From Phishing to AI Agents: Can We Design for Digital Mindfulness?

Anna Collard | Mar 17, 2026

Anyone who knows me knows I’m passionate about mindfulness.

Because I genuinely believe it makes us better humans. But also, because I have one of those brains that desperately needs it. I’m easily distracted and I start new ideas before finishing old ones. My attention can scatter in a hundred directions.

I wrote before how I clicked on a phishing test because I was multitasking and running on autopilot. And that moment really changed the direction of my career and my research. It made me ask: what if vulnerability online has less to do with what we know, and more to do with where our attention is? And what if mindfulness, not just awareness, could make us safer?

Therefore, when I came across a recent research paper exploring mindfulness, mood, and phishing detection, I was genuinely excited.

The study “The nexus of mindfulness, affect, and information processing in phishing identification” (Bera & Kim, 2025) examined how our mental state influences whether we detect phishing emails.

The researchers distinguished between two forms of mindfulness:

  • Trait mindfulness: our general tendency to be attentive and aware.
  • Domain-specific mindfulness: how mindfully we engage in a particular context, like email.

Both forms are associated with improved phishing detection. People who were naturally more mindful performed better than those who were less mindful, and those with higher domain-specific mindfulness performed better still.

That distinction matters. Trait mindfulness may be partly dispositional. Domain mindfulness, however, can be cultivated.

Processing Mode Matters

To explain this, the researchers used the Heuristic-Systematic Model (HSM) developed by Shelly Chaiken.

You may be more familiar with the idea of “System 1” and “System 2” thinking: fast, intuitive reasoning versus slower, analytical thinking, a distinction popularized by Kahneman in his 2011 book Thinking, Fast and Slow. HSM builds on a similar distinction but adds an important nuance: both modes can operate at the same time and influence each other. Phishing is typically associated with the fast lane: urgency, authority, emotional cues and familiar branding push us toward heuristic shortcuts. But HSM suggests that when we evaluate information, we often use shortcuts while simultaneously engaging in deeper analysis. These processes interact with each other, and HSM proposes that we stop thinking once we feel confident enough, or once we are satisfied that we have enough information.

Imagine receiving a suspicious email. You notice something slightly off, perhaps the tone feels unusual. That’s heuristic processing. You briefly analyze it more carefully, that’s systematic processing. But the moment you decide “It’s probably fine,” your brain stops investing effort. Even if you’re wrong. Phishing succeeds not just because we think fast, but because we might stop thinking too soon.

The study found that higher trait and domain mindfulness increased systematic processing and improved detection accuracy. Interestingly, people in pleasant, relaxed emotional states were worse at detecting phishing. Therefore, it’s not just stress or overwhelm that makes us vulnerable. It’s mindlessness.

From Awareness to Design

For years, security awareness has focused on knowledge: teaching people what phishing looks like. This research shifts the question: what cognitive state is someone in when they read that email?

That moves the conversation from awareness to cognitive design. Security nudges such as banners, second-chance prompts and contextual warnings are often seen as compliance tools. But they may also function as micro-interruptions: tiny digital pauses. Instead of moving reflexively from “click” to “send,” a well-timed interruption creates a moment of awareness. Over time, meaningful interruptions may help cultivate domain mindfulness, a sort of habit of looking twice.

However, there’s a catch.

The Habituation Problem

Humans adapt quickly. My colleague Roger pointed out that frequent warnings, especially when most aren’t about real threats, quickly become noise. At Microsoft, he observed that users who downloaded malware had often been warned multiple times before approving the action anyway. They clicked through every warning.

Google found something similar in its research on browser certificate warnings: users are habituated to these messages and experience "warning fatigue," and reflexively click through alerts to reach their destination. In response, Google simplified warnings and, in some cases, blocked access entirely.

More warnings do not equal more safety. Poorly designed warnings train people to ignore them. If domain mindfulness can be cultivated, it must be done through precision, not noise. Nudges must be meaningful, timely, and rare enough to remain salient.
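One way to make “rare enough to remain salient” concrete is to treat interruptions as a budget rather than a reflex. The following is an added example written for this edit, not code from KnowBe4, Microsoft, Google or the Bera & Kim paper: a small policy that takes a risk score (assumed to come from some upstream detector, scaled 0 to 1) and decides whether to stay silent, nudge the user once, only log the event for the security team, or block outright. The thresholds, cooldown, daily cap and the sample event stream are all constructed values chosen for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    ALLOW = "allow"        # low risk: no interruption at all
    LOG_ONLY = "log_only"  # medium risk but nudge budget spent: record it, don't interrupt
    NUDGE = "nudge"        # medium risk: one short contextual prompt ("look twice")
    BLOCK = "block"        # high confidence of harm: stop the action instead of asking


@dataclass
class NudgePolicy:
    """Interrupt rarely enough that each interruption still carries meaning.

    All numbers here are assumptions for the example, not recommended settings.
    """
    nudge_threshold: float = 0.6        # below this score, stay silent
    block_threshold: float = 0.9        # at or above this score, block rather than nudge
    cooldown_seconds: int = 4 * 3600    # same prompt for the same user at most once per window
    max_nudges_per_day: int = 3         # hard daily cap per user, so prompts never become noise
    _last_nudge: dict = field(default_factory=dict)   # (user, signal) -> last nudge time
    _daily_count: dict = field(default_factory=dict)  # (user, day) -> nudges shown so far

    def decide(self, user: str, signal: str, risk: float, now: int) -> Action:
        # Highest-confidence cases are not a question for the user at all
        # (the same move Google made by blocking instead of warning).
        if risk >= self.block_threshold:
            return Action.BLOCK
        if risk < self.nudge_threshold:
            return Action.ALLOW

        # Medium risk: only interrupt if this prompt is not yet habituated.
        key = (user, signal)
        last = self._last_nudge.get(key)
        if last is not None and now - last < self.cooldown_seconds:
            return Action.LOG_ONLY  # the user saw this exact prompt recently

        day_key = (user, now // 86400)
        if self._daily_count.get(day_key, 0) >= self.max_nudges_per_day:
            return Action.LOG_ONLY  # budget spent; keep the telemetry, skip the interruption

        self._last_nudge[key] = now
        self._daily_count[day_key] = self._daily_count.get(day_key, 0) + 1
        return Action.NUDGE


# Constructed sample stream: (user, detector signal, risk score, timestamp in seconds).
SAMPLE_EVENTS = [
    ("alice", "lookalike-domain", 0.30, 0),          # benign-looking: stay silent
    ("alice", "lookalike-domain", 0.70, 60),         # first medium-risk hit: nudge
    ("alice", "lookalike-domain", 0.70, 120),        # same prompt a minute later: log only
    ("alice", "urgent-payment", 0.75, 600),          # different signal: nudge
    ("alice", "lookalike-domain", 0.95, 900),        # high confidence: block, no prompt
    ("alice", "reply-to-mismatch", 0.65, 1200),      # third nudge of the day
    ("alice", "new-sender", 0.65, 1500),             # daily cap reached: log only
    ("alice", "lookalike-domain", 0.70, 5 * 3600),   # cooldown over, but cap still applies
]


def run(events, policy=None):
    """Apply the policy to an event stream and return the decision for each event."""
    policy = policy or NudgePolicy()
    return [policy.decide(*event) for event in events]


if __name__ == "__main__":
    for event, action in zip(SAMPLE_EVENTS, run(SAMPLE_EVENTS)):
        print(f"{event[3]:>6}s  {event[1]:<18} risk={event[2]:.2f}  -> {action.value}")
```

The point of the `LOG_ONLY` branch is that suppressing an interruption does not mean discarding the signal: the security team still sees every medium-risk event, while the user sees only the few prompts that can still earn a second look.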

This is where digital mindfulness and Human Risk Management intersect. It’s about understanding how humans process information under distraction, pressure, and, increasingly, AI augmentation. The research reinforces what I’ve believed for years: both natural mindfulness and context-specific mindful engagement improve detection. Domain mindfulness can be strengthened through relevant training interventions, but we must also design systems that support human cognition rather than overwhelm it.

This is where the future becomes interesting. If vulnerability is partly about cognitive state, about whether we pause or proceed on autopilot, then the design of our systems matters, especially as AI agents draft and recommend actions on our behalf.

Capabilities such as KnowBe4’s Security Coach and Prevent, within a broader human and workforce risk management strategy, reflect a shift toward cognitive design: embedding contextual, in-the-moment guardrails that interrupt automaticity. In AI-augmented environments, the challenge isn’t just detecting malicious code, it’s preventing over-trust, cognitive offloading, and premature confidence. The future of cybersecurity won’t be built on louder warnings, but on intelligent, well-timed support that restores deliberation exactly when it matters most, while preventing habituation.

Amid ever-faster inboxes, notifications, and AI agents, the ability to pause, reflect and question when it matters may become one of our most powerful defenses.
