
Good people, bad cyber decisions

Updated: Jan 19

There’s a concept in cyber psychology known as the online disinhibition effect. It’s explored in depth by Mary Aiken in The Cyber Effect, and it describes something most business owners recognise instinctively:

When we work online, our brains behave differently.

Online, we:

  • Act faster

  • Rely more on habit

  • Take shortcuts we wouldn’t take face-to-face

  • Miss subtle warning signs

Not because we’re careless — but because digital environments remove friction.

There’s no pause, no eye contact, no moment of reflection. Everything feels routine, even when the consequences aren’t.



Why this hits SMEs harder than large organisations


SMEs are built on strengths that also create cyber risk:

  • High trust

  • Fast decision-making

  • Flat hierarchies

  • Leaders deeply involved in day-to-day operations


Founders and senior leaders are often:

  • Approving payments between meetings

  • Responding on mobile devices

  • Making decisions late in the day under cognitive load


This makes leadership inboxes, finance approvals, and “quick yes” moments prime targets — not because leaders are naive, but because the environment encourages speed over scrutiny.


Ironically, the people with the most experience and authority are often the most exposed.


This isn’t a training problem


Many organisations respond to cyber incidents with more awareness training.

Training has its place — but psychology tells us something important:

Knowledge does not reliably override context.

People don’t fail to follow rules because they don’t know them. They fail because:

  • They’re under time pressure

  • The request looks familiar

  • The behaviour feels normal

  • The risk feels abstract


In other words, the system sets them up to fail.


A human-centric way to think about cyber risk


From a cyber-psychology perspective, reducing risk isn’t about blaming individuals.

It’s about designing work so that safer behaviour is easier than unsafe behaviour.


In practice, that means leaders asking different questions, such as:

  • Where do we reward speed at the expense of reflection?

  • Which decisions are routinely made under pressure?

  • What insecure behaviours have quietly become “just how we work”?


These questions are often far more powerful than any checklist or policy.


A question for founders


If you run or lead an SME, here’s a useful place to start:

What’s one risky behaviour in your business that’s become normal because it saves time?

Not because people are careless — but because the environment encourages it.

That single reflection often reveals more about real cyber risk than any technical audit.


Why Brynley Knight focuses on human risk


At Brynley Knight, cyber security is viewed through a behavioural lens.

Because before a system fails, a human decision usually comes first — shaped by pressure, context, and the way work actually happens.

Understanding that human layer is where meaningful, sustainable cyber resilience begins.

 
 
 

© 2026 by Brynley Knight Limited.