At RSA Conference 2026, the most uncomfortable takeaway wasn’t about malware or misconfigurations. It was about the human brain. In a session that drew a packed room, Randy Rose, vice president for security operations at the Center for Internet Security, argued that phishing continues to succeed because attackers don’t just target systems—they target our decision-making. And too often, we meet them on autopilot.
Why Even Security Experts Still Click on Phishing Emails
Rose anchored his talk in behavioral science. He cited Daniel Kahneman’s model of two thinking modes: the fast, intuitive System 1 and the slower, analytical System 2. We spend most of the day in System 1 because it conserves energy. That’s efficient for life, disastrous for security. Phishing works by hijacking System 1 with urgency, authority, curiosity, or fear—then cashing out before System 2 kicks in.
Classic social psychology fills in the rest. Stanley Milgram showed how authority can override judgment. Robert Cialdini identified levers of influence like reciprocity, scarcity, and social proof. Add well-known cognitive biases—anchoring on a single detail, confirmation bias, overconfidence—and you have a predictable architecture of persuasion. Attackers are simply better at using it than we are at resisting it.
The punchline: this isn’t a knowledge gap. It’s a physiology and psychology gap. Even highly trained professionals can be lured into System 1 shortcuts, especially under time pressure, fatigue, or distraction.
How AI Is Stripping Away the Old Phishing Red Flags
For years, awareness programs told users to hunt for typos, odd phrasing, or mismatched logos. That advice is aging out. Generative AI now crafts fluent, brand-perfect messages at scale, localizes tone, and tailors pretexts using open-source intelligence. Deepfake audio and video add high-fidelity pressure—think a “CFO” on a video call greenlighting a transfer. In one widely reported case, a finance worker was persuaded via deepfake colleagues to move funds totaling tens of millions.
Meanwhile, infrastructure looks cleaner too. Attackers use compromised but reputable domains, valid TLS certificates, and adversary-in-the-middle phishing kits that proxy the real login page, relay the one-time code, and capture the resulting session cookie. The old telltales are evaporating, which is exactly Rose’s point: training users to spot artifacts is a losing game when the artifacts are disappearing.
The Numbers Behind Human Risk in Modern Phishing
The data backs the human story. Verizon’s Data Breach Investigations Report has attributed roughly 68% of breaches to the “human element,” a category that includes phishing and social engineering. Proofpoint’s State of the Phish has repeatedly found that a majority of organizations face at least one successful phishing incident each year. The FBI’s Internet Crime Complaint Center continues to list phishing as the top reported cybercrime by volume, while business email compromise remains among the costliest, with annual reported losses in the billions.
Real-world breaches echo the theme. Help desk social engineering has enabled intrusions at major brands, MFA fatigue has felled tech giants, and vendor email compromise has rerouted legitimate payments. None of these required zero-days—only zero hesitation.
Rethinking Awareness Into Decision Hygiene
Rose’s critique of security training is blunt: too noisy, too artifact-focused, and not grounded in how humans actually decide. His prescription is to create “decision hygiene” that interrupts System 1 and invites System 2. Three practical moves stand out.
- First, institutionalize the pause. Build micro-delays into sensitive workflows—supplier changes, payment approvals, credential resets—so employees have permission to slow down. A 60-second rule and a short checklist (What is the request? What’s the rush? How can I verify in another channel?) changes outcomes.
- Second, require channel switching for high-risk actions. Out-of-band verification via a known phone number or internal ticket, not a reply to the same email thread, defeats many near-perfect spoofs. This counters authority and urgency triggers in one move.
- Third, train the “why,” not just the “what.” Teach common influence techniques and cognitive biases with concrete scenarios, then rehearse responses. Reflection exercises, post-incident reviews that analyze thinking (not blame), and team walk-throughs help employees recognize when they’re being steered.
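The first two moves are ones a workflow system can enforce rather than merely recommend. The Python sketch below is an added illustration, not code from the talk or from CIS: it models a supplier bank-detail change that cannot be approved until the 60-second pause has elapsed, and counts a verification only if it happened on a channel other than the one the request arrived on and, for a callback, used the phone number held in the vendor master record rather than one supplied inside the request. The vendor registry, channel names, IBANs and timestamps are constructed for the example.

```python
"""Decision-hygiene guardrail for a high-risk request (added example, constructed data)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Tuple


class Channel(str, Enum):
    EMAIL = "email"
    PHONE = "phone"
    TICKET = "ticket"
    IN_PERSON = "in_person"


# Constructed system of record. Callback details come from here, never from the request.
VENDOR_REGISTRY = {
    "acme-supplies": {"phone": "+1-555-0100", "iban": "DE89370400440532013000"},
}

MIN_PAUSE_SECONDS = 60                       # the "60-second rule"
INTERNAL_CHANNELS = {Channel.TICKET, Channel.IN_PERSON}


@dataclass
class Verification:
    channel: Channel
    contact_used: str        # number dialled, ticket id, or person seen
    at: float                # epoch seconds


@dataclass
class ChangeRequest:
    vendor_id: str
    new_iban: str
    origin: Channel                         # channel the request arrived on
    received_at: float
    claimed_phone: Optional[str] = None     # callback number the requester offered (untrusted)
    verifications: List[Verification] = field(default_factory=list)


def evaluate(req: ChangeRequest, now: float) -> Tuple[bool, List[str]]:
    """Apply every guardrail and return (approved, list of failed checks)."""
    vendor = VENDOR_REGISTRY.get(req.vendor_id)
    if vendor is None:
        return False, ["unknown vendor"]
    failed: List[str] = []

    # 1. Institutionalize the pause: nothing is approvable inside the first minute.
    if now - req.received_at < MIN_PAUSE_SECONDS:
        failed.append("mandatory pause not elapsed")

    # 2. Channel switching: a verification counts only if it used a different
    #    channel than the request, happened after the request arrived, and either
    #    dialled the number on file or went through an internal channel the
    #    requester's pretext cannot reach.
    def is_out_of_band(v: Verification) -> bool:
        if v.channel == req.origin or v.at < req.received_at:
            return False
        if v.channel == Channel.PHONE:
            return v.contact_used == vendor["phone"]
        return v.channel in INTERNAL_CHANNELS

    if not any(is_out_of_band(v) for v in req.verifications):
        failed.append("no out-of-band verification against the system of record")

    # 3. A callback number that differs from the record is a classic vendor
    #    email compromise tell: surface it for escalation, never act on it.
    if req.claimed_phone and req.claimed_phone != vendor["phone"]:
        failed.append("requester-supplied callback number differs from record")

    return not failed, failed


if __name__ == "__main__":
    # Constructed scenario: urgent email asking for a new IBAN and a "new" callback number.
    req = ChangeRequest("acme-supplies", "GB29NWBK60161331926819", Channel.EMAIL, 0.0,
                        claimed_phone="+1-555-0199")
    req.verifications.append(Verification(Channel.PHONE, "+1-555-0199", 40.0))  # called the attacker's number
    print(evaluate(req, 120.0))
    req.verifications.append(Verification(Channel.PHONE, "+1-555-0100", 100.0))  # called the number on file
    print(evaluate(req, 130.0))
```

The design point is that the verification contact is read from the registry, so an attacker who controls the email thread and the callback number it contains still cannot satisfy the check; a reply on the same thread, or a call to the number in the request, is simply not counted.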
Stacking Controls To Support Slow Thinking
Behavioral defenses work best when technology and process create the right friction. Phishing-resistant MFA such as FIDO2 passkeys binds the credential to the legitimate origin, so a proxied login page yields nothing an attacker can reuse. Conditional access and impossible-travel policies blunt replay of a stolen session token. DMARC at p=reject, brand indicators (BIMI), and blocking external auto-forwarding shrink the spoofing surface. For high-risk roles, browser isolation or link detonation adds a safety net.
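"DMARC enforcement" is a specific setting, and a monitor-only record is the weak configuration most often mistaken for it. The Python below is an added example, not code from the talk or from CIS: it parses a DMARC TXT record and reports whether the domain is actually enforced, partially enforced (quarantine, a pct below 100, or a weaker subdomain policy), or merely monitoring. The records it evaluates are constructed; for a live domain you would fetch the string with `dig +short txt _dmarc.example.com` and pass it in.

```python
"""Assess a DMARC posture from its TXT record (added example, constructed records)."""
from typing import Dict, List, Tuple

# Constructed records: the weak setting beside the corrected one.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
ENFORCED_RECORD = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com"


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=none; rua=...' into a tag dict; tag names are case-insensitive."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(txt: str) -> Tuple[str, List[str]]:
    """Return (posture, findings); posture is enforced, partial, monitor-only or missing."""
    tags = parse_dmarc(txt)
    if tags.get("v", "").upper() != "DMARC1":
        return "missing", ["no valid DMARC record"]
    findings: List[str] = []

    # A missing p tag gives no enforcement either, so treat it like p=none.
    p = tags.get("p", "none").lower()
    sp = tags.get("sp", p).lower()          # subdomain policy defaults to p
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
        findings.append("pct is not numeric; check the record syntax")

    if p == "none":
        posture = "monitor-only"
        findings.append("p=none: spoofed mail is delivered and only reported")
    elif p == "quarantine":
        posture = "partial"
        findings.append("p=quarantine: spoofs land in spam instead of being rejected")
    elif p == "reject":
        posture = "enforced"
    else:
        posture = "monitor-only"
        findings.append(f"p={p}: not a recognised policy, so no enforcement")

    if posture == "enforced" and sp != "reject":
        posture = "partial"
        findings.append(f"sp={sp}: subdomains can still be spoofed")
    if pct < 100 and posture == "enforced":
        posture = "partial"
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    elif pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua: no aggregate reports, so spoofing attempts go unseen")
    return posture, findings


if __name__ == "__main__":
    for record in (WEAK_RECORD, ENFORCED_RECORD):
        posture, findings = assess_dmarc(record)
        print(f"{record!r}\n  -> {posture}; {findings}")
```

Run it against the two constructed records and the weak one comes back monitor-only with an explanation, the corrected one enforced with no findings; the useful cases in practice are the partial ones, where a domain owner believes the record is done but a pct=50 rollout or an explicit sp=none was never tightened.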
On the process side, set hard guardrails: no payment or banking changes without out-of-band confirmation; no emergency access granted without secondary identity proof; no password resets initiated solely from email. Help desks need scripts that assume adversarial pretexts and verify identity with signals attackers can’t easily fake.
The Mindset Shift Security Needs to Defeat Phishing
The uncomfortable truth from RSAC 2026 is that phishing still works because it exploits normal brains doing normal things under normal pressure. The fix isn’t shaming users or piling on more red flags. It’s redesigning decisions so System 2 shows up in the moments that matter, supported by controls that make the secure choice the easy default.
Phishers are optimizing for our attention, energy, and habits. Security leaders should do the same—by budgeting time to think, rewarding skepticism, and engineering workflows that favor verification over velocity. Slow is smooth, smooth is secure.