Cyber Overconfidence Is Leaving Your Organization Vulnerable

  • By Erich Kron
  • Mar 24, 2025

The increased sophistication of cyber threats pumped by the relentless use of AI and machine learning brings forth record-breaking statistics. Cyberattacks grew 44% YoY in 2024, with a weekly average of 1,673 cyberattacks per organization. While organizations up their security game to help thwart these attacks, a critical question remains: Can employees identify a threat when they come across one? A Confidence Gap survey reveals that 86% of employees feel confident in their ability to identify phishing attempts. But things are not as rosy as they appear; the more significant part of the report finds this confidence misplaced.

Overconfident Employees Live with a False Sense of Security
The survey revealed interesting disparities in confidence levels according to demographics:

  • By region: The UK and South Africa exude the highest confidence level, at 91%, compared to just 32% in France.
  • By gender: Men report higher scam-savviness than women, potentially because of their access to cybersecurity training or perceived digital literacy.
  • By age: Younger employees (25 to 34 year olds) feel the most confident about nearly all fraud types, except for more advanced threats such as deepfake scams, where their confidence aligns with that of 16 to 24 year-olds.

A deeper look at the survey results unfolds a different story. Higher cybersecurity confidence does not directly translate into lower victimization rates.

  • South Africa may have topped the confidence chart but recorded the highest rate of scam victims (68%).
  • Of the 86% of respondents confident of identifying email phishing scams, over half fell for a cyberattack: 24% succumbed to email phishing, followed by social media phishing (17%) and deepfakes (12%).

Why Does Cybersecurity Overconfidence Not Imply Better Cybersecurity?
Humans differ significantly in risk perception and self-assessment based on cultural differences, education, experiences, access to technology, and more. Exposure to cyber threats and media coverage of security incidents, corporate culture, historical context of cyber incidents, and socio-economic factors all play a role in our susceptibility to deception and manipulation when a cyberattack strikes. Furthermore, cybercriminals can exploit more than 30 susceptibility factors, including emotional and cognitive biases, situational awareness gaps, behavioral tendencies, and even demographic traits, leaving a thin chance for cyber-savviness to outsmart malicious tactics.

Let’s take a closer look at why employee overconfidence, more often than not, results in security blind spots:

The Dunning-Kruger effect: This cognitive bias causes individuals to overestimate their abilities. For example, the research revealed that while 83% of African employees are confident in their ability to recognize cyber threats, 53% did not understand ransomware, and 35% lost money to scams.

Excessive reliance on tools and tech: Too many tools add to a system's complexity, making management difficult and allowing security lapses to slip in. Uber’s 2022 breach exemplifies how its overconfidence in multi-factor authentication (MFA) led to critical notifications being overlooked, resulting in a successful attack. Attackers exploited MFA fatigue, overwhelming an employee with repeated authentication requests until the person felt compelled to accept one just to stop the barrage.

Optimism bias: Pride often comes before a fall. Assuming that “this won’t happen to me” has led to many a downfall. A case in point was the 2014 attack on Sony Pictures. Employees fell victim to phishing emails they believed they could identify. Sophisticated criminal tactics bypassed their defenses, leading to a newsworthy breach.

Professional negligence: Underestimating your adversary and overestimating the ability of technology to stop incidents can sometimes overshadow the importance of investing in alternative measures. The technical jargon cybersecurity vendors use to market their wares creates a false sense of confidence that the network is unbreachable. As a result, resources and capabilities are diverted to other business needs, neglecting the very areas that need them.

What Can Organizations Do To Combat the Ills of Overconfidence?
A false sense of security from cybersecurity overconfidence might pose a greater risk than hackers. So how can organizations avoid falling into the overconfidence trap?

Foster collaboration and transparency: Encourage users to report potential issues to enhance overall security. Fostering open conversations about cybersecurity helps users see themselves as partners rather than hindrances.

Simplify reporting procedures: Ensure that employees feel comfortable reporting threats. This will help create a healthier security culture and foster an environment where users feel safe reporting incidents without fear of reprimand.

Deploy continuous training: Facilitate a culture of constant learning, where employees are encouraged to upskill and stay updated on emerging threat scenarios. Phishing simulation platforms and other forms of training exercises can improve employee instincts and reduce the risk of human error.

Tailor security policies around employee needs: Adapting security policies and strategies that recognize the unique perspectives of different industries, locations, and age groups can go a long way in bridging the gap between overconfidence and competence.

Hire external experts: Security audits and assessments by outside providers can offer an unbiased view of the organization's cybersecurity posture. This can help subdue the overconfidence bias by providing a reality check.

Cybersecurity overconfidence can cause security blind spots. Employees assume they are fraud-savvy, leading to complacency or apathy, making them less vigilant. Rapid digitization and threat evolution have led to a scenario where what worked yesterday may not work today. That’s why organizations must regularly assess their cyber strategies and bridge the gap between real and perceived security competence through continuous learning, implementing regular phishing simulations, and enabling a transparent security culture.

Featured

  • New Gas Monkey Garage Venue Uses AI-Enhanced Video Technology

    Gas Monkey Garage, the automotive custom shop and entertainment brand founded by Richard Rawlings of Fast N’ Loud TV fame, has opened a vibrant new restaurant and bar in South Dakota, equipped with advanced, AI-enhanced video tech from IDIS Americas. Read Now

  • Data Driven, Proactive Response

    As cities face rising demands for smarter policing and faster emergency response, Real Time Crime Centers (RTCCs) are emerging as essential hubs for data-driven public safety. In this interview, two experts with deep field experience — Ross Bourgeois of New Orleans and Dean Cunningham of Axis Communications — draw on decades of operational, leadership and technology expertise to share how RTCCs are transforming public safety through innovation, interagency collaboration and a relentless focus on community impact. Read Now

  • Integration Imagination: The Future of Connected Operations

    Security teams that collaborate cross-functionally and apply imagination and creativity to envision and design their ideal integrated ecosystem will have the biggest upside to corporate security and operational benefits. Read Now

  • Smarter Access Starts with Flexibility

    Today’s workplaces are undergoing a rapid evolution, driven by hybrid work models, emerging smart technologies, and flexible work schedules. To keep pace with growing workplace demands, buildings are becoming more dynamic – capable of adapting to how people move, work, and interact in real-time. Read Now

  • Trends Keeping an Eye on Business Decisions

    Today, AI continues to transform the way data is used to make important business decisions. AI and the cloud together are redefining how video surveillance systems are being used to simulate human intelligence by combining data analysis, prediction, and process automation with minimal human intervention. Many organizations are upgrading their surveillance systems to reap the benefits of technologies like AI and cloud applications. Read Now

Most   Popular

New Products

  • Mobile Safe Shield

    Mobile Safe Shield

    SafeWood Designs, Inc., a manufacturer of patented bullet resistant products, is excited to announce the launch of the Mobile Safe Shield. The Mobile Safe Shield is a moveable bullet resistant shield that provides protection in the event of an assailant and supplies cover in the event of an active shooter. With a heavy-duty steel frame, quality castor wheels, and bullet resistant core, the Mobile Safe Shield is a perfect addition to any guard station, security desks, courthouses, police stations, schools, office spaces and more. The Mobile Safe Shield is incredibly customizable. Bullet resistant materials are available in UL 752 Levels 1 through 8 and include glass, white board, tack board, veneer, and plastic laminate. Flexibility in bullet resistant materials allows for the Mobile Safe Shield to blend more with current interior décor for a seamless design aesthetic. Optional custom paint colors are also available for the steel frame.

  • Camden CV-7600 High Security Card Readers

    Camden CV-7600 High Security Card Readers

    Camden Door Controls has relaunched its CV-7600 card readers in response to growing market demand for a more secure alternative to standard proximity credentials that can be easily cloned. CV-7600 readers support MIFARE DESFire EV1 & EV2 encryption technology credentials, making them virtually clone-proof and highly secure.

  • QCS7230 System-on-Chip (SoC)

    QCS7230 System-on-Chip (SoC)

    The latest Qualcomm® Vision Intelligence Platform offers next-generation smart camera IoT solutions to improve safety and security across enterprises, cities and spaces. The Vision Intelligence Platform was expanded in March 2022 with the introduction of the QCS7230 System-on-Chip (SoC), which delivers superior artificial intelligence (AI) inferencing at the edge.