2025-11-17 –, Westin - Partenkirchen
Social engineering attacks aren’t about breaking technology—they’re about breaking people. This talk dives into the powerful intersection of cybersecurity and psychology, revealing how attackers exploit instinctive human behaviors to deceive, persuade, and manipulate. Drawing from real-world examples and backed by scientific research, we’ll explore the psychological mechanisms behind successful social engineering attacks. We’ll examine how these same psychological principles can be repurposed to build resilience, not just awareness. You’ll learn why traditional security training often fails to change behavior and how to replace it with effective, science-backed techniques: psychological inoculation, decision friction, cultural reinforcement, and behaviorally designed systems.
This talk dives into the intersection of cybersecurity and psychology, revealing how attackers manipulate natural cognitive processes to deceive, persuade, and exploit. The session explores the psychological mechanisms that drive social engineering success. From authority bias and urgency to social proof and reciprocity, we will unpack how these influences override rational thinking and trigger automatic, emotionally driven reactions, often in otherwise alert, intelligent individuals. But how can we turn this to our advantage?
We will explore how these same psychological principles can be repurposed to build resilience, not just awareness. You'll learn why most traditional security training fails to change behavior, and how to replace it with techniques rooted in behavioral science, such as psychological inoculation, decision friction, and cultural reinforcement. By treating human psychology not as a weakness but as a strategic advantage, we can train users to recognize manipulation, respond with critical thinking, and ultimately become active participants in defense.
This part of the talk explains why traditional awareness training fails, how to cultivate "psychological antibodies" in your target audience, and how to turn human behavior into an advantage:
- Behavioral Design in Security Systems
  Design interfaces and workflows that guide users toward secure behavior by default. Techniques such as visual warnings, intentional delays, and just-in-time education can redirect risky actions before they occur.
- Psychological Inoculation Training
  Expose users to realistic phishing simulations and explain the tactics used against them. This builds "psychological antibodies": mental defenses that help users recognize and resist manipulation attempts in the future.
- Empowered Vigilance Through Culture
  Create an environment where employees feel safe to question suspicious requests and are encouraged to report anomalies. In one case, a junior staff member's skepticism of a high-level email request prevented a major fraud incident, because the organization rewarded curiosity over blind compliance.
- Leveraging Social Proof for Good
  Use peer influence to promote secure behaviors. Sharing success stories and publicly recognizing users who catch phishing attempts can shift norms and create a security-conscious community.
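The "Behavioral Design" and "Psychological Inoculation" items above describe decision friction and just-in-time education in the abstract. The following Python is an added illustration, not code from the talk or its speaker: a rule-based gate that scores an inbound request for the persuasion cues the talk names (authority, urgency, secrecy, reciprocity, social proof) plus two structural signals (an executive's display name on an external address, and a change of payment details), and above a threshold inserts friction: a hold period, an out-of-band verification step, and a short explanation of the tactic shown to the user at the moment it matters. The keyword patterns, weights, thresholds, domain name and executive names are assumptions chosen for the example, and the sample requests are constructed.

```python
import re
from dataclasses import dataclass, field

INTERNAL_DOMAIN = "example.com"        # assumed: the organisation's own mail domain
EXECUTIVES = {"Jane Doe", "John Roe"}  # assumed: names an impersonator would borrow

# Persuasion cues from the talk. Patterns, weights and the one-line
# explanations shown to the user are illustrative assumptions.
CUES = {
    "authority": (
        r"\b(ceo|cfo|managing director|board|on behalf of the (ceo|cfo))\b", 2,
        "Authority: a senior name is used so you comply without checking.",
    ),
    "urgency": (
        r"\b(urgent|immediately|asap|right now|within the hour|before close of business)\b", 2,
        "Urgency: a deadline is used to stop you from pausing to verify.",
    ),
    "secrecy": (
        r"\b(confidential|do not (tell|discuss|mention)|keep this between us)\b", 2,
        "Secrecy: you are asked not to consult colleagues, removing your safety net.",
    ),
    "reciprocity": (
        r"\b(i (already )?approved|after everything i('ve| have) done|in return)\b", 1,
        "Reciprocity: a favour or prior approval is invoked so refusing feels rude.",
    ),
    "social_proof": (
        r"\b(everyone (else )?(has|already)|the (rest of the )?team (has|already))\b", 1,
        "Social proof: 'everyone else did it' makes the action feel normal.",
    ),
}


@dataclass
class Request:
    display_name: str
    sender_address: str
    body: str
    changes_payment_details: bool = False  # e.g. a new IBAN for a known supplier


@dataclass
class Friction:
    action: str            # "proceed", "warn" or "hold_and_verify"
    hold_minutes: int      # intentional delay before the action can complete
    score: int
    banner: list = field(default_factory=list)  # just-in-time explanation for the user


def score_request(req: Request):
    """Return (score, reasons): how strongly the request leans on persuasion cues."""
    text = req.body.lower()
    score, reasons = 0, []
    for pattern, weight, explanation in CUES.values():
        if re.search(pattern, text):
            score += weight
            reasons.append(explanation)
    sender_domain = req.sender_address.rsplit("@", 1)[-1].lower()
    # Display-name impersonation: an executive's name on an external address.
    if req.display_name in EXECUTIVES and sender_domain != INTERNAL_DOMAIN:
        score += 3
        reasons.append(f"Shown as {req.display_name} but sent from {sender_domain}, "
                       f"not {INTERNAL_DOMAIN}.")
    if req.changes_payment_details:
        score += 2
        reasons.append("Payment details would change; that is the usual goal of "
                       "CEO and invoice fraud.")
    return score, reasons


def apply_friction(req: Request, hold_threshold: int = 5, warn_threshold: int = 2) -> Friction:
    """Decide how much friction to insert before the request can be acted on."""
    score, reasons = score_request(req)
    if score >= hold_threshold:
        # Hold the action and require verification on a channel the sender did not choose.
        banner = ["On hold for 60 minutes. Confirm by phone using a number from the "
                  "company directory, not from this message."] + reasons
        return Friction("hold_and_verify", 60, score, banner)
    if score >= warn_threshold:
        return Friction("warn", 0, score, ["Pause and check before acting:"] + reasons)
    return Friction("proceed", 0, score)


# Constructed sample requests (not real messages).
CEO_FRAUD = Request(
    "Jane Doe", "jane.doe@examp1e-mail.com",
    "I'm in a board meeting and can't talk. Urgent: wire 48,000 EUR to the new "
    "supplier account before close of business. Keep this between us until I'm back.",
    changes_payment_details=True,
)
HURRIED = Request("Sam Lee", "sam.lee@example.com",
                  "Can you send me the vendor list immediately? Audit needs it.")
ROUTINE = Request("Sam Lee", "sam.lee@example.com",
                  "Attached are Tuesday's meeting notes. Tell me if I missed anything.")

if __name__ == "__main__":
    for req in (CEO_FRAUD, HURRIED, ROUTINE):
        f = apply_friction(req)
        print(f"{req.display_name}: {f.action} (score {f.score}, hold {f.hold_minutes} min)")
        for line in f.banner:
            print("   ", line)
```

The point of the design is not the keyword list, which any attacker can route around, but where the friction lands: the constructed CEO-fraud message is held and routed to a directory phone number the sender did not supply, the merely hurried internal request only gets a warning so routine work is not blocked, and every banner line names the tactic being used, which is the "explain the tactics used against them" half of inoculation.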
Questions for discussion:
- Can we train people to think like attackers, just enough to spot manipulation before it happens?
- Why do we still equate awareness with protection, when attackers exploit behavior, not knowledge?
The overall takeaway is a better understanding of the mechanisms that drive our behavior during a social engineering attack, and of why specialized training is needed to build resilience.
Human-Centered Defense, Social Engineering Psychology
Hello :) My name is Julia, I'm 25 years old and a student of IT-Security at university. I am currently writing my bachelor's thesis on Security Awareness Training.
In my free time I love to game, play volleyball or go travel the world with my friends.