Cognitive Vulnerabilities: Why Humans Fall for Cyber Attacks

2 Nov 2023 09:05h - 09:45h UTC

Event report


  • Lucy Hedges


  • Prof. William H. Dutton
  • Philippe VALLE
  • Gareth Maclachlan
  • David Chow

Table of contents

Disclaimer: This is not an official record of the GCF session. The DiploAI system automatically generates these resources from the audiovisual recording. Resources are presented in their original format, as provided by the AI (e.g. including any spelling mistakes). The accuracy of these resources cannot be guaranteed. The official record of the session can be found on the GCF YouTube channel.

Knowledge Graph of Debate

Session report

Gareth Maclachlan

Trellix, which was formed around a year ago, is the result of a merger between FireEye and McAfee. It is a global organization serving approximately 45,000 enterprises. Human exploitation in cyber threats revolves around three main tactics: familiarity, urgency, and personal or corporate cost. Cyber attackers use familiar elements to manipulate users into making decisions that benefit the attackers. They create a sense of urgency, forcing users to act quickly without thinking critically. Additionally, they exploit the personal or corporate cost associated with certain actions, making users more likely to react as desired by the attackers.

One common type of cyber attack is VIP impersonation, where attackers use a text message from a CEO or executive, requesting the recipient to perform unusual activities. However, this tactic is often ineffective as such activities are typically not part of regular business practices.

Credential phishing, on the other hand, is a common and highly effective cyber attack method. Attackers run campaigns focused on obtaining users' credentials, often using pop-ups or fake login pages that mimic reputable companies. The stolen credentials can be valuable to the attackers for further malicious activities.

Another approach used by cyber attackers is exploiting usual business activities. For example, they may send invoices or resumes through email, taking advantage of the fact that users are more likely to trust such communication as everyday business practices. By doing so, the attackers bypass users' natural suspicion towards email and successfully launch their attacks.

Security firms should focus on assisting customers in safeguarding their organizations from cyber threats. It is crucial to avoid blaming users for system failures, as this approach creates a culture of fear and discourages individuals from reporting potential threats. Gareth Maclachlan argues for a different perspective on cybersecurity, emphasizing the need to investigate how an attack bypassed the system, rather than blaming individuals who may have clicked on malicious links or fallen victim to other tactics.

Traditional phishing training methods may inadvertently desensitize employees to actual threats. Research suggests that employees feel they understand the risks and may miss genuine threats as a result. It is important to consider alternative approaches to phishing training, such as personalizing the training using AI and LLMs, to increase its effectiveness.

Recognizing and praising individuals who successfully identify and report genuine cyber attacks can encourage a behavioral norm of recognizing that security is everyone's responsibility. This proactive approach to positive reinforcement could decrease the likelihood of mistakes in the future.

Psychologists can also play a role in understanding and dealing with cognitive biases that impact data security. Gareth Maclachlan contemplates the role of psychology in this context and acknowledges his own biases in his perspective.

When considering digital transformation in regions like the Kingdom, it is essential to view security from a broader perspective beyond just enterprise security. Gareth Maclachlan highlights the large scale of digital transformation in the Kingdom and suggests that minds should open to consider security in relation to systems and spaces beyond individual enterprises.

During incidents, it is important to focus on learning from system failures rather than blaming users. This approach promotes growth and improvement in security practices.

Publicly celebrating and recognizing employees when they correctly report potential threats can contribute to a culture of security awareness and employee engagement.

Performing regular checks on all applications, particularly hosted software-as-a-service applications, is crucial to avoid compromise. Organizations can be compromised if a customer or individual uploads a hostile file.

In conclusion, the summary highlights the importance of understanding how cyber attackers exploit human vulnerabilities and the need for security firms to prioritize assisting customers in protecting their organizations. It emphasizes the significance of taking a system-focused approach to cybersecurity rather than blaming users for system failures. Additionally, the summary explores alternative approaches to phishing training, the role of psychologists in addressing cognitive biases, and the need for a broader perspective on security in the context of digital transformation.

Moderator - Lucy Hedges

The threat of cyber attacks in today's interconnected and digital world is larger than ever before. Cyber criminals are taking advantage of human cognitive vulnerabilities, exploiting weaknesses in human nature within cyber systems. They employ various tactics to exploit human fallibility and compromise cybersecurity.

To address these vulnerabilities, industry-industry collaboration is crucial. By working together, industries can explore elements of human error and gain insights into the psychological factors that make humans susceptible to attacks. This collaborative approach can lead to the development of effective strategies and measures to reduce cyber vulnerabilities.

One area where human vulnerability is evident is in the realm of social networks. Many people are unaware of the extent to which they reveal personal information on these platforms. This lack of understanding puts individuals at risk, as attackers can exploit this information for malicious purposes. Attackers are becoming increasingly sophisticated and can use personal data shared on social media platforms to impersonate friends and family members, effectively deceiving individuals. This highlights the importance of being selective and cautious with the information shared online.

Lucy Hedges, a cybersecurity expert, emphasises the significance of understanding and managing the information shared online. She shares anecdotes of individuals who have fallen victim to cyber attacks as a result of their personal information being exploited. While living in the online world can be beneficial, it is crucial to exercise caution and be mindful of the information we share.

Furthermore, there is a need for workplaces to promote caution and awareness towards potential cybersecurity threats, particularly those that come through emails. Hedges recalls an incident at her former workplace where a cyber attack occurred due to an employee interacting with a malicious link. It is essential for organisations to create a culture that encourages vigilance and provides training on identifying suspicious emails and other potential threats.

In conclusion, the threat of cyber attacks is ever-present in today's digital world. Human cognitive vulnerabilities are exploited by cyber criminals, and it is vital to address this issue through industry collaboration. Individuals must be cautious about the information they share on social networks, as attackers can use personal data for malicious purposes. Additionally, workplaces should promote awareness and caution towards cybersecurity threats, especially those via email. Being alert and proactive is essential in combating cyber vulnerabilities and protecting personal and organisational data.

Prof. William H. Dutton

The discussions focused on important themes such as cybersecurity and cognitive biases, highlighting several key points and arguments.

One significant issue that was discussed is the confirmatory bias, which is the tendency for individuals to believe information that confirms their existing beliefs. It was emphasized that this bias can be exploited, as people are more likely to accept and share information that aligns with their preconceived notions. This poses a challenge in combatting misinformation and propaganda, as individuals tend to seek out information that reaffirms their own opinions.

The emergence of cognitive politics was identified as a consequence of cognitive warfare. It was revealed that in the past, attitude shaping was common, but now the focus has shifted towards shaping beliefs about a particular subject matter. This manipulation of beliefs through cognitive tactics raises concerns about the trustworthiness of information on the internet and its impact on society.

Blaming users for succumbing to cyber threats was strongly argued against. It was emphasized that blaming individuals solely for falling victim to cyber attacks absolves others who are involved in cybercriminal activities. Instead, open communication and collaboration were suggested as necessary approaches to rectify and avoid future issues. By discussing suspicions or experiences with phishing or scams, people can collectively learn from each other's mistakes and work towards a safer online environment.

The adoption of a cybersecurity mindset was identified as an increasing trend among internet users. There is a growing awareness of the cybersecurity implications of every action taken online, as people are becoming more conscious of the threats and seeking to protect themselves. This shift in mindset is encouraging and demonstrates a proactive approach towards personal cybersecurity.

Addressing cybersecurity threats was viewed as an ongoing process that requires an ecosystem-wide approach. It was recognized that everyone, from the top to the bottom of an organization, has responsibilities towards cybersecurity. This highlights the need for collective efforts to ensure a secure online environment.

Psychologists were seen as playing a significant role in cybersecurity by educating users about their psychological tendencies. It was noted that human bias and the tendency to confirm existing biases play a significant role in the propagation of misinformation. Therefore, educating individuals about these biases can help them recognize and mitigate the impact of these tendencies on their online behavior.

While acknowledging the positive aspects of social media, such as networking and information exchange, it was suggested that more support should be given to smaller organizations and individuals outside the corporate sector. Data showed that smaller organizations and individuals in non-corporate sectors did not receive as much support as larger organizations and SMEs. Addressing this disparity in support is crucial to ensure that all entities have the necessary resources and knowledge to protect themselves online.

In conclusion, the discussions highlighted the need for individuals to take an active role in ensuring cybersecurity. The confirmatory bias, cognitive politics, and the importance of a cybersecurity mindset were all significant points of focus. Open communication, collaboration, and the involvement of psychologists were recognized as important measures in combating cyber threats. Notably, addressing cybersecurity challenges were seen as requiring a collective effort that involves individuals, organizations, and society as a whole.

David Chow

David Chow, an experienced IT expert, provides valuable insights into the complexities of cybersecurity, with a particular emphasis on the human aspect. He highlights the challenge posed by the human factor, stating that while technical aspects such as patching and network assessments can be effectively managed, the human element presents a bigger challenge. Exploiting cognitive vulnerabilities, such as appealing to emotions or curiosity, can be a significant avenue for cyberattacks.

Chow gives an example of potential scams that exploit human nature, such as seeking donations or manipulating curiosity. This underscores the need for individuals to be vigilant and aware of these cognitive vulnerabilities to prevent falling victim to such attacks.

Furthermore, Chow discusses the importance of background checks and personal security measures in mitigating cognitive vulnerabilities. Drawing from his experience at the White House, he explains that extensive background checks, FBI reviews, and financial assessments are crucial in making informed decisions and minimizing risks associated with those who may exploit cognitive vulnerabilities.

Regarding news consumption, Chow observes a clear pattern where different political administrations tend to prefer news channels aligned with their political ideologies, demonstrating confirmation bias. During Republican rule, Fox News, a conservative news channel, is the preferred choice, while CNN is commonly watched during Democrat rule. This highlights how political biases can shape news consumption and potentially influence public opinion.

Addressing user responsibility, Chow argues against solely blaming IT professionals for cybersecurity breaches. He conducted a phishing exercise that revealed the need for users to be more vigilant and take responsibility in ensuring cybersecurity. He emphasizes that everyone plays a role in cybersecurity and that it is a collective effort.

Chow also warns against excessive sharing of personal information on social media, as it can make individuals vulnerable to frauds and scams. He shares a personal experience of receiving a fraudulent text asking for an Apple gift card, which targeted him based on the information he had shared about his new job on social media. This highlights the importance of exercising discretion and being mindful of the information shared online.

In conclusion, Chow's analysis underscores the multifaceted nature of cybersecurity, highlighting the need to address the human aspect and cognitive vulnerabilities. Measures such as background checks and personal security are essential in mitigating risks. Awareness of confirmation bias in news consumption and the importance of user responsibility contribute to establishing a strong cybersecurity culture. Lastly, his experience with social media scams serves as a reminder to exercise caution and respect individuals' privacy when sharing personal information online.

Philippe VALLE

The analysis highlights several key points regarding cybersecurity and social engineering. One important aspect is the prevalence and impact of attacks based on human vulnerability, commonly known as social engineering. Attackers exploit the information available on social networks to gain the trust of their victims. This underscores the need for awareness and education to combat social engineering attacks. The analysis suggests that training sessions within companies could play a crucial role in educating individuals about social engineering techniques and how to identify and avoid falling victim to them.

However, it is also mentioned that blaming the user for cybersecurity breaches is counterproductive. Human error is an inevitable factor in any system, and it is unrealistic to expect individuals to be perfect in preventing all cyber threats. Instead, it is argued that a system-based approach should be adopted to address the root causes of cyber attacks. This observation underscores the importance of having robust cybersecurity measures in place, such as implementing multi-factor authentication and regularly updating access management policies.

The analysis further suggests that companies should establish quick incident reporting systems to effectively respond to cyber incidents. Time is of the essence in handling incidents, and prompt reporting can enable response teams to address the issues in a timely manner. This recommendation aligns with the notion that incident management should prioritize quick reporting and response rather than focusing on blaming individuals.

When it comes to application design, the analysis emphasizes the need for a balanced approach that considers both security and user-friendliness. Applications that are too difficult to access or operate may be bypassed, while those perceived as easily accessible may be seen as weak in terms of security. Therefore, application designers should aim to strike a balance between ensuring the security of transactions and providing a user-friendly experience.

Regarding data and application access, the analysis highlights the importance of clear and strong access management policies that focus on segmentation or zero trust. Defining who has access to what in terms of applications and data is crucial in controlling security, and monitoring access levels is considered good practice. Additionally, the implementation of multi-factor authentication is seen as crucial for organizations to enhance security and prevent unauthorized access. These measures can significantly contribute to safeguarding sensitive information.

An additional noteworthy observation is the need for regular updates to access management policies when people change roles within a company. As responsibilities change, so should access rights, ensuring that individuals only have access to the data and applications necessary for their current position.

In conclusion, the analysis highlights the significance of addressing social engineering attacks, the importance of implementing robust cybersecurity measures, the need for quick incident reporting systems, the balance between security and user-friendliness in application design, and the crucial role of access management policies and multi-factor authentication in maintaining data security.



David Chow

Speech speed

197 words per minute

Speech length

1660 words

Speech time

506 secs

Click for more


Gareth Maclachlan

Speech speed

202 words per minute

Speech length

1827 words

Speech time

542 secs

Click for more


Moderator - Lucy Hedges

Speech speed

201 words per minute

Speech length

1125 words

Speech time

336 secs

Click for more


Philippe VALLE

Speech speed

157 words per minute

Speech length

812 words

Speech time

311 secs

Click for more


Prof. William H. Dutton

Speech speed

151 words per minute

Speech length

1805 words

Speech time

716 secs

Click for more