Zscaler Blog


News & Announcements

The Psychology of Trust in Cybersecurity: it’s not Paranoia, it’s Prudence

MARTYN DITCHBURN
September 04, 2025 - 4 min read

An innate trust in what's familiar is a very human response. In the workplace, it's almost a given that colleagues, internal systems, and corporate networks are all trustworthy.

But in today's 'everything-and-everyone-connects-from-everywhere' world, this instinct can be dangerously misleading. The enterprise network is more exposed than it has ever been, and not only because cloud-first hybrid environments have vastly expanded the attack surface.

There are three further reasons we're experiencing heightened vulnerability. First, the chance of compromise is greater as attackers turn to AI to launch increasingly sophisticated social engineering campaigns. Second, once a bad actor holds valid credentials, it is easy to log in (not hack in!) and move laterally through the network unmonitored, because the activity looks like that of a legitimate user. Finally, there's the danger to data: the alarming rise of ransomware, and of data exfiltration that triggers no alarms at all.

This is bad news for any industry, and especially for those already ranked among the most attacked[1] of all global industries. Given the sector's high-value data and regulatory exposure, it's no surprise to find Financial Services among that group.

Heritage status is a double-edged sword for established finance brands. They've amassed experience that digital-first challengers can't match; however, years of built-up, bolted-on security and performance updates to legacy infrastructure have created complex, unwieldy environments, which mean less agility and greater cyber-risk exposure. That complexity extends to the sector's vast supply chain ecosystem, where every move is highly regulated.

The challenges for the Financial Services sector are clear, particularly for the larger established banks competing with agile digital-first challengers. Organizations in this industry, and in every highly regulated sector, need to double down on security, and fast.

This isn’t fearmongering; it’s about challenging the trust bias that, too often, becomes a risky default. It’s about championing security prudence to ensure that control and resilience are maintained.

The Human Bias Toward Trust
Ever heard of cognitive heuristics? Rooted in cognitive science, the term describes the mental shortcuts we take when we need to make decisions quickly or with limited information. There are different kinds of shortcut, but the one we really need to be aware of in the digital workplace is the familiarity heuristic: reaching for what is familiar in the face of uncertainty. It's a judgement bias that many of us default to.

In a corporate setting, the familiarity heuristic can see us extend trust without a second thought: instinctively believing internal emails are 'safer' than external ones, assuming our own company systems are secure by default, or believing our colleagues are less likely to pose a threat to our cybersecurity.

This assumption that what's 'inside' is safe is exactly what cybercriminals prey on. A network breach may begin with an external threat, but more often it begins with staff credentials being compromised, unintentionally and largely over email. In 2024, our ThreatLabz team examined 1.2 billion data transactions across apps and core business channels such as email. The findings, shared in our 2025 Data@Risk Report, highlight the scale of the issue: sensitive company data (including source code and financial information) was leaked in nearly 104 million email transactions.

It's telling that email phishing remains one of the most effective attack vectors, even in 2025, with everything we know about the perils of poor security hygiene. Again, it comes down to the human bias toward trusting the familiar: an email that appears to come from a legitimate internal sender lands in an employee's inbox, the employee clicks the link as directed, and the door is open. The attacker then moves laterally across the network with the credentials they have harvested, undetected in a legacy security environment where being 'inside' is treated as proof of trustworthiness rather than something to verify at each access. The question is, can an entity's trustworthiness ever be assumed?

Part 2 of this series on the psychology of trust in cybersecurity is here. If you want to learn more about cybersecurity in the FSI space, download the ebook here.

[1] Statista, Distribution of cyberattacks across worldwide industries in 2024. May 2025. Available at: https://www.statista.com/statistics/1315805/cyber-attacks-top-industries-worldwide/
