In a previous post about a year ago, I wrote about how I failed a phishing simulation test during an Uber ride and how this led me to research human susceptibility factors to social engineering and cyber-mindfulness. I wanted to dig into the real reason behind why I, as a security awareness person with 22+ experience in cybersecurity, clicked on a phishing email. By the way, the Uber incident was not the only phishing test I failed - there were quite a few more examples. My theory back then was that it wasn't my lack of skills that made me click, but rather a distracted and multi-tasking state of mind. And some initial research confirmed this theory. Motivated by these findings, I subsequently decided to make this question the focus of my research thesis for my Cyberpsychology Master's program. And here it is finally :)
You can also download the full thesis paper here:
Thesis Abstract
The main research question investigated in this study is which mindfulness training techniques as part of a wider organizational security awareness campaign, assist users in defending against online social engineering (SE) attacks. In line with this, the goal of the study was to gain a deeper understanding of the effectiveness of mindfulness training as a defence mechanism against SE attacks and which mindfulness interventions would be most effective. The research started with a literature review to identify factors contributing to susceptibility to phishing and SE. Factors found were classified into cognitive, behavioural, psychological, situational, and demographic categories and these were then mapped against validated benefits of mindfulness—such as improved attentional control, enhanced meta-awareness, reduced stress, and emotional regulation. The review of empirical literature covering mindfulness in cybersecurity specifically confirmed that participants who underwent mindfulness training were better in detecting phishing attempts compared to control groups, indicating a clear link between mindfulness practices and reduced susceptibility to SE tactics.
Through interviews with 20 experts in cybersecurity and mindfulness and using inductive qualitative analysis, themes and categories related to the integration of mindfulness in cybersecurity awareness programmes and general organisational settings were identified. While the interviews confirmed many of the theoretical benefits, they also uncovered significant challenges, such as resistance from employees to terminology, ensuring consistent adoption, difficulties in communication and quantifying the effectiveness. Based on the findings, the study recommends a companywide culture shift to one that favours deliberation over immediacy and one that integrates mindfulness into the broader organisational and cybersecurity agenda. The study concludes that mindfulness, when used complementary to existing awareness efforts, can significantly strengthen human defences against SE attacks. Driven holistically, where mindfulness becomes a core component of cybersecurity training programmes and a cultural shift towards more mindful and deliberate organisational behaviours is the most effective approach. The study recommends future research on the effect of mindfulness in existing cyber awareness programmes to collect empirical data based on real-life implementations.
Introduction & Problem Statement
The Objective of the Research
Research Questions
Existing Frameworks for Susceptibility to Phishing and SE
Multiple conceptual frameworks and models exist that provide insights into susceptibility factors to phishing and SE: Vishwanath et al., (2018) developed a framework that considers the cognitive, instinctive, and automatic actions that might result in someone being tricked by phishing (Vishwanath et al., 2018). This Suspicion, Cognition, and Automaticity Model (SCAM) assessed individuals on various parameters including their level of doubt, instinctive reactions, deliberate thought processes, beliefs about online risks, email habits, and their ability to control their responses. They found that the level of suspicion individuals applied was higher when they engaged in a thorough evaluation of an email. In contrast, scepticism was lower when they quickly assessed emails using mental shortcuts or heuristics. Individuals’ awareness of cyber risks impacted both above. Those who considered their online behaviour to be safe were more prone to rely on heuristic evaluation (Vishwanath et al., 2018).
The Lens model used the double system lens model, a method for analysing judgement, along with cognitive continuum theory to better understand the relationship between cognition and phishing susceptibility. The study pinpointed that an analytical approach was the most suitable type of thinking for categorising emails and that it corresponded with a reduced incidence of falling for phishing scams (Molinaro & Bolton, 2019). Musuva’s Elaboration Likelihood Model (ELM) involved testing 25 hypotheses and investigating the roles of cognitive processing and threat detection. The findings suggest that the ability to detect threats is the most effective factor in spotting phishing attempts. Individuals who put in the cognitive effort to scrutinise messages are less susceptible to such threats (Musuva et al., 2019).
In 2022, Yang and colleagues proposed a model called the multidimensional phishing susceptibility prediction model (MPSPM) to assess the likelihood of users falling for phishing attempts. Their study involved 1,105 volunteers who collected data on their demographics, personality, knowledge, security practices, and cognitive processes. Using machine learning methods showed high accuracy in predicting which users were more likely to be tricked. The study found a notable correlation between personality traits and vulnerability to phishing, with a particularly high connection between the trait of extraversion and susceptibility (Yang et al., 2022).
The Phishing Susceptibility Model (PSM) created by Zhuo and colleagues in 2023 organises susceptibility factors into three different stages of when they affect individuals during a phishing attack and the impact of situational, long-term, cognitive, in-the-moment, and external factors. The PSM, unlike other models, includes situational factors that influence susceptibility, for example, when the user is under a period of high stress. The PSM highlights the need for more research to understand susceptibility factors and improve protection against phishing susceptibility (Zhuo et al., 2023).
Proposed Framework for Susceptibility to Phishing and SE.
Cognitive Factors
Psychological Factors
Behavioural Factors
Situational Factors
Demographic Factors
Previous research on mindfulness in cybersecurity
Validated Benefits of Mindfulness
Present moment & meta-awareness
Attention, focus and concentration
Emotional regulation & self-control
Adverse Effects of Mindfulness Practices
Results: Linking of theory and research question
Analytical sub-questions (theoretical SQ):
Existing literature explaining the role of mindfulness in cybersecurity
Empirical Analysis
Collection and Evaluation of Empirical Results
Presentation of Empirical Results
Threats and Vulnerabilities ("the Why")
Solution and antidote (“the Why”)
Transforming organisational culture (“the How”)
Campaign Approach – (“the How”)
Techniques and practices ("The What")
Tools
Challenges
Answer to the Empirical Subquestions
Conclusion and Outlook
Future outlook and research directions
References
Please download the full thesis paper as 30 pages are too much to put on here.
Comments