The ABC of cognitive resilience
Protecting the human firewall against social engineering at scale
In the modern threat landscape, the security perimeter has shifted. It no longer sits at the edge of the corporate network or the physical gates of a facility.
Increasingly, it resides within the psychological frameworks of the workforce. While traditional security focuses on protecting data and infrastructure, a newer category of threat, cognitive warfare, targets the mechanisms through which people perceive reality and make decisions.
For security, risk and resilience practitioners, particularly those operating within high-stakes regulated environments, understanding this shift is not merely academic. It is an operational necessity.
To defend our organisations, we must engage with the core of social psychology: the ABC model of Affect, Behaviour and Cognition.
The battlefield of the mind: defining cognitive warfare
Cognitive warfare is the deliberate exploitation of psychological vulnerabilities to degrade an individual’s or group’s capacity for clear thinking. Unlike traditional propaganda, which seeks to change what people believe, cognitive warfare aims to change how they think. Its objectives are to erode institutional trust, foster internal division and undermine the collective sense-making required for coordinated action.
In a business context, this manifests as sophisticated disinformation campaigns, AI-enhanced social engineering (including deepfake-enabled fraud) and the weaponisation of internal cultural divisions to cultivate insider threats. As generative AI matures, the cost of producing convincing synthetic media has collapsed, making these attacks accessible to a far wider range of adversaries.
The ABC framework: how disruption occurs
Social psychology offers a well-established map of how adversaries can deconstruct internal resilience. By targeting the ABCs (Affect, Cognition and Behaviour), hostile actors can turn a unified workforce into a fragmented, reactive and vulnerable population.
-
Affect: The emotional trigger
Affect refers to our emotional state: feelings, moods and physiological responses. Cognitive warfare almost always begins here. Adversaries use emotionally charged content, amplified by algorithmic recommendation systems, to push targets into states of high arousal.
When people are angry, fearful, or highly anxious, what Kahneman terms “System 1” thinking, which is fast, intuitive and emotionally driven, takes over. This bypasses the slower, more deliberative processing needed for sound judgement. If an adversary can shift an organisation’s affective baseline toward distrust or fear, they have already won half the battle.
Employees in a state of emotional distress are measurably more likely to make errors, fall for phishing attempts and lose confidence in leadership.
-
Cognition: The mental map
Cognition involves our thoughts, beliefs and the mental shortcuts, known as heuristics, that we use to process information. While heuristics are essential for managing daily complexity, they are readily exploited:
- Schemas and stereotypes. Adversaries encourage negative internal stereotypes and reinforce “us vs them” narratives within organisations, fracturing the unified culture that resilience depends on.
- Confirmation bias. Targets are steered toward information that reinforces their existing assumptions, narrowing their perception and making them resistant to corrective evidence.
- Availability heuristic. By making certain threats (often false ones) appear more common or imminent than they are, hostile actors can trigger decision paralysis or cause resources to be misallocated.
-
Behaviour: The intended outcome
The ultimate goal of disrupting affect and cognition is to alter behaviour. When an individual’s internal model of reality is distorted, their actions become unreliable.
This can include:
- Unwittingly supporting external adversaries by sharing sensitive information or amplifying disinformation.
- Turning against internal leadership or established protocols in what might be described as “cognitive rebellion”.
- Becoming a vulnerable insider, someone whose compromised judgement makes them susceptible to manipulation, whether through social engineering, coercion, or ideological alignment.
The cost of incoherence
When the ABCs are successfully disrupted at scale, the result is organisational incoherence. A workforce that is not coherent, one that is internally fragmented, distrustful and reactive, is not resilient. Resilience is more than the ability to recover from a technical failure. It requires a shared sense of purpose, mutual trust and the capacity to act collectively under pressure.
An organisation consumed by internal friction, arguing over fabricated narratives and second-guessing leadership based on manipulated information, has already lost the ability to respond effectively to external threats. For security practitioners, this incoherence is the ultimate vulnerability. You cannot defend an institution whose members are actively working against one another.
The practitioner’s response: Strengthening the human factor
For security, risk and resilience professionals, the mandate must expand. The role is no longer limited to gatekeeping. It must include sense-making facilitation: helping people interpret ambiguous information accurately under pressure.
-
Move from compliance to competence
Karl Weick’s work on organisational sensemaking demonstrates that people navigate uncertainty by constructing plausible narratives from incomplete information. Security training must move beyond compliance-based instruction (“don’t click this link”) and toward competence-based development that equips people to ask: “Why am I being told this and why now?”
Concretely, this means building training programmes that teach the mechanics of manipulation: how deepfakes are produced, how recommendation algorithms amplify outrage, how cognitive biases operate in real time.
When people understand the method, they become less susceptible to the message. Research on “prebunking”, a form of psychological inoculation through advance exposure to manipulation techniques, has shown measurable improvements in resistance to disinformation.
-
Integrate cognitive threats into risk assessments
Crisis resilience professionals must accept that organisations are being targeted by multiple actors simultaneously. State-sponsored groups, criminal syndicates and competing commercial interests all operate with different objectives and methods. Strengthening the human factor means building this reality into threat models and risk registers, not treating it as a footnote.
Practical steps include running red-team exercises that simulate social engineering campaigns (not just technical penetration tests), monitoring for coordinated inauthentic behaviour targeting the organisation or its sector and establishing clear escalation paths for employees who encounter suspected manipulation attempts.
-
Build institutional trust as a security control
Trust is the stabiliser that makes all other defences effective. If employees trust their organisation’s transparency and integrity, they are significantly less likely to be influenced by external disinformation designed to alienate them. Conversely, organisations with low internal trust are fertile ground for adversarial exploitation.
Building trust requires visible leadership commitment to honest communication, particularly during crises. It also requires security teams to be seen as enablers rather than enforcers, partners in helping people navigate a complex threat environment, rather than a compliance function to be circumvented.
Conclusion: From data protection to judgement protection
Recent high-profile deepfake fraud cases have demonstrated a uncomfortable truth: organisations can invest heavily in technical security and still fail catastrophically when their people’s judgement is compromised. These incidents are not aberrations. They are early indicators of a structural shift in the threat landscape.
In the coming decade, the most critical security asset will not be the firewall. It will be discernment: the trained capacity to distinguish authentic information from manufactured deception, to recognise emotional manipulation in real time and to maintain clear thinking under deliberate pressure.
As practitioners, our role is to safeguard the cognitive integrity of our organisations. By grounding our approach in the ABCs of social psychology, we can build workforces that are not merely compliant, but coherent, critical and prepared for the threats ahead.
The defence of the organisation begins with the defence of the mind.
Dr Paul Wood MBA CSyP ChCSP CiiSCM CIISec FSyl RSES (Principal)
CEO, Emerging Risks Global
