as both a cognitive state (Baumeister et al., 1998) and a personality trait (Holtfreter et al., 2010). Cognitive impulsivity is characterised by an inability to compare immediate consequences with future events and an inability to delay satisfaction (Bakhshani, 2014). According to Patton et al., three factors contribute to impulsivity: 1. Motor activation, or acting on the spur of the moment; 2. Inattentiveness, or not focussing on the task at hand; and 3. Not planning and thinking carefully (Patton et al., 1985). As a personality trait, it is marked by a tendency not to think things through before acting, engaging in risk-taking or thrill-seeking activities, and making hasty decisions, especially in emotionally charged situations (Whiteside, 2001). Impulsiveness in decision making is linked to a decreased ability to identify phishing threats (Parsons et al., 2013), whereas lower levels of cognitive impulsivity help people defend themselves against spear-phishing attacks (Butavicius, 2015).
Psychological Factors
Emotional Regulation
SE attacks that evoke emotional responses can interfere with the analytical and deliberate thought processes of System 2 thinking and drain working memory resources (Curci et al., 2013). Strong emotions can also skew or interrupt focus (Bodenhausen et al., 2000; Fredrickson & Branigan, 2005). This may hinder the logical System 2 processes that would typically respond to the red flags raised by the intuitive System 1. Fear or excitement play a significant role in influencing a user’s normally rational behaviour (Conteh & Schmick, 2016). In situations where individuals are confronted with an email that seems familiar while they are in an emotionally charged state, they are more prone to reacting automatically or excessively trusting the sender (Roghanizad, 2021). In one study, emails triggering positive emotions had a higher success rate in prompting users to click on included links compared with those that elicited negative emotions (Tian & Jensen, 2019). This indicates the need for further understanding of the link between user interests, their emotional states, and the likelihood of falling for phishing scams.
Self-control
The absence of self-discipline and self-control is linked to impulsive actions, such as making unplanned purchases (Roberts & Manolis, 2012). This impulsiveness is similar to the susceptibility seen in people who have experienced scams and rely on quick judgement rather than thorough analysis. People with low self-control are more often victims of crime (Pratt, 2016). Resisting attempts to influence one’s decisions is a challenging task that demands significant mental energy and effort (Fransen & Fennis, 2014). Fatigue, recent mental exertion from decision making, or a lack of willingness or capacity to self-regulate can decrease self-control, defaulting to more automatic, heuristic-based thinking (Welsh et al., 2014; Vohs et al., 2008).
Links exist between self-control and the probability of being influenced online, particularly in social media contexts. Frequent use of Facebook, extensive networking, and a lack of self-regulation were the most significant indicators for falling for online scams (Vishwanath, 2015). Increasing one's self-control, particularly in managing impulsivity, can lead to a reduction in the likelihood of falling prey to phishing attacks (Mayhorn et al., 2015; Neupane et al., 2016; Tjostheim & Waterworth, 2020). Individual standards and self-awareness or tracking of one’s behaviour are two factors that can influence self-control (Baumeister, 2002).
Self-Awareness
While it is possible for people to learn how to concentrate on themselves through experimental methods (Duval & Wicklund, 1973), the natural tendency for self-awareness has been connected to how likely an individual is to be influenced by others (Fenigstein et al., 1975). People with a strong sense of self-awareness tend to rely more on their own understanding, values, and beliefs when making decisions. This tendency strengthens their ability to ward off influence and persuasion attempts (Hutton & Baumeister, 1992). In the context of SE or phishing scams, self-awareness may play a role in recognising and avoiding potential threats. For example, being aware of one’s own thoughts and emotions can help individuals identify when they may be more vulnerable to manipulation or deception. However, further research is required.
Self-efficacy
Self-efficacy refers to someone’s judgement of what can be done with their abilities rather than their actual abilities (Bandura, 1991). Self-efficacy has been linked to improved cybersecurity awareness attitude, knowledge, and behaviour and is an important factor in SE susceptibility (Arachchilage & Love, 2014; Zainal et al., 2021). Phishing detection self-efficacy and general technical understanding are higher in non-susceptible individuals, and susceptible individuals seem to be more frightened of cybercrime than non-susceptible individuals (Ribeiro et al., 2024). Individuals should not only be able to identify a threat but also perceive themselves as able to effectively defend against that threat. If they lack confidence in managing the threat effectively, they may choose wrong behaviours, such as avoiding or denying it rather than reducing the risk (Williams & Joinson, 2020). This may explain why practical coping-based advice was considered more effective than threat-based messages in influencing online security behaviour across 2024 participants in five European Union countries (Bavel et al., 2019).
Susceptibility to persuasion (i.e. gullibility) & suspicion
An inclination towards gullibility is linked to the readiness to trust others (Bullée et al., 2015). Suspicion, a predictor of deception-detection, also referred to as trust’s “darker cousin” (McCornack & Levine, 1990, p. 219), is characterised as how doubtful one feels when dealing with a certain stimulus (Lyons et al., 2011). Dishonesty is a "social act" that requires an understanding of others’ thoughts and beliefs (theory of mind), which explains why in contexts and societies where deceit is more common, individuals tend to be more sceptical (Muñoz García et al., 2023). It has been observed that falling for scams is like making an erroneous judgement: it is not related to one’s intelligence but rather to temporary interruptions in logical decision-making processes (Fischer, 2013).
Suspicion and the tendency to trust have been identified as key elements in determining one's likelihood of being deceived (Vishwanath, 2018; Workman, 2008). A person’s inherent inclination to believe in the good intentions of others, known as dispositional trust, has been found to significantly increase susceptibility to SE attempts (Alseadoon, 2014; McKnight et al., 2004; Workman, 2008; Wright et al., 2009). The Distrust Scale (Tellegen et al., 1995) assesses a person’s propensity to distrust others. Even a moderate level of aroused suspicion can improve the accuracy of deception detection (McCornack & Levine, 1990). While scepticism and suspicion are not classified as traits within the Big Five personality model, they are considered advantageous for users in cyber and digital environments. Embracing a sceptical stance, akin to a "trust no-one" mentality (a Zero Trust mindset), promotes more cautious behaviour when dealing with online requests and communications (Frauenstein, 2020).
Personality Traits
The Big Five personality traits model, also known as the Five Factor Model (Digman, 1997), is a central framework in personality research that identifies five main domains of human personality: Openness, Conscientiousness, Extraversion, Agreeableness and Neuroticism. Openness features characteristics such as openness to experience, imagination, and a broad range of interests. A high degree of Conscientiousness features thoughtfulness, good impulse control, and goal-directed behaviour. Extraversion is linked to energy, positive emotions, and the tendency to seek stimulation and the company of others. Agreeableness refers to the tendency to be compassionate and cooperative rather than suspicious and antagonistic towards others. Neuroticism is the tendency to easily experience unpleasant emotions such as anger, anxiety, depression, or vulnerability. In SE research, the traits of openness, conscientiousness, and neuroticism are believed to significantly influence an individual’s vulnerability (Montañez et al., 2020). Conscientiousness and agreeableness have been linked to good cybersecurity behaviour (Shropshire et al., 2006; Shropshire et al., 2015). Conscientiousness, agreeableness, emotional stability (low neuroticism) and risk taking have been associated with how well a person engages with and adheres to effective information security practices and awareness training (McCormac, 2017). Neuroticism has been identified as the personality trait most closely associated with the likelihood of responding to phishing emails (Halevi et al., 2013). In contrast, another study linked openness, extraversion, and agreeableness to an increased likelihood of users responding to phishing attempts (Alseadoon et al., 2015).
The 2022 multidimensional phishing susceptibility prediction model (MPSPM) study found a notable correlation between personality traits and vulnerability to phishing, with a particularly strong connection between extraversion and susceptibility (Yang et al., 2022). Risk-taking propensity had the largest effect on increasing phishing susceptibility in a 2019 study (Abdelhamid, 2019). Overall, the literature is not conclusive on how or which personality traits influence one’s susceptibility to SE cyberattacks, and more research is required.
Mood
Studies have demonstrated that experiencing negative emotions can increase the likelihood of mind-wandering and result in less focus on the task at hand (Smallwood et al., 2009). This suggests that if individuals are in a negative state of mind before checking their emails, or if the email content itself is unsettling, they might be more susceptible to mind-wandering and pay less attention to the email content (Zhuo et al., 2023). Another study found that happy individuals are more likely to be gullible and less sceptical, making them more susceptible to deception (Forgas & East, 2008). Hence, cybercriminals often design phishing emails to provoke emotional reactions (Zulkurnain et al., 2015).
Mental Illnesses and Conditions
Studies have shown that individuals with higher psychological vulnerability are significantly more susceptible to fraud, with the most vulnerable being over twice as likely to fall victim to such schemes (Lichtenberg et al., 2016). People with mental illnesses may be more vulnerable to cybercrimes because of cognitive impairments and difficulty coping with daily life changes (Monteith et al., 2021). Factors and cognitive biases that can increase susceptibility to cybercrime, such as impaired decision-making, are directly linked to mental health issues like depression and anxiety. Impairments in working memory and cognitive flexibility are predictive of phishing susceptibility (Gavett et al., 2017). In cognitive psychology, research suggests that individuals with schizophrenia or schizotypal personality disorder exhibit working memory challenges (Barch et al., 2003).
Even adults experiencing mild cognitive decline may be more prone to cybercrime than their peers with unimpaired cognitive functions. Many mood disorders are linked to working memory impairments, including depression and social anhedonia (Blasiman & Was, 2018). Attention deficit hyperactivity disorder (ADHD) impacts working memory performance in adults and children (Alderson et al., 2012; Martinussen et al., 2005). A 2021 study across 240 students highlights that having a non-avoidant personality and elevated levels of anxiety significantly raises the probability of falling for phishing scams, with anxiety traits outperforming other indicators (Stalans et al., 2023). Impulsivity and emotional instability have been linked to risky behaviour (Bakhshani, 2014) and to susceptibility to cybercrime, SE and losing money online (Butavicius, 2015; Whitty, 2020). Mental health conditions can intensify vulnerability by weakening emotional management strategies.
Behavioural Factors
Habitual Patterns and Autopilot
Mass-communication theory explains that repetitive media consumption can lead to automatic, habitual behaviours that operate below the level of conscious awareness (LaRose, 2010). These automatic behaviours occur without thoughtful consideration of their triggers or even of the actions themselves (LaRose & Eastin, 2004). This habit forming applies to various digital behaviours, such as checking emails, instant messaging, social media, viewing adult content, and online shopping (LaRose & Eastin, 2002; Vishwanath, 2014b; Sirianni & Vishwanath, 2012). Specifically for email, the impulsive habit of checking and responding on autopilot and without much thought can make users particularly prone to phishing attacks, as their automated behaviours do not involve critically evaluating the content for red flags (LaRose, 2010).
Multitasking
Multitasking involves performing multiple activities simultaneously by frequently shifting focus from one task to another (Oswald, 2017). Switching tasks comes with a cognitive price tag. Not only does it require additional time to refocus on the main task at hand, but lingering attention from the previous task can interfere with processing new information, ultimately impairing decision-making abilities. Research has shown an increased distractibility associated with heavy media multitasking, meaning that individuals who multitask with various media are more prone to distraction by irrelevant surroundings (Ophir, 2009). People who engage in media multitasking report increased difficulties with maintaining their attention, controlling impulses and refraining from unsuitable behaviour (Baumgartner, 2014).
Frequently engaging in media multitasking has been associated with multiple negative outcomes, including diminished academic achievement and cognitive abilities (Ophir, 2009), depression (Becker et al., 2013), and lapses in everyday attention (Ralph et al., 2015). A 2018 study investigated the link between media multitasking and risky cyber security behaviour. The study showed that participants who engaged in high media multitasking had more cognitive failures in everyday life and engaged in riskier online and cybersecurity behaviours compared to the low multitaskers (Hadlington & Murphy, 2018).
IT Knowledge & Expertise
Security non-experts typically consider fewer cues and rely on straightforward heuristics, unlike security experts who factor in additional context that might highlight security cues. Decision-making for non-experts is also more likely to be influenced by their emotional response, in contrast to experts who base their decisions on logical reasoning. Non-experts tend to depend on visual cues, which can be easily falsified. Experts are more able to pinpoint questionable elements within a message (Kumaraguru et al., 2006). This aligns with findings that experts tend to rely on recognising patterns to make decisions rather than evaluating each option in isolation (Klein & Calderwood, 1991). Non-experts' perception of risk is swayed by the perceived benefits of an action; the more beneficial an action seems, the more likely they are to undertake it and view it as having lower risk (Byrne et al., 2016).
However, contrary to the assumption that general IT knowledge or technical proficiency correlates with cybersecurity acumen, software developers experience cyber-attacks more frequently than their less technical counterparts (Ovelgönne et al., 2017). In addition, a 2014 study found no direct links between a person’s educational and technical background, internet savvy, or online time investment and their ability to spot phishing sites (Purkait et al., 2014). Furthermore, while people may plan to behave securely, not all will follow through with these plans (Shropshire et al., 2015). The discrepancy between knowledge, intentions, and actual actions may stem from cognitive differences and various other factors. The above suggests that security domain knowledge helps to decrease susceptibility, whereas general IT or programming knowledge does not by itself reduce it.
Overconfidence
The limitations in effectively transferring expertise can be further complicated by cognitive biases like the Dunning-Kruger effect, which demonstrates that people tend to overrate their abilities (Kruger & Dunning, 1999). The "illusion of knowledge" suggests individuals often think they understand more about a subject than they actually do, which becomes evident when they are questioned in detail (Keil & Fisher, 2016). In cybersecurity, this can lead to an overestimation of one’s security knowledge. In line with the section above on knowledge, specific expertise in cybersecurity can indeed be valuable, yet general IT expertise does not automatically translate into effective cybersecurity behaviour. Kumaraguru et al. (2008) found that, with anti-phishing training, technical staff were no better at distinguishing between phishing and legitimate emails than their non-technical counterparts.
Work Commitment (attitude towards the organisation)
Work commitment explains the different reasons why people are committed to their jobs (Meyer & Allen, 1991). An individual’s vulnerability to phishing attacks is linked to the type of work commitment they have (Workman, 2008). People with a strong sense of duty are prone to attacks that promise mutual exchange. Those who weigh costs and benefits are susceptible to requests that escalate gradually. Meanwhile, those who are emotionally connected to their job are more likely to be influenced by attacks that have a personal or social allure (Workman, 2008). In a workplace study across 2,650 email users, noticeable variations emerged in how satisfied and committed employees felt, with those who had fallen for SE showing the least satisfaction and loyalty. It appears that discontented employees are more prone to fall for phishing scams and would particularly benefit from specialised cybersecurity education (Beu et al., 2023).
Access Method
The method by which individuals review their communication platforms can impact the amount of information they glean from them, thus affecting their phishing susceptibility. For example, individuals who are blind tend to be more adept at recognising phishing emails, possibly because listening to the content via screen readers reduces the potential distraction of visual elements, allowing them to concentrate on the text alone (Blythe et al., 2011). The way information is presented can shape a user's judgement and decision-making. The variability in layout and design across different email clients and devices (such as smartphones versus computers) leads to differences in users’ awareness of cues (Zhuo, 2023). Additionally, the use of mobile devices for everyday activities like email communication, chatting, and mobile banking can contribute to distraction and information security threats. Users might also not take appropriate actions to thwart these threats, thereby making them more vulnerable to phishing attacks (Sylvester, 2022). In a phishing test study, individuals who used a combination of both PCs and Macs performed worse than those using a single platform (Canham et al., 2022).
Problematic Social Media Use (PSMU)
Substantial research on the topic of problematic social media use (PSMU) exists (Durak & Senol-Durak, 2014; Meena et al., 2012; Wang et al., 2015). PSMU refers to habitual and excessive engagement with social media platforms and has been identified as a significant contributor to the risk of falling victim to cybercrime (Andreassen, 2015). A direct correlation between the frequency of PSMU and the likelihood of experiencing SE exists: daily PSMU was linked to over a 40% chance of victimisation, whereas even weekly instances of problematic usage present a 30% risk. This pattern indicates that PSMU has a considerable and measurable impact on the probability of encountering cybercrime (Marttila et al., 2021). Patterns such as how often users log on, their inability to control their use, and how they manage online friendships can predict susceptibility to SE attacks (Vishwanath, 2015).
Situational Factors
Stress
The neurobiological and hormonal mechanisms that occur during a stressful event, and their influence on human behaviour, have been extensively researched, highlighting a complex interplay that affects how we react in stressful situations (Lupien et al., 2009). Acute stress can significantly impact decision-making, leading to a greater reliance on heuristic or automatic mental processes (Starcke & Brand, 2012). Elevated stress levels can significantly reduce an individual’s finite cognitive capacities (Diamond et al., 2007). This depletion of mental resources can affect various cognitive functions and overall mental performance, including the ability to identify SE attempts.
Working memory is vulnerable to acute stress (Schwabe & Wolf, 2013). One reason for this is that acute stress can alter attention, which is crucial for working memory (Al’Absi et al., 2002). Anxiety, which is closely linked to stress, consistently impacts working memory negatively because it consumes attentional resources with worrying thoughts (Blasiman & Was, 2018). Working memory and cognitive flexibility have both been linked to phishing susceptibility (Gavett et al., 2017). Research suggests that stress, along with a high email load, correlates with a greater risk of falling for phishing and scam emails. In the same study, most participants acknowledged high stress as a contributing factor to their vulnerability to SE (Rozentals, 2021).
Workload
Cognitive workload, specifically when dealing with electronic communications, can influence an individual’s ability to detect manipulative content. When one’s cognitive resources are focussed on primary tasks, secondary cues often get overlooked, a phenomenon known as inattentional blindness (Pfleeger & Caputo, 2012). This tendency is intensified when individuals deal with a high volume of emails, leading to a more automatic response to each message and thereby increasing the risk of falling prey to phishing attacks (Vishwanath et al., 2011). Additionally, attackers actively exploit these vulnerabilities, especially in high-pressure environments like health care (van der Heijden & Allodi, 2019). Users’ self-perception of work and email overload is linked to increased phishing susceptibility (Jalali et al., 2020).
Finally, Canham suggests that repeated victimisation could in part be attributed to employees being overworked, leaving them distracted or under a heavier cognitive load and less vigilant against deceptive emails (Canham, 2023). High email volumes can increase stress and anxiety (Rozentals, 2021), so changing a user’s email habits to batch email processing a few times a day, and paying more attention during those times, could plausibly reduce both stress and phishing susceptibility.
Fatigue and Hunger
Research provides evidence for a bidirectional relationship among fatigue, hunger, and self-control. Fatigue and hunger can undermine self-control abilities, whereas stronger self-control is associated with reduced subjective experiences of fatigue and hunger (Pilcher et al., 2015; Baldwin et al., 2019). This interplay has important implications for decision making, impulsivity, and poor attention (Pilcher et al., 2015). Individuals who are fatigued or under time pressure may be more vulnerable to phishing attempts because their capacity for analytical thinking is compromised, making them more likely to default to intuitive judgement.
Years of employment
The length of employment at an organisation is a significant predictor of susceptibility to phishing, even when controlling for age, according to a 2021 study by Beu et al. (2023) across 4,000 Australian email users. This suggests that a lack of experience with the organisation’s processes, including typical email communication, is a risk factor for susceptibility to phishing attacks. However, it is also possible that employees who have worked at the organisation for a longer period are less susceptible to phishing due to previous exposure to similar simulations or more extensive cybersecurity training (Beu et al., 2023).
Position of power
Individuals holding positions of authority in an organisation tend to be more autonomous, less swayed by others’ input and more aligned with their own desires (Pitesa & Thau, 2013). Power enhances situational awareness through selective attention and processing flexibility, leading powerful individuals to respond based on factors like internal experiences, environmental properties and relevant information, unlike their less powerful counterparts who attend more uniformly (Guinote, 2007). This characteristic could translate into a decreased susceptibility to SE, as those in power may be less inclined to comply with deceptive requests due to their greater independence and self-reliance, but there has not been enough research to confirm this conclusively. These findings align with Elevate’s 2023 study, where board members had the lowest prevalence of high-risk users. However, mid-level managers were slightly over-represented in high-risk user groups at 19%, compared with 13% for non-managers (Elevate, 2023).
Quality of Cybersecurity Awareness (CSA) Programs
Cybersecurity Awareness (CSA) programmes spread knowledge about desired security behaviours and practices (Hanus et al., 2010) and usually consist of short, low-intensity awareness content (Katsikas, 2010). The retention of information from CSA tends to be immediate and short-term, with longer-lasting effects achieved through continuous reinforcement (Santa, 2010). Multiple academic studies demonstrate that lack of experience and awareness is a key factor contributing to increased susceptibility to SE (Alseadoon et al., 2015; Baillon et al., 2019; Diaz et al., 2020; Gordon et al., 2019; Pfeffel et al., 2019; Wang et al., 2017). Both direct training and embedded training through simulated phishing exercises can improve detection skills (Baillon et al., 2019).
However, despite the recognised advantages of CSA, other reports suggest that training alone may not be a comprehensive solution to the problem of SE and question the effectiveness of CSA programmes (Bada & Sasse, 2014). Moreover, conventional strategies of priming and cautionary advice have little to no impact on reducing individuals' susceptibility to phishing schemes (Halevi et al., 2013; Junger et al., 2017; Sheng et al., 2010). These issues might be related to ineffective methods, such as the use of standardised resources that do not consider the varied needs of different users, operating under a "one size fits all" approach (Furnell & Vasileiou, 2017). These findings highlight the need for a multifaceted approach to cybersecurity education that complements or enhances existing high-quality CSA efforts.
Culture
The “cultural theory of risk” posits that people’s understanding and judgement of risks, and the way they perceive and assess danger, are influenced by their societal structure and cultural backgrounds (Douglas & Wildavsky, 1987; Tsohou et al., 2015). Theories that examine the impact of culture on phishing vulnerability consider how sociological elements influence people’s attitudes and behaviours (Butavicius et al., 2016; Posey & Canham, 2018). The influence of culture is a critical factor in SE attacks. The notion of organisational culture is particularly pertinent to cybersecurity within workplaces, affecting employee actions related to cybersecurity (Bullee et al., 2017). Certain industries consistently report better security cultures and higher security user awareness than others, such as financial services compared to the educational and government sectors (KnowBe4, 2024).
Regional culture differences also impact susceptibility levels; for example, individuals from the United States exhibit higher levels of suspicion towards online communications than their counterparts in China and India (Tembe et al., 2014). Cultural backgrounds influence how employees from the United States, Sweden, and India respond to email phishing (Flores et al., 2015). Exploring the principle of authority as a persuasive tactic outlined by Cialdini (Cialdini, 2018) suggests that cultural differences in respect for authority can influence its effectiveness as a tool of influence (Bullee et al., 2015). Similarly, a culture’s emphasis on individualism over collectivism can be a key factor in an individual’s ability to discern between safe and risky emails (Williams et al., 2017).
Distribution Time
Cyber criminals follow certain patterns when sending out their phishing campaigns, based on the time of day or weekday they think will make users most susceptible (Hoheisel et al., 2023). Phishing is more prevalent around vacation seasons, and the frequency of people clicking on potentially dangerous links in emails tends to decrease in spring and summer and then rise in the autumn (Gordon et al., 2020; Oest et al., 2020). According to research by Egress, 27% of phishing emails aimed at executives are sent on Mondays, with Saturday the second most popular day. The fewest phishing emails are sent on Sunday (6%) and Wednesday (9%) (Egress, 2023). Another study confirms the above findings, indicating that people should be particularly careful on Monday mornings (Lastdrager, 2018).
Distraction
According to a study by Tessian in 2022, distraction was one of the main reasons why participants made errors, leading to cybersecurity repercussions. Of the participants, 48% reported that being distracted was the reason for falling for a phishing scam (Tessian, 2022). Distracted people are more likely to act hastily without fully considering the consequences of their decisions (Zaharon et al., 2021). Looking ahead into immersive, metaverse, and Augmented Reality (AR) environments, their built-in distractions, such as notifications in the user’s virtual reality, may impede people’s ability to notice attempted cyberattacks (Kalpokas, 2021).
Department
Phishing susceptibility can vary significantly across organisational departments, with external-facing roles being more exposed due to their frequent interactions with external communications. In Elevate’s 2023 analysis across 8 years’ worth of user data, different user risk behaviours were observed in different departments. For example, as seen in Figure 2, customer services staff seemed to be most susceptible to phishing simulations, but interestingly not to real phishing attacks. Medical lab, sales, and research & development (R&D) roles were linked to higher phishing rates, with marketing and R&D also featuring higher than others in the malware category. This points to the need for different training approaches for different business units.
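The weekday pattern in the Distribution Time section and the per-department differences above are both claims an awareness team can check against its own simulation telemetry. The script below is an added example, not code from the thesis or from any of the vendors cited: it aggregates constructed phishing-simulation records (send timestamp, department, whether the recipient clicked) by send weekday and by department, and attaches a 95% Wilson score interval to each click rate so that small groups, such as a handful of board members or one department with a few hundred users, are not over-interpreted. The record format and department names are assumptions for illustration.

```python
"""Summarise phishing-simulation click rates by send weekday and department.

Added example (not from the thesis). The records below are constructed sample
data, not real telemetry; a real export would typically come from the
phishing-simulation platform as CSV with similar columns.
"""
from collections import defaultdict
from datetime import datetime
from math import sqrt

# Constructed sample records: (send timestamp in ISO 8601, department, clicked)
SAMPLE_RECORDS = [
    ("2024-03-04T08:15:00", "customer_service", True),   # Monday morning
    ("2024-03-04T08:40:00", "customer_service", True),
    ("2024-03-04T09:05:00", "sales", False),
    ("2024-03-05T10:30:00", "rnd", False),
    ("2024-03-05T11:00:00", "sales", True),
    ("2024-03-06T14:20:00", "rnd", False),
    ("2024-03-06T15:10:00", "customer_service", False),
    ("2024-03-07T09:45:00", "sales", False),
    ("2024-03-08T16:00:00", "rnd", True),
    ("2024-03-09T12:00:00", "customer_service", False),  # Saturday
]

WEEKDAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]


def wilson_interval(clicks, sent, z=1.96):
    """95% Wilson score interval for a click rate; (0.0, 0.0) when nothing was sent.

    Unlike the naive p +/- z*sqrt(p(1-p)/n), this stays inside [0, 1] and
    remains usable for very small groups or rates of 0% / 100%.
    """
    if sent == 0:
        return (0.0, 0.0)
    p = clicks / sent
    denom = 1 + z * z / sent
    centre = (p + z * z / (2 * sent)) / denom
    half = z * sqrt(p * (1 - p) / sent + z * z / (4 * sent * sent)) / denom
    return (max(0.0, centre - half), min(1.0, centre + half))


def click_rates(records, key):
    """Return {group label: (clicks, sent)}; `key(ts, dept)` maps a record to its group."""
    counts = defaultdict(lambda: [0, 0])
    for ts, dept, clicked in records:
        label = key(ts, dept)
        counts[label][1] += 1
        if clicked:
            counts[label][0] += 1
    return {label: tuple(v) for label, v in counts.items()}


def by_weekday(records):
    """Group by the weekday on which the simulated phish was sent."""
    return click_rates(records, lambda ts, _dept: WEEKDAYS[datetime.fromisoformat(ts).weekday()])


def by_department(records):
    """Group by the recipient's department."""
    return click_rates(records, lambda _ts, dept: dept)


def report(rates, title):
    """Print groups ordered by click rate, each with its Wilson interval."""
    print(title)
    ordered = sorted(rates.items(), key=lambda kv: -kv[1][0] / kv[1][1])
    for label, (clicks, sent) in ordered:
        lo, hi = wilson_interval(clicks, sent)
        print(f"  {label:<18} {clicks:>3}/{sent:<3} rate={clicks / sent:6.1%}  95% CI [{lo:.0%}, {hi:.0%}]")


if __name__ == "__main__":
    report(by_weekday(SAMPLE_RECORDS), "Click rate by send weekday")
    report(by_department(SAMPLE_RECORDS), "Click rate by department")
```

With only a few records per group the intervals are very wide (a 2-of-4 group spans roughly 15% to 85%), which is exactly the caveat to apply before concluding that one weekday or department is riskier than another; the comparison only becomes meaningful once the intervals of the groups being compared stop overlapping.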
Demographic Factors
Gender
Gender, age, and educational background are inconsistent variables in the study of phishing, often yielding varying results regarding their impact on an individual’s susceptibility to such attacks. Albladi and Weir (2018) found that gender does not have a significant impact on susceptibility to SE. Many studies found no significant relationship between gender and phishing susceptibility, and the existing research is inconclusive, with the number of studies that found males more susceptible being about the same as the number that found females more susceptible (Zuo et al., 2023).
Age
In the phishing research literature, variables like gender, age, and education level are among the most debated regarding predicting who falls victim to phishing (Sheng et al., 2010). Some studies suggest that younger individuals are more likely to be deceived. Children experience significant growth in cognitive functions and behaviours as they mature, presenting complex challenges in ensuring their safe interaction with computers (Harris, 2006). Adults also undergo considerable but more gradual cognitive changes throughout life, including notable declines in working memory, capacity for problem-solving, and adaptive thinking, which can significantly affect daily activities (Park & Reuter-Lorenz, 2009; Salthouse, 2012). Ageing is also associated with an increased risk of neurological conditions like stroke and Alzheimer’s disease, which can impact cognitive functions (Hof & Mobbs, 2001).
These vulnerabilities, while not a part of normal ageing, are well known and can make older adults prime targets for SE tactics. During the Covid pandemic, the older adult population experienced a greater financial impact from online fraud, with a significant increase in losses reported in 2020 compared with 2019. Additionally, these demographics reported an uptick in being targeted by specific forms of cybercrime, such as tech support scams (Payne, 2020). Younger users, as opposed to their older counterparts, tend to be more vulnerable to emails that invoke a sense of urgency or appeal to authority. Conversely, older demographics are more likely to be influenced by emails that rely on the reciprocity principle or personal appeal. The level of awareness also fluctuates depending on the type of influence tactic and the context of the user’s life (Oliveira et al., 2017).
Previous research on mindfulness in cybersecurity
Traditionally, training methods relied on instructing individuals in prescribed "rules" for identifying phishing emails. However, Jensen et al. (2017) showed that a training approach grounded in mindfulness theory, which teaches users to focus attention during message evaluation, increase awareness of context, and judge suspicious messages, could be more effective than rule-based training. This finding was recently corroborated by Nguyen et al. (2021), who demonstrated that, compared with rule-based training, mindfulness training enhanced trainees’ capacity to distinguish between phishing and genuine emails, as well as to recognise phishing attempts. Significantly, the study found that these benefits persisted for up to 10 weeks following the training session (Nguyen et al., 2021).
In his paper “Mindfulness: The First Line of Defence in Cyberspace” Jarjoui describes the need for a more human-centric approach to defend against evolving cyber threats and the role of mindfulness in cybersecurity (Jarjoui, 2023). He posits that mindfulness could be a significant asset in digital security, providing end-users with enhanced defences against cyberattacks that target emotional vulnerabilities, exploit automatic behaviours, and manipulate cognitive processes. The recognised advantages of mindfulness, including heightened focus, self-discipline, mental clarity, presence of mind, adaptive focus and better cognitive functioning, can empower users to reduce the risk of cyber incidents (Bishop et al., 2004; Brown et al., 2007; Brown & Ryan, 2003; Roghanizad et al., 2021; Shapiro et al., 2010). In contrast to traditional awareness programmes, he suggests that a cybersecurity mindfulness programme (CMP) will provide a more profound and personally relevant concept, enabling individuals to cultivate their cognitive defences akin to a "human firewall" (Jarjoui, 2023).
Empirical research on the effect of mindfulness on phishing detection by Roghanizad et al. (2021) indicates that incorporating mindfulness into cyber awareness programmes could be beneficial and relevant in enhancing various cybersecurity practices. They used dual-processing theory to investigate how mindfulness helped users detect SE attempts and discovered that a brief session of focussed breathing exercises could aid in identifying sophisticated phishing emails. The study’s results indicate that mindfulness is particularly effective in increasing the detection of cues in challenging phishing emails that appear to come from known sources, but not in easier-to-spot phishes, where users might rely more on heuristics to spot the cues. They suggest that mindfulness might be essential for activating security awareness, particularly when phishing attempts are covert and well-crafted and may not automatically prompt an individual to adopt a cybersecurity-conscious approach (Roghanizad et al., 2021).
In his paper “How Experts Detect Phishing Scam Emails”, Walsh (2020) outlines how IT experts follow a three-stage process for identifying phishing emails and how the initial “sensemaking” stage in the expert’s cognitive process is an important but overlooked step in security awareness training. Sensemaking is akin to mindfulness: the expert’s meta-awareness activates System-2 thinking on becoming aware of cues in the content of the email or of an internal reaction that “something seems off” about this email (Walsh, 2020, p. 25). While not specifically focused on cybersecurity or SE, David Harley’s book “Mindfulness in a Digital World” explores the challenges and opportunities for reconciling digital interactions with mindful practice (Harley, 2022). Impulsivity (Butavicius et al., 2016; Parsons et al., 2013), lack of emotional control (Bezuidenhout et al., 2010), and distraction (Tessian, 2022) have also been linked to SE susceptibility.
Validated Benefits of Mindfulness
Stress Reduction
By far the most researched benefit of mindfulness is stress reduction. Mindfulness training has been shown to lessen stress and enhance well-being among professionals in human services, a field particularly susceptible to burnout and to being overwhelmed by job demands (Poulin et al., 2008). There is a growing body of evidence linking mindfulness with improvements in stress, fatigue, emotional exhaustion, negative feelings, and anxiety (Brown & Ryan, 2003; Tang et al., 2007; Zeidan et al., 2010). A comprehensive meta-analysis of 39 studies on mindfulness-based stress reduction suggests that mindfulness is effective in changing the emotional thought processes that contribute to various clinical problems (Hofmann et al., 2010).
Neuroimaging studies have shown a link between mindfulness and reduced stress and improved reactions to potential threats (Brown et al., 2008). Individuals who engage in mindfulness tend to view situations as less stressful by adopting a more accepting attitude when dealing with tough challenges, resulting in a reduction in felt stress, anxiety and negative feelings as well as increased resilience to psychological stress (Britton et al. 2012; Farb et al., 2010; Hoge et al. 2013; Rosenzweig et al., 2003; Weinstein et al., 2009; Williams, 2010). Failing to mentally disengage from work and continually mulling over work-related issues can perpetuate stress (Sonnentag et al., 2008). Conversely, mindfulness nurtures what has been described as a wholesome form of detachment (Baer et al., 2012), anchoring one’s focus in the current moment.
Present moment & meta-awareness
Awareness of the present moment enhances the evaluation of both external and internal signals, leading to more objective decision making (Hyland et al., 2015; Chambers et al., 2008). In contrast, depending solely on internal cues during information processing, a process known as internal encoding, is a feature of an automatic thought process in which judgements are based on heuristic shortcuts and cognitive biases instead of external evidence. Such internal encoding can result in the recall of incorrect memories of past events (Dehon et al., 2011). It is also linked to errors in which one clings to existing beliefs despite a clear absence of corroborating facts (Hill et al., 1990). Mindfulness stands out for its ability to significantly increase self-awareness and present-moment awareness, in contrast to the more automatic, unengaged default modes (Brown & Ryan, 2003). Correctly understanding the present moment depends on a sequential and deliberate examination of the information at hand, as opposed to jumping to conclusions (Shapiro et al., 2006). The decrease in dependence on automatic thought processes after mindfulness practice is backed by studies linking mindfulness with an enhanced capacity to react based on new information (Frewen et al., 2008). Mindfulness is also known to bolster rationality by mitigating behavioural biases that can influence decision making.
In a study covering 22 cognitive biases, individuals who practised mindfulness exhibited less bias in 19 cases and achieved higher scores on 11 of 14 LMS (Learning Mindset Scale) questions. However, outcomes can vary significantly with demographic factors such as age, job or student status, and gender (Maymin & Langer, 2021). Mindfulness can diminish biased thinking by promoting a conscious and deliberate thinking approach, expanding an individual's immediate awareness of information and augmenting their cognitive abilities (Hyland et al., 2015). It is possible to enhance rationality and decision-making simply through increased mindfulness using the Langerian method of "noticing three new things", without resorting to meditation, psychological training, or advanced education (Maymin & Langer, 2021).
Mindfulness-Based Attention Training (MBAT), a short, context-adaptable form of mindfulness training, holds promise for enhancing cognitive performance, attentional stability, and meta-awareness by reducing mind wandering in organisational settings (Price et al., 2023). Research suggests that MBAT participants maintain better functional stability than those without training, with decreased mind wandering and enhanced meta-awareness (Jha et al., 2017). Contrary to the notion that all forms of meditation yield similar benefits, studies suggest that different techniques lead to different patterns of brain activity (Cahn & Polich, 2006; Lutz et al., 2008). For instance, mindfulness meditation has been found to activate the middle prefrontal areas of the brain, which are key to self-awareness and metacognition, more than concentrative practices such as mantra focus (Cahn & Polich, 2006; Siegel, 2007b). It also promotes attentional processes (Valentine & Sweet, 1999).
Attention, focus and concentration
Both short-term and long-term mindfulness interventions have been associated with significant enhancements in working memory (WM), sustained attention, and concentration (Chambers et al., 2008; Jha et al., 2017; Zeidan et al., 2010; Wells, 2002). Notably, the acceptance-centred aspect of mindfulness has shown a stronger connection to WM capabilities (Ruocco & Direkoglu, 2013) than the component of being attentive to the current moment. The non-judgemental acceptance of thoughts is an exercise in cognitive control, which could explain its influence on WM abilities. Mindfulness boosts the attentional capacity required for effective information processing.
In a 2012 study comparing mindfulness-based stress reduction with an incentivised (rewarded) control group and passive control groups, only the group practising mindfulness exhibited improvements in working memory capacity (Jensen et al., 2012). A key element of mindfulness practice, mindful breathing, a deliberate focus on the rhythm of the breath, helps develop the skill of maintaining attention and fending off distracting thoughts. Regular practice can lead to improved concentration and a reduced frequency of mind wandering. Similar methods such as mindful eating and body scanning also contribute to prolonged attention. This observation has been supported by numerous studies (e.g., Valentine & Sweet, 1999). Other theories propose that mindfulness training enhances the ability to self-regulate attention (Bishop et al., 2004). Furthermore, mindfulness has been found to avert the decline of working memory capacity (Chambers et al., 2008) and to improve the management of attention (Brown & Ryan, 2003), both of which are vital for the efficient performance of System 2 cognitive operations. Engaging in 20 minutes of mindfulness exercises over four days improved the precision and accuracy, though not the speed, of responses in tasks (Zeidan et al., 2010).
Researchers identified a beneficial link between mindfulness and people's perceptions of safety at work in the context of nuclear power plant workers. The positive correlation was mediated by the employees' capacity to remain cognitively focussed on the task at hand. However, this positive impact was primarily observed with more complex tasks and among employees with higher intelligence. The studies also suggest that in situations where the efficient completion of simpler, less complex tasks is prioritised over the accuracy of the work, practising mindfulness might be counterproductive (Zhang et al., 2013; Zhang & Wu, 2014). Encouragingly, mindfulness practices have proven particularly beneficial for enhancing working memory capacity in high-pressure contexts. For instance, research involving military members revealed that mindfulness training helped maintain their working memory capacity under conditions of elevated stress (Jha et al., 2010). Further evidence for the benefits of long-term practice comes from studies showing that seasoned yoga practitioners have a higher volume of grey matter in brain regions responsible for executive attention, WM, and self-regulation than beginners (Froeliger et al., 2012; Fox et al., 2014; Villemure et al., 2015).
Practising mindfulness is believed to enhance focussed awareness of current tasks by reducing the frequency of task switching and bolstering prolonged attention (Bishop et al., 2004). It diminishes the innate inclination to dwell on past events or engage in thoughts unrelated to the task (Shapiro et al., 2007), thereby freeing up valuable cognitive capacity. Working memory and attention are crucial components of advanced cognitive functions and are vulnerable to decline through the normal ageing process as well as various medical conditions, such as attention deficit disorder. These factors have also been linked to increased susceptibility to SE. The enhanced attentional abilities and improved management of distractions in people who engage in mindfulness allow them to maintain their focus on the task at hand (Lutz et al., 2009). Mindfulness fosters greater scepticism, which is key to recognising phishing attempts, by activating System 2 thinking and safeguarding working memory, both conducive to analytical processing and heightened suspicion (Wang et al., 2016).
Emotional regulation & self-control
People who engage in mindfulness training can better manage their emotions (Hoge et al., 2020), increase their resilience in mentally demanding situations (Walker, 2016), and alleviate symptoms associated with depression and anxiety (Hoge et al., 2020; Baer, 2003; Khoury et al., 2013). Theoretical frameworks of mindfulness training propose that these emotional advantages are likely supported by enhanced cognitive control, which is a recognised outcome of mindfulness practice (Chiesa et al., 2011; Jha et al., 2010; Nielsen & Kaszniak, 2006). Mindfulness training has been shown to enhance activity in brain areas critical for self-regulation (e.g., Hasenkamp et al., 2012; Lazar et al., 2005; Malinowski, 2013) and can reduce how strongly people react to emotional stimuli (Ortner et al., 2007). In addition, individuals who underwent mindfulness interventions showed notably lower levels of emotional exhaustion and higher levels of job satisfaction than those in the control group (Hülsheger et al., 2023).
Neuroimaging research has shown that mindfulness activates brain areas involved in managing stressful emotions and can lead to structural brain changes over time (Hölzel et al., 2009; Lutz et al., 2004). For example, Hölzel et al. (2009) identified a decrease in amygdala grey matter density after mindfulness-based stress reduction programmes, and a later study found an increase in grey matter in the hippocampus, which is crucial for synaptic plasticity, the creation of new neurones, and emotional regulation (Hölzel et al., 2011). The findings highlight the brain's remarkable capacity for structural regeneration, suggesting that consistent mindfulness practice can mitigate or even reverse long-term stress impacts, particularly in areas related to managing emotions (Fox et al., 2014). Mindfulness training not only boosts individuals' readiness to self-regulate but also makes the process more effective (Reina & Kudesia, 2020): individuals trained in mindfulness are able to self-regulate using less neural activity and with less effort than those who have not undergone such training (Brefczynski-Lewis et al., 2007; Chan & Woollacott, 2007; Jha et al., 2019; Kozasa et al., 2012; Slagter et al., 2007).
Numerous research findings indicate that mindfulness can diminish repetitive negative thinking. For instance, Chambers et al. (2008) conducted a study in which 20 individuals new to meditation took part in an intensive 10-day mindfulness retreat. Following the retreat, the participants who meditated reported increased levels of mindfulness and a reduction in negative emotions compared with the control group. Additionally, these participants reported fewer symptoms of depression and less repetitive dwelling on negative thoughts. Self-control is positively influenced by two elements of mindfulness, awareness of internal physical sensations and non-judgemental acceptance, which direct focus towards emotional responses without instantly reacting to them. Mindfulness helps individuals become more attuned to early shifts in their emotions in a nonreactive and less impulsive manner (Elkins-Brown et al., 2016). It also diminishes impulsivity by bolstering an individual's ability to self-reflect and develop coping strategies (Liang et al., 2024).
Adverse Effects of Mindfulness Practices
Meditation can occasionally lead to discomfort and may even worsen anxiety symptoms in certain individuals (Galante et al., 2021). Mindfulness meditation has also been linked to both temporary distress and lasting negative effects, at rates comparable with other psychological therapies. Implementing mindfulness practices therefore requires that potential harms be properly assessed and disclosed. Meditation and deep emotional introspection without clinical or professional guidance should be avoided in professional settings because they could trigger trauma survivors and/or individuals with dissociated mind states (Britton et al., 2021). There are many other short forms of mindfulness practice that do not require meditation or deep introspection, and these should be considered instead. For example, to prevent potential triggering in trauma survivors, asking people to focus on their senses or on external stimuli rather than on their feelings is a safer option for inducing mindful states (Follette et al., 2015).
Results: Linking of theory and research question
The literature review demonstrates the complexity involved in addressing human susceptibility to phishing and SE because of the number of coexisting cognitive, situational, environmental, and psychological factors that influence decision-making, risk-taking, and impulses. It also explains why traditional security awareness programmes that address just one or a few of these factors, such as knowledge or awareness level, are not sufficient to change behaviour effectively (Bada & Sasse, 2014). The literature review showed how the benefits of mindfulness can positively address many of the susceptibility factors identified, and it provides an initial theoretical foundation for the main research question: investigating the effectiveness of mindfulness training as a defence mechanism against SE attacks within organisational cybersecurity awareness programmes. This literature study explored the theory behind whether mindfulness practices could enhance employees' resilience to cyber threats by improving stress management, cognitive and attentional functions, present-moment awareness, meta-awareness, and emotional regulation. It cites validated studies and highlights areas where the research remains inconclusive.
Analytical sub-questions (theoretical SQ):
SQ 1: What habitual patterns of behaviour (e.g. distraction, lack of attention, impulsive decision-making, emotional reactions) are known to affect an individual's susceptibility to SE tactics?
During the literature review, the researcher identified 33 factors influencing an individual’s vulnerability to SE tactics. Most of these factors are well supported by research, although some conflicting results or insufficiently large sample sizes left the theory inconclusive. The researcher developed a straightforward model to categorise these factors into cognitive, psychological, behavioural, situational, and demographic categories, as listed below:
Cognitive: Dual decision-making and heuristics, cognitive biases, attention and critical thinking, mind wandering, vigilance decrement / sustained attention and impulsivity (cognitive).
Psychological: Emotional regulation, self-control, self-awareness, self-efficacy, susceptibility to persuasion (i.e. persuadability or gullibility) vs suspicious thinking, personality traits, mood, and mental illnesses and conditions.
Behavioural: Habitual patterns and autopilot, multitasking, IT knowledge & expertise, over-confidence, attitudes toward the organization/work commitment, access method, Problematic Social Media Use (PSMU).
Situational: Stress, workload, fatigue and hunger, years of employment, position of power, quality of Cybersecurity Awareness (CSA) Programs, culture, distribution time and distraction.
Demographic: Age, gender.
Existing literature explaining the role of mindfulness in cybersecurity
SQ 2: What theories in the existing psychological and cybersecurity literature can be integrated to explain the role of mindfulness in enhancing an individual's resilience to SE attacks?
The review of existing psychological and cybersecurity literature highlights the potential role of mindfulness in building resilience to SE attacks. Existing research advocates a human-centric cybersecurity approach, suggesting mindfulness as a defence against cyber threats that target emotional vulnerabilities and cognitive processes (Jarjoui, 2023). Walsh (2020) underscores the importance of sensemaking as the first step experts take when detecting phishing emails, while Jensen et al. (2017) propose mindfulness-based training to enhance message evaluation and judgement. Building on these insights, research from 2021 demonstrates the effectiveness of mindfulness in phishing detection (Roghanizad et al., 2021). Harley (2022) explores mindfulness in digital interactions, shedding light on impulsivity and lack of emotional control and on how mindfulness can counter these. Reviewing the benefits of mindfulness reveals its impact on stress reduction, present-moment awareness, attention, focus, and emotional regulation. Studies indicate that mindfulness diminishes stress, enhances emotional resilience and mood, and can lower levels of anxiety, depression, and fatigue (Narayanan & Moynihan, 2006; Hofmann et al., 2010; Poulin et al., 2008; Farb et al., 2010; Williams, 2010; Rosenzweig et al., 2003).
It improves present-moment awareness and decision-making by promoting rationality and reducing cognitive biases and mindless states (Maymin & Langer, 2021; Shapiro et al., 2006; Hyland et al., 2015; Chambers et al., 2008; Brown & Ryan, 2003; Hollis-Walker & Colosimo, 2011; Frewen et al., 2008; Ostafin et al., 2012). It fosters emotional regulation and self-control, enhances attention and working memory, which are crucial for higher cognitive functions, and improves focus, concentration, and accuracy (Jha et al., 2010; Zeidan et al., 2010; Valentine & Sweet, 1999; Bishop et al., 2004; Lutz et al., 2008; Froeliger et al., 2012; Fox et al., 2014; Villemure et al., 2015). Many of the listed benefits can directly address factors linked to susceptibility to SE and phishing.
Based on the literature analysis above, it can be inferred that the documented benefits of mindfulness practices offer substantial potential to mitigate many of the human vulnerabilities and factors associated with susceptibility to SE. Figure 3 illustrates this correlation.
Empirical Analysis
Linking of theory and empirical research
The empirical research confirmed many of the theoretical findings derived from existing literature, such as that cognitive biases, distraction, overload, and unconscious states make humans susceptible to SE. The experts interviewed also confirmed that mindfulness practices can address many factors influencing susceptibility to SE. The experts consider mindfulness and its related benefits, such as attentional control, emotional regulation, present moment awareness, and cognitive enhancements, as critical tools to improve staff cybersecurity awareness and overall cybersecurity posture. The interviews provided great insights into how to effectively implement and drive cyber mindfulness interventions in organisations, highlighting both challenges and suggesting approaches.
Logical conclusion based on the literature and empirical research
It can therefore be concluded that incorporating mindfulness practices into organisational settings can enhance cybersecurity awareness levels and improve defence levels against SE. However, implementing cyber mindfulness effectively does not come without challenges and requires an organisational culture shift as well as a holistic campaign approach that expands beyond the realm of cybersecurity and is more akin to a behaviour design and larger change management programmes. Challenges exist related to communicating across large and diverse user bases, gaining consistent adoption, addressing cultural or generational misconceptions about the term mindfulness, measuring its effectiveness, and influencing necessary stakeholders.
Collection and Evaluation of Empirical Results
Suitability of qualitative methodology and data collection method
Qualitative analysis allows the researcher to examine themes and patterns from interview texts and identify meanings in a subjective but scientific manner (Mayring, 2000). The inductive nature of qualitative content analysis makes it well-suited for exploring complex phenomena that require a deep understanding of human behaviour, psychology, perceptions, and motivations. Mindfulness in the context of cybersecurity awareness is a relatively novel and complex subject that can benefit from a nuanced exploration that qualitative methods provide and inform the development of new theoretical frameworks for cybersecurity. Interviews with experts from multidisciplinary backgrounds, such as cybersecurity awareness practitioners and cyber security and mindfulness experts, were conducted and allowed for the collection of specialised knowledge that is not necessarily publicly available or documented yet. Interviews are particularly suitable for exploring the “how” and “why” questions, allowing for a deeper exploration of the processes and mechanisms by which mindfulness training might affect susceptibility to SE attacks. Unlike surveys or questionnaires, interviews can provide subtleties of experiences and insights into the complexity of the expert’s knowledge. When interviewing recognised experts, their authority and credibility support the validity of the findings. There are limitations when using interviews, such as potential biases or limited generalizability of findings from some experts, which need to be considered in the analysis phase.
An inductive qualitative research approach is well aligned with the exploratory nature of this research and allows for the identification of new themes that might not have been anticipated, thus enhancing the data’s potential to surprise and inform. During the analysis phase, the researcher identified themes as categories that emerged inductively (Miles & Huberman, 1994). To ensure validity, the researcher applied triangulation using multiple experts to cross-verify the information and conclusions. To ensure the objectivity of this study, the researcher maintained and documented multiple iterations of the content interpretation and analysis. This detailed record of the research process and interpretation of data analysis provides an audit trail and enhances the credibility and reliability of the research.
Further reliability was achieved by ensuring consistency in the coding process, which involved the use of a category table in which each category was assigned to a relevant theme. Regular reviews of the data and its interpretations were conducted to ensure that the conclusions were supported by the data. While qualitative research is often flexible, certain elements can be standardised, such as the interview guide and questions. The research data were protected through adequate access control, encryption, secure storage, and anonymisation of interviews. Recorded interview video files were deleted once their content had been transcribed. Ethical guidelines were adhered to, including informed consent and the right to withdraw for each participant.
Sampling
The research question requires detailed understanding from specialised fields that may not have been documented before, which is why interviewees were selected from a diverse range of disciplines, with specialised knowledge in the areas of cybersecurity culture and awareness as well as mindfulness and human psychology. The sample comprised 20 interviews: 18 domain experts and 2 end users. The sample size was justified on the grounds of data saturation, whereby the researcher continues to sample until no new themes are identified and sufficient data have been collected to answer the research question (Baker & Edwards, 2012; Guest, 2006).
Experts can often provide concentrated insights quickly because of their extensive knowledge, which enabled the obtaining of rich information in relatively short periods of time (30-45 minutes) and allowed for the respectful treatment of the limited time of the participating experts. To gain a rich understanding of both mindfulness and cybersecurity domains, the researcher conducted interviews with cybersecurity specialists, cyber security awareness practitioners, mindfulness experts, and two end users (students). The table below provides an outline of the different participants in the interview process:
Presentation of Empirical Results
Upon the first generalisation and reduction of the interviews, the researcher identified 97 categories. These were reduced during the following iterations to 54. Furthermore, six main themes emerged through the process, to which the categories and subcategories were logically assigned.
These are: Threats and vulnerabilities, Solutions and antidote, Organisational culture transformation, Campaign approach, and Tools. Each of these themes and their subcategories are described in detail in the following sections:
Threats and Vulnerabilities ("the Why")
The interview process confirmed findings from the literature review in the sense that experts felt that cybercriminals and social engineers exploit people's vulnerabilities such as distraction, mindless states, and information overload. Mindless and unconscious states, intensified by information overload and a lack of self-awareness, render individuals particularly susceptible. Scammers and digital platforms alike capitalise on these vulnerabilities by triggering unconscious biases and tapping into social motivations such as the desire to be seen and to belong.
In addition, the attention economy (Davenport & Beck, 2001) strategically fosters mindless states through dopamine feedback loops, which clashes with the goals of mindfulness practice. This design, whose goal is to keep individuals glued to their screens for as long as possible and in as mindless and distracted a state as possible, leaves them more vulnerable. Social engineers exploit these vulnerabilities by pushing individuals into unconscious or emotionally laden states, where their thoughts and behaviours can more easily be influenced. This manipulation is facilitated by the human brain's susceptibility to sensory overload and emotional triggering, which impairs the nervous system and decision-making. Distraction and busyness further intensify this vulnerability by diverting attention from critical thinking and self-awareness, making individuals more prone to errors in judgement and to manipulation.
Solution and antidote (“the Why”)
Mindfulness and related concepts were highlighted as potential solutions and antidotes to the challenges listed above. Although not formally defined as cyber mindfulness, elements akin to mindfulness have indirectly been advocated in security awareness messages (e.g. "Think before you click"), such as avoiding multitasking, inattention, and distraction. Attentional control, single-tasking, present-state awareness, emotional regulation, and non-reactivity were mentioned as desired mindfulness traits that could significantly benefit cybersecurity awareness and posture. Mindfulness was also highlighted as a performance enhancer across various domains, even beyond the workplace and cybersecurity, because of its benefits for mental function, stress reduction, and emotional regulation. It enhances productivity, prioritisation, clarity and focus. One benefit cited was an improvement in high-frequency heart rate variability (HRV); reduced HRV is often associated with stress and anxiety. In addition, mindfulness strengthens neural networks and enhances neuroplasticity, leading to long-term brain adaptations that contribute to resilience, a type of muscle memory for mental strength.
The good news is that although mindfulness exists as a trait, it is also a skill that can be learned or improved upon through practice and dedication and promoted within organisational cultures and environments. In cybersecurity, mindfulness should be considered an essential practice as it helps combat complacency and the autopilot mode that often leads to security lapses. It improves accuracy because it enables individuals to operate more slowly and with fewer mistakes. This means shifting from reactive, automatic responses to more intentional, deliberate actions. Such self-control is vital in managing the complex and often urgent demands of cybersecurity.
Transforming organisational culture (“the How”)
Foster a culture of slowing down
Fostering a culture of intentional slowing down was highlighted by 74% of respondents as a necessary cultural transformation. It represents a shift towards a more mindful, deliberate mode of operation, which is especially crucial in mitigating cybersecurity risks in fast-paced environments. This change necessitates a strong commitment from executive leadership, who must recognise the vulnerabilities created by a high-speed, reactive culture. It means breaking away from an immediate-response culture around emails, alerts, and other triggers in order to prioritise quality over speed. It could translate into focused work periods without the constant interruption of meetings, emails, or instant messages, allowing for deeper thought and higher-quality outputs. Permission to slow down means cultivating a culture where it is acceptable, even encouraged, to ask questions. Implementing policies such as limiting meetings to 25 minutes with mandatory breaks between them can prevent fatigue and promote a more attentive, engaged meeting culture.
Quote: “The military uses the mantra: slow is smooth, smooth is fast. We're making fewer mistakes because we're being more mindful about our work. In cybersecurity, that’s important, as you don't really get a lot of 2nd chances.”
Mindfulness culture for overall wellbeing
Establishing a mindfulness culture within an organisation extends beyond cybersecurity to encompass holistic well-being in the workplace. It is typically driven by Human Resources (HR) departments, integrated into company values, and supported by leadership buy-in. This type of culture normalises dialogue about mental health and offers mindfulness resources and activities, such as movement and breathwork classes, mindfulness sessions, and stress management workshops, that integrate mindfulness into employees' daily lives.
Practical, everyday actions, such as taking a moment for a collective breath at the beginning of meetings, can reinforce mindfulness practices throughout the workday and be reflected in how meetings are run, projects are managed, and teams communicate. Creating groups or clubs that focus on mindfulness practices can help sustain these activities and foster a sense of community and shared purpose. Mindfulness concepts should be integrated into routine communications, such as daily stand-ups or regular team meetings, to keep the principles front and centre.
Mindfulness Leadership Training
Mindfulness is increasingly recognised as a leadership skill, particularly when navigating the complexities of innovation. It enables leaders to be genuinely present and effectively engaged with their teams, fostering an environment of deepened self-awareness and enhanced critical thinking. By integrating mindfulness into leadership training, organisations can create a culture where thoughtful decision-making and attentive interpersonal interactions are the norm.
Executive support
Following on from the point above on leadership training, strong executive support and leadership buy-in are key success factors for organisational change. Leaders must actively demonstrate their commitment by incorporating mindfulness practices into daily routines and acting as visible role models who engage in these practices. Leaders who promote employee well-being and slow down the work pace, even in the absence of immediate tangible returns, help ensure the successful integration of mindfulness across the organisation.
Behaviour design to change culture
Behaviour design principles can help drive organisational culture transformation by highlighting personal benefits, leveraging social motivation, simplifying tasks, focusing on small habits and integrating technology with mindfulness, supported by top-down and bottom-up approaches. Additionally, providing education on interoception (Price & Hooven, 2018), sensory awareness, bio-hacking, and integrating practical skills like time management ensures that employees have the necessary tools and knowledge to adopt and maintain these new behaviours effectively.
Distraction-free spaces and times
To enhance mindfulness in the workplace, it is beneficial to provide dedicated, distraction-free spaces and designated breaks. These contemplative spaces can be further equipped with tools like heart rate variability monitors to aid relaxation, particularly in high-stress environments, thereby supporting overall employee health and productivity.
Show business benefits of human-centric interventions
Human-centric interventions like mindfulness can enhance workforce returns, productivity, and focus while fostering resilience to cyber threats. When motivating a mindfulness approach, it is necessary to highlight the business and performance benefits to gain leadership support.
Embrace continuous improvement practices (Kaizen)
Embracing continuous improvement practices like Kaizen (Janjić et al., 2019) can significantly enhance workplace efficiency and accuracy through deliberate actions and mindfulness. By helping employees assess their state of mind and stress levels before and after mindfulness sessions, individuals learn to recognise and measure the tangible benefits of such practices.
Internal Ambassadors
Using internal ambassadors who can act as role models and articulate the long-term benefits of mindfulness to their peers and stakeholders was named as a key factor in successfully integrating mindfulness into the organisation. These individuals are already convinced of mindfulness’s benefits and are empowered with additional resources to effectively influence and engage others. Early adopters can significantly help create momentum that encourages wider adoption throughout the organisation. Pilot programmes built around early adopters turn them into change agents.
Government Support
Governments should drive a collective sense of accountability in cybersecurity and digital literacy. By promoting improved education and incorporating mindfulness cultivation, governments can initiate changes that cascade down from organisations to individuals. This influence not only enhances cybersecurity awareness and practices but also instils a healthier, more resilient approach to managing cyber threats and fostering well-being within the digital workplace.
Campaign Approach – (“the How”)
Explain how it works and the benefits
When introducing cyber mindfulness or just mindfulness concepts, it is crucial to explain brain functions and their limitations, how and why the brain is affected by distractions, stress, and multitasking, and how the brain’s primary function is to survive rather than to think. Articulating the connection between mindfulness and cybersecurity and clarifying the importance of pausing and deliberation in cybersecurity contexts using scientifically validated research is key. Using visualisations and metaphors can simplify complex concepts, making them easier to understand and adopt.
Quote: “We often tell people what they should do, like being cautious with emails, but we don't instruct them on the method—like how to step back and breathe, for instance.”
Expression of mindfulness rooted in scientific and validated research
Explain mindfulness using neuroscience, validated research, and scientific language to outline its benefits for productivity and cybersecurity. Showing empirical evidence that links mindfulness practices with improved cybersecurity, such as the enhanced ability to combat phishing attacks, can illustrate its direct benefits. Validated benefits from other fields, like clinical psychology, should also be highlighted to underline the broad effectiveness of mindfulness. Psycho-physiology can be used to illustrate the brain-body connection.
Making the awareness training itself more mindful (and engaging)
Engaging learners by capturing their attention throughout the process is critical for keeping them interested. Mindfulness integrated into the training can help here, through techniques such as priming the mind before sessions to improve retention, while employing binaural beats during training can help relax and calm participants’ nervous systems, making them more receptive. Integrating gamification and simple logical concepts can also keep participants engaged and focused. Regularly updating content keeps it relevant and fresh, and personalising it to the audience encourages more interest and a shift from autopilot to more conscious thought and attention.
Consistent practice, prompts and reminders
To transition mindfulness from a temporary practice to a permanent trait, consistent practice, prompts, and reminders are essential. These should be varied and come from multiple sources such as managers, HR, and leadership to keep them at the forefront of employees' minds. Using tools like Post-it notes, digital reminders, timers, and technology platforms with built-in nudges can help. For instance, stickers on laptops can remind employees to take a moment to slow down. Daily mindfulness exercises can be made into habits through a few weeks of regular practice. It is important to manage expectations because immediate results may not be obvious. Setting up email rules that trigger mindfulness reminders based on specific senders or topics can integrate mindfulness into daily email management routines.
Quote: “Teach people the state of mindfulness to enable it to become a trait, a way of being"
Focus on personal benefits
By focussing on personal benefits and how mindfulness positively impacts family dynamics, aids in parenting and emotional regulation, offers health and anti-ageing benefits, and contributes to professional development, the campaign can show that mindfulness is a valuable life skill. The Positive Emotion, Engagement, Relationships, Meaning, and Accomplishment (PERMA) model by Seligman was used to encourage participants to align cyber practices with broader life goals (Seligman, 2016). Emphasising these personal benefits can motivate deeper engagement with mindfulness practices, demonstrating that its advantages apply to all aspects of life, not just the workplace or cybersecurity.
Quote: "It's kind of like, leadership training for yourself, for your own life."
Emotional phishing awareness training
Emotionally triggering phishing examples can be used to enhance user understanding. By incorporating these examples interactively in presentations or through e-training courses, participants are prompted to identify and describe their emotional responses. This method helps participants recognise the psychological tactics employed by phishers and practice their ability to respond with greater emotional insight.
Experiential learning
Practices like those enhancing heart rhythm well-being not only feel good but also encourage repetition. Presenting simple breathing exercises and movement strategies, like changing seats or physical locations, facilitates mindfulness that can easily be practised and experienced both in person and remotely.
Simple terminology to train principles
Employing simple, relatable language and practical steps that make mindfulness concepts easily accessible without necessarily using the term ‘mindfulness’ can prevent resistance. Instead, using phrases like "deliberate and focused thinking" or "performance enhancement" can demystify mindfulness. Alternative terms mentioned were "diligence," "vigilance," "slow and critical thinking," "productivity", “mental armour”, “cognitive resilience”, “cognitive defence” and “Zero Trust mindset”. Practical implementations could include naming sessions as "restorative slow movement classes" instead of yoga, or "lunch and relax" events to emphasise productivity and focus. Describing cyber mindfulness with metaphors, like comparing thoughts to screen log events for cybersecurity staff, helps make the abstract concrete. Topics such as distraction avoidance and the impact of social media on dopamine levels can connect mindfulness to familiar daily experiences, enhancing engagement and practical application.
Small and incremental steps
Using small and incremental steps can ensure greater acceptance, particularly from time-poor audiences. Starting with minor actions, such as verifying emails or engaging in brief breathwork or gazing techniques, can make the introduction more accessible. Even a modest improvement, such as a 10% increase in digital mindfulness, can lead to significant impacts, incrementally promoting a more mindful and productive workplace environment.
Zero Trust mindset
A zero-trust mindset encourages people to always refer to trust verifiers before accepting digital content as credible. By combining scepticism with mindfulness, the strategy advocates a vigilant and cautious approach, ensuring that all interactions with digital environments are critically evaluated.
Scenario-based simulations
Using scenario-based simulations and drills, control over emotions and decision-making within a cybersecurity context can be practised in a nonthreatening and, in some cases, immersive VR environment. Visualisation techniques such as dialogue, goal setting and intentionality can be incorporated into these simulation exercises to debunk the myths surrounding multitasking and illustrate mindfulness’s impact on stress reduction and overall performance before and after training sessions.
Story-based approach
Story-based approaches that use role models, personal stories and relatable examples can enhance engagement. By showcasing elite athletes or respected internal or external experts as role models for mindfulness and sharing personal stories related to productivity, focus, and mental strength, the abstract concept of mindfulness becomes concrete. Incorporating short videos that depict common scenarios, like the repercussions of checking emails incessantly on one’s phone, or using infographics that personify ideal behaviours can convey principles of the desired state: reflective, calm and cautious behaviour.
Senses as a pathway to mindfulness
By assessing individual sensory profiles and their environmental stress factors, organisations can help employees self-regulate more effectively. For example, individuals with low sensory thresholds may become overloaded faster but often have higher levels of self-awareness. Those with high sensory thresholds can tolerate more stimuli but typically have less self-awareness. Grounding exercises, such as the five-sense technique, can enhance present moment awareness. Mindfulness transcends sensory awareness; it involves a deeper engagement with the present moment, but focussing attention on one’s senses is a safe and effective way to ground oneself and become more centred.
Collaborate with different functions
Collaboration across different functions like HR, risk, security, marketing, and fraud teams can help drive behaviour change into an organisational culture. The objective is to integrate cybersecurity into wider corporate wellness programmes. Surveys to evaluate behavioural changes and compare the mindfulness levels of different user groups can provide diverse insights and reinforce the personal and organisational benefits of a comprehensive security and wellness culture across different functions.
Quote: “We combined campaigns with other departments to get extra leverage”
Group work
Experts mentioned group-based workshops as the most effective. These can be supported with emails and other communication elements, and both individual and collective assessments. Group settings are preferred over one-on-one interventions because of their ability to unify teams and achieve common goals, tapping into the contagious nature of a calm state that often spreads among group members. Incorporating group challenges and leaderboards can boost motivation, and physical community get-togethers foster a sense of belonging and support.
Phishing simulation clicker training
Surveying users who fail phishing tests about the underlying reasons, such as distraction and multitasking, can increase their understanding of mindfulness. Renaming training for repeat offenders to "phishing refresher training" helps remove stigma. Analysing the root causes of security lapses and crafting personalised interventions that focus on mindfulness can help individuals manage their reactions to phishing incidents and is a more empathetic approach to security awareness.
Embed mindfulness into security awareness training
Embedding mindfulness within all security awareness programmes, particularly phishing simulations, can enhance emotional and self-awareness and encourage deliberate actions over impulsive reactions. Expanding the traditional "think before you click" advice with practical, mindfulness-based steps encourages employees to understand their emotional reactions, slow down, and apply intentional rules rather than reacting impulsively.
Quote: "I think any security awareness program needs to have mindfulness at its core."
Personalize training based on role and individual preferences
It is important to understand and support individual preferences, including training, communication styles, and mindfulness preferences. Training should be personalized based on user role, risk profile and personal preferences for training. Some prefer reading, others prefer to watch a video or play games. Blanket approaches such as generic content that is not relevant to the audience group should be avoided. Likewise, mandatory group relaxation or meditation sessions should be avoided, as they could be triggering for some, and instead, cultivate flexibility to accommodate different methods of achieving cyber mindfulness.
Techniques and practices ("The What")
Body feedback awareness and HRV training
Body feedback awareness is aimed at increasing mindfulness by teaching individuals to observe and respond to their physiological states, such as heart rate and breath. Focussing on the body is often easier for people new to mindfulness than focussing on their thoughts or emotions. Practical examples, like recognising "email apnea" (the habit of holding one's breath when opening emails), make the concepts relatable. Interventions might include brief periods of movement or breathwork to correct posture intuitively and realign mental focus, or designated restful breaks that mix walking and social interactions.
Additionally, wearable devices can provide haptic feedback on physiological changes, like heart rate or heart rate variability (HRV), which can help with self-regulation. This technical approach to calmness and mindfulness through HRV training is characterised by alpha brainwaves, which are linked to more effective processing, contrasting with the higher arousal states associated with rapid but less integrated thinking in beta states. A simple method for improving HRV is the 10-second breathing pattern technique, which helps to refocus and refresh. Training should include a simple three-step process: observe, stop, and breathe, promoting extended exhalation and natural diaphragm use to foster a calmer, more aware state.
Quote: “For example, the famous gymnast Nadia Comăneci, who achieved the first perfect 10, learned to adjust her alignment mid-somersault for perfect landings. Similarly, if you train yourself to continuously be aware of your posture while sitting, make sure it's correct. Over time, this awareness becomes second nature, allowing you to sense when your alignment is off."
Emotional self-awareness and non-reactivity
Training to recognise emotions as early warning signs enables individuals to employ self-regulation and control, thereby preventing rash decisions and enhancing security measures. Beyond its relevance in cybersecurity, this skill is a vital life competence. Somatic-type training, which calms the nervous system, can help individuals manage their physiological responses to stress, thereby promoting overall mental and physical well-being.
Quote: “Self-awareness is the result of mindfulness practice, not the starting point”
Meta-Awareness (cognitive bias, self- and situational awareness)
Self-awareness and cognitive bias training teach individuals an understanding of their personal biases and habits through a scientific lens. By tapping into personal incentives for self-improvement, this training encourages participants to thoughtfully respond to internal cues and biases rather than reacting automatically. Training for situational awareness focuses on developing the ability to remain calm under pressure and includes learning when to retreat from a situation, understanding how and when to ask for help, and maintaining vigilance to anticipate and respond effectively to potential threats or challenges. Training individuals to become aware of both their external (situational) and internal states (cognitive and emotional awareness) is called meta-awareness, a skill that is particularly useful in high-attention or high-pressure environments. Meta-awareness is particularly powerful in redirecting attention away from mind-wandering back to the present moment and task at hand and can be honed by the short-form type of mindfulness-based attention training (MBAT) developed by Jha and colleagues (Jha et al., 2017).
Quote: “How do you make people mindful of being mindful?”
Intentionality
The practice of intentionality is a crucial aspect of mindfulness and involves setting clear intentions and pre-planned strategies to guide behaviour and separate actions from impulsive reactions. Intentional visualisation can prepare individuals for calm and effective responses in stressful or challenging situations. Intentionally slowing down and setting specific goals—and measuring these outcomes—further embeds a mindful approach into daily activities.
Breathwork
Breathwork training serves as an effective intervention to boost self-awareness. This typically involves shorter 1- to 5-min sessions and 10-min breath concentration exercises, where longer exhales are emphasised to slow down the nervous system. Additionally, a 10-second breathing pattern technique, like the tactical breathwork technique and box-breathing practised by the US Navy SEALs, can be taught to help individuals refocus and rejuvenate quickly. The power of breathwork extends to managing anxiety, regulating emotions, building mental resilience, and sharpening focus and concentration.
Movement
Desk movement routines, demonstrated in short, easy-to-understand videos, can help maintain mobility and reduce the stiffness associated with prolonged sitting. One effective exercise is the "seated swimming" movement, which targets the mid-spine area. This exercise involves mimicking a swimming motion while seated, helping to engage and loosen the muscles around the spine and shoulders. Such movements not only alleviate physical discomfort but also enhance circulation and improve focus and productivity. Slow body movement or yoga sessions can be offered during lunch breaks or after hours.
Mindful eating
Mindful eating involves slowing down and directing focused attention to the sensory experience of eating, including the taste, smell, texture, and visual appearance of food. By cultivating awareness during meals, individuals can practice mindful states in social settings. By asking ambassadors to set up ‘lunch and relax’ routines they can help introduce and foster these mindful eating habits while increasing social connection.
Intentional slowing down
This involves countering the immediate-response culture by implementing deliberate practices such as checking emails only a few times a day, acknowledging messages but responding later, and using tools like Boomerang to delay email delivery. Reflective exercises encourage individuals to pause and reflect on the sender’s intention and their own reactions, fostering mindfulness and self-control. In addition, scheduling meetings for shorter durations, such as 25 minutes, with breaks in between, supports the practice of intentional slowing down.
Quote: “It all came down to slowing down. Now that I'm trying to intentionally be more mindful, simulated phishes seem so obvious to me.”
Single-tasking
This means avoiding multitasking and focusing on one task at a time. Implementing sprints of 30, 45, or 60 min can significantly boost productivity by providing dedicated focus to each task. Task rotation can be beneficial for changing mental states and maintaining a calm mind. Prioritisation is key to ensuring that important tasks are effectively addressed while minimising distractions from unrelated activities.
Tools
Mindfulness apps
Mindfulness apps offer a range of tools for enhancing focus, concentration, stress relief, and relaxation. These apps provide features such as guided meditation sessions, breathing exercises, and soothing sounds to support mindfulness practices. Additionally, they offer statistics on usage and benefits, allowing users to track their progress and understand the impact of mindfulness on their well-being over time.
Integrate mindfulness features into existing technology
Integrating mindfulness features into existing technology platforms involves incorporating pauses and prompts to encourage mindful behaviour. This can include email send delays and sentiment analysis, prompts to verify before clicking on links or visually appealing breathing exercises before virtual meetings. Additionally, providing tools for self-awareness and reflection supports emotional well-being and fosters team collaboration by sharing stress capacity insights in collaborative platforms like SCRUM or Slack dashboards.
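As an added example (not code from the thesis or its interview participants), the following Python script shows one way to implement the "email rules that trigger mindfulness reminders based on specific senders or topics" idea from the campaign section together with the pause-and-verify prompt described above: it scores a message for emotional-trigger cues, unfamiliar senders and external links, and attaches an observe/stop/breathe reminder rather than blocking anything. The cue lists, the threshold, the internal domain and both sample messages are constructed assumptions.

```python
"""Mindful-pause email rule (added example; all cues, thresholds and
samples are assumptions, not taken from the thesis)."""
import re
from dataclasses import dataclass, field
from email import message_from_string
from email.message import Message
from urllib.parse import urlparse

# Assumed emotional-trigger vocabulary; each family counts once per message.
TRIGGER_CUES = {
    "urgency":   ["urgent", "immediately", "within 24 hours", "right away", "final notice"],
    "fear":      ["suspended", "unauthorised", "unauthorized", "locked", "legal action"],
    "reward":    ["bonus", "refund", "prize", "gift card"],
    "authority": ["ceo", "it department", "payroll", "compliance"],
}
INTERNAL_DOMAINS = {"example.com"}          # assumed organisation domain
PAUSE_THRESHOLD = 3                         # assumed: 3+ signals => show the reminder
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


@dataclass
class PauseDecision:
    score: int = 0
    reasons: list = field(default_factory=list)
    prompt: str = ""

    @property
    def pause(self) -> bool:
        return self.score >= PAUSE_THRESHOLD


def sender_domain(msg: Message) -> str:
    """Domain part of the From header, lower-cased ('' if absent)."""
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    return m.group(1).lower() if m else ""


def body_text(msg: Message) -> str:
    """Plain-text body of a single-part or multipart message."""
    if msg.is_multipart():
        parts = [p.get_payload(decode=True) or b"" for p in msg.walk()
                 if p.get_content_type() == "text/plain"]
        return b"\n".join(parts).decode("utf-8", "replace")
    return (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")


def build_prompt(reasons: list) -> str:
    """The three-step reminder (observe, stop, breathe) from the techniques section."""
    return ("Mindful pause before acting on this email.\n"
            "1. Observe: " + "; ".join(reasons) + "\n"
            "2. Stop: do not click or reply yet.\n"
            "3. Breathe: one slow breath with a longer exhale, then verify the "
            "request through a channel you already trust.")


def evaluate(raw_message: str) -> PauseDecision:
    """Score one RFC 822 message and decide whether to attach the reminder."""
    msg = message_from_string(raw_message)
    text = (msg.get("Subject", "") + "\n" + body_text(msg)).lower()
    decision = PauseDecision()

    for family, cues in TRIGGER_CUES.items():           # topic-based rule
        hits = [c for c in cues if c in text]
        if hits:
            decision.score += 1
            decision.reasons.append(f"{family} cue(s): {', '.join(hits)}")

    domain = sender_domain(msg)                          # sender-based rule
    if domain and domain not in INTERNAL_DOMAINS:
        decision.score += 1
        decision.reasons.append(f"external sender: {domain}")

    hosts = {urlparse(u).hostname for u in URL_RE.findall(text)}
    external_links = sorted(h for h in hosts if h and h not in INTERNAL_DOMAINS)
    if external_links:                                   # link-based rule
        decision.score += 1
        decision.reasons.append(f"external link(s): {', '.join(external_links)}")

    if decision.pause:
        decision.prompt = build_prompt(decision.reasons)
    return decision


# Constructed sample messages (not real emails).
SAMPLE_PRESSURE = """From: Payroll Team <payroll@example-payments.test>
To: jane@example.com
Subject: URGENT: your account will be suspended within 24 hours

Please confirm your details right away at https://portal.example-payments.test/confirm
or payroll will be locked.
"""

SAMPLE_ROUTINE = """From: colleague@example.com
To: jane@example.com
Subject: Lunch and relax session Thursday

Join us at 12:30 in room 4 for the weekly lunch and relax session.
"""

if __name__ == "__main__":
    for sample in (SAMPLE_PRESSURE, SAMPLE_ROUTINE):
        d = evaluate(sample)
        print(f"score={d.score} pause={d.pause}")
        print(d.prompt or "(no reminder)")
```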
Haptic feedback apps
Haptic feedback apps can offer instant and trend feedback on physiological stress indicators, such as HRV. They often come with practical applications like brief breathing exercises to alleviate stress.
Challenges
Consistency
One of the challenges listed lies in teaching individuals how to consistently integrate mindfulness into their daily lives, so that it shifts from being a temporary state to a more permanent trait, while not seeing instant rewards.
Perception & resistance to terminology
Resistance to mindfulness concepts within organizations can stem from various factors, including generational attitudes, cultural norms, and scepticism towards practices perceived as less empirical, like yoga. Some leaders may resist integrating new learnings, dismissing them as new-age thinking, while technical professionals in cybersecurity may resist change and reject terms such as mindfulness.
Some associate the term "mindfulness" with "woo-woo language" which can exacerbate resistance, leading to the exploration of alternatives like "mental fitness" or more scientific terminology rooted in neuroscience. Different cultural interpretations of mindfulness further complicate matters, prompting the need to define desired mindsets or practices rather than relying on potentially loaded terms. Strategies to overcome resistance involve framing mindfulness in terms of "slow thinking," "focus," and "productivity", and demonstrating its principles through practical activities to make it more relatable and less intimidating for everyone.
Prioritize tangible rewards
Implementing various tactics to maintain mindfulness awareness is key since teaching its benefits is one thing, but practical application is another. People often prioritise tangible rewards like income over the subtle, longer-term benefits of daily mindfulness practices, which require time and effort for their value to be fully recognised.
Many training programs are not engaging enough
There is a gap in existing training's effectiveness because it does not resonate. By embedding the principles of mindfulness in the training, without necessarily labelling it as such, we can demonstrate the behaviours that contribute to better security. Training should be entertaining and interactive to capture people’s attention and prevent them from simply going through the motions on autopilot without truly engaging.
Communication challenges
Maintaining momentum is challenging for a large workforce with limited permission to communicate. We must find a way to distil the information into concise, effective segments that can be delivered remotely and still be engaging.
Quote: “It’s tricky engaging an audience in an era where people are reluctant to read."
Time poverty
There's a common misconception that taking breaks detracts from productivity, yet mindfulness practices or short movement breaks can actually enhance focus and efficiency. However, the challenge lies in educating people about these benefits and persuading them to integrate mindfulness into their routines. Allocating time for mindfulness training within companies presents another obstacle, requiring efforts to convince CEOs and leaders of its importance for security awareness. Ultimately, ensuring that leadership perceives critical thinking and mindfulness training as essential components of security awareness initiatives is crucial for overcoming this challenge.
Measuring effectiveness
Measuring the effectiveness of mindfulness in cybersecurity poses challenges due to the difficulty in directly linking it to incident reduction and ROI. Emphasis should be placed on showcasing increased productivity through statistics and personal experiences, measured with before-and-after surveys.
Influence
Expanding influence across the organization, different functions and executive levels is challenging. Additionally, effectively communicating the significance of "productivity thinking" or mindfulness to C-level executives is crucial for fostering a cultural shift where leaders recognise and support employees' engagement in mindfulness activities, even allowing time for short breaks.
One size does not fit all
Prescribing a one-size-fits-all approach to mindfulness is not feasible because it's a highly personal journey influenced by individual growth. We can't precisely dictate how mindfulness will work for each person due to the diversity of experiences and factors involved. Some practices, like meditations, can in fact be triggering or even harmful to some, such as trauma survivors, so in professional settings meditations should be avoided.
Answer to the Empirical Subquestions
SQ: 1. How can mindfulness practices be effectively integrated into organizational security awareness and training programs?
The interviews provided insights into how to effectively integrate mindfulness training into organisational security and training programmes by listing suggestions on how to transform organisational cultures to embrace mindfulness holistically (a prerequisite for cyber-mindfulness) as well as how to effectively run mindful security awareness campaigns. To transform organisational culture towards mindfulness, it is essential to foster a culture of intentional slowing down, supported by executive buy-in and a shift away from immediate-response norms. This involves prioritising meaningful engagement over instantaneity, granting permission to ask questions and scheduling breaks.
Executive support is crucial, demonstrating commitment through daily mindfulness practices and advocacy for employee well-being. Behaviour design principles facilitate culture change by emphasising personal benefits, and social motivation, offering simple tools and integration into existing technologies. Providing distraction-free spaces and times and understanding individual preferences will further enrich the transformative process. Continuous improvement practices and internal ambassador programmes are imperative. Government support was mentioned to assist in promoting cybersecurity literacy and mindfulness, cascading positive changes from top-level policy down to individual practices. To effectively implement and run cyber mindfulness campaigns, organisations should focus on explaining how mindfulness works and its benefits, utilising simple terminology rooted in validated research to articulate its advantages. Engagement strategies like making cybersecurity training sessions more mindful and designed to capture attention can enhance effectiveness. Consistent practices supported by varied prompts and reminders are crucial for ingraining mindfulness into daily routines. Emphasising personal benefits, such as improved family dynamics and professional development, can motivate deeper engagement and sustained practices.
By embedding mindfulness into security awareness training and collaborating across different functions, organisations can integrate cybersecurity into broader wellness programs where they exist. Scenario-based simulations, emotional phishing awareness training and the PERMA model can align cyber mindfulness practices with broader life goals and enhance participants' understanding. Using the senses as a pathway to mindfulness, in group work, and experiential learning concepts mindfulness interventions can be implemented safely and effectively in organisational or professional settings. Offering tools such as mindfulness apps and integrating mindful features into existing technology platforms, like email or collaboration technology which people use daily can help support the behaviour design programme and facilitate habit building. All the above-mentioned approaches combined will foster a culture of mindfulness and greater resilience to cyber threats to organisations.
SQ: 2. What are the key elements that make mindfulness training effective in enhancing security awareness against SE attacks?
The following key elements in enhancing security awareness emerged from the interview process: Body feedback awareness, including HRV training, promotes self-regulation through techniques like breathwork, utilising the senses as a pathway to mindfulness through grounding exercises, and a focus on observing and responding to physiological states, such as heart rate. Emotional self-awareness and non-reactivity training will help individuals recognise emotions as early warning signs, enhancing self-regulation and control, while meta-awareness training, including cognitive bias and situational awareness training, teaches an understanding of personal biases and habits, promoting thoughtful responses to both external and internal cues. Intentionality training involves sharing how to set clear intentions and pre-planned strategies to guide behaviour, while breathwork serves as an effective intervention for all of the above, and managing stress and anxiety. Movement routines help maintain mobility and reduce stiffness while promoting present moment states, and mindful eating cultivates awareness during meals. Intentional slowing down counters immediate response culture and single-tasking enhances productivity while preventing multi-tasking and distraction. The Zero Trust mindset advocates a vigilant approach to digital interactions, referencing trust verifiers before accepting content.
The above-mentioned training and key elements will have to be introduced by a companywide campaign following principles highlighted by the experts outlined in the section before, such as explaining benefits using scientific research, making the training itself more mindful & engaging, promoting consistent practice through frequent prompts and reminders, highlighting personal benefits, using simple terminology and small and incremental steps. Story-based examples, collaboration, group work, experiential training and supporting individual preference, employing internal ambassadors for change makers and gaining executive support are additional key success factors that help make the training more effective.
What types of challenges are experienced by security awareness practitioners when implementing mindfulness practices into their security awareness campaigns?
Multiple challenges surrounding cyber-mindfulness implementation within organisations were identified. These include difficulties in getting people to consistently integrate these practices into their daily routines and prioritise the somewhat intangible mindfulness benefits over more immediate tangible rewards. Another challenge is improving the effectiveness of training programmes to ensure they resonate with participants and address internal communication hurdles, particularly in larger, international organisations.
A major challenge raised by 68% of the participants is overcoming the perceived resistance to the term “mindfulness” and different cultural perceptions that resulted in scepticism and negative connotations. Other challenges mentioned were combating the misconception of time poverty by emphasising the productivity benefits of mindfulness practices, allocating sufficient time for training, measuring its effectiveness, expanding influence across different organisational levels and leadership, providing empirical evidence specific to cybersecurity, and acknowledging the individualised nature of mindfulness journeys, which defy a one-size-fits-all approach.
Conclusion and Outlook
This study indicates that integrating mindfulness practices into broader cybersecurity awareness and corporate culture can help people improve their ability to defend against phishing and SE. Figure 3 provides a visual overview of the findings from the research, including the literature review about susceptibility factors and relevant mindfulness benefits addressing these factors (Why). The qualitative analysis provided insights into the types of mindfulness interventions and techniques that could be used to train people in corporate environments (What). It further provided expert suggestions on how to effectively implement and run these interventions as campaigns (How). Most participants (70%) highlighted the need to shift from a culture of immediacy to one favouring slower, more thoughtful reactions. This contrasts with the fast-paced nature of modern life, which is largely driven by digital platforms and the attention economy that thrives on fast reactions and distraction. The findings advocate for a shift in how organisations approach cybersecurity education. Instead of relying solely on conventional training that focuses on specific threats and rules, integrating mindfulness into cybersecurity training programmes can provide a more holistic defence mechanism.
As previously mentioned by Sasse, it would be impractical to ask users to review every single email notification meticulously and mindfully due to time and cognitive limitations (Sasse, 2023). This is not the intention of a cyber mindfulness programme. Regular mindfulness practice enhances meta-awareness, situational and self-awareness as well as cognitive function (Cahn & Polich, 2006; Brown & Ryan, 2003; Frewen et al., 2008; Jha et al., 2017; Ostafin et al., 2012; Price et al., 2023; Valentine & Sweet, 1999). This overall heightened awareness and performance enables individuals to become more attuned to internal and external cues signalling potential manipulation and to shift towards more analytical, System-2 thinking as and when needed. Certain triggers—like emotional content, urgent demands, or specific body reactions or sensations—should prompt a shift to a more attentive, mindful state. Developing the ability to tap out of the default heuristic mode into a more mindful state when needed (‘automatic mindfulness’) can be supported by frequent mindfulness practice as well as by exposing individuals to scenarios that mimic real-life SE manipulations using emotionally laden content or cognitive bias training. Meta-awareness, the ability to be aware of internal and external states, has been shown to reduce mind wandering and improve attentional control in organisational settings (Price et al., 2023). This allows trained individuals to redirect their attention to where it matters more quickly than untrained users.
Training interventions do not need to be intensive 8-week-long mindfulness courses as typically associated with Mindfulness-Based Stress Reduction (MBSR), but could be offered to a wider audience via flexible and short-form training modules targeted at organisational settings, like the Mindfulness-Based Attention Training (MBAT) developed by Jha et al. (2017), simple ‘focus on new things’ techniques such as the Langer method (Langer, 1978), short desk-based breath and movement methods, HRV-based techniques or a combination of all of the above. Long meditations and deep emotional introspection without clinical or professional guidance should be avoided in professional settings because they could trigger trauma survivors and/or individuals with dissociated mind states (Britton et al., 2021).
To effectively integrate mindfulness practices within organisational settings, a transformative shift in organisational culture is needed, fostering intentional slowing down, with executive support promoting employee wellbeing over immediacy. Structured campaigns need a few key factors to run successfully, such as explaining training content in the context of the organisational objectives (i.e. improving cybersecurity, attentional control, and performance) and explaining benefits for both teams and individuals. The training itself should be engaging, using simple terminology to train principles, without necessarily using the term mindfulness. It should be implemented in small and incremental steps and highlight personal benefits. Frequent prompts and reminders that can be built into existing technology, such as nudges in email clients, can foster and encourage consistent practice. Integrating mindfulness concepts into security awareness training, such as emotional phishing awareness training for frequent clickers and advocating for a Zero Trust mindset, can help enhance cybersecurity campaigns and awareness efforts. Group work and experiential learning, using scenario-based simulations and story-based examples, tapping into the senses as a pathway to mindfulness, and collaboration between different functions were further suggestions made to successfully implement mindfulness or cyber mindfulness campaigns. The study highlights the dual benefit of mindfulness not only in enhancing cybersecurity defences but also in improving overall employee wellbeing and performance, thus contributing to a more positive work environment.
However, the study also acknowledges the challenges involved in integrating mindfulness into company-wide cultures and cybersecurity programmes. It calls for organisations to undertake substantial cultural shifts to embrace these practices fully. This includes developing a supportive environment that encourages the practice of mindfulness, ensuring that such training is accessible and appealing to all employees, and promoting a culture that values deliberate responses to potential threats. Overcoming cultural biases and terminology resistance around “mindfulness” remains a challenge. Exploring alternative framing like “focused thinking”, “mental armour”, “cognitive resilience”, “Zero-Trust mindset” or “productivity mindset” may increase acceptance. Measuring mindfulness effectiveness versus general security awareness programmes is needed to justify resource allocations. In conclusion, a cyber mindfulness programme promotes a more integrated and human-centred approach to cybersecurity. This approach not only enhances the protection against SE attacks but also increases well-being and performance through improved mental resilience and cognitive agility. Overcoming the identified challenges requires a holistic approach beyond cybersecurity and commitment from executive leadership towards a culture that embraces mindfulness and well-being.
Future outlook and research directions
Although the results are promising, they also open several questions and opportunities for future research on mindfulness as a cybersecurity awareness tool. Future studies could conduct longitudinal research to track the durability of mindfulness training effects over time to determine the sustainability of the benefits. Developing quantitative measures to assess the real-world impact of mindfulness on cybersecurity behaviours is essential. Such metrics should go beyond the use of simulated phish-prone percentages, which are influenced by too many criteria, for example by including large-scale qualitative user survey data. Research into the effectiveness of mindfulness across different cultural settings within global organisations could provide insights into tailor-made training that caters to different audiences. Furthermore, optimal ways to integrate mindfulness with traditional cybersecurity training and the potential of digital mindfulness applications and virtual reality (VR) to deliver training could be examined. Expanding research to see how mindfulness could impact other areas of cybersecurity, such as insider threat mitigation or secure coding practices, could broaden the applicability of mindfulness in cybersecurity and other domains.
Limitations
The researcher acknowledges that she may have missed factors influencing people’s susceptibility to SE, such as substance abuse or others. The study relied on a relatively small sample of 20 expert interviews, which provided rich insights, but which may not be fully representative across industries and organisational cultures. The efficacy of mindfulness practices was inferred from a literature review of research across different domains like psychology and neuroscience, and although some empirical studies of the impact of mindfulness on SE susceptibility in cybersecurity exist, more research is necessary to study the effect in larger real-world organisations and outside of lab or student environments. Interviewer and response biases are possible limitations of the qualitative interview process.
References
Please download the full thesis paper as 30 pages are too much to put on here.