ROAR for cyber mindfulness | Part 2 of 2
Apr 29, 2026
Be cyber safe: Secure by choice, not by chance
This is Part 2 of a two-part series. If you are new to the series, Part 1 – where we explore what mindfulness is and introduce the four-step ROAR process – is a good place to start. You can read it here.
I have now spent nearly 15 years in cybersecurity. Not as a technologist, but as a behaviour change expert, passionate about the human side of it. I help organisations transform tick-box compliance into vibrant, risk-aware cultures where people become the greatest security asset. People are often called ‘the weakest link’. They are not. People are the link.
Whether at work or at home, all of us have been on the receiving end of a scam, and many of us have fallen for one, including people who work in cybersecurity.
Why do we fall for scams? There is a disconnect between knowing what to do and actually doing it. It is because we are not fully present in the moment. We are running at a million miles an hour and we do not pause long enough to actually spot the threat. We do not ‘stop and think’ before we act. This is what Viktor Frankl called the space between stimulus and response, and it is in that space where our power to choose our response lives.
When a phishing email lands in your inbox, creating a sense of urgency – act now or else – the space between stimulus and response shrinks to seconds. And in those seconds, the difference between a secure choice and a catastrophic one comes down to one thing: have you trained yourself to pause and take a deep breath before you respond?
Why awareness alone is not enough
Here is where most organisations fall short. They invest in security awareness solutions, posters, e-learning modules, annual phishing tests, and then wonder why breaches keep happening. The answer is not that people are stupid. Awareness activities are only the first steps in positively influencing mindsets and embedding secure habits into an organisation's culture.
Research across IBM, Mimecast, Verizon and the World Economic Forum repeatedly shows that roughly 90–95% of cyber incidents involve a human-driven element: a click, a credential shared, a misconfiguration, an honest mistake in a moment of distraction.
What's more, heavy investment in technology creates a false sense of security. People will always find a way around clunky systems and procedures. The stats are proof.
The question is whether you have equipped your people with the confidence and competence to act securely in the moments that matter – the high-risk, critical touchpoints where people interact with systems and data, and where their choice of action can either be secure or put an organisation at risk. Here are some examples of risk-mitigating behaviours:
- I stop & think before I click
- I report incidents and suspicions quickly
- I am open to challenge.
Awareness helps people to know what to look out for. Culture gives them the confidence to act on it. Training embeds the habits. This is the foundation of our Awareness, Culture and Training (ACT) approach. And sitting at the heart of ACT is the four-step ROAR process, a mindful response method to help people pause, make the right decisions, and respond securely to cyber threats in the moments that matter.
I almost fell for two scams recently
Let me tell you about the two phishing attempts I nearly fell for – days after MOAR! launched.
Two separate emails arrived within a short space of each other. One from a woman named Clara Everly, organiser of the Boxall Reading Challenge, with a community of 3,000 active readers. One from a man named Dan Aranda, organiser of the Around Fitzroy & Collingwood Book Club in Melbourne, with 1,800 members. Both had discovered MOAR! and wanted to feature it. Their communities would purchase and read the book independently, generating organic discussion, reviews and visibility. All I needed to do was register – or contribute to what Dan called a ‘Support Spotlight Package’.
The emails were polished. Warm, even. They referenced the book’s publicly available themes – ‘the tension between ambition and wellbeing’, ‘thriving without burning out’, ‘inside-out transformation’ – with enough fluency to feel credible. They described real, verifiable-sounding organisations. And they arrived at exactly the moment a newly published author is most vulnerable: when the book is out, the adrenaline is fading, and the question ‘will this reach the people it is meant for?’ is very much alive.
My first response to both was excitement.
That is the moment I want to draw your attention to. Not the scam itself – the moment before I paused. In that moment, the stimulus hit something real – my desire to get MOAR! into the hands of more readers – and I responded almost instantly.
Attackers are masters of manipulation. They exploit emotional triggers that bypass our rational brain and pull our decision-making down to an almost child-like level of impulsivity.
With Dan, I did not just glance at the email and move on. I engaged. He replied each time with warmth and patience – but every response said essentially the same thing, recycled in slightly different words. The hallmark of AI-generated correspondence. I was so drawn in that on the Friday I told him I would send my author photo and bio on Saturday. I did not get around to it. Life got in the way.
And then on Sunday morning, I woke up with an uncomfortable feeling in my gut. A feeling I have learned to trust and listen to. I put my phone down, made my coffee, and decided to do my due diligence before sending anything.
The four-step ROAR process creates the mindful response. Here is what it looked like when I finally applied it.
ROAR in action
- Recognise – notice the anomaly, the pressure, or the red flag
This was my gut feeling on Sunday morning. Notice that it was physical – my body’s intelligence. Dan’s original email and replies felt constructed, not like a genuine expression of his thoughts. The timing was too neat. The enthusiasm too polished. Dan used the same phrases, the same reassurances, the same warmth – over and over again. A classic AI-generated spear phishing email.
- Observe – pause, breathe and check context
I searched for Dan Aranda on LinkedIn. Nothing. I tried to verify the Boxall Reading Challenge. Nothing credible. When I asked Clara directly about costs, the fee appeared: $235.56. Dan’s approach was different and more sophisticated. He repeatedly referenced his ‘Support Spotlight Package’, describing it in elaborate detail, insisting ‘this is not a pay-to-promote placement’, while never actually stating what it would cost or why any financial contribution was required at all. The more he explained, the less clear it became. A classic AI-generated pattern.
When I asked Dan for a phone number to call him directly, he declined, saying the club preferred to keep all communication in writing. Another red flag.
A quick search found a Facebook forum where other authors had confirmed both as known scams.
- Assert – act with confidence. If in doubt, don’t proceed
I told Clara directly: ‘I am going to decline this request; it is clearly a scam.’ I told Dan I would not respond without additional assurances.
- Redirect – ask for help and report through the right channels
I reported both emails as scams.
A no-blame, speak-up culture where people can ROAR without fear of retribution starts with leaders. Specifically, with the psychological safety they create, or fail to create.
Psychological safety is the belief that you will not be punished or humiliated for speaking up. Without it, people will not ROAR. They will get the gut feeling, spot the red flag, and stay silent anyway. Building that safety is a leadership imperative and the foundation of a strong reporting culture.
Ready to go beyond tick-box compliance?
Successful organisations build safety cultures where people can thrive, innovate and adopt new technologies faster. Are you investing enough in the capabilities of your people?
Close the gap. Shift from promoting awareness to embedding secure habits:
- equip people with the confidence and competence to act securely in the moments that matter
- create a cyber risk-aware culture.
The same people-centric transformation that creates cyber risk-aware cultures also builds the psychological safety leaders need to accelerate digital adoption, drive innovation and improve employee wellbeing.
Our services include:
- strategic reviews
- ACT programme design and delivery
- security champions (in collaboration with Layer 8)
- exec-level awareness and training workshops
- resilience coaching for individuals and teams.
If you are a leader ready to turn people – truly your greatest asset – into your strongest defence, I would love to help.
Let’s chat. Book a discovery call.
Be cyber safe: Secure by choice, not by chance.