In a previous post about a year ago, I wrote about how I failed a phishing simulation test during an Uber ride and how this led me to research human susceptibility factors to social engineering and cyber-mindfulness. I wanted to dig into the real reason why I, as a security awareness person with 22+ years of experience in cybersecurity, clicked on a phishing email. By the way, the Uber incident was not the only phishing test I failed - there were quite a few more examples. My theory back then was that it wasn't my lack of skills that made me click, but rather a distracted and multi-tasking state of mind. And some initial research confirmed this theory. Motivated by these findings, I subsequently decided to make this question the focus of my research thesis for my Cyberpsychology Master's program. And here it is finally :)
You can also download the full thesis paper here:
Thesis Abstract
The main research question investigated in this study is which mindfulness training techniques, as part of a wider organisational security awareness campaign, assist users in defending against online social engineering (SE) attacks. In line with this, the goal of the study was to gain a deeper understanding of the effectiveness of mindfulness training as a defence mechanism against SE attacks and of which mindfulness interventions would be most effective. The research started with a literature review to identify factors contributing to susceptibility to phishing and SE. The factors found were classified into cognitive, behavioural, psychological, situational and demographic categories, and these were then mapped against validated benefits of mindfulness, such as improved attentional control, enhanced meta-awareness, reduced stress and emotional regulation. The review of empirical literature covering mindfulness in cybersecurity specifically confirmed that participants who underwent mindfulness training were better at detecting phishing attempts than control groups, indicating a clear link between mindfulness practices and reduced susceptibility to SE tactics.
Through interviews with 20 experts in cybersecurity and mindfulness, and using inductive qualitative analysis, themes and categories related to the integration of mindfulness into cybersecurity awareness programmes and general organisational settings were identified. While the interviews confirmed many of the theoretical benefits, they also uncovered significant challenges, such as employee resistance to the terminology, ensuring consistent adoption, difficulties in communication, and quantifying effectiveness. Based on the findings, the study recommends a company-wide culture shift to one that favours deliberation over immediacy and that integrates mindfulness into the broader organisational and cybersecurity agenda. The study concludes that mindfulness, when used as a complement to existing awareness efforts, can significantly strengthen human defences against SE attacks. The most effective approach is a holistic one, in which mindfulness becomes a core component of cybersecurity training programmes and is accompanied by a cultural shift towards more mindful and deliberate organisational behaviours. The study recommends future research on the effect of mindfulness in existing cyber awareness programmes, collecting empirical data from real-life implementations.
Introduction & Problem Statement
The Objective of the Research
Research Questions
Proposed Framework for Susceptibility to Phishing and SE
Cognitive Factors
Psychological Factors
Behavioural Factors
Situational Factors
Demographic Factors
Previous research on mindfulness in cybersecurity
Validated Benefits of Mindfulness
Present moment & meta-awareness
Attention, focus and concentration
Emotional regulation & self-control
Adverse Effects of Mindfulness Practices
Results: Linking of theory and research question
Analytical sub-questions (theoretical SQ):
Existing literature explaining the role of mindfulness in cybersecurity
Empirical Analysis
Collection and Evaluation of Empirical Results
Presentation of Empirical Results
Threats and Vulnerabilities ("the Why")
Solution and antidote ("the Why")
Transforming organisational culture ("the How")
Campaign Approach ("the How")
Techniques and practices ("the What")
Tools
Challenges
Answer to the Empirical Subquestions
Conclusion and Outlook
Future outlook and research directions
References
Please download the full thesis paper as 30 pages are too much to put on here.