2024-12-07, Track 1
This talk will delve into the critical findings from the speaker's Cyberpsychology Master's research thesis, exploring the human susceptibility factors to social engineering and deception. It will touch on how evidence-based mindfulness practices can effectively 'patch' many (23 out of 33) of these human vulnerabilities. Additionally, we will share practical insights from a 1.5-year journey of implementing a cyber mindfulness campaign at Nedbank.
I previously wrote about how I failed a phishing simulation test during an Uber ride and how this led me to research human susceptibility factors to social engineering and cyber-mindfulness. I wanted to dig into the real reason why I, as a security person with 22+ years of experience in cybersecurity, clicked on a phishing email. (By the way, the Uber incident was not the only phishing test I failed; there were quite a few more examples.) My theory back then was that it wasn't a lack of skills that made me click, but rather a distracted, multi-tasking state of mind, and some initial research confirmed this theory. Motivated by these findings, I decided to make this question the focus of my research thesis for my Cyberpsychology Master's programme. The talk will provide the key highlights from the thesis, such as:
1. Findings from a literature review identifying the factors that contribute to susceptibility to phishing and SE. The factors found were classified into cognitive, behavioural, psychological, situational, and demographic categories.
2. These factors were then mapped against validated benefits of mindfulness, such as improved attentional control, enhanced meta-awareness, reduced stress, and better emotional regulation.
3. Existing literature on mindfulness in cybersecurity specifically confirmed that participants who underwent mindfulness training were better at detecting phishing attempts than control groups, indicating a clear link between mindfulness practices and reduced susceptibility to SE tactics.
Through interviews with 20 experts in cybersecurity and mindfulness, analysed using inductive qualitative analysis, themes and categories related to the integration of mindfulness into cybersecurity awareness programmes and general organisational settings were identified. While the interviews confirmed many of the theoretical benefits, they also uncovered significant challenges, such as employee resistance to the terminology, ensuring consistent adoption, and difficulties in communicating the approach and in quantifying its effectiveness. Based on the findings, I recommend a company-wide culture shift towards one that favours deliberation over immediacy and that integrates mindfulness into the broader organisational and cybersecurity agenda.
Lastly, we will share some real-world examples of organisations that have embraced this concept, such as Nedbank.
Anna Collard is the SVP of Content Strategy and Evangelist for KnowBe4 Africa. She founded Popcorn Training, acquired by KnowBe4 in 2018, and holds a Master of Science in Cyberpsychology, alongside various security certifications such as CISSP, CISA, CIPP/IT, ISO 27k and PCI DSS QSA. Recognised among the Top 20 Women in Cyber (2024), she also won the Global Cybersecurity Women of the Year Award (2023). Anna is a member of the World Economic Forum's Global Future Councils and co-founded the MiDO Cyber Academy Programme, which focuses on closing the cyber skills gap in underserved communities.
Christine Gordon-Bennett is a passionate, creative, energetic and enthusiastic cybersecurity awareness expert currently working in the CISO Office at Nedbank. She has a passion for helping people understand the value of safe cybersecurity practices and for educating them on the behavioural changes that help them avoid becoming the target of a cyber-attack, both at work and in their personal lives.
Christine has thoroughly enjoyed developing and implementing a comprehensive security awareness programme at Nedbank over the past 8 years. Cyberpsychology, understanding human behaviour, and the role mindfulness plays in securing organisations and the community are topics she is deeply passionate about.
Christine is Project Management Professional (PMP) certified and holds the SANS Security Awareness Professional (SSAP) certification from the SANS Institute.