Back in 2000, Bruce Schneier famously wrote: "People often represent the weakest link in the security chain." The line became foundational to a generation of security thinking. Two decades and billions of dollars in awareness training later, the data hasn’t changed much. According to the 2025 Verizon DBIR, the human element is still involved in roughly 60% of breaches. So, what happened?
That question kicked off Maro’s first-ever Cognitive Security Leadership Perspectives webinar. Host Gabe Zichermann posed a provocative challenge to open the panel discussion: maybe we’ve been addressing the wrong problem all along.
Cognitive security reframes the problem not as a lack of awareness but as a breakdown in how people process information and make decisions under pressure. It focuses on decision-making, context, attention, and intention. And it’s not a fancier way of saying security awareness training.
"Cognitive security is really about protecting people: the way they process information, the way they think, and the way they make secure decisions in the moment," explained Gwen Betts, Chief Experience Officer at Maro. She expanded, "A lot of human risk solutions today think that cybersecurity and people being able to respond to any sort of security event is more a knowledge problem. But what cognitive security posits, actually, is that it is a cognitive problem in large part because you have attackers who are actively trying to manipulate and target cognition."
This new framing assumes that people are not careless or intentionally malicious, but busy, overloaded, and working in environments that make secure decisions harder.
Panelists laid out the converging forces driving urgency around cognitive security right now:
"We're all in such a rush to get the things done that we need to get done. I’ve got three screens, IMs, Slack, e-mail. Making the right decision can go out the window," said veteran CISO Dennis Dayman.
What gets labeled as human error often arises from misalignment between the logic of security controls and the practical realities of work. Dennis illustrated this with a candid example: salespeople move data because their jobs demand speed, access, and responsiveness, not because they harbor malicious intent. "I understand that," he stated.
Cognitive security operates from that same premise. It doesn’t assume rational, compliant actors. Instead, it asks: what pressures, what friction, what mental model shaped this choice? Justin Pagano, security leader and longtime GRC practitioner, offered, "Security is a specialized domain. Just as you wouldn’t expect a gastroenterologist to perform brain surgery, you can’t assume that non-security professionals will know what the secure thing to do is."
The gap, therefore, is not one of motivation, but of design. Justin went further, adding that security teams must start from a position of trust: "Assume everyone wants to do the right thing. Our job is to make that easy."
That means security leadership must evolve from policing infractions to enabling secure choices. Dennis underscored this mindset shift: "My job isn’t to be the chief innovation killer. It’s to secure the company while helping it grow."
When the conversation shifted to phishing simulations, the panel's tone grew sharp. Justin was blunt: most simulations don’t work. Citing mixed scientific evidence and personal experience, he added, "They can erode trust and make people resent the security team."
Gwen agreed and cited a prominent WSJ article from Dr. Karen Renaud about cases where simulations dangled the promise of bonuses, only to penalize those who clicked. The outcome wasn’t caution, but cynicism: "They create a perverse community compliance effect to any kind of security measure and engagement with the security team after."
The issue isn't that training is without merit; it’s how and when it’s delivered. Cognitive security moves the intervention into the moment when judgment is actually required: when users are under stress, navigating ambiguity, or being emotionally manipulated.
As Justin explained, "It’s wishful thinking if we believe we're going to be able to give people training and they're going to remember the nuances of all these different topics throughout the year until their next training cycle starts."
This is what cognitive security enables: guiding people toward the secure path while they work. It is memory-agnostic and intention-aware, and it acts in the moment of need.
The move toward cognitive security also requires a paradigm shift in measurement, toward the signals that actually reduce human risk. Dennis summed it up best: "The phishing click rate has always been the go-to KPI for years largely because it's easy to measure and makes for very clean board slides. Let's just be honest about it."
Justin quipped in agreement, "I would never bring a phishing-related metric to our board. I would aggregate up the technical controls that are actually effective at defending against phishing."
Gwen followed up by teasing out two types of telemetry to care about and why: one set for real-time action (user disposition, attention state, stress indicators, etc.), the other to demonstrate long-term progress to the board. New metric entrants discussed included:
FYI: Maro makes human risk factors visible, measurable, and shapeable. From surface-level activity to the intent behind it, Maro gives security teams the insight and tools to guide behavior before it leads to a breach.
In the final segment, the panel addressed a risk surface for which few organizations have formal playbooks: AI systems capable of manipulating users through cognitive exploits. Gabe cited a chilling stat: LLMs trained on personal context engaged in blackmail-like behavior in 80% of test scenarios, and this was before they were connected to sensitive, real-world inputs.
What happens when autonomous agents begin to exploit human psychological vulnerabilities at a scale and speed no human could match? Dennis conceded, with another nod to the question of why cognitive security, and why now: "We already had to worry about people being tricked. Now we have to prepare for AI doing the tricking? I don’t know the right answer yet."
Security is moving beyond protection for just technical infrastructure. In today’s landscape, human behavior is the next big attack surface, and cognitive security is our best response. The organizations that understand this (and protect accordingly) will be the ones who thrive. And Maro can help them do that.
With Maro, security teams can shift left on human risk with the visibility to understand behavior, the context to assess usage by use case, and the precision to craft AI-powered policies that intervene at the moment risk emerges. The result? Stronger alignment between people and security, fewer incidents, and more freedom to innovate securely.