Security BSides Las Vegas 2025

“PEBKAC Rebooted: A Hacker’s Guide to People‑Patching in 90 Days”
2025-08-04, Siena

Forget the tired “PEBKAC” jokes—your next breach won’t happen because people are stupid, but because their brains are running exactly as designed.

This session weaponizes cognitive science and a dataset of 1 million users' experiences with phishing simulations and 170,000 people's answers to perceptual surveys to show how attackers hijack four predictable bugs in wetware: optimism bias (“not me”), Dunning‑Kruger (a dash of training → god‑mode confidence), and the newly quantified technology bias—the reckless belief that EDR, AI mail filters, or zero‑trust pixie dust catch everything. You’ll see why users who score high on tech bias click links 140% more often, and why click‑through rates double if phishing simulations pause for just three months. Then we flip the script: continuous “people‑patching,” instant dopamine‑hit feedback loops, and neuroscience-based hacks that drop real‑phish clicks 8× while tripling report rates. We'll also show how to prove the ROI of moving from security awareness to motivation, and how humans can expose the flaws in your security stack, such as how many phishes leaked past your e-mail filters.


For decades, security pros have repeated the mantra: “People are the weakest link.”

This talk flips that myth on its head. Using one of the largest datasets of its kind—1 million users, millions of phishing simulations, and survey responses from 170,000 people—we’ll explore how people aren’t the biggest problem in cybersecurity. They’re the greatest opportunity.

Human error is not random. It follows predictable patterns hardwired by evolution:

Optimism bias: “It won’t happen to me.” (+37% click rate)

Anchoring bias: First impressions override logic (now supercharged by GenAI-quality phish)

Dunning-Kruger effect: Overconfidence after shallow training = dangerous false certainty

Technology bias: 1 in 3 users believe firewalls and antivirus fully protect them—a belief that leads to 140% more clicks

These aren’t theoretical concepts. They show up in real phishing telemetry. People don’t click because they’re dumb—they click because their brains are conserving energy, operating on autopilot, or hijacked by emotional triggers like urgency and fear. Nearly 20% of clickers don’t even remember doing it. Another 17% say they were rushing. The amygdala moves faster than logic. Social engineers know this. It's time defenders did too.

The good news? These patterns are hackable—by us.

Backed by behavioral science and data, this talk outlines a new model of human defense: one based on motivation, emotional learning, and cognitive bias mitigation. It also brings SCARF, a neuroscience-based model (Status, Certainty, Autonomy, Relatedness, Fairness) from the business world, into cybersecurity to help us engage users on their terms—not ours.

We’ll cover what actually works:

Click rates drop 8x in 90 days with well-designed simulation programs
Report rates increase 2.5–3x when users get positive feedback and real-time coaching
Live phishing threats caught by users increase as trust in tools alone declines
Resilience decays fast: pause simulations for three months and click rates double
We’ll also explore failure modes: over-training leads to false confidence, and phishing users too often (more than once a month) tanks performance.
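As an added example (not from the talk or from Beauceron Security), here is how the numbers behind these claims can be computed from a simulation program's own telemetry: click and report rates per campaign, the click-rate lift of high technology-bias users over everyone else, and any gap between campaigns longer than the three months the talk says doubles click rates. The 1-5 survey scale, user ids and events are constructed for illustration.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data (not the talk's dataset). The 1-5 score is an
# assumed "technology bias" survey scale (5 = "my tools catch everything").
TECH_BIAS = {"u1": 1, "u2": 5, "u3": 4, "u4": 2, "u5": 5, "u6": 1}

# One row per (campaign date, user, clicked, reported), constructed by hand.
# Note the 4-month pause before the June campaign.
EVENTS = [
    (date(2025, 1, 10), "u1", False, True), (date(2025, 1, 10), "u2", True, False),
    (date(2025, 1, 10), "u3", True, False), (date(2025, 1, 10), "u4", False, False),
    (date(2025, 1, 10), "u5", False, True), (date(2025, 1, 10), "u6", True, False),
    (date(2025, 2, 10), "u1", False, True), (date(2025, 2, 10), "u2", True, False),
    (date(2025, 2, 10), "u3", False, True), (date(2025, 2, 10), "u4", False, True),
    (date(2025, 2, 10), "u5", False, True), (date(2025, 2, 10), "u6", False, False),
    (date(2025, 6, 15), "u1", False, False), (date(2025, 6, 15), "u2", True, False),
    (date(2025, 6, 15), "u3", True, False), (date(2025, 6, 15), "u4", True, False),
    (date(2025, 6, 15), "u5", False, True), (date(2025, 6, 15), "u6", False, True),
]


def rates_by_campaign(events):
    """(campaign date, click rate, report rate) per campaign, oldest first."""
    buckets = defaultdict(lambda: [0, 0, 0])  # sent, clicked, reported
    for day, _user, clicked, reported in events:
        b = buckets[day]
        b[0] += 1
        b[1] += clicked
        b[2] += reported
    return [(day, b[1] / b[0], b[2] / b[0]) for day, b in sorted(buckets.items())]


def tech_bias_lift(events, survey, threshold=4):
    """Extra click rate of high-tech-bias users over the rest, as a fraction
    (1.5 means they click 150% more often)."""
    sent = {True: 0, False: 0}
    clicks = {True: 0, False: 0}
    for _day, user, clicked, _reported in events:
        high = survey[user] >= threshold
        sent[high] += 1
        clicks[high] += clicked
    return (clicks[True] / sent[True]) / (clicks[False] / sent[False]) - 1


def simulation_gaps(events, max_gap_days=90):
    """Consecutive campaigns further apart than max_gap_days: the pause
    after which the talk says resilience decays and click rates double."""
    days = sorted({day for day, *_ in events})
    return [(a, b, (b - a).days) for a, b in zip(days, days[1:])
            if (b - a).days > max_gap_days]
```

In the constructed data the click rate falls from 3/6 to 1/6 across the first two monthly campaigns and rebounds to 3/6 after the 125-day pause while the report rate halves, which is the decay pattern the talk describes.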

This session will give you a blueprint for building adaptive, motivated human firewalls using neuroscience, behavior modeling, and just the right dose of gamified reinforcement. Learn how to measure attitudes—not just knowledge—and why motivation is the real missing link in most security awareness programs.

Don’t settle for blaming users. Hack their biases. Trigger better defaults. Close the loop with feedback, not shame.

From weakest link to fastest sensor: this is how you patch the wetware.

David Shipley is an award-winning entrepreneur who loves working at the intersection of the liberal arts and technology.

In 2016, David co-founded Beauceron Security with an innovative approach to cybersecurity awareness. This approach empowers everyone within an organization to know more and care more about their crucial role in protecting against cyber-attacks. Beauceron Security now serves more than 1,200 clients across North America, Europe, and Africa, and over 1 million people have benefited from their work.

Before co-founding Beauceron Security, David was the security lead for the University of New Brunswick and developed its incident response, threat intelligence, and awareness practice.

He is a Certified Information Security Manager (CISM), a former journalist, and a Canadian Forces veteran. He was awarded the Queen's Diamond Jubilee Medal and the King Charles III Coronation Medal for his service to Canada and his work in cybersecurity.

David regularly contributes to the Cybersecurity Today podcast and appears frequently in the media to help explain cybersecurity stories.