The International Risk Podcast
Welcome to The International Risk Podcast — the premier destination for high-level insights into global risk dynamics. Hosted by Dominic Bowen, an accomplished senior advisor, each episode delivers expert analysis and actionable intelligence on today’s most pressing international risks. From geopolitical tensions and economic upheavals to cybersecurity threats and environmental challenges, we bring clarity to the complex risks shaping our world.
Tailored for CEOs, Board Members, senior managers, and risk professionals, our weekly episodes are essential listening for those making strategic decisions in volatile environments. With distinguished guests from diverse sectors and geographies — including renowned industry experts, policymakers, and thought leaders — we provide a multidimensional perspective, equipping you with insights to stay ahead of emerging threats and capitalize on new opportunities.
Our host, Dominic Bowen, is a senior business leader, and Partner at 2Secure where he is Head of Strategic Advisory and leads a team of senior management consultants and advisors.
Join us for engaging, thought-provoking conversations that go beyond the headlines. Stay informed, stay ahead, and transform the way you perceive and manage international risks. The International Risk Podcast is not just a podcast; it is crucial listening for today's leaders.
Episode 350: The Human Blind Spot in Cybersecurity with Robert Siciliano
In this episode, we host Robert Siciliano to examine why the biggest vulnerability in cybersecurity is so often not the technology, but the people using it. Drawing on decades of work in fraud prevention, identity protection, and security awareness, Robert argues that most organisations still treat cyber risk as a compliance issue rather than a human one. He explains why trust, routine, distraction, and fatigue continue to make employees the easiest route into organisations, even as firms invest heavily in technical controls.
We discuss why awareness alone does not change behaviour, why phishing simulations and annual training often fail, and why security needs to be taught as a decision-making discipline grounded in empathy and personal relevance. From the “human blind spot” and the “shame barrier” to password habits, two-factor authentication, business email compromise, and the idea of employees as a strategic human firewall, this conversation offers a practical guide to the human side of cyber risk.
We also explore how artificial intelligence is accelerating old threats and enabling new ones. From voice cloning and deepfakes to highly personalised scams, pig butchering, and the exploitation of loneliness and emotional vulnerability, Robert explains how criminals are learning to bypass not only technical systems, but human psychology itself.
Robert Siciliano is a security expert, private investigator, and public speaker. He is the CEO of Safr.Me and Head Trainer at Protect Now. His work focuses on fraud prevention, identity protection, personal security, and the human side of cyber risk. For more than three decades, he has helped organisations and individuals understand how deception works and how to become tougher targets in an increasingly complex threat environment.
The International Risk Podcast brings you conversations with global experts, frontline practitioners, and senior decision-makers who are shaping how we understand and respond to international risk. From geopolitical instability and organised crime to cybersecurity threats and hybrid warfare, each episode explores the forces transforming our world and what smart leaders must do to navigate them. Whether you’re a board member, policymaker, or risk professional, The International Risk Podcast delivers actionable insights, sharp analysis, and real-world stories that matter.
The International Risk Podcast is sponsored by Conducttr, a realistic crisis exercise platform. Conducttr offers crisis exercising software for corporates, consultants, humanitarian, and defence & security clients. Visit Conducttr to learn more.
Dominic Bowen is the host of The International Risk Podcast and Europe’s leading expert on international risk and crisis management. As Head of Strategic Advisory and Partner at one of Europe’s leading risk management consulting firms, Dominic advises CEOs, boards, and senior executives across the continent on how to prepare for uncertainty and act with intent. He has spent decades working in war zones, advising multinational companies, and supporting Europe’s business leaders. Dominic is the go-to business advisor for leaders navigating risk, crisis, and strategy; trusted for his clarity, calmness under pressure, and ability to turn volatility into competitive advantage. Dominic equips today’s business leaders with the insight and confidence to lead through disruption and deliver sustained strategic advantage.
[00:00:00] Robert Siciliano: Most corporations have all the necessary infrastructure to make sure that the bad guys do not get in. It is hard to hack a bank. It is hard to hack a big company that has all the critical infrastructure to make sure that that does not happen. So how do they get in? They get in through humans. That is where the vulnerabilities are.
[00:00:14] Dominic Bowen: Welcome back to the International Risk Podcast, where we discuss the latest world news and significant events that impact businesses and organisations worldwide. And this episode is brought to you by Conducttr. Conducttr software helps you design and deliver crisis exercises without needing a big team or weeks of preparation. You can create a central exercise library with Conducttr Worlds, and you can generate reports that support your governance and compliance requirements. So if you want flexible, realistic crisis exercises that are easy to adopt, then Conducttr is worth a look.
[00:00:47] Dominic Bowen: And I have a quick favour to ask before we start today. If you are a regular listener, please subscribe and follow the International Risk Podcast. It is the simplest way to support the show, and it helps us reach more listeners who need this content. And my commitment to you is that it will keep improving every part of the podcast, from our guests to the quality of the research and the practical insights we provide. And if there is a guest you think we should bring on the podcast, or a risk that you want unpacked, send it through to us, and I promise we read all of your comments.
[00:01:16] Dominic Bowen: Please hit the subscribe or follow button now, and let us jump into today’s episode. Our guest today on the International Risk Podcast has spent years focused on the part of cybersecurity risk management that most organisations still underestimate. And of course, that is people. And at a time when 43% of UK businesses and about 30% of charities are reporting a cyber breach or an attack in just the last 12 months, and phishing is still the most common and disruptive method, the question is not whether people know cyber threats exist. The question really is why so many people and so many companies fail to act.
[00:01:51] Dominic Bowen: I am Dominic Bowen, host of the International Risk Podcast, where we discuss the topics that really matter. And in today’s episode, we are exploring that widening gap between awareness and actual behaviour, why trust and routine remain the easiest way into organisations, and what business leaders need to do when the organisation’s most dangerous vulnerability is also our greatest asset. And again, I am still talking about our people. Today’s guest is Robert Siciliano. He is a security expert and private investigator who serves as the CEO of Protect Now LLC, and his work focuses on fraud, identity protection, and the human side of cyber risk.
[00:02:30] Dominic Bowen: And I think today’s conversation will be really interesting for all of us. Robert, welcome to the International Risk Podcast.
[00:02:36] Robert Siciliano: Hey, thank you so much for having me. Much appreciated.
[00:02:38] Dominic Bowen: Whereabouts in the world do we find you today, Robert?
[00:02:40] Robert Siciliano: I am in Boston, Massachusetts.
[00:02:42] Dominic Bowen: Boston, Massachusetts. Nice. I have not been there, but I have heard good things about it.
[00:02:46] Robert Siciliano: Yes, this is where the Kennedys were born, for sure.
[00:02:49] Dominic Bowen: Well, look, we will jump straight in. I mean, the cybersecurity industry has spent years pushing awareness campaigns, but I think the results, at least what we see in our industry, are mixed at best. But if we look at Europol, if we look at FBI data, it is showing very clearly that cyber losses are still increasing. So I do not think the issue is a lack of information.
[00:03:10] Dominic Bowen: And definitely across Europe, the attack surface is not just digital infrastructure; it is human judgement. Now, with nearly half of all UK businesses reporting cyber breaches or attacks in the last 12 months alone, and the European Union’s Cyber Security Agency talking about AI-supported phishing now dominating social engineering activities, I wonder: are people overloaded, are they fatigued, or have they just become numb to the constant warnings? So when you look at vulnerabilities, when you consider what the real risks to companies are, are we dealing with awareness problems, or is this more of a behavioural execution problem?
[00:03:46] Robert Siciliano: I think it is more of execution. I think that employees understand risk, but they do not necessarily want to engage in risk management. They do not necessarily think that that is their job. I think a big part of the problem is something that I call the human blind spot. It all begins with biology, as odd as that might sound.
[00:04:05] Robert Siciliano: It is how humans are wired to begin with. We are what is considered, of course, an interdependent species, which means we are dependent upon each other for our survival. And the basis of that is that we need to trust each other, and that trust is our foundation. And so when we meet people in person, on phone calls, in emails, and in text messages, we biologically want and need to trust that the person we are interacting with has our best interests in mind, that they do not intend to hurt us. So our default is that we want to trust each other.
[00:04:38] Dominic Bowen: I think the trust is a really important point, because we are spending so much money on technical controls, and yet some of the biggest losses that companies are facing come from phishing. I was speaking to one of Europe’s largest construction firms yesterday, and they had a successful phishing attack conducted against them when someone clicked on an email: spoofing, of course, and business email compromise. And I think this is really important because it suggests that organisations are defending their infrastructure, and most organisations are much better at doing that today with cybersecurity, but they are still neglecting this decision-making behaviour and the trust, as you talked about it.
[00:05:12] Dominic Bowen: So from your perspective, Robert, why are these basic failures like clicks, skipped checks, and misplaced trust still such reliable entry points for cybercriminals?
[00:05:22] Robert Siciliano: Well, due to the fact that most corporations have all the necessary infrastructure to make sure that the bad guys do not get in, it is hard to hack a bank, it is hard to hack a big company that has all the resources and the critical infrastructure to make sure that that does not happen. So how do they get in? They get in through humans. They are hacking humans, plain and simple.
[00:05:39] Robert Siciliano: That is where the vulnerabilities are. But we are not speaking to the human at all when it comes to security awareness training. And we all have this human blind spot. And that blind spot is essentially a cognitive gap where biological trust overrides digital suspicion, leaving the door wide open for all kinds of social engineering and AI-enhanced deception that criminals use to bypass human logic.
[00:06:04] Robert Siciliano: It is that internal conflict between our evolved survival instincts and our modern knowledge, or lack of knowledge, of various digital risks. And we are not speaking to the human where they are at. We are trying to tell them, intellectually, what they need to look for and what they need to understand. But we are not addressing the human and their worries, their fears, their concerns, and how they view security to begin with. Most people do not actually believe in security.
[00:06:36] Robert Siciliano: And I know that that sounds odd, given that you and I do this for a living, but security actually kind of goes against our core beliefs as humans. Speaking to the human blind spot, when we trust by default throughout the day, week, month, and year, we are pretty much giving people the benefit of the doubt all the time. But when somebody does us harm, somebody hurts us physically or emotionally, we get scarred in some way. Somebody steals from us, and we are like, whoa, I did not expect that from you. Why would you do that to me? I would not do that to you.
[00:07:05] Robert Siciliano: And when that happens to us, we do not necessarily take those lessons and learn from them. We are just physically and emotionally scarred and hurt by them. And that, in and of itself, is not something that we ever want to deal with again. We would just rather not have to think about it.
[00:07:22] Robert Siciliano: And ultimately what we do is we kind of deny that it is going to happen to us again. We literally put our head in the sand, pull the covers over our head, and function at a level of denial that this cannot happen to me. When I get in front of a live audience, one of the things that I do is get into a dialogue with them. One of the questions I ask is: how many of you have a home security system? And usually it is maybe 15% of the room, if that. Like, 85% do not have a home security system.
[00:07:46] Robert Siciliano: And in the States we have about a million burglaries every single year. Okay, so why do you not have one? The most common answer I get is, I do not have a home security system because I do not want to live like that. And I say, what does that actually mean? They say, I do not want to have to worry. I do not want to have to think about those things.
[00:08:06] Robert Siciliano: I do not want a constant reminder in my house that there are bad actors out there. I just want to be free of that and not have to think about it. So what they are actually doing is choosing to function in denial that it cannot or will not happen to them, and they choose to do nothing about it. And so security is not a normal, natural thing. It is recognising risk.
[00:08:25] Robert Siciliano: It is recognising predators, sociopaths, and psychopaths. But we do not want to think about that.
[00:08:31] Dominic Bowen: And that all makes sense. And I think this will resonate with most of our listeners, Robert. And yet a lot of corporate and government security training still feels generic. It is generally conducted once a year and it is usually forgettable. And when I meet with executive teams and I start to ask them, tell me about how you are building a culture of security awareness, and tell me about how you are building a culture where people are leaning into risk, and where it is rewarded for people to lean into risk and to do it in a mature, healthy way, usually the standard response is either an awkward silence or, oh yes, once a year we get people to do a 15-minute IT security awareness training.
[00:09:03] Dominic Bowen: And I sort of put my head down in my lap and go, oh, okay. I need to come up with a polite, professional response. But we know, and this comes from the FBI and from Europol, and from the warnings on impersonation campaigns targeting senior officials and senior business leaders, that modern attacks are built around credibility, familiarity, and often urgency. So Robert, with that said, and based on everything you have just been describing, why are most organisations and government agencies still teaching cybersecurity as a policy issue, as a compliance issue, when they should be teaching it as a decision-making discipline?
[00:09:40] Robert Siciliano: Well, truly, they do not know any better and they do not think they have any other options. Security fatigue is caused by the compliance trap, as I call it. Bombarding employees with complex, impersonal rules triggers security aversion. And that compliance trap is the false sense of security felt by meeting regulatory requirements while the actual human behaviour remains unchanged and vulnerable. Phishing simulation, of course, is necessary.
[00:10:11] Robert Siciliano: It works to a degree. It is designed to fix the problem of phishing, and pretty much that is it. But what it fails to do is address the human, and it fundamentally does not make the employee care about security. What sometimes happens as a result is that we engage in blaming the victim, blaming the person who fell for the phishing email, shaming the victim. We have been doing that for hundreds of years.
[00:10:39] Robert Siciliano: That leads to what I call the silent failure. It is a compromise of the person’s brain, their wetware versus software, that triggers no technical alarms and often goes unreported due to what we call the shame barrier. The shame barrier is that emotional wall that prevents that victim from reporting the breach to begin with. But we can break this shame barrier by treating mistakes as data, not causes for termination. And we have been doing this phishing simulation thing for 15 years, maybe, and it ticks that box.
[00:11:12] Robert Siciliano: But due to the fact that the CISO and the C-suite executives are a bit overwhelmed and probably underfunded, they are herding cats, so to speak. They are doing what they can with what they have access to. But again, that is putting the cart before the horse. There are ways to go about it if they step back and look at it in a way that actually engages the employee where they are at in their own personal lives. And that is really where it begins.
[00:11:39] Dominic Bowen: Yes, I think the personal lives point is a really important one because so many of us are tired, and we see that in our colleagues. Everyone is rushing from one meeting to another, rushing to pick up their kids, rushing to have the meetings, rushing to everything that we have got on. And we are all constantly multitasking. How often do we go from one place to the next and just go, hold on, what am I even doing? Where was I going? The last 10 minutes just sort of disappeared from my mind.
[00:12:02] Dominic Bowen: We have got so many things going on. And you have described a growing behavioural backslide in personnel and risk management. What do you mean by that when you talk about this behavioural backslide, and why does it matter?
[00:12:14] Robert Siciliano: We are seeing adoption of two-factor authentication go down. Less than 10% of the general public is using a password manager. When I get in front of a live audience, I ask a series of questions. How many of you can honestly say that you are using a different passcode across all your critical accounts? If I get 15% of the room, that is a lot.
[00:12:37] Robert Siciliano: Next question. How many of you are using two-factor authentication? If I get 20% of the room, it is usually a little bit more. That is a lot. Which means 80 to 90% of the general public, consumers, and employees are using the same credentials across multiple accounts, not using two-factor authentication, and not using password managers.
[00:12:57] Robert Siciliano: And I have been doing what I do now for 30-plus years. What has changed in 30 years is that organised crime has taken over fraud. Hundreds of billions of dollars a year are being lost and stolen as a result. What has not changed is consumers and employees in risk management in that regard. They do not look at security much differently today than they did 30 years ago.
[00:13:23] Robert Siciliano: They are still using the same passcode across multiple accounts, they resist two-factor authentication, they are not using password managers, and they are simply overwhelmed. They are not engaging in the basic best practices. Like you said, we get home from work, we are tired, we are exhausted. But beyond that, it is security fatigue, and we have yet to address that. Truly, all security is personal.
[00:13:58] Robert Siciliano: Because in the US, realtors are murdered, you know, in vacant houses, with women working alone, visiting unoccupied properties, and so forth. They get murdered. And so I started my business doing that. Personal security is violence and theft prevention. And from that, I got hacked.
[00:14:13] Robert Siciliano: In the mid-1990s, in 1995, I had an IBM PS1 Consultant, which was the make and model of a Windows 3.1 machine with a 150-megabyte hard drive. I had to buy an additional card to plug into the computer because it did not just connect to the internet. You had to buy a whole separate card to connect to AOL, America Online. And I had the ability to accept credit cards via my computer. And I got hacked within a month of that.
[00:14:37] Robert Siciliano: And when that happened to me, I lost thousands of dollars in credit card fraud back in 1995. And I did not know that that was a thing. That was a brand new thing for me. And when I talked to my credit card company and bank about it, they were like, oh yes, that is becoming an issue. And so when that happened to me, as devastated as I was that I lost thousands of dollars, I was intrigued by what they did and how they did it.
[00:14:59] Robert Siciliano: If they could steal thousands of dollars from me through AOL, what else could they do? And so I started to teach the real estate agents not just about personal protection as it related to violence prevention and theft prevention in the physical world, but now also in the virtual world. Since that time, I have always believed that all security is personal. It begins with the individual and managing risk from physical harm. But what is more personal than your own identity?
[00:15:28] Robert Siciliano: Identity theft. So when you teach personal security from the perspective that all security is, in fact, personal, it is the core belief that people protect what is important to them. People protect what they love. And by doing that from that perspective, you create more secure employees at work. Whenever I walk into a room and I get on the platform because I am hired by a company that says, we just want our people to care about security.
[00:15:55] Robert Siciliano: That is all we want. I walk into the room and there are a hundred people like this. For those of you listening, I am crossing my arms. They are not open to me, and they are looking at me with a scowl on their face, and they are like, okay, security guy, tell me something I do not already know. And as I begin to ask them questions and point out, did you know that one to two million homes are burglarised every single year?
[00:16:13] Robert Siciliano: And this is why you should have a home security system. And that there are 15 billion passwords on the dark web, and there have been something like 300 billion records compromised in the past 20 years. And they are like, oh, that is why I am not supposed to use the same passcode across multiple accounts. Oh, that is beginning to make sense to me. And so, as we are engaging in a dialogue, which is what security awareness training should be, versus a monologue, their arms begin to go down by their side or on their lap, and they begin to physically lean into the conversation.
[00:16:42] Robert Siciliano: They go from a scowl to their eyes beginning to open up a little bit. And as their arms go down, their hands begin to go up and they start to have questions. Because now they want to know. They are like, oh, this is not about protecting my company, this is about protecting me. This is important to me. I did not know that this programme was going to be like that. Now I am interested because it is about me.
[00:17:06] Robert Siciliano: And the example that I give is when you and I are on a flight and the flight attendant is providing us the safety instructions and she starts talking about the oxygen mask. I will ask you, what does she say to do in regards to the oxygen mask?
[00:17:21] Dominic Bowen: Of course, you help yourself before you help the person beside you.
[00:17:24] Robert Siciliano: Exactly. Because you cannot possibly help others until you take care of yourself first. Now, some people might say, well, that is selfish. Well, yes, human beings are designed to be selfish. It is important to be selfish.
[00:17:39] Robert Siciliano: You and I are better husbands, we are better fathers, we are better employees. When you and I take care of ourselves first, we are required to get a good night’s sleep, to eat good food, and to nourish our body with fluids in order to be good with everyone else in our lives. Right? And when it comes to our security, it is the exact same thing.
[00:18:04] Dominic Bowen: And so when we think about solutions to that, noting that people are filled with fear, often overwhelmed, and in many cases fatigued, is the solution to this psychological or technical? Where do we find the solution to this?
[00:18:19] Robert Siciliano: Through empathy. I would call that psychological. It begins with actually engaging in a dialogue with your employees, with your people. I do not know that your C-suite executives ever actually sit down with their co-workers and have a dialogue in the way that they could or should.
[00:18:39] Robert Siciliano: What I do know is that I constantly hear from the CISO, why is it that my people keep thinking that email is from Amazon? I keep telling them it is not from Amazon. They keep clicking the email thinking it is from Amazon. How many times do I have to tell them it is not coming from Amazon? It is because they do not actually recognise risk, because they do not truly believe in security to begin with.
[00:19:05] Robert Siciliano: So in this process, I explain to them, okay, so I am a guy that has, it is actually true, about 20-plus security cameras. So if this guy has 20-plus security cameras, what is your reaction to that? What might you think is my belief system? I wake up every day like, what is my outlook? Guy has 20 security cameras.
[00:19:24] Robert Siciliano: He must be what?
[00:19:25] Dominic Bowen: Well, you are talking to a security and risk professional, but I would say that suggests you have obviously got some issues and things you want to protect, because that is a lot of external cameras. There must be some internal cameras. Maybe you work from your home office. Maybe you have got documents, client information, and bank account information that you want to protect.
[00:19:40] Dominic Bowen: And then my mind instantly went to, how does he monitor all that? That is a lot to monitor.
[00:19:44] Robert Siciliano: What might the general public say?
[00:19:46] Dominic Bowen: I think the general public would say, oh, he is crazy, he is overwhelmed, he is paranoid. And actually I have said that twice. I have done a few speaking gigs around Europe this week alone, and on both of those I used the line, good security is not about paranoia, it is about professionalism. But people see it as paranoia, and it is not. It is about professionalism.
[00:20:04] Robert Siciliano: So what is paranoia? And that is the most common answer that I get. The reality of it is that the medical community considers people who suffer from that awful disease to be overwhelmed with their own mind and body. They believe truly that others are out to get them.
[00:20:22] Robert Siciliano: And that is what paranoia actually is. But when we as a culture, when we as a species, for that matter, look at security, putting systems in place and managing and reducing risk, and we associate security in any way with paranoia, why would you ever want security in your life? You want nothing to do with security. So when I ask a question like, why do you not have a home security system?
[00:20:46] Robert Siciliano: And people say, well, I do not want to live like that. I do not want to have to worry. I do not want to be looking over my shoulder. I do not want to be paranoid. It is as if installing the hardware, installing the technology, is going to make you mentally ill. But that is a lot of people.
[00:21:01] Robert Siciliano: That is how most of your employees look at security.
[00:21:05] Dominic Bowen: It is quite interesting, the concept around what you are talking about with people putting their head in the sand, because I have always thought about preparedness, whether it was in the police force and they teach you how to fight. We do not want our police officers to fight, but they are taught how to fight so that, if the occasion comes when they need to, they have got that confidence. And it is the same with the military, or the same with, you know, 10 years ago, people who were preppers being considered freaks and paranoid.
[00:21:43] Dominic Bowen: Whereas nowadays, and certainly in Europe, and definitely in Sweden, if you do not have at least a month’s worth of food and water at home, you are considered irresponsible. So it has really flipped on its head now. And it is not because people are paranoid, but because there is a recognition that if you have an alarm system, and most people in Sweden have alarm systems, and most people would have a month’s worth of food and water in their home, it is not because they are paranoid, but because it means they do not have to worry.
[00:22:05] Dominic Bowen: They do not have to worry because they have got the alarm, the food, and the preparation in place. So I always find it quite interesting when people are like, oh, I do not even want to think about it. I feel like that is the time when you really do need to think about it.
[00:22:09] Robert Siciliano: Well, that is it. I find that Europe in general is a bit more advanced than over here in the West. We often have our head in the sand. We generally live in safe environments, and so we feel safe, and risk is not something we even want to think about. We kind of take it for granted.
[00:22:27] Robert Siciliano: In Israel, since the mid-1990s, their building codes have required by law that they build safe rooms made out of concrete because they live under threat. Security is a top-of-mind issue for them. The way that you and I think, military- and law-enforcement-wise, is what I consider a strategic human firewall. Over the past 30 years, I have developed this methodology that revolves around making humans tougher targets.
[00:22:54] Robert Siciliano: Just changing your behaviour ever so slightly. Any time you get a phone call, an email, or a text message, or even when you meet a human being, your radar is a little more in tune. You are looking for red flags. You can often tell almost immediately in a subject line or even the name of the person sending the email that something is off, and you think, yes, no, I am not going to engage, because you pay attention. Most people do not do that at all.
[00:23:21] Robert Siciliano: But you and I have what I call this strategic human firewall. I would say that maybe 5 to 10% of us walking around have that, but I would say 90-plus% truly do not. So the strategic human firewall is basically a mindset. It is a governance that is designed to block deception. It is a proactive governance that turns humans, employees, and citizens from passive targets, which most people are, into active detection layers.
[00:23:51] Robert Siciliano: They react to phone calls, emails, and text messages emotionally. The strategic human firewall moves them from passive targets into active detection layers. You are kind of looking for it. You see it coming down the pike, so to speak. You anticipate it to a degree. You do not worry about it, you are not in fear of it, but you just see it. Intellectually, you recognise it.
[00:24:10] Robert Siciliano: It is the shift from, pretty much, I trust what I see all the time, I give the benefit of the doubt, people are generally good, to I verify everything. I am paying that much more attention. Cognitively, I am aware of what is happening when my emotions might get involved in a phone call, an email, or a text message through manufactured urgency. And when you verify everything, you gain a higher level of what I call security appreciation. From my point of view, security awareness is dead.
[00:24:40] Robert Siciliano: Security appreciation is the shift from knowing, which is from your neck up, in your head, to appreciation, which is caring. It is truly from the heart up. To change minds, you need to change hearts. And so when employees appreciate how security protects their own lives, again, all security is personal.
[00:25:01] Robert Siciliano: Behaviour changes permanently. And I call this the security appreciation gap. It is that chasm between an employee’s intellectual understanding of risk, which again is awareness, and the emotional commitment to act on that knowledge, which is appreciation. And from that we get what I call the kitchen table effect. It is the multiplier effect, where successful training ends with the employee teaching those concepts to their family at home, cementing those lessons for life.
[00:25:36] Robert Siciliano: Try teaching phishing simulation training to your family around the kitchen table. It is not going to happen. But when you engage them in protecting their child’s digital footprint, their identity, managing their passcodes, how to easily set up two-factor authentication, and the basics of home and physical security, all of a sudden they are like, hey, I want more of this in my life. This is actually a good thing. And that is an easy thing to do once you understand what the human resistance to security is to begin with, and then how to break it down and challenge that person’s belief systems around what security is versus what it is not.
[00:26:16] Dominic Bowen: And Robert, I want to unpack that with you, but just first I will remind our listeners that if you prefer to watch your podcasts, the International Risk Podcast is always available on YouTube. So please do go to YouTube and search for the International Risk Podcast. And if you like our content, please subscribe and like it. This really is important for our success.
[00:26:38] Dominic Bowen: Now, Robert, what you were talking about is this belief that all security is personal. I think that is a really great way to get the message across. So what is it that people need to do better? What is it that you want them to learn? What are the top two or three things that you want people to really personalise and understand in order to protect their digital lives, to protect their families, and to protect their own identities?
[00:26:54] Robert Siciliano: Well, of course, our default to trust means that we are just sort of banging through life with phone calls, emails, and text messages, and then we just emotionally react and respond. Whereas I am saying, stop. Let us move around our understanding of security, as we have already discussed, and start to engage in the principles of recognising risk. Okay, what is the actual motivation of this phone call, email, or text message? What are they trying to accomplish?
[00:27:23] Robert Siciliano: Is this really who they say they are? Let us use out-of-band verification. Let us make a phone call. Let us actually knock on the office door of the person down the hall who supposedly sent me this text message or this email. Let us change the paradigm from automatically trusting all of our digital communications to saying, you know what, trust is overrated. Let us actually flesh this whole thing out.
[00:27:47] Robert Siciliano: And that does not really take all that much time. It is just a matter of cognitively understanding what makes me at risk, intellectually recognising what risk actually is, and doing something about it. Not worrying about these things, but putting basic strategies in place that are designed to reduce risk.
[00:28:04] Dominic Bowen: And the United Kingdom’s National Cyber Security Centre has assessed, unsurprisingly, that artificial intelligence has already made cyber intrusion much more effective and much more efficient as well, especially through social engineering. Now, when we are already seeing text, voice, tone, and authority replicated at scale, it really is quite frightening for many businesses and makes many people almost sigh and think, what can we do about this? And when we are seeing deepfakes, cloned voices, and these AI-written messages become so cheap and pervasive, and when things like invoice replication and falsified credentials are so much easier to do today, this means that trust becomes eroded.
[00:28:45] Dominic Bowen: So I would love to hear from you, with what you are seeing with companies, what you are seeing with people, and what you are doing with your training. What has AI actually changed in the last couple of years? What is genuinely new versus old-fashioned social engineering, just with a new AI label?
[00:29:00] Robert Siciliano: Obviously, for all the reasons that you said, it has stripped away all of the clumsy red flags of traditional fraud. In the past, as we know, criminals relied on blunt-force phishing, mass-blasting emails riddled with scammer grammar. Today AI allows for high-precision impersonation at scale. And now criminals are using what I call neural puppetry to create perfect lies. By scraping just seconds of audio or even a single photo from a person’s social media, they can use voice cloning to impersonate a trusted source like a spouse, a CEO, an attorney, a co-worker, or a politician.
[00:29:38] Robert Siciliano: At this point, I would argue with near-total accuracy. And what is worse is AI is normalising the dialogue to build rapport and exploit what I call the loneliness loophole. Number one, AI removes the manual labour of social engineering and allows a single predator to pilot thousands of digital puppets simultaneously, bypassing technical firewalls and hacking the human brain.
[00:30:09] Robert Siciliano: But it is that loneliness loophole that truly has me the most worried. I am sure you are fully aware of organised crime in certain parts of India and Southeast Asia, with compounds hundreds of acres in size and the use of victims of human trafficking as the actual perpetrators of these various crimes. The UN says there could be as many as 300,000 victims of human trafficking perpetrating fraud. They are the ones sending us the wrong-number text messages and so forth.
[00:30:36] Robert Siciliano: And what truly has me worried is that we are not even preparing our employees to effectively manage passwords and two-factor authentication and protect their own identities. And now we have got AI and deepfakes and voice cloning, which have already been effective in stealing millions and millions, even billions, of dollars. What happened in Hong Kong with the $25 million that was transferred by a CFO as a result of a Zoom call involving artificial-intelligence face overlay and spoofed emails is the boilerplate, the template, for the next level of fraud.
[00:31:15] Robert Siciliano: And then you have pig butchering. I am one of those people who gets called in by the wealth manager because his clients are getting hooked by these scams and liquidating their finances, refinancing their homes, and losing half a million or a million dollars because they are investing in cryptocurrency via a text message or an email, because they thought the person on the other end had their best interests in mind. And many of these people are lonely.
[00:31:47] Robert Siciliano: And that matters. It means something. Because 25% of all human beings on the planet right now are lonely. And what that truly means is that they are extremely vulnerable.
[00:32:03] Robert Siciliano: And when you are hungry, when you are thirsty, sometimes you get hangry. Sometimes when you are so hungry you will do anything just to fill that void. Well, people who experience the pain and ache of loneliness are exactly the same. They will do almost anything to rid their bodies of that pain. And bad actors know this. The organised criminals in Southeast Asia, that is their model, that is their template, that is what they are using against us.
[00:32:26] Robert Siciliano: Twenty-five per cent of your employees just want to connect with someone: phone call, email, text message. And those communications are designed to get access to that human who is vulnerable. This goes beyond what security is and is not. It is going after our biology.
[00:32:44] Robert Siciliano: I have been involved in these pig-butchering scams now for over a year and a half, and I have to tell you, the majority of them are not about romance. They are not even about flirtation, for that matter. I am literally in my kitchen going back and forth in text messages with Isla, who looks like a Russian model and is supposedly from Australia, born in Ireland, but is really a victim of human trafficking in Southeast Asia using the photo of a Russian model.
[00:33:19] Robert Siciliano: And all the dialogue back and forth between Isla and me starts first thing in the morning: Good morning, dear. How did you sleep last night? I slept well, she says, and I am meeting with my girlfriends later on this morning. What do you have going on today?
[00:33:35] Robert Siciliano: And then later on in the day, she sends me pictures of her with her girlfriends having lunch. And early evening, she says, hey, what are you having for dinner tonight? I am having this. And she sends me a picture of what she is eating that day. And that is all it is, back and forth, back and forth, back and forth. Why? Because if I am a lonely person and now Isla is communicating with me six, eight, ten times a day, what happens to my loneliness after a week? It dissipates.
[00:33:51] Robert Siciliano: Now my focus becomes Isla. And Isla is now the puppeteer and I am now the puppet. And I am going to do anything Isla says, because I no longer feel lonely. She satisfied that, she got rid of all that pain. It is recognising the risk of our biology, and that is what criminals are doing.
[00:34:10] Robert Siciliano: And phishing simulation training is not talking about any of that.
[00:34:13] Dominic Bowen: I think these are very real risks. In episode 288 we talked about human trafficking with Dr Lyudmila Bogdan. In episode 148 we talked about the international risks of human trafficking and people smuggling with Roy McComb. And in episode 145 we talked about transnational organised crime in Southeast Asia with Nathan Southern. And we talked about those farms where people are trafficked to.
[00:34:38] Dominic Bowen: And then they are sitting there all day talking to hundreds of people online. So please do go back and look at those episodes if you are interested in learning more about what human trafficking looks like in 2026. And Robert, I would love to, if we take it back to the geopolitical level, because I think that is really important. We see Vladimir Putin, Donald Trump, Xi Jinping, and Keir Starmer making big statements at the geopolitical level. Of course, right now we are seeing massive destruction in Iran and through the Gulf states because of the ongoing war there.
[00:35:17] Dominic Bowen: But those statements from our political leaders, and other countries’ political leaders, ultimately translate down to someone doing something. In many cases, that is a cyber attack or an attack involving personal information. And these serious threats and the social engineering techniques used by them are really showing up with state-linked activity. Google’s threat intelligence reporting has really highlighted how nation-state actors are using artificial intelligence and adaptive social engineering to get to people in order to breach the social contract and steal corporate information, and in many cases state information.
[00:36:09] Dominic Bowen: The FBI has also raised concerns that impersonation is being used to build rapport and move targets from where they are into channels where they feel more comfortable, or obliged, to share credentials and where access can be stolen. So what should business leaders listening to the podcast today do when they hear what you are talking about? Twenty-five per cent of employees are lonely. When we see these things at the geopolitical level, what does that mean for them when it comes to consumer fraud and corporate cyber risk today?
[00:36:19] Robert Siciliano: You know, it is going to sound so rudimentary and so simple. We need to get back to the basics, the absolute fundamentals. I might sound like a broken record here, and my apologies, but it is just treating security as personal. All of those world leaders, all of those people in charge, all of those CEOs and COOs, and all of those responsible for protecting our critical infrastructure, may not themselves truly believe in security.
[00:36:45] Robert Siciliano: Which means to me that some of the people who are in the game of security maybe are not properly protecting their own identities, do not even have a home security system, and are not doing the basics like changing all their passcodes. They probably should not be in the business of security to begin with because they are incongruent. Everybody, including you and me, has people in our lives who are at risk. We have got a dad who cannot stop clicking pop-ups, or a mum who cannot stop responding to text messages from her phone carrier saying she has to update her mobile phone, because she just thinks it is real.
[00:37:24] Robert Siciliano: We have all got these people in our lives who are at risk in that regard. And so when you frame it like that to the people who are in charge, and point out, do you have these same people in your life? And remind them that all of our people, all of our employees, and all of our organisations are filled with those same exact people who are at risk, who do not truly believe in security, and who resist security. Until we actually change the paradigm and change the conversation, we are going to continue to use basic compliance risk training, which is like putting a band-aid on an arterial bleed.
[00:38:15] Dominic Bowen: And Robert, maybe in just the last 30 seconds today, one question that we ask all guests on the International Risk Podcast is: when you look around the world, what are the international risks that concern you the most?
[00:38:26] Robert Siciliano: Well, of course, I am asked by my audiences all the time, who is winning the battle? Are the good guys winning or are the bad guys winning? I am asked that question every single time I present. And I tell them, plain and simple, the good guys are winning. And the reality of it is that in our country, I know we say teachers, law enforcement officers, firefighters, first responders, and nurses are all heroes, and they are.
[00:38:52] Robert Siciliano: But do you know who the heroes in my mind truly are? The CISOs and the tech executives. They are the unsung heroes. Without them, you and I would not enjoy the quality of life that we do. Because literally what the bad actors want is for our banking system to be wiped out, our energy grids to go down, and for us to be living in the dirt like it was the 1800s. They want us to be defeated in that regard. But the good guys, the tech executives, are the ones keeping the lights on.
[00:39:22] Robert Siciliano: What worries me is that they can only hold on for so long. With AI and deepfakes, unless we begin to change the paradigm, their backs are already up against the wall. They are already underfunded and underbudgeted. Unless they get what they actually need to bring true security appreciation training forward, I do not know how much longer our critical infrastructure is going to stay online. We are at a very critical point, and I am extremely concerned about that.
[00:39:51] Dominic Bowen: Yes, and for those people who do not monitor or do not look at this sort of news, in Sweden alone, and most people will realise that Sweden has a very advanced information-technology environment, it is very digitally native. Everything is done online. I do not receive any bills; everything is done on my phone.
[00:40:05] Dominic Bowen: And last year we had 164 communes, so that is basically local councils, paralysed by state-backed cyber activities. We also had four regions, which are similar to a state level, completely taken offline, as well as hospitals and wards. Similar things have happened in Norway and Denmark. The level of cyber attacks is just massive in Europe right now. Governments are doing a good job of keeping it quiet and responding quite quickly, but the level of attacks is huge.
[00:40:35] Dominic Bowen: And the US, of course, is not immune to it. You have had huge issues in Texas and elsewhere that have actually cost people their lives. So these risks are really real, Robert. So thanks for raising that.
[00:40:45] Robert Siciliano: Like I say, do not worry about any of this stuff. Just do something about it.
[00:40:48] Dominic Bowen: Do something about it. I think action is the best way to remove fear, definitely. Well, Robert, thank you very much for coming on the podcast today. I really appreciated the conversation.
[00:40:58] Robert Siciliano: Real quick, if anybody is looking for me, I am on all the socials. If you can spell Siciliano, I am easy to find on LinkedIn. Other than that, I am at ProtectNowLLC.com.
[00:41:07] Dominic Bowen: We will link to your LinkedIn and to ProtectNowLLC.com in the show notes below. Well, that was a great conversation with Robert Siciliano. I really appreciated hearing his thoughts about the human side of cyber risk, particularly how trust, routine, and small behaviours can really open the door to much larger security failures. Today’s podcast was produced and coordinated by Edward Penrose.
[00:41:33] Dominic Bowen: I am Dominic Bowen, your host. Thanks very much for listening. We will speak again in the next couple of days.