Security is Human – The CISO’s psychological edge


For years, cyber security has been framed as a technical discipline – patches, firewalls, controls, and compliance. Yet, every major breach continues to remind us of a simple truth: cyber security is fundamentally about people protecting people. The most sophisticated technology in the world cannot compensate for poor decision‑making, cognitive overload, or a culture that treats security as an afterthought.

CISOs who integrate psychology into their programmes gain a strategic advantage. They build environments where secure behaviour becomes intuitive rather than forced: an organisation where people feel empowered rather than policed, and where culture becomes the strongest control.

Embedding basic psychology into your security strategy does not have to be difficult. In fact, leveraging psychological factors in your organisation's cybersecurity programme can be both an effective and a cost-effective way to reduce human risk. Below we describe eight principles to start with.


Encourage Wanted Behaviours, Not Blame

Traditional security awareness often focuses on telling people what not to do. Psychology tells us this is ineffective. Humans respond far better to:

  • A clear rationale: why something should matter to you
  • Positive reinforcement of wanted behaviour
  • Simple, actionable steps that strengthen people's sense of "self-efficacy"

For example, most cybersecurity awareness programmes tell people not to click links, not to download files and not to enable macros, or else a cyber incident will follow as punishment. In practice, people do not follow such advice, because at least nine times out of ten, clicking a link in an e-mail or downloading an attachment does not lead to an actual cyber incident.

Indeed, academic studies have shown that most people who click on simulated phishing links do not actually enter confidential information on the website; they visit the link to check the legitimacy of the e-mail and the site [1]. Moreover, most major e-mail providers offer some form of "safe link" redirection to stop users from opening suspicious websites [2] (these rewrite links and check the destination at click time, so they catch known-bad sites, not every freshly registered one). Thus, instead of advertising punitive messages such as "do not click links", leverage people's common sense: encourage them to double-check certain types of message (e.g. unsolicited requests and offers) with someone outside their immediate job context before acting. This is a more intuitive, non-technical way to establish communication norms in your organisation, and it fosters trust and collaboration rather than isolated, rash decision-making.

Reduce Cognitive Load

Smart computing devices dominate modern life, in both professional and private contexts. We continuously receive notifications, tasks and alerts that demand constant context switching. Professionals in operational cybersecurity are especially prone to overload, burnout and decision fatigue because of the high and growing volume of (potential) cyber-attacks. Such high cognitive load leads to mistakes rooted in psychological biases and other mental shortcuts.

CISOs can reduce this by:

  • Enforcing systematic, blameless team evaluation processes
  • Simplifying policies
  • Implementing security-by-design and automating low‑value tasks
  • Prioritising workload balance, e.g. through rotations to reduce fatigue
  • Providing mental‑health support and clear escalation paths

These psychologically informed measures help build a sustainable, constructive organisational culture that reduces turnover in the teams at the heart of your organisation's cyber defence. At the end of the day, a resilient team is a high-performing team.

Use Nudges to Shape Secure Behaviour

As cybersecurity professionals, we are biased to think in terms of risk. Most people's daily work settings, however, do not align with this mentality, and some may argue that they are not truly responsible for preventing cyber incidents after all. Cyber risk communications, therefore, are received better when they are perceived to benefit people's primary job tasks. The concept of "nudges" from behavioural economics offers a powerful framework for influencing secure behaviour without coercion. Many major software stacks already track user interactions, which allows timely reminders to be shown before risky user actions and micro-training to be delivered at critical decision points. Think, for example, of the warnings in mobile banking applications that remind users of the possibility of fraud and scams at the moment they set up a transaction. Such nudges work because they align with natural human tendencies rather than fighting them.
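The communication norm from the first principle (double-check unsolicited requests with someone outside your immediate context) and the just-in-time nudge described here come together in the following added example. It is not code from the article or its authors; it sketches how a mail client could decide when to show a "confirm through another channel" reminder, at the moment the reader is about to act, rather than nagging on every message. The sender history, colleague names, keyword patterns, sample messages and the decision rule are all hypothetical illustrations.

```python
"""Just-in-time "check with someone" nudge for inbound e-mail (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Message:
    from_addr: str
    display_name: str
    subject: str
    body: str
    reply_to: Optional[str] = None


@dataclass
class MailboxHistory:
    """What the mail client already knows about this user's correspondents (hypothetical)."""
    seen_addresses: set[str]    # addresses this mailbox has exchanged mail with before
    colleague_names: set[str]   # lower-case display names of internal colleagues
    internal_domains: set[str]


@dataclass
class Nudge:
    show: bool
    reasons: list[str] = field(default_factory=list)
    text: str = ""


# Constructed keyword patterns; a real deployment would tune these per organisation.
ASK = re.compile(
    r"\b(wire|transfer|payment|invoice|gift cards?|bank (details|account)|password|credentials|verify your account)\b",
    re.I,
)
PRESSURE = re.compile(r"\b(urgent|immediately|today|asap|right away|final notice|within \d+ hours?)\b", re.I)
BANK_CHANGE = re.compile(r"\b(new|updated?|changed?) bank (details|account)\b", re.I)


def _domain(addr: str) -> str:
    return addr.lower().rsplit("@", 1)[-1]


def evaluate(msg: Message, history: MailboxHistory) -> Nudge:
    """Decide whether to interrupt the reader with a 'confirm out of band' reminder."""
    reasons: list[str] = []
    addr = msg.from_addr.lower()
    domain = _domain(addr)
    external = domain not in history.internal_domains

    # Signals that the message is unsolicited, or not from whom it claims to be.
    unsolicited = False
    impersonation = False
    if addr not in history.seen_addresses:
        reasons.append("first contact: no previous mail exchanged with this address")
        unsolicited = True
    if external and msg.display_name.strip().lower() in history.colleague_names:
        reasons.append(f"display name '{msg.display_name}' matches a colleague but the address is external ({domain})")
        impersonation = True
    if msg.reply_to and _domain(msg.reply_to) != domain:
        reasons.append(f"replies would go to a different domain ({_domain(msg.reply_to)})")
        unsolicited = True

    # Signals about what the message wants the reader to do.
    text = f"{msg.subject}\n{msg.body}"
    asks = ASK.search(text) is not None
    if asks:
        reasons.append("asks for money, credentials or account changes")
    if PRESSURE.search(text):
        reasons.append("pressures the reader to act quickly")
    bank_change = BANK_CHANGE.search(text) is not None
    if bank_change:
        reasons.append("requests a change of payment details")

    # Decision rule: nudge on an unsolicited or impersonated request, and on any
    # payment-detail change regardless of sender, because a compromised but
    # familiar supplier mailbox is the classic invoice-redirection case.
    show = (asks and unsolicited) or impersonation or bank_change
    advice = ""
    if show:
        advice = ("Before acting on this request, confirm it with the sender or a colleague "
                  "through a channel you already trust (phone, chat, in person), not by replying.")
    return Nudge(show, reasons, advice)


def demo() -> dict[str, Nudge]:
    """Constructed sample messages (not real traffic) run through the rule."""
    history = MailboxHistory(
        seen_addresses={"priya.shah@example-corp.com", "billing@acme-supplies.example"},
        colleague_names={"priya shah"},
        internal_domains={"example-corp.com"},
    )
    samples = {
        "colleague_internal": Message("priya.shah@example-corp.com", "Priya Shah", "Lunch?", "Free at 1?"),
        "newsletter_first_contact": Message("news@vendor.example", "Vendor News", "March update", "New features this month."),
        "ceo_fraud": Message("priya.shah.cfo@mail.example", "Priya Shah", "Urgent wire transfer",
                             "I need you to process a payment today. Reply ASAP."),
        "invoice_redirect": Message("billing@acme-supplies.example", "ACME Billing", "Invoice 1042",
                                    "Please note our updated bank details for future invoices."),
    }
    return {name: evaluate(m, history) for name, m in samples.items()}


if __name__ == "__main__":
    for name, nudge in demo().items():
        print(f"{name}: show={nudge.show}; " + "; ".join(nudge.reasons))
```

Note that the first-contact newsletter gets no nudge even though it is unsolicited: a reminder that fires on every new sender would quickly be ignored, which is the nudge-fatigue failure mode the banking example avoids by warning only at the moment of a transaction.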

Build a Culture of Psychological Safety

People will not report mistakes if they fear punishment. Yet early reporting is one of the most effective ways to stop an incident from becoming a breach.

CISOs should:

  • Celebrate early reporting
  • Avoid naming and shaming, and instead encourage open dialogue
  • Train managers to respond constructively when employees raise suspicious activity or a potential cyber incident

One way to encourage early reporting is to give employees who have accurately reported three or more phishing e-mails a "cyber hero" award and a financial reward; tying the reward to accuracy rather than volume keeps the security team from being flooded with reports of legitimate mail. Furthermore, reassure employees who suspect they may have unintentionally shared confidential information with a third party that the organisation will take care of it, and that their job is not at risk provided they complete the appropriate cybersecurity training.

Such practices will help build psychological safety and transform employees from passive risk points into active defenders.

Understand Attacker Psychology

Cybercriminals exploit emotions such as urgency, fear and curiosity to make social engineering attacks succeed. CISOs must understand these psychological levers to design effective defences.

Incorporate:

  • Realistic, job-relevant social‑engineering simulations in cybersecurity training programs
  • Training to guard people against emotional manipulation
  • Guidance on recognising one’s own cognitive biases

For instance, a study that used a red teaming approach to train an organisation's workforce in phishing detection showed highly promising results, because it engaged employees with cybersecurity in a far more intuitive way than conventional training. Teaching people to think like attackers made them nearly three times less likely to fall for a simulated phishing campaign than their conventionally trained counterparts [3].

This result exemplifies how leaning into people’s psychology can lead to more effective cyber defences. A possible mechanism to explain this is that such “adversarial training” exposes people’s own cognitive vulnerabilities that cybercriminals would otherwise seek to exploit.

Tailor Security to Different Personality Types

Not all employees behave the same way. Some are cautious, others are impulsive; some are detail‑oriented, others are big‑picture thinkers.

A mature programme uses:

  • Persona‑based training
  • Role‑specific risk profiles
  • Adaptive learning paths

Psychology helps CISOs meet people where they are, not where policy assumes they should be. Currently, cybersecurity training programmes tend to follow a "cookie cutter" format and are not tailored to the many specific contexts of an organisation's diverse workforce. This is a glaring gap (and a commercial opportunity) that CISOs can help address.

Conclusion

When we talk to other CISOs about the importance of psychology in cybersecurity, we always come back to one simple truth: our biggest vulnerabilities and our greatest strengths both live in the minds of the people we want to protect. After years of leading security programmes, winning awards, and researching security behaviours, we have learned that mere technology will not save us. What makes the real difference is understanding how people think, why they make certain (insecure) choices, and what pressures shape their behaviour. When we design controls, we should not just be thinking about risk—we should be thinking about cognitive load, emotional triggers, trust, and culture. If we ignore psychology, we end up building security that looks good on paper, but fails in practice. When we embrace it, we create environments where secure behaviour becomes the norm. That shift—from policing people to empowering them—is where the real transformation happens.

CISOs who embrace psychology move beyond compliance and technology. They build programmes rooted in human behaviour, emotional intelligence, and cultural transformation. This approach not only reduces risk—it creates an organisation where security becomes an intuitive responsibility and source of pride.

The future of cybersecurity belongs to leaders who understand people as deeply as they understand technology. Psychology is not a soft skill; it is a strategic capability.

Dr. Sarah Y. Zheng is a Senior Research Fellow at the UCL Dawes Centre for Future Crime, working on identifying how criminals can exploit emerging technologies to create new crime and security risks. Her PhD shed light on the psychological aspects of why people fall for phishing attacks and how to protect them better with adversarial training and trust-based e-mail security nudges. Prior to this, she developed machine learning models for fraud and phishing detection, and AI applications for large enterprises. With her background in neuropsychology and technical skills, she is on a mission to defend the human element in technological developments.

Tarnveer Singh FBCS FCIIS is an award-winning Chief Information Security Officer (CISO) and experienced Technology Leader with two decades in the profession operating across a range of sectors and clients. Tarnveer has experience in a wide breadth of security and technology roles throughout his career. He has been recognised for his thought leadership as an Author and as a Technology Researcher.

Purchase "The Psychology of Cybersecurity" here: https://www.routledge.com/The-Psychology-of-Cybersecurity-Hacking-and-the-Human-Mind/Singh-Zheng/p/book/9781041005704

References
[1] Lain, D., Kostiainen, K. and Čapkun, S. (2022). Phishing in organizations: Findings from a large-scale and long-term study. In 2022 IEEE Symposium on Security and Privacy (SP), pp. 842-859. IEEE.
[2] Li, F. (2020). Shim shimmeny: Evaluating the security and privacy contributions of link shimming in the modern web. In 29th USENIX Security Symposium (USENIX Security 20), pp. 649-664; Oest, A., Zhang, P., Wardman, B., Nunes, E., Burgis, J., Zand, A., Thomas, K., Doupé, A. and Ahn, G.J. (2020). Sunrise to sunset: Analyzing the end-to-end life cycle and effectiveness of phishing attacks at scale. In 29th USENIX Security Symposium (USENIX Security 20).
[3] Zheng, S.Y. and Becker, I. (2023). Phishing to improve detection. In Proceedings of the 2023 European Symposium on Usable Security (EuroUSEC), pp. 334-343.
