Webinar Recap: The Behavioral Science of Cognitive Security

What happens when a former FBI agent, a behavioral scientist, and a professional risk provocateur sit down to talk security in the age of AI?

Maro decided to find out.

The result was Securing Minds: The Behavioral Science of Cognitive Security, a thought-provoking webinar on human vulnerability in cybersecurity, moderated by Gabe Zichermann, entrepreneur and expert in behavior-driven change.

For an hour, Dr. Matthew Canham (who once led cyber investigations at the FBI and now heads the Cognitive Security Institute) and Dr. Karen Renaud (an academic at the University of Strathclyde and a leading voice in human-centric security) turned everything you think you know about human error on its head. They reframed security as something psychological, relational, and adaptive.

Cognitive Security Is Still Being Written

The first question seemed simple enough: What exactly is cognitive security? The answer: a concept still taking shape, but one we can no longer afford to ignore.

Canham invited a wider lens: cognitive security begins wherever information is processed, whether by humans, machines, or somewhere in between. With AI agents already interacting with real systems, their inputs, internal states, and actions have become new attack surfaces.

Karen brought the conversation back to behavior and highlighted the real risk: Autopilot. Most mistakes happen when people are running on mental shortcuts, what Daniel Kahneman calls System 1 thinking. Helping people recognize those moments and hit pause may be the key.

Her favorite micro-intervention? “Slow down and frown.” The simple act of pausing and furrowing your brow disrupts impulsive thinking and triggers reflection.

Canham, however, cautioned against over-reliance on that approach: “System 1 is an older cognitive process that happens faster. System 2 is more reflective, it’s what we feel when we hear inner dialogue. The misconception is that everything that happens in cyberspace is System 1 = bad, and if only we could get people to System 2. But it’s subversive because attackers actually manipulate more of System 2 thinking in practice.”

The takeaway: Threat actors explicitly manipulate System 2 by tricking people into rationalizing insecure decisions, whereas risk-based scenarios arise from people leaning too heavily on System 1 thinking, where mental shortcuts, inattention, and habit fragmentation open the door to errors and misconfigurations.

How are you designing your security practices to account for both types of thinking effectively?

Attacks That Fool Even Your Better Judgment

But what about attacks designed to bypass reflection entirely? Canham warned of a new wave of AI-shaped attacks that do not rely on quick clicks. Instead, they build trust slowly, through long, emotionally nuanced interactions. He called it cognitive catfishing.

A chilling hypothetical scenario that is closer to reality than we think: after careful manipulation over months, a CISO begins to believe their own company is in the wrong and may take activist action, unknowingly becoming an insider threat. 

Karen’s take: the response cannot be an annual, one-size-fits-all training. It has to be collective, continuous, and deeply connected. As she put it: "Up until now, cybersecurity has been compliance. Write the policy, make sure they know what to do, and they must comply. But that era is gone. Compliance only works when it reflects the threats. And those are no longer the threats."

The takeaway: As social engineers harness agentic AI for long-term psychological manipulation and relationship building, investing in a cognitive security solution becomes table stakes to provide the continuous, adaptive defense that compliance alone can’t deliver.

Culture, Leadership, and the Hidden Costs of Shame

When the conversation turned to leadership, Karen called for a pivot away from punitive compliance models and toward aspirational leadership.

“Culture must stay alive.” — Karen Renaud

The most effective leaders spark movement and teach people how to think and what to do. Canham echoed Karen's point with a strategic angle:

  • Well-designed security not only guards, but frees cognitive space, sharpens focus, and lifts performance

  • Systems built with empathy and usability reduce incidents and create happier, more productive teams

One of the most powerful moments in the webinar came when the group tackled shame as a hidden risk factor. What begins as a reprimand can ripple into resentment. In that emotional breach, real threats get seeded.

Karen referenced research on the lasting damage of public humiliation. Canham illustrated the point bluntly: “Internal antagonism is a mess. When you have a culture of shame or negative intervention, you push someone further down the critical path to becoming an insider threat.”

Attack vectors are evolving. Breach communications, threat exposure, and public narrative are no longer separate events. They are increasingly targeted with coordinated moves from social engineering playbooks.

The takeaway: Frame investments in human-layer defenses through the lens of business language: resilience, productivity, and performance gains that directly impact the bottom line.

The Insider Threat Starts with a Cry for Help

In the age of cognitive attacks, internal threats have become even more complex. Canham introduced the Critical Path Model, showing how personal struggles, emotional triggers, and toxic organizational responses can transform an employee into an active threat.

Sometimes, all someone needs is support, and what they get is punishment instead. Karen emphasized: most errors do not stem from malice. Exhaustion, burnout, and distraction can be just as dangerous. And the worst response? Punishment. It breeds resentment, and resentment becomes a risk factor, too.

The takeaway: prioritize psychological safety, listening channels, and a sustained security culture of teaching over punishment.

How We Perceive Digital Risk

At one point, Gabe posed a brilliant provocation:

“Why do we panic when a child runs into the street, but not when we click a suspicious link?”

Karen’s reply was quick: “Because that is my kid. This is a work device.”

The emotional link is different, so the brain responds differently. Digital risks feel abstract: too new, too invisible, too filtered through layers of interface to trigger instinctive panic. And as AI agents take over more actions for us, Canham warned, our sense of risk may blur even further.

But are digital natives better at spotting risk? Yes… and no. 

Karen noted that young people are remarkably good at identifying malicious intent online, even without fully understanding the technology. But Canham cautioned against overconfidence. Education and awareness remain critical at every age.

FYI: Maro makes human risk factors visible, measurable, and shapeable. From surface-level activity to the intent behind it, Maro gives security teams the insight and tools to guide behavior before it leads to a breach.

One Final Question: The Magic Wand

To close, Gabe asked the panel: If you could change one thing in today’s organizations, what would it be?

  • Canham: scrap 19th-century org structures. Top-down policy no longer works. Security must be built with the people who use it.

  • Karen: replace management with leadership. Inspire, do not dictate. Teach, do not punish.

She also spotlighted accessibility as a security strategy. Exclusionary design, such as bad CAPTCHAs or impossible password rules, creates friction, lowers compliance, and raises risk.

“When you improve accessibility, you improve security for everyone.” — Karen Renaud

The Future of Cognitive Security

At Maro, we see cognitive security as a living discipline, shaped in real time by real conversations like this one.

Curious to go further?
→ Follow Karen Renaud at karenrenaud.com
→ Explore the Cognitive Security Institute, led by Matthew Canham
→ And subscribe to our newsletter to stay close to the frontier of human-centered security.

 
