
Smarter Choices, Safer Outcomes: How AI-Driven Automation can Redefine Cybersecurity Decisions

By Martin Kraemer, security awareness advocate at KnowBe4

Decisions are a fundamental part of human nature. Every choice an individual makes shapes their actions and outcomes, whether at home or at work. Researchers suggest that individuals make an average of 35,000 decisions a day, which equates to roughly 2,000 decisions every waking hour. While many of these choices are routine, like deciding what to wear, eat, or watch, others may have more severe personal or collective repercussions.

It is undeniable that technology has introduced an element of complexity to every decision we make. Gartner highlights how technology users are inundated with information at an overwhelming pace, often with conflicting priorities. For example, they illustrate the pressure to share information with clients or business partners, balanced against the crucial need to protect sensitive data. But what happens when one of these decisions goes wrong?  

The Repercussions of Poor Cybersecurity Decisions 

In a business environment, the repercussions of poor cyber decisions can have a devastating impact on the entire organisation. Whether it’s clicking a phishing link, accidentally sending an email to an unauthorised recipient, or deliberately ignoring policy to exfiltrate data to a personal device – innocently or maliciously – every action poses a significant risk. Recent research shows that 46% of organisations affected by data loss or exfiltration due to employee actions (accidental or deliberate) suffered financial losses from customer churn, and in 75% of cases, the employee involved was disciplined or fired. 

However, the question remains: how can employers expect employees to make the right cyber decisions 100% of the time when they have 35,000 other things to think about? This doesn’t even account for the added stress of modern work, like checking emails from a mobile at the airport or rushing to meet tight deadlines. 

In these rushed or stressful situations, employees often default to what Daniel Kahneman coined Type 1 thinking, or ‘fast thinking’. This quick, reactive, and automatic mode puts people on autopilot, increasing the likelihood of errors. In contrast, Type 2 thinking is slower, more deliberate, and relies on conscious thought and intentional decision-making, leading to better outcomes. 

Cybersecurity decisions – whether made over email, on Teams or Slack, or during video calls – are far more effective when employees engage in Type 2 thinking. Even when employees are on the go or under pressure, organisations can implement strategies to encourage this more deliberate, thoughtful approach. 

Reducing Decision Fatigue Through Automation 

While the most obvious suggestion for meeting this need is relevant and timely coaching, combined with intelligent detection technology to catch sophisticated social engineering attacks, one thing an organisation must not underestimate is the power of automation within these tools. Clinical researcher Grant Pignatiello said one of the best ways to reduce decision fatigue, which pushes people into Type 1 decision-making, is for individuals and organisations to reduce, through automation, the number of choices they make each day.

So, what if we take this concept of automation and apply it to cybersecurity?  

Automation in cybersecurity decision-making offers a powerful way to reduce decision fatigue, enhance security outcomes and better support employees. By offloading repetitive or routine tasks onto intelligent systems, organisations can free their workforces to concentrate on decisions that truly require human judgment. For instance, AI-powered anti-phishing tools can detect and neutralise suspicious emails in real-time whilst intelligent Data Loss Prevention (DLP) tools and automated data classification systems can identify and protect sensitive files, ensuring information is shared only with authorised parties, reducing the risk of accidental data breaches. 

However, the promise of automation does not mean eliminating the human element. Automation works best when it augments human efforts rather than replacing them. Over-reliance on AI could lead to complacency or an unhealthy dependence on technology. That’s why balancing automation with employee education and human oversight is crucial. Employees still need training to recognise cyber risks and apply human judgment in situations where technology cannot assist. For example, this could include a social engineering attack over the phone or an unsolicited request for sensitive information.

Balancing Automation and Human Intuition for Smarter Security Decisions 

In a world where employees are constantly juggling countless decisions, it’s easy for them to slip back into Type 1 thinking, even in critical areas like cybersecurity. This presents a valuable opportunity for organisations to create environments where informed, deliberate decision-making becomes the norm. By thoughtfully integrating AI-driven automation and equipping employees with the right tools and training, organisations can reduce the cognitive burden, fostering security awareness and efficiency. 

This isn’t just about preventing the next breach; it’s about evolving into a smarter, more resilient organisation where technology supports human judgment. When automation and human insight work together, cybersecurity transforms from a challenge into a strategic advantage. It’s time to leverage automation not just for efficiency, but for empowering better decisions and building stronger security cultures.
