Humans are not wired for the digital world. We respond to threats the same way we did when predators were chasing us – because we are wired for survival. Our landscape has changed, but our instincts have not. Today, the predator is more likely to be a carefully crafted email than anything in the physical world.
Consider a scenario where you receive a password reset email for your favourite social media account. It would be natural to feel a sense of panic – you need to react; someone may have your personal account.
In psychology, cognitive narrowing refers to the way stressful situations narrow the options we consider. We gravitate towards familiar, immediate choices, not necessarily the ones that serve us best.
You may not consider looking at the email headers while you are out with your friends. In fact, you may not even consider whether the email is legitimate at all. Instead, you will deal with the threat in the best way that you can – by resetting your password.
Threat actors know that pressure tactics work well. These tactics exploit human emotions that we are all susceptible to. For the password reset email, you may decide to act quickly and select a new password. Under stress, the password is likely something you have used before. By clicking the password reset link, you walk into a trap without knowing or considering it was one – a convincing password reset page on a phishing site.
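The checks a stressed recipient is unlikely to perform in the moment can be automated at the mail gateway or in a user-reported-phish workflow. The following Python script is an added example, not code from the original post: it parses a constructed password reset lure (the domains, headers and link are made up) and flags the signs a practitioner looks for, namely a Return-Path domain that differs from the From domain, failed SPF/DKIM/DMARC results, a link whose visible text and real destination disagree, a link that points away from the sender's domain, and the pressure language the post describes. The `registrable_domain` helper's last-two-labels rule is a simplification.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: a password reset lure. The sender, domains and link are
# made up for this example and do not refer to any real service.
RAW_EMAIL = b"""From: "SocialApp Security" <security@socialapp.example>
To: user@example.org
Return-Path: <bounce@mail-socialapp-reset.example.net>
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=example.net; dkim=none; dmarc=fail
Subject: Reset your password now
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We noticed a sign-in from a new device. Reset your password within 30 minutes
or your account will be locked.</p>
<a href="https://socialapp-account-recovery.example.net/reset?u=123">https://socialapp.example/reset</a>
</body></html>
"""

URGENCY_RE = re.compile(r"\b(?:immediately|now|urgent|within \d+ (?:minutes|hours))\b", re.I)
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)


def registrable_domain(addr_or_url: str) -> str:
    """Last two DNS labels of an e-mail address or URL host.
    Simplification for the example: production code should consult the
    Public Suffix List so that e.g. 'co.uk' is not treated as a domain."""
    host = addr_or_url.strip()
    if "://" in host:
        host = urlparse(host).hostname or ""
    elif "@" in host:
        host = host.rsplit("@", 1)[1]
    host = host.strip("<>").lower().rstrip(".")
    return ".".join(host.split(".")[-2:])


def analyze_reset_email(raw: bytes) -> list[str]:
    """Return a list of findings; an empty list means no red flags were seen."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # 1. Envelope sender vs. displayed sender.
    sender = registrable_domain(parseaddr(str(msg["From"] or ""))[1])
    bounce = registrable_domain(parseaddr(str(msg["Return-Path"] or ""))[1])
    if bounce and bounce != sender:
        findings.append(f"SENDER_MISMATCH: From={sender} Return-Path={bounce}")

    # 2. Authentication results recorded by the receiving MX.
    for mech, result in AUTH_RE.findall(str(msg["Authentication-Results"] or "")):
        if result.lower() != "pass":
            findings.append(f"AUTH_FAIL: {mech.lower()}={result.lower()}")

    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part else ""

    # 3. Where the links really go, compared with the sender and the link text.
    for href, text in LINK_RE.findall(body):
        target = registrable_domain(href)
        if target != sender:
            findings.append(f"LINK_OFF_DOMAIN: {target} (sender {sender})")
        if "://" in text and registrable_domain(text) != target:
            findings.append(f"LINK_TEXT_MISMATCH: shows {registrable_domain(text)}, goes to {target}")

    # 4. The pressure tactic itself.
    if URGENCY_RE.search(str(msg["Subject"] or "")) or URGENCY_RE.search(body):
        findings.append("URGENCY: pressure language in subject or body")

    return findings


if __name__ == "__main__":
    for finding in analyze_reset_email(RAW_EMAIL):
        print(finding)
```

None of these signals is conclusive on its own (a legitimate service may send from a separate bounce domain), which is why the function returns all of them and leaves the scoring to the caller.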
Password reuse is partially explained by a concept known as familiarity bias. We prefer options that feel known and tested – selecting a familiar password carries far less mental load than creating a new one.
Email is one of the most targeted vectors for these attacks — and the numbers explain why. Research by Mailjet found that 55.2% of email users check their email first thing in the morning, between 9 and 11 AM. Another study by market.us indicates that 88% of users check their inbox several times each day. Email usage continues to grow year over year.
As security practitioners, we encourage our employees to practice good password hygiene, but we often do not provide them with tools to do so. Many smaller organizations do not use a company-sanctioned key vault, and multi-factor authentication may not be deployed for VPN connections and applications. In many cases, security awareness training does not happen frequently enough to change behaviour. In our password reset example, a company could become fully compromised if the employee reused a password associated with a corporate account.
Most threat actors are financially motivated. Ransomware groups use stolen credentials to steal and encrypt data, while others attempt to social-engineer finance departments into redirecting payments.
The scenario described above is not an edge case – it plays out across organizations daily. Administrators are fighting against human nature. So, what’s the solution?
Configure VPN connections to use multi-factor authentication and certificates: Requiring a device certificate alongside the user's credentials reduces the likelihood of successful MFA fatigue attacks (in which a user is repeatedly prompted with MFA requests until one is accepted), because a stolen password alone is no longer enough to trigger the prompts.
Implement a corporate key vault: A corporate key vault removes the burden of password memorization, making unique credentials practical for every account.
Disable password expiry: NIST SP 800-63B states that organizations should stop enforcing mandatory periodic password changes. While the recommendation may seem counterintuitive, users forced to change a password on a schedule tend to choose simpler, more predictable ones.
Implement passkey logins: Passkeys remove human decision-making from the authentication process, eliminating the shared credentials and phishing risks that come with it.
Security Awareness Training: Behaviour change requires reinforcement. Training should be conducted monthly. Consider adding variety by changing the theme: one month could cover phishing, another social engineering awareness, and so on.
Dark-web monitoring: Organizations should know when corporate credentials appear on the dark web. Early detection enables a timely response — reducing the window of opportunity for threat actors to weaponize stolen credentials.
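The key vault, the password expiry and the dark-web monitoring points all come back to one question: is this password already in breach data? NIST SP 800-63B also recommends screening new passwords against known compromised values. The following Python script is an added example, not code from the original post or from any vendor: it reproduces the k-anonymity range protocol used by Have I Been Pwned's Pwned Passwords API, with a constructed three-entry breach corpus standing in for the server. The client sends only the first five hex characters of the SHA-1 digest and does the comparison locally, so the password itself never leaves the machine. `fetch_live` points the same client at the real endpoint and is optional (it needs network access and is not called by default); the password policy function is an assumed example policy, not one the post specifies.

```python
import hashlib
import urllib.request


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the digest Pwned Passwords is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed breach corpus for the example: password -> times seen. Not real data.
LEAKED = {"password": 3, "Summer2023!": 2, "letmein": 1}


def server_range(prefix: str, corpus: dict = LEAKED) -> str:
    """Server side of the range query: every hash in the corpus that begins with
    the 5-character prefix, returned as '<35-char suffix>:<count>' lines.
    The server never learns which of these entries (if any) the client cares about."""
    lines = []
    for pw, count in corpus.items():
        digest = sha1_hex(pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(sorted(lines))


def fetch_live(prefix: str) -> str:
    """Same query against the real service (needs network; not used by default)."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch_range=server_range) -> int:
    """Client side: send only the prefix, match the suffix locally.
    Returns how many times the password appeared in breaches (0 = not found)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        if not line:
            continue
        candidate, count = line.split(":", 1)
        if candidate == suffix:
            return int(count)
    return 0


def password_acceptable(password: str, min_length: int = 12, fetch_range=server_range) -> bool:
    """Example policy in the spirit of NIST SP 800-63B: a length minimum plus a
    compromised-password screen, with no composition rules and no expiry."""
    return len(password) >= min_length and breach_count(password, fetch_range) == 0


if __name__ == "__main__":
    for pw in ("password", "Summer2023!", "correct horse battery staple"):
        print(f"{pw!r}: seen {breach_count(pw)} times, acceptable={password_acceptable(pw)}")
```

To run the client against the live service instead of the constructed corpus, pass `fetch_range=fetch_live`; the prefix is the only thing that crosses the network either way.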