Our recent research reveals a concerning discrepancy between employees' confidence in their ability to identify social engineering attempts and their actual vulnerability to these attacks.
While 86% of respondents believe they can confidently identify phishing emails, nearly half have fallen for scams in the past. This disconnect between perceived competence and demonstrated vulnerability, the "confidence gap", poses a substantial risk to organizations.
The Danger of Overconfidence
The report, titled "Security Approaches Around the Globe: The Confidence Gap," is based on a survey of 12,037 professionals across the UK, USA, Germany, France, the Netherlands, and South Africa. It found that South Africa leads in both high confidence and high scam victimization rates.
This is in line with our recent Africa Cybersecurity Awareness 2025 survey, which revealed that while 83% of African respondents are confident in their ability to recognize cyber threats, more than half (53%) do not understand what ransomware is, and 35% have lost money to scams. These figures suggest that the Dunning-Kruger effect, the cognitive bias in which people overestimate their own ability, is alive and well in cybersecurity. Overconfidence creates a false sense of security, making employees more susceptible to advanced cyber threats.
Key Findings
- 86% of employees believe they can confidently identify phishing emails
- 24% have fallen for phishing attacks
- 12% have been tricked by deepfake scams
- 68% of South African respondents reported falling for scams—the highest victimization rate
Beyond Training: Fostering a Security Culture
The report highlights the importance of fostering a transparent security culture. While 56% of employees feel “very comfortable” reporting security concerns, 1 in 10 still hesitate due to fear or uncertainty. Interestingly, South Africans felt most comfortable: 97% of South African respondents expressed some level of comfort in reporting their concerns, showing a level of trust in their security organisations.
Overconfidence fosters a dangerous blind spot—employees assume they are scam-savvy when, in reality, cybercriminals can exploit more than 30 susceptibility factors, including psychological and cognitive biases, situational awareness gaps, behavioral tendencies, and even demographic traits.
To combat the overconfidence trap in cybersecurity awareness, organizations should leverage the “prevalence effect” by maintaining a steady and meaningful exposure to phishing simulations. The prevalence effect is based on research which indicates that when phishing attempts are rare, users become less adept at recognizing them, leading to decreased detection ability. By regularly exposing users to simulated phishing attacks, organizations can enhance detection skills, reinforce vigilance, and mitigate the risks associated with overconfidence in their ability to spot threats.
In short, organizations need:
- Hands-on, scenario-based training: to counteract misplaced confidence
- Continuous education: to keep up with evolving cyber threats
- The prevalence effect: expose users to phishing simulation tests as frequently as possible
- An adaptive security mindset: to respond effectively to new threats
The Bottom Line
The survey findings emphasize the critical need for effective human risk management. Personalized, relevant, and adaptive training that caters to employees' individual needs should be implemented while also considering regional influences and evolving cyber tactics. In the battle against digital deception, the most dangerous mistake employees can make is assuming they are immune.
“Security Approaches Around the Globe: The Confidence Gap” is available for download here.