About Gustavo Mastroianni
Gustavo is originally from Brazil and has 18 years of experience as an Information Technology professional, mostly focused on Networking, Wi-Fi, and Cybersecurity. He holds well-recognized industry certifications such as Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Chief Information Security Officer (C|CISO), and Certified Wireless Network Expert (CWNE #225). For the past several years, he has focused on Cybersecurity: understanding business risks, aligning them to today’s threat landscape, and recommending the security controls that bring those risks down to a level the business accepts. As the Chief Information Security Officer at SIA (Schools Insurance Authority), he oversees and manages the organization’s cybersecurity program, making sure processes are followed, technologies are orchestrated, and people are trained.
Why Awareness Isn’t Enough: The Impact of Operational Stress
Traditional security simulations often fail because they test employees in a “calm environment” that does not reflect the reality of a modern workplace. The central theme of Gustavo’s address is the critical difference between “training performance” and “breach likelihood”. He argues that social engineering succeeds not because people lack awareness of red flags, but because of operational pressure, authority bias, and urgent deadlines. When an employee is under the stress of a quarter-end deadline or receives an urgent request from a C-level executive, their usual judgment can break down, leading them to bypass verification steps they would normally follow.
Key Points:
- “If we test people in a calm environment, you’re not actually measuring the pressure that is coming from a phishing email”.
- “It’s the difference between training performance and breach likelihood… how we can measure pressure contact responses beyond pass and fail”.
- “It has to be continuous monitoring, a continuous evaluation. That’s how you’re going to improve your human risk behavior”.
Metrics that Matter: Time-to-Action and Authority Bias
To accurately assess an organization’s security posture, Gustavo suggests moving away from binary pass/fail results and toward “time-to-action metrics”. These metrics track how long it takes a person to report a phishing email, how long they take to verify whether an SMS or WhatsApp message is legitimate, and how quickly they escalate suspicious activity to the IT or cybersecurity department. This data gives a far more granular view of how effectively an employee handles a threat when the clock is ticking than a click rate alone.
Gustavo also highlights the danger of “authority pressure”. When a request appears to come from a CEO or CFO, it creates a psychological weight that makes it harder for an employee to say “no” or take the time to verify the request. Furthermore, departments like accounting or IT are often under constant pressure to make payments or keep systems running, making them high-value targets for attackers. To combat this, Gustavo advocates for continuous, stress-based evaluation and the use of gamification to keep security top-of-mind, ensuring that employees are conditioned to react correctly even in high-pressure situations.
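As an added illustration of the two points above (time-to-action metrics rather than pass/fail, and measuring behaviour under pressure framing), the following Python is not from the talk or from SIA: it takes constructed phishing-simulation events, labels each lure as sent under a “calm” or “pressure” condition (an assumed label, for example a quarter-end deadline or a spoofed CFO request), and computes per-condition report rate, median time-to-report and time-to-click, and how many recipients clicked before reporting, which is the verification step being skipped. Event timestamps, user names and the condition labels are all made up for the example.

```python
"""Time-to-action metrics for phishing simulations (illustrative, not the speaker's code).

Instead of a single pass/fail rate, group simulation events by the pressure
condition they were sent under and compare how quickly people reported,
how quickly they clicked, and how often the click came before any report.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Dict, List, Optional


@dataclass
class SimEvent:
    user: str
    condition: str              # assumed label: "calm" or "pressure"
    sent: datetime              # when the simulated lure was delivered
    clicked: Optional[datetime] # None if the recipient never clicked
    reported: Optional[datetime]  # None if the recipient never reported it


def _seconds(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds()


def metrics(events: List[SimEvent]) -> Dict[str, Dict[str, object]]:
    """Per-condition time-to-action summary.

    clicked_before_reporting counts recipients who clicked and either never
    reported or reported only after clicking: the verification step was skipped.
    """
    out: Dict[str, Dict[str, object]] = {}
    for cond in sorted({e.condition for e in events}):
        group = [e for e in events if e.condition == cond]
        n = len(group)
        report_times = [_seconds(e.sent, e.reported) for e in group if e.reported]
        click_times = [_seconds(e.sent, e.clicked) for e in group if e.clicked]
        clicked_first = sum(
            1 for e in group
            if e.clicked and (e.reported is None or e.clicked < e.reported)
        )
        out[cond] = {
            "n": n,
            "report_rate": round(len(report_times) / n, 2),
            "click_rate": round(len(click_times) / n, 2),
            "median_time_to_report_s": median(report_times) if report_times else None,
            "median_time_to_click_s": median(click_times) if click_times else None,
            "clicked_before_reporting": clicked_first,
        }
    return out


# Constructed sample: the same four people, one calm lure and one pressure-framed
# lure each. All values are invented for the example.
T0 = datetime(2024, 3, 29, 9, 0)  # a made-up quarter-end morning


def _m(minutes: int) -> datetime:
    return T0 + timedelta(minutes=minutes)


SAMPLE_EVENTS: List[SimEvent] = [
    SimEvent("alice", "calm", T0, clicked=None, reported=_m(4)),
    SimEvent("bob", "calm", T0, clicked=None, reported=_m(12)),
    SimEvent("carol", "calm", T0, clicked=_m(30), reported=None),
    SimEvent("dan", "calm", T0, clicked=None, reported=_m(6)),
    SimEvent("alice", "pressure", T0, clicked=_m(2), reported=_m(9)),
    SimEvent("bob", "pressure", T0, clicked=_m(1), reported=None),
    SimEvent("carol", "pressure", T0, clicked=_m(3), reported=None),
    SimEvent("dan", "pressure", T0, clicked=None, reported=_m(20)),
]


if __name__ == "__main__":
    for cond, row in metrics(SAMPLE_EVENTS).items():
        print(cond, row)
```

The interesting output is the gap between the two conditions rather than either number on its own: in the constructed data the same four people report 75% of calm lures with a median of six minutes, but under the pressure framing half never report at all, the median click happens within two minutes, and three of four click before reporting. That delta is what a binary pass/fail score hides.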
