Phishing, one of the oldest forms of cybercrime, continues to exploit the most human of vulnerabilities: trust. Despite decades of improvements in email filtering and domain verification, attackers still succeed by manipulating perception. A new study by Anderson Kevin Gwenhure, published in the Journal of Cybersecurity (Open Access, 2025), shifts the lens from technology to psychology, exploring how belief systems influence user behavior in the face of deceptive digital threats.
Drawing from health psychology, the research applied the Health Belief Model (HBM) - a framework typically used to predict preventive health behaviors - to a cybersecurity context. The model considers six factors that influence whether a person takes protective action: perceived susceptibility, perceived severity, perceived importance, perceived barriers, cues to action, and self-efficacy. Gwenhure's team surveyed 569 university students at Universitas Atma Jaya Yogyakarta, Indonesia, seeking to identify which psychological components best predict resistance to phishing emails.
Surprisingly, students who perceived themselves as vulnerable to phishing were not necessarily more cautious. Instead, those who viewed phishing as a serious threat - and believed that their actions mattered - were the ones who consistently adopted secure behaviors, such as checking sender addresses and avoiding suspicious links. Self-efficacy, or the confidence in one's ability to act, also played a decisive role. The study's structural model explained 64% of the variance in security behavior, underscoring that psychological awareness, rather than technical literacy alone, drives behavioral change.
In contrast, perceived barriers - such as the inconvenience of double-checking links or reporting suspicious messages - had little measurable impact. This suggests that when people believe they can manage a threat effectively, inconvenience ceases to be a deterrent. Similarly, simple reminders - known in psychology as "cues to action" - proved important triggers for safer behavior. Notifications, security prompts, or even informal peer reminders were often enough to initiate protective responses.
Interestingly, perceived susceptibility and perceived barriers were the least influential factors. This finding runs counter to much of the traditional cybersecurity messaging, which often emphasizes fear-based awareness campaigns - showing worst-case scenarios to motivate users. Gwenhure's results imply that fear alone does not foster resilience. Instead, motivation grows from internal coherence: the sense that one can understand, evaluate, and control one's digital environment.
The study's focus on Indonesian students also provided valuable insight into demographic and cultural nuances. Many participants used email infrequently or had never personally experienced phishing attacks. As a result, perceived susceptibility was low - students simply didn't imagine themselves as targets. Yet when they recognized the severity of what could happen - loss of privacy, embarrassment, or data theft - they became more attentive and proactive. This distinction between imagining risk and recognizing consequence highlights a key psychological gap that awareness programs must bridge.
From a practical standpoint, the research reinforces that effective cybersecurity training must go beyond information delivery. Simply teaching users to "be careful" is insufficient. Instead, programs must foster a sense of mastery - developing intuitive competence and confidence. Gamified learning, scenario-based simulations, and feedback loops can strengthen self-efficacy, translating knowledge into behavior. Institutions that promote regular awareness cues - such as reminder emails or visible threat indicators - can further anchor these habits.
On a broader level, the study positions behavioral cybersecurity as a critical frontier. As digital systems integrate artificial intelligence and personalization, the cognitive load on users intensifies. Attacks increasingly exploit emotional and social triggers - urgency, trust, authority - rather than technical loopholes. Understanding these mechanisms demands models that account for perception, motivation, and meaning. The Health Belief Model, though originally medical, offers a structured way to map these cognitive dynamics, identifying where awareness breaks down and how belief can restore balance.
From the lens of Seven Reflections' Dimensional Systems Architecture (DSA), phishing attacks reveal not only technological deception but also cognitive entropy. Each misleading message injects disorder into the user's mental field - testing the system's ability to preserve internal coherence amid external noise. In DSA terms, security behavior corresponds to the stability of the cognitive field under information stress.
Self-efficacy functions as a coherence variable: it sustains order by maintaining belief alignment between perception and action. When confidence weakens, the field destabilizes, and susceptibility rises. Conversely, awareness acts as an integrative force, re-synchronizing the field's logic and reducing entropy. Thus, the most effective cybersecurity measure is not the filter or firewall, but the individual's capacity to stabilize their own field - to remain aware, structured, and intentional when the informational environment becomes adversarial.