(Lily Yeh | Image Credit: Olemedia/Getty Images)
Cybersecurity experts can be a little cynical. For example, on social media, comments like “you can’t patch stupid” or “the human link is the weakest in any cybersecurity chain” often appear after a CEO gets hacked or under a report about an employee falling victim to a deepfake scam. Those sentiments sidestep the core security problem: Humans are the only “link” that matters in the cybersecurity chain. With that in mind, we must all protect ourselves by encouraging others to adopt safer online behavior.
In this case, online behavior refers to good internet hygiene habits like creating long, strong, and unique passwords for all your online accounts and storing them in a password manager. Other good habits to build include backing up your data, enabling multi-factor authentication whenever possible, installing timely software updates, and recognizing and reporting phishing messages and other scams.
“How do we get from people being aware of and understanding a cybersecurity challenge to ultimately changing their behavior?” asked Oz Alashe, the CEO of CybSafe, a security awareness training company.
During a session at the 2025 RSAC Conference, Alashe and Dr. Jason Nurse, who researches cybersecurity at the University of Kent, answered the question by presenting research that shows how various psychological factors may affect a person’s cybersecurity hygiene habits.
People Understand Why Online Security Is Important
The CybSafe team surveyed over 7,000 participants from various age groups in seven countries about their cybersecurity habits.. The survey asked participants about their attitudes and behaviors toward cybersecurity at home and in the workplace. The final report shows that cybersecurity awareness campaigns are reaching people, but confusing or frustrating experiences with security tools keep people from putting that education into practice.
The good news is that the overwhelming majority of respondents considered online safety important and worth the effort. The not-so-good news is that almost half (46%) of the participants found online safety frustrating, and 44% found cybersecurity tasks intimidating.
(Credit: CybSafe/RSAC)Prevalent cybersecurity misconceptions also cause problems. For example, most surveyed said online safety is expensive to maintain, while 43% believed their devices are automatically secure. The biggest concern? 38% of survey participants said that losing private data online is unavoidable.
The CybSafe researchers said the data tells a story about people’s online behavior. “People feel that staying secure online isn’t possible or it’s frustrating,” said Dr. Nurse. “That influences their motivation.”
The survey group’s response to questions about multi-factor authentication (MFA) illustrates this idea. Even though a vast majority of survey respondents (81%) had heard of MFA, nearly a quarter (24%) either don’t use it or have stopped using it to secure their accounts. One survey participant even said, “[MFA] annoys the heck out of me!!”
The More You Know, the Better You'll Protect Yourself
People’s attitude toward online safety can affect their motivation to improve their cybersecurity habits. Dr. Nurse referenced the Knowledge-Attitude-Behavior (KAB) model during the presentation, which shows that when a person knows about a topic, that knowledge influences their perception of a risk, which then determines how they act. For example, suppose you are already familiar with how a social engineering scam works. When you receive flirty texts from an unknown number, you are more likely to block the number and delete the texts, thus preventing yourself from becoming a romance baiting victim.
That said, awareness campaigns and cyber education may not be enough to change people’s online habits. Last year, I spoke to whistleblower-turned-cybersecurity consultant Chelsea Manning and asked her how to get people to care more about cybersecurity. “In the 2010s, I tried to,” she said. “I think that people did care, but one of the problems we encounter now is a generational shift where older people are now thinking less about their digital privacy.”
(Credit: CybSafe/RSAC)The CybSafe team’s findings showed a different generational shift, particularly when interacting with AI tools. Gen Z appears less wary of AI than their older counterparts, with 46% of Gen Z survey respondents claiming they’d shared sensitive work information with AI without their employer’s knowledge. This is despite multiple reports warning that AI chatbots could leak confidential data. 14% of Baby Boomers said they've shared sensitive work information with an AI chatbot.
Employees Want to See Results From Their Actions
The CybSafe report also revealed that people get discouraged when they don’t see results from online safety behavior. For example, under half of the respondents (47%) said they regularly report phishing messages when they encounter them at work. Those who don’t report said they would start doing it if the action helped to stop cybercriminals, stop spam from appearing in their inbox, or if anything else would happen as a result of their report.
Not reporting phishing emails or refusing to adopt other data protection habits could be a sign of learned helplessness, a psychological condition where a person believes they have no control over a situation and stops trying to change their fate, even if offered a chance at escape or salvation. The phenomenon happens after a person repeatedly experiences negative, uncontrollable events. Companies can stave off learned helplessness among employees by offering follow-up information when a person reports a phishing email. Something as simple as a response from the IT department acknowledging receipt of a report can be helpful.
You can also encourage your IT security teams to engage with the rest of the company. Last year, Adobe's chief security officer, Maarten Van Horenbeeck, told me his team hosts formal and informal events with other departments throughout the year to learn about the security issues affecting each team. Van Horenbeeck also said he hires a mix of security veterans and people with different career backgrounds for key roles, because experts “don't always understand how a software developer works from beginning to end, and that lack of empathy can make things harder.”
How to Help Everyone Be Safer Online
The CybSafe team’s research shows that the key to getting more people to build better online safety habits is to meet them where they are. If you’re a business owner or IT professional, survey your employees to examine their cybersecurity knowledge and attitudes toward online safety. Using that information, you can develop practical cybersecurity training and workplace policies that give them valuable feedback on why their help is essential.
If you’re interested in improving your online safety habits, at home or work, start with our cybersecurity checklist. It’s filled with tips to lock down your online accounts and perform regular security checks to keep your personal information safe. If you’re looking for cybersecurity training programs for your workplace, check out the services listed on CISA’s website.