In the modern threat landscape, security is no longer just about technical controls; it is about understanding the human element. During a recent panel discussion, experts Mr. Nikunj Rakesh (CISO, Threatcop) and Mr. Gustavo Mastroianni (CISO, Schools Insurance Authority) shared insights on how organizations can evolve their defense strategies by moving beyond simple compliance and addressing the complexities of human behavior under pressure.
Beyond Compliance: Categorizing Vulnerability with AI
Mr. Nikunj emphasizes that security managers must look deeper than just whether an employee completed a training module. He suggests that a governance structure should be based on understanding the behavior and perception of each individual to categorize them into different risk groups.
By categorizing employees, organizations can create specialized playbooks. For example, a “highly vulnerable” group might be put through a more rigorous set of verification steps, while a low-vulnerability employee would follow a lighter protocol. Nikunj points out that AI has changed how this is done: security managers no longer need to write phishing content by hand and can focus on strategy instead. AI can generate and run campaigns, select the content most likely to work on a given group, and surface the individuals most at risk, so the program tests the maturity and effectiveness of controls rather than just “checking a box” for compliance.
The Pressure Paradox: Measuring Behavior Under Stress
One of the most significant hurdles in human defense is the gap between how an employee acts during training and how they act during a real attack. Mr. Gustavo explains that social engineering often succeeds because of operational pressure, such as quarter-end deadlines or urgent requests from leadership.
To get a true sense of security posture, Gustavo suggests moving beyond “pass or fail” metrics and focusing on “time-to-action” metrics:
- How long does it take for a person to report a suspicious email or SMS?
- How long do they take to verify if a call or WhatsApp message is legitimate?
- How quickly do they escalate the situation to their manager or the IT department?
Gustavo highlights that authority pressure—requests coming from a CEO or CFO—makes decision-making significantly harder for employees. Furthermore, accounting and IT departments are often targeted because they are under constant pressure to keep the company running or make payments. He warns that testing employees in a “calm environment” does not accurately measure their vulnerability; instead, organizations need continuous monitoring and evaluation under simulated stress to truly improve human risk behavior.
The “People Stack”: Correlating Behavior Across Channels
A major vulnerability in many organizations is the lack of a consolidated view of human risk. Mr. Nikunj notes that an employee might be highly professional and cautious on email yet apply far less scrutiny to messages arriving over WhatsApp or other collaboration tools.
He argues that organizations need to treat the “people pillar” with the same technical rigor as their IT infrastructure. Just as a SIEM (Security Information and Event Management) solution correlates logs from a tech stack, organizations should consolidate and correlate logs of human activity across all communication channels. By analyzing how a user behaves on different channels and at different times, companies can identify gaps before attackers exploit them.
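To make both points concrete, the time-to-action metrics from the previous section and the cross-channel correlation described here, the following is an added example written for this article; it is not Threatcop's platform or anything the panelists described implementing. It parses a constructed simulation log (the key=value line format, the user names, departments and the "pressure" tag are all assumptions), replaces pass/fail with minutes-to-report and minutes-to-escalate per simulation, rolls that up per user and channel, flags users whose behavior diverges across channels, and breaks the numbers down by the pressure context the simulation was sent under. The 15-minute "fast report" threshold is an assumed tuning value.

```python
"""Time-to-action metrics and cross-channel correlation over a constructed
simulation log. Example code added to this article; not Threatcop's platform."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed log lines (not real telemetry). One line per event; a simulation
# (sim=...) starts with event=sent and may be followed by clicked/reported/escalated.
LOG = """\
2024-03-28T09:00:00Z sim=S1 user=alice dept=finance channel=email pressure=none event=sent
2024-03-28T09:04:00Z sim=S1 user=alice dept=finance channel=email pressure=none event=reported
2024-03-28T09:06:00Z sim=S1 user=alice dept=finance channel=email pressure=none event=escalated
2024-03-28T16:30:00Z sim=S2 user=alice dept=finance channel=whatsapp pressure=authority event=sent
2024-03-28T16:31:00Z sim=S2 user=alice dept=finance channel=whatsapp pressure=authority event=clicked
2024-03-29T10:00:00Z sim=S3 user=bob dept=it channel=email pressure=quarter_end event=sent
2024-03-29T11:10:00Z sim=S3 user=bob dept=it channel=email pressure=quarter_end event=reported
2024-03-29T14:00:00Z sim=S4 user=bob dept=it channel=sms pressure=none event=sent
2024-03-29T14:03:00Z sim=S4 user=bob dept=it channel=sms pressure=none event=reported
2024-03-29T14:05:00Z sim=S4 user=bob dept=it channel=sms pressure=none event=escalated
2024-03-30T09:00:00Z sim=S5 user=carol dept=hr channel=email pressure=authority event=sent
"""


def parse_events(text):
    """Turn the assumed key=value line format into dicts with a tz-aware timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(ev)
    return events


def time_to_action(events):
    """Per simulation: whether the user clicked, and minutes from delivery to
    report and to escalation (None when the action never happened)."""
    by_sim = defaultdict(dict)
    for ev in events:
        by_sim[ev["sim"]][ev["event"]] = ev
    results = {}
    for sim, evs in by_sim.items():
        sent = evs["sent"]
        minutes = lambda name: ((evs[name]["ts"] - sent["ts"]).total_seconds() / 60
                                if name in evs else None)
        results[sim] = {
            "user": sent["user"], "dept": sent["dept"], "channel": sent["channel"],
            "pressure": sent["pressure"], "clicked": "clicked" in evs,
            "ttr_min": minutes("reported"), "tte_min": minutes("escalated"),
        }
    return results


def per_user_channel(results):
    """The SIEM-style consolidated view: one row per (user, channel)."""
    rows = defaultdict(lambda: {"sims": 0, "clicked": 0, "reported": 0, "ttr": []})
    for r in results.values():
        row = rows[(r["user"], r["channel"])]
        row["sims"] += 1
        row["clicked"] += int(r["clicked"])
        if r["ttr_min"] is not None:
            row["reported"] += 1
            row["ttr"].append(r["ttr_min"])
    return {k: {"sims": v["sims"], "clicked": v["clicked"], "reported": v["reported"],
                "median_ttr_min": median(v["ttr"]) if v["ttr"] else None}
            for k, v in rows.items()}


def cross_channel_gaps(summary, fast_report_min=15):
    """Users who report quickly and never click on one channel but clicked or
    never reported on another. fast_report_min is an assumed tuning value."""
    by_user = defaultdict(dict)
    for (user, channel), row in summary.items():
        by_user[user][channel] = row
    gaps = []
    for user, channels in by_user.items():
        strong = [c for c, r in channels.items() if r["clicked"] == 0
                  and r["median_ttr_min"] is not None and r["median_ttr_min"] <= fast_report_min]
        weak = [c for c, r in channels.items() if r["clicked"] > 0 or r["reported"] == 0]
        if strong and weak:
            gaps.append({"user": user, "strong": sorted(strong), "weak": sorted(weak)})
    return sorted(gaps, key=lambda g: g["user"])


def pressure_breakdown(results):
    """Report rate and median time-to-report grouped by the simulation's pressure tag."""
    groups = defaultdict(list)
    for r in results.values():
        groups[r["pressure"]].append(r)
    out = {}
    for tag, rs in groups.items():
        ttrs = [r["ttr_min"] for r in rs if r["ttr_min"] is not None]
        out[tag] = {"sims": len(rs), "report_rate": len(ttrs) / len(rs),
                    "median_ttr_min": median(ttrs) if ttrs else None}
    return out


if __name__ == "__main__":
    res = time_to_action(parse_events(LOG))
    for gap in cross_channel_gaps(per_user_channel(res)):
        print(f"{gap['user']}: strong on {gap['strong']}, weak on {gap['weak']}")
    for tag, stats in pressure_breakdown(res).items():
        print(tag, stats)
```

On the constructed data the script flags alice, who reports email simulations within minutes but clicked the WhatsApp one sent as an "authority" request, and shows a zero report rate under the authority tag against a 100% rate with no pressure. In a real deployment the log source would be the reporting button, help-desk tickets and the simulation platform's own delivery and click events, joined on a simulation identifier.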
Adapting to Next-Generation Threats
As attackers use evolving technology such as AI to create new attack vectors, defensive strategies must adapt. Mr. Gustavo shares that his approach involves using phishing and deepfake campaigns to prepare employees for modern social engineering.
The success of these programs is tracked through human risk management platforms that use gamification and rankings. This creates a continuous feedback loop: as soon as an employee reports a phishing attempt, they receive immediate feedback or training, whether or not they fell for the simulation. This ongoing engagement keeps human defense as dynamic as the threats it aims to stop.
