We used to treat security awareness as an information problem: "If we tell people the rules, they will follow them." Behavioral science shows instead that people are frequently irrational, emotional, and driven by habit, not just by logic, and that a rule they know is not a rule they will reliably apply under pressure.
System 1 (The Animal)
- Fast, instinctive, emotional
- Reacts to fear, urgency and greed
- This is what phishing targets: the lure wants a reaction before the reader has time to think
- Example: 'Click here to stop payment!'
System 2 (The Engineer)
- Slow, logical, calculating
- Verifies senders and links before acting
- Requires effort to activate, so it is easily skipped under time pressure
- Example: 'Let me check the URL.'
Nudge Theory
Instead of blocking every action, "nudges" guide behavior. An external email banner that says "Caution: External Sender" is a nudge. It doesn't stop the email, but it prompts a moment of hesitation in which System 2 can engage. Nudges work best when they are specific and not constant: a banner stamped on every external message quickly becomes wallpaper, so reserve the strongest wording for the cases that matter most, such as an outside sender whose display name matches a colleague's.
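The banner decision as code, as an added example rather than anything from the original page (a mail gateway would normally do this with transport rules). It goes one step beyond the page's single banner: a plain "external sender" banner for ordinary outside mail, and a stronger one when the sender is external but borrows a colleague's display name, or when an apparently internal message asks for replies to an outside address. The internal domain list, the directory of display names, the banner wording and the sample messages are all constructed assumptions.

```python
"""Choose the nudge banner an inbound e-mail should carry.

Added example, not from the original page or any vendor product. The tenant
domains, staff display names, banner text and sample messages below are
assumptions constructed for illustration.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example.com"}                          # assumed: the tenant's own domains
INTERNAL_DISPLAY_NAMES = {"dana finance", "it helpdesk"}    # assumed: names staff would recognise

# Two strengths of nudge: a mild one for all outside mail, a sharp one for
# the pattern phishing actually uses (a familiar name on an unfamiliar address).
BANNERS = {
    "external": "CAUTION: External sender. Verify the address before clicking or paying.",
    "impersonation": ("WARNING: This message looks like it is from a colleague but was sent "
                      "from, or asks for replies to, an outside address. Do not act on "
                      "payment or password requests without calling the person."),
}


def _normalise(name: str) -> str:
    """Lower-case and collapse whitespace so 'Dana  Finance' matches 'dana finance'."""
    return re.sub(r"\s+", " ", name).strip().lower()


def _domain(header_value: str) -> str:
    """Domain part of the first address in a header, '' if absent or malformed."""
    _, addr = parseaddr(header_value)
    return addr.rpartition("@")[2].lower()


def classify_sender(msg: Message) -> str:
    """Return 'internal', 'external' or 'impersonation'.

    Fails closed: a missing or malformed From header is treated as external.
    """
    display_name, _ = parseaddr(msg.get("From", ""))
    from_domain = _domain(msg.get("From", ""))

    if from_domain and from_domain in INTERNAL_DOMAINS:
        # An internal From with a Reply-To pointing outside the tenant is a
        # classic invoice-fraud tell; give it the strong banner.
        reply_domain = _domain(msg.get("Reply-To", ""))
        if reply_domain and reply_domain not in INTERNAL_DOMAINS:
            return "impersonation"
        return "internal"

    if _normalise(display_name) in INTERNAL_DISPLAY_NAMES:
        return "impersonation"
    return "external"


def classify_raw(raw: str) -> str:
    """Convenience wrapper for a raw RFC 822 message string."""
    return classify_sender(message_from_string(raw))


def rendered_body(raw: str) -> str:
    """Text the reader would see: the first text/plain part, banner prepended if any."""
    msg = message_from_string(raw)
    banner = BANNERS.get(classify_sender(msg))
    body = ""
    for part in msg.walk():                      # walk() yields the message itself if not multipart
        if part.get_content_type() == "text/plain":
            charset = part.get_content_charset() or "utf-8"
            body = part.get_payload(decode=True).decode(charset, errors="replace")
            break
    return body if banner is None else f"[{banner}]\n\n{body}"


# Constructed sample messages (not real traffic).
SAMPLES = {
    "colleague": "From: Dana Finance <dana@example.com>\nTo: pat@example.com\n"
                 "Subject: Q3 numbers\n\nAttached.\n",
    "vendor": "From: Billing <billing@vendor.example>\nTo: pat@example.com\n"
              "Subject: Invoice\n\nPlease see the attached invoice.\n",
    "lookalike": "From: Dana  Finance <dana.finance@mail-example.co>\nTo: pat@example.com\n"
                 "Subject: URGENT\n\nClick here to stop payment!\n",
    "reply_to": "From: IT Helpdesk <helpdesk@example.com>\nReply-To: support@reset-portal.example\n"
                "To: pat@example.com\nSubject: Password expiry\n\nReset now.\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"--- {label}: {classify_raw(raw)}")
        print(rendered_body(raw))
```

The point of the two-tier design is the habituation problem: if the only signal is a banner on every outside message, the reader stops seeing it. Keeping the strong wording for the display-name and Reply-To mismatches means that, when it does appear, it still interrupts System 1. Fail-closed handling of a missing From header matters too, because a gateway that silently drops the banner on malformed headers hands attackers a trivial bypass.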
