MSP Cybersecurity: Psychology vs. Traditional Training with Craig Taylor

The discussion highlights the limitations of traditional cybersecurity training methods, emphasizing that a psychology-informed approach with positive reinforcement is crucial for developing genuine cyber literacy within organizations. Traditional "gotcha" tactics, such as fake phishing tests, are shown to be ineffective and can even lead to increased clicks, according to research from the University of Zurich and Black Hat. This approach risks creating a false sense of security without genuinely improving user behavior.

Craig Taylor, CEO of Cyberhoot, advocates for a positive reinforcement model rooted in operant conditioning principles, where rewarded behaviors are repeated and internalized. This strategy is implemented through gamified modules, such as interactive "Hootfish" exercises that guide users in identifying threats with in-moment assistance. Progress is tracked via avatars that mature with learning, and an anonymous company leaderboard encourages engagement, particularly motivating management to complete assignments. These elements aim to foster intrinsic motivation for security best practices rather than relying on external pressure or punishment.

The conversation also delves into the challenges of measuring security progress, noting that traditional phishing tests often fail to capture a complete picture of an organization's security posture, particularly with C-suite employees who may not engage with such tests. The episode touches upon the complexities of evolving cybersecurity threats, including AI-powered personalized attacks, and the inherent difficulties in relying solely on human training against sophisticated adversaries. Furthermore, the discussion addresses the lack of accountability for cybersecurity vendors with faulty software, contrasting it with product liability in other industries, and the debate around the absence of consistent federal regulations for AI and data privacy in the US compared to Europe's GDPR.

For MSPs and IT service leaders, this episode underscores the need to adopt more effective, psychology-driven security awareness programs that focus on positive reinforcement and intrinsic motivation. It highlights the limitations of purely technical or punitive cybersecurity measures and emphasizes the importance of a comprehensive strategy that combines user education with robust technical defenses. The discussion also serves as a reminder for MSPs to critically evaluate vendor security practices and to advocate for stronger accountability and clearer regulatory frameworks to protect client data and services.

💼 All Our Sponsors

Support the vendors who support the show:

👉 https://businessof.tech/sponsors/

🚀 Join Business of Tech Plus

Get exclusive access to investigative reports, vendor analysis, leadership briefings, and more.

👉 https://businessof.tech/plus

🎧 Subscribe to the Business of Tech

Want the show on your favorite podcast app or prefer the written versions of each story?

📲 https://www.businessof.tech/subscribe

📰 Story Links & Sources

Looking for the links from today’s stories?

Every episode script — with full source links — is posted at:

🌐 https://www.businessof.tech

🎙 Want to Be a Guest?

Pitch your story or appear on Business of Tech: Daily 10-Minute IT Services Insights:

💬 https://www.podmatch.com/hostdetailpreview/businessoftech

🔗 Follow Business of Tech

LinkedIn: