When Anna Collard, SVP Content Strategy & Evangelist at KnowBe4 Africa, describes the moment she clicked on a phishing email, it’s not a confession you’d expect from a 23-year cybersecurity veteran.
“I was sitting in an Uber, chatting to the driver, packing my bag, looking out the window, doing a million things, and checking my emails at the same time. And I kid you not, right then I got an Uber-themed phishing email — and I clicked on it.” Luckily, it was a simulation sent by her IT team. The “punishment”? Completing the very training she had written herself. “That was when I realised: this isn’t about lack of knowledge or training. An internal survey found 53% of the mistakes we’d made happened when we were multitasking or distracted.” The answer, Anna believes, is digital mindfulness.
Mindfulness might sound like an odd fit for cybersecurity. For some, the term conjures up yoga mats and meditation retreats — a long way from the fast-paced, high-stakes world of network security. Others may worry it’s too “soft” to tackle AI-driven phishing or ransomware. But Anna’s research shows that practical, evidence-based mindfulness techniques can directly reduce the cognitive vulnerabilities criminals exploit. This isn’t about becoming Zen; it’s about recognising when you’re at risk of making a costly mistake, and having the tools to stop yourself.
“An internal survey found 53% of the mistakes we make happen when we’re multitasking or distracted. Other surveys, such as Tessian’s Psychology of Human Error report, confirm this stat as well.”
Why knowledge alone won’t save us
Anna’s cyber psychology master’s research identified 33 factors that make people susceptible to online manipulation and social engineering. Traditional rule-based awareness training, she says, often addresses only one or two of them: lack of knowledge and lack of knowing what to do in a specific situation.
“We’re not training people effectively in terms of all the other factors that criminals purposefully exploit — cognitive biases, impulsivity, personality vulnerabilities.”
These vulnerabilities don’t go away with better technology — in fact, AI makes them easier to exploit at scale, generating messages and scenarios precisely tuned to trigger our biases.
For example, humans are prone to what psychologists call heuristics: mental shortcuts that help us make quick decisions but can lead us astray.
“Criminals understand cognitive biases and design their attacks to take advantage of them. That’s why simply telling people to ‘hover over the link’ isn’t enough.”
Even in environments where people are well trained and aware of phishing tactics, errors still happen. Not because of ignorance, but because of the brain’s tendency to act on autopilot when under pressure, overloaded, or emotionally triggered.
Mindfulness as a cybersecurity tool
Anna mapped mindfulness techniques — not ten-day silent retreats, but simple, situational practices — against those 33 susceptibility factors.
“Mindfulness can positively impact 23 of the 33 factors that make us vulnerable to manipulation. It can reduce impulsivity and help us spot when our biases are being exploited.”
At the heart of this approach is meta-awareness: the ability to recognise and regulate your own cognitive and emotional states in real time. In practice, that means noticing when you’re stressed, rushed, or unusually confident, and choosing to slow down before you click, reply, or share.
Grounded in neuroscience and behavioural science, Anna’s approach is designed for the messy reality of busy, distracted workdays. As her research shows, these techniques can protect people in those exact moments when traditional awareness training falls short.
She calls it second-nature vigilance. “It’s like when I fly from Cape Town to Johannesburg, a more dangerous place. Without thinking, I become more vigilant: I put my handbag on the car floor; I check my surroundings at red lights. I’m not stressed, but I’m unconsciously more alert. We need the same online.”
In other words, the aim is not to be hyper-aware at all times — that’s unrealistic and exhausting — but to build habits and cues that prompt us to slow down and engage our ‘slow thinking’ mode at the right moments.
“Mindfulness tells you: this is a critical context because someone’s asking you to transfer money or you’re handling sensitive data — time to be vigilant.”
Micro-practices that build digital vigilance
Anna’s toolkit focuses on simple actions that help interrupt autopilot and bring attention back to the present moment:
Single-tasking: “Multitasking is terrible for our productivity, mental health, and vulnerability to manipulation. Our brains cannot do two cognitive tasks at once.”
Timed breaks and movement: Use 30–45 minute focus blocks, then walk or stretch. “It snaps the brain out of a frazzled state and releases feel-good chemicals.”
Intentionality: Before a meeting, take a breath and picture how you want to feel afterwards.
Sensory grounding: Use nature sounds, binaural beats, or scents and textures to reset focus: examples from Anna’s clients include scented stress balls and mini Zen gardens.
Focus training: Try black dot gazing — stare at a dot without blinking, then close your eyes and hold the image still.
Trigger awareness: Notice a racing heart, a burst of excitement or sudden pressure — these can be signs of manipulation.
These small habits might not look like cybersecurity measures, but they directly reduce risk factors. Built into daily routines, they become as instinctive as fastening a seatbelt.
Overcoming resistance
The biggest challenge is misunderstanding about mindfulness means.
“People say, ‘You can’t be mindful and think slowly all the time.’ Of course not — that’s not what this is. It’s about knowing when to slow down, so you automatically become more vigilant in certain situations.”
Terminology matters. “Some people cringe when they hear the word ‘mindfulness’. So instead I talk about a zero trust mindset and cognitive resilience, and sell it like that.”
Cultural sensitivity is also key. In some parts of the world, mindfulness is associated with religion or spirituality and can be controversial. “In those cases, I stick to scientific language and focus on the cognitive benefits.”
Making it work in universities and research institutions
In academic environments, where budgets are tight and faculty may be sceptical, Anna recommends framing digital mindfulness as a way to build cognitive resilience, improve focus, and support mental wellbeing — not just as a cybersecurity measure.
She draws parallels with how mental health campaigns have gained traction on campuses: “They succeeded when there were institutional champions, the practices were simple and accessible, and they were embedded into existing activities.”
“Make it relevant and science-backed; offering them micro-interventions that support better thinking, learning, and living in a digital world.”
Her suggestions include:
Start with the science: Share evidence from neuroscience and behavioural research to win over academic staff.
Digital mindful moments: Two minutes of conscious breathing or device-off time at the start of lectures or meetings.
Empower ambassadors: Identify faculty or students already passionate about mindfulness or digital wellness.
Integrate into existing programmes: Add to wellness initiatives, orientation weeks, student support services, or mental health campaigns.
Use digital nudges: Micro-learning videos, QR-code posters, educational discounts for focus tools, and automatic calendar reminders to pause between meetings.
Reframe the message: Position it as a way to reduce burnout, improve productivity, and enhance teaching effectiveness and academic performance.
Gather feedback: Use quick polls or surveys to see what’s working and adapt.
Tell stories: Use internal champions or admired figures to normalise the practices.
What it looks like in practice
Higher education can draw inspiration from corporate examples. For October — both International Cybersecurity Month and International Mental Health Month — a global engineering giant redesigned its awareness programme to include mindfulness principles.
“It’s very powerful when HR and security teams work together. Run campaigns together, piggyback off each other, use storytelling: everyone has a story of being frazzled and clicking on a link.”
At a South African bank, security and wellness teams run joint roadshows. “The insurance company will test your heart rate, and next to them is the security team. People wonder, what’s one got to do with the other? And they explain: if you’re stressed, you click on stuff. It’s a great opportunity to communicate in a more positive and empathetic way.”
Even in academia, the model exists: Oxford and other universities already run mindfulness courses to help students manage stress and productivity — showing the concept can fit comfortably into education settings.
Measuring the impact
Anna warns against relying solely on phish-prone percentages: “You can manipulate results by sending an easy phish to make sure you hit the target.”
Better metrics include:
Reporting rates for suspicious emails
Aggregated phishing simulation trends over time
Survey data, especially asking clickers and non-clickers what influenced their behaviour.
Feedback like this can guide adjustments, even if causation is hard to prove.
Because measuring impact is such a challenge, Anna is now six months into a PhD exploring how digital mindfulness can strengthen cybersecurity.
She’s building a model — based on thousands of research papers — of which techniques most effectively reduce susceptibility to social engineering. The next step: test it with surveys and phishing simulations, providing hard evidence organisations can use to create more effective awareness campaigns.
A more human approach
Anna is clear: mindfulness isn’t a silver bullet. “You’ll never get 100% success in a security awareness campaign. Humans make mistakes.”
For her, the value lies in layering cognitive resilience on top of existing defences — and doing it in a way that feels empathetic, relevant, and rooted in everyday life.
Ultimately, the goal is meta-awareness — the ability to notice your own cognitive and emotional state in real time — and cognitive flexibility: the ability to respond appropriately and deliberately. As attackers increasingly use AI to personalise and accelerate social engineering, that split-second recognition can be one of the most important defences in our daily digital lives.
“The beauty of this approach is that it gives people skills they can use beyond the office or lab. It’s not just about avoiding a phishing link — it’s about being more aware, less frazzled, and better able to make good decisions in a digital world.”
About the author
Anna Collard is SVP Content Strategy & Evangelist at KnowBe4 Africa, where she champions security awareness across the continent. Founder of Popcorn Training, she holds an MSc in Cyber Psychology and is a PhD candidate at Nelson Mandela University. Named among the Top 20 Global Cybersecurity Women of 2024, Anna is a frequent speaker, award-winning leader, and member of the World Economic Forum’s Global Future Council Cybersecurity. Anna holds various cybersecurity certifications such as CISSP, CISA, ISO27k implementer and lead auditor.
GÉANT Cybersecurity Campaign 2025
Join GÉANT and our community of European NRENs for this year’s edition of the cybersecurity campaign: “Be mindful. Stay safe.” Download campaign resources, watch the videos, sign up for webinars and much more on our campaign website: security.geant.org/cybersecurity-campaign-2025/
This article is featured on CONNECT50, the latest issue of the GÉANT CONNECT Magazine!
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behaviour or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional
Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes.The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
