WICCON 2025

The Awareness Trap: Why security awareness training often fails – and what to do instead
2025-10-30 , Main Stage

Cybersecurity training often assumes that awareness leads to action. But despite years of phishing simulations and mandatory e-learnings, 95% of cyberincidents can be traced back to human error. Drawing from behavioral science and real-world examples, this talk reveals why knowledge alone rarely changes behavior. We’ll challenge the common assumption that people act rationally when they’re informed and aware, and show the audience how a more realistic model of decision-making opens the door to smarter, more effective interventions. Because in cybersecurity, what people do matters more than what they know.


Cybersecurity professionals have poured lots of time, money, energy (and hopes and dreams) into awareness campaigns. We roll out some phishing simulations, add e-learnings to our colleagues’ to-do lists, and organize the occasional escape room hoping to at least make the mandatory topic of security a bit more fun.

And yet, 95% of cyberincidents can be traced back to human error [1]. We still click. We still use weak passwords. We still ignore or delay updates. At the end of the day, it’s still people – like you and me – using those digital systems. Which is exactly why human behavior plays such an important role in cybersecurity.

Many security initiatives are built on a faulty assumption: that people behave rationally when informed. Surely, if someone knows that clicking a phishing link can bring the whole organization to its knees, they will make sure to avoid that… right?

But research tells us otherwise. Under time pressure and cognitive load, people often rely on quick, intuitive decisions (what psychologists call ‘System 1’ thinking), rather than slow, analytical reasoning (‘System 2’) [2]. It’s quick, but prone to mistakes. That’s why even well-informed employees can make risky choices in a rush to meet all their deadlines.

Behavioral science teaches us that knowing ≠ doing. It gives us the tools to look at the real drivers of human behavior in cybersecurity. Hint: it’s not just about awareness. Decades of research from fields like behavioral economics, cognitive psychology, and usability studies have shown that our behavior is driven far more by our context than by conscious deliberation.

External factors, like time constraints, attention overload, social norms, and default settings, influence behavior, often without us even realizing it. And when people are juggling tasks, they act not based on what they know, but on what’s easiest, fastest, or helps them get their work done in the moment [3].

That’s why your colleagues reuse the same weak password across accounts. Not because they think it’s safe, but because they’re using 20 different tools, the password manager is confusing and adds extra steps, and they just need to get through their work in time. In that moment, they’re way more likely to pick what’s easiest, even if it’s less secure.

So sure, an escape room can be a fun way to raise the topic of awareness. And sure, awareness may be top of mind during it, or shortly thereafter, but it is not a ‘constant’ state of mind. It tends to fade over time, gradually pushed aside by daily routines and competing priorities. When was the last time you fired off some last emails at the end of the day before rushing out to pick up your kids from school? In that split second, awareness isn’t what’s top of mind – convenience is. And that’s when mistakes happen.

Many organizations still operate from what behavioral scientists call the ‘rational human model’: the idea that if we explain the risk, people will adjust. But this model just doesn’t match how we humans actually behave. It’s the reason why many traditional security awareness programs fall flat, and why it’s time for a new approach.

This talk reframes the human factor in cybersecurity from an awareness challenge, to a behavioral one. Instead of doubling down on training modules and phishing tests, we’ll explore how habits form, how environments shape decisions, and how behaviorally informed design changes can reduce risk more effectively than yet another “death by PowerPoint”.

By the end of this session, the audience will walk away with:
* An understanding of why awareness alone rarely leads to behavior change;
* A more realistic model of human decision-making to design interventions that actually change behavior – and not just tick compliance boxes;
* A behavior-first lens to help them rethink their campaigns, metrics, and prevention initiatives – saving time by avoiding ineffective awareness campaigns.

A more realistic model of decision-making opens the door to smarter, more effective interventions that align with how people actually behave. It shifts the focus beyond tracking how many people click on phishing links, toward designing environments that support meaningful and measurable behavior change. Because in cybersecurity, success shouldn’t be measured by how much people know or how aware they are, but by what they do when it matters most.

Realism eats rationalism for breakfast ;)

References
[1] IBM (2021). IBM Cyber Security Intelligence Index Report.
[2] Kahneman, D. (2011). Thinking, Fast and Slow. London: Penguin Books.
[3] Simon, H. A. (1955). A behavioral model of rational choice (bounded rationality). The Quarterly Journal of Economics, 69(1), 99–118. https://doi.org/10.2307/1884852

With a background in social and neuropsychology, Roos helps organizations work through the complex puzzle of human behavior. She has addressed behavioral challenges in cybercrime, digital safety, and financial decision-making, and previously founded an international collective applying behavioral insights to digital product design.
Now partnering with BehaviorBirds, she strengthens the human side of cybersecurity by designing solutions that work with how people think and act. Known for her drive, charisma, and expertise in behavioral change, she translates complex science into clear, actionable strategies that resonate with any audience.

For nearly a decade, Tünde has been helping ministries and large organizations tackle their toughest behavioral challenges. From nationwide campaigns to subtle workplace interventions, she knows how to translate behavioral science into practical strategies that change human behavior. In recent years, she has focused her expertise on cybersecurity, founding BehaviorBirds to move the field beyond its obsession with what she calls “the A-word” (aka, awareness). She combines scientific research with actionable design, starting from a simple truth: you can’t change behavior without first understanding it. Known for her spontaneous, high-energy presence and keen scientific eye, Tünde brings both insight and enthusiasm to every stage she steps on.