Mindfulness and cyber security behaviour: A comparative analysis of rational and intuitive cyber security decisions

Organizations invest heavily in technology solutions to enhance their cybersecurity, yet it is often human factors, like an employee clicking on a phishing link, that can derail even the most sophisticated security systems. Applying dual-process theories of cognition, we argue that a brief mindfulness practice may prevent habitual responding to phishing attempts by enhancing rational decision making and hence the detection of phishing cues. To empirically investigate this idea, we manipulated mindfulness between two groups of participants in an experiment, and measured the ability to detect phishing cues that are easy or difficult to notice in emails from familiar or unfamiliar sources. Our findings suggest that mindfulness helps to detect more phishing cues when the cues are difficult to notice and the emails come from familiar sources, but not in any of the other experimental conditions. Subsequently, we draw theoretical implications for the role of human factors in cybersecurity behavior, and offer practical suggestions for security training.