top of page

The Theory and Practice of Cyber-Mindfulness

  • Writer: Anna Collard
    Anna Collard
  • Jul 29, 2024
  • 72 min read

Updated: Oct 9, 2024

In a previous post about a year ago, I wrote about how I failed a phishing simulation test during an Uber ride and how this led me to research human susceptibility factors to social engineering and cyber-mindfulness. I wanted to dig into the real reason behind why I, as a security awareness person with 22+ experience in cybersecurity, clicked on a phishing email. By the way, the Uber incident was not the only phishing test I failed - there were quite a few more examples. My theory back then was that it wasn't my lack of skills that made me click, but rather a distracted and multi-tasking state of mind. And some initial research confirmed this theory. Motivated by these findings, I subsequently decided to make this question the focus of my research thesis for my Cyberpsychology Master's program. And here it is finally :)



You can also download the full thesis paper here:



Thesis Abstract

The main research question investigated in this study is which mindfulness training techniques as part of a wider organizational security awareness campaign, assist users in defending against online social engineering (SE) attacks. In line with this, the goal of the study was to gain a deeper understanding of the effectiveness of mindfulness training as a defence mechanism against SE attacks and which mindfulness interventions would be most effective. The research started with a literature review to identify factors contributing to susceptibility to phishing and SE. Factors found were classified into cognitive, behavioural, psychological, situational, and demographic categories and these were then mapped against validated benefits of mindfulness—such as improved attentional control, enhanced meta-awareness, reduced stress, and emotional regulation. The review of empirical literature covering mindfulness in cybersecurity specifically confirmed that participants who underwent mindfulness training were better in detecting phishing attempts compared to control groups, indicating a clear link between mindfulness practices and reduced susceptibility to SE tactics.

Through interviews with 20 experts in cybersecurity and mindfulness and using inductive qualitative analysis, themes and categories related to the integration of mindfulness in cybersecurity awareness programmes and general organisational settings were identified. While the interviews confirmed many of the theoretical benefits, they also uncovered significant challenges, such as resistance from employees to terminology, ensuring consistent adoption, difficulties in communication and quantifying the effectiveness. Based on the findings, the study recommends a companywide culture shift to one that favours deliberation over immediacy and one that integrates mindfulness into the broader organisational and cybersecurity agenda. The study concludes that mindfulness, when used complementary to existing awareness efforts, can significantly strengthen human defences against SE attacks. Driven holistically, where mindfulness becomes a core component of cybersecurity training programmes and a cultural shift towards more mindful and deliberate organisational behaviours is the most effective approach. The study recommends future research on the effect of mindfulness in existing cyber awareness programmes to collect empirical data based on real-life implementations.

Introduction & Problem Statement

The Objective of the Research

Research Questions

Existing Frameworks for Susceptibility to Phishing and SE

Multiple conceptual frameworks and models exist that provide insights into susceptibility factors to phishing and SE: Vishwanath et al., (2018) developed a framework that considers the cognitive, instinctive, and automatic actions that might result in someone being tricked by phishing (Vishwanath et al., 2018). This Suspicion, Cognition, and Automaticity Model (SCAM) assessed individuals on various parameters including their level of doubt, instinctive reactions, deliberate thought processes, beliefs about online risks, email habits, and their ability to control their responses. They found that the level of suspicion individuals applied was higher when they engaged in a thorough evaluation of an email. In contrast, scepticism was lower when they quickly assessed emails using mental shortcuts or heuristics. Individuals’ awareness of cyber risks impacted both above. Those who considered their online behaviour to be safe were more prone to rely on heuristic evaluation (Vishwanath et al., 2018).

The Lens model used the double system lens model, a method for analysing judgement, along with cognitive continuum theory to better understand the relationship between cognition and phishing susceptibility. The study pinpointed that an analytical approach was the most suitable type of thinking for categorising emails and that it corresponded with a reduced incidence of falling for phishing scams (Molinaro & Bolton, 2019). Musuva’s Elaboration Likelihood Model (ELM) involved testing 25 hypotheses and investigating the roles of cognitive processing and threat detection. The findings suggest that the ability to detect threats is the most effective factor in spotting phishing attempts. Individuals who put in the cognitive effort to scrutinise messages are less susceptible to such threats (Musuva et al., 2019).


In 2022, Yang and colleagues proposed a model called the multidimensional phishing susceptibility prediction model (MPSPM) to assess the likelihood of users falling for phishing attempts. Their study involved 1,105 volunteers who collected data on their demographics, personality, knowledge, security practices, and cognitive processes. Using machine learning methods showed high accuracy in predicting which users were more likely to be tricked. The study found a notable correlation between personality traits and vulnerability to phishing, with a particularly high connection between the trait of extraversion and susceptibility (Yang et al., 2022).


The Phishing Susceptibility Model (PSM) created by Zhuo and colleagues in 2023 organises susceptibility factors into three different stages of when they affect individuals during a phishing attack and the impact of situational, long-term, cognitive, in-the-moment, and external factors. The PSM, unlike other models, includes situational factors that influence susceptibility, for example, when the user is under a period of high stress. The PSM highlights the need for more research to understand susceptibility factors and improve protection against phishing susceptibility (Zhuo et al., 2023).

Proposed Framework for Susceptibility to Phishing and SE.

Cognitive Factors

Psychological Factors

Behavioural Factors

Situational Factors

Demographic Factors

Previous research on mindfulness in cybersecurity

Validated Benefits of Mindfulness

Present moment & meta-awareness

Attention, focus and concentration

Emotional regulation & self-control

Adverse Effects of Mindfulness Practices

Results: Linking of theory and research question

Analytical sub-questions (theoretical SQ):

Existing literature explaining the role of mindfulness in cybersecurity

Mindfulness benefits mapped to factors of susceptibility to SE and phishing

Empirical Analysis

Collection and Evaluation of Empirical Results

Presentation of Empirical Results

Threats and Vulnerabilities ("the Why")

Solution and antidote (“the Why”)

Transforming organisational culture (“the How”)

Campaign Approach – (“the How”)

Techniques and practices ("The What")

Tools

Challenges

Answer to the Empirical Subquestions

Conclusion and Outlook

Future outlook and research directions

References

Please download the full thesis paper as 30 pages are too much to put on here.


Comments

Image by kylefromthenorth
Join My Mailing List

Thanks for submitting!

About Me
Anna 22 formal.jpg

I'm a creative security awareness content developer and founder with a demonstrated history of working 20+ years in the cybersecurity industry. Originally from Munich, Germany, I've been living in Cape Town, South Africa for the last 20+ years. Successfully grew bootstrapped startup Popcorn Training to US acquisition and scaled team in a hyper-growth environment under the new ownership as the regional MD of KnowBe4 Africa.

Since 2021 I've moved into an evangelist role at KnowBe4, driving cyber awareness across the African continent with a special focus on cyberpsychology, security culture, metaverse, Web3 security, and the intersection of mindfulness on cyber.

I'm a Member of the World Economic Forum’s Global Future Council on the Future of Metaverse for the 2023-2024 term as well as a member of the WEF Metaverse Initiative Governance Working Group and Security Skills Development Group. 

 

I'm a founding member and on the Mido Cybersecurity Academy advisory board, aimed at underserved communities in South Africa to bridge the cyber skills divide.

I'm a certified business analyst and have an MSc in Cyberpsychology from the University of Applied Sciences in Vienna. I hold multiple security certifications, including CISSP, CISA, CIPP/IT, ex PCI DSS QSA, ISO 27001 Implementer, and auditor.

Im also a Yoga Alliance certified Yoga Teacher Trainer (YTT 500) and certified Trauma Sensitive Yoga Facilitator.

Awards / Recognitions:

- Top 20  Women in Cyber of the World 2024 

- Top 100 Influential Women in Tech South Africa 2024
- Women in Cyber People’s Choice Award 2023
- IFSEC Global Influencer in Security for 2022.
- UK’s IT Security Guru 21 Most Inspiring Women in Cyber in 2021
- Top 100 Women in Cyber 2020 and 2021 globally by Cyber Defence Magazine.
- ISACA South Africa President Award for 2020
- Women in Tech Innovations Africa 2020 Award for Southern and Central Africa at Africa Tech Week
- Top 50 Women in Cybersecurity – Africa 2020

 

© 2024

  • LinkedIn
  • X
bottom of page