May 24, 2026
By Jane Frankland
I didn't expect to learn anything about cybersecurity last week from a dog.
I was fostering a rescue Podenco called Robbie. He’d arrived from Spain via a circuitous route — starvation as a hunting dog, abandoned and left as a stray, picked up by a farm household, a rescue centre with 37 other freely roaming Podencos, then another, shipped to the UK, three months in a foster home where he thrived, two weeks in a placement with a child before that where he didn't, and then 10 days in my house where he was variously affectionate, goofy, playful, terrified, attached, growling, and trying to work out whether anyone in it were safe.
Having grown up with rescue dogs as a child, taking one on three years ago, I spent the week reading his behaviour, managing my household, talking to the rescue, drafting documents for a behaviourist, and trying to keep everyone safe — my two adult children who live with me, my own dog, the foster dog, myself. By the end of the week, we made the call together with the rescue: the placement wasn't going to work. Robbie needed a different shape of home than ours. The structural mismatch was clear enough, and the safety risk to my family real enough, that continuing would have been kinder to nobody — least of all Robbie.
This piece isn't really about that decision, though I will come back to it. It's about something I noticed somewhere around day five, while reading the rescue coordinator's careful, evidence-based reframing of behaviours I had been describing in lay terms as "dominance" and "guarding."
I realised I was reading my own blog back at me.
The blog I’d published the previous week was about cybersecurity awareness. Specifically, about why fifty years of fear-based awareness programmes have failed, and why the behavioural science points consistently toward identity-based behaviour change instead.
The rescue was explaining the same thing to me. Just about a dog.
When humans encounter behaviour they don't want, whether in employees or in dogs, the instinct is the same. Correct it. Suppress it. Make the consequence unpleasant enough that the behaviour stops.
In dogs, this is the dominance-theory model — the most familiar of a family of punishment-based approaches still in widespread use. The dog growled, so you tell it off. It shows teeth, so you intimidate it. It pulls on the lead, so you correct it sharply. The premise is that the dog is making a calculated bid for status, and your job is to demonstrate that the cost of the behaviour is higher than the reward.
In humans, this is the fear-based awareness model. The employee clicked a phishing link, so you remediate them. They failed the security training so you don’t allow them to log in. They botched the simulation, so you escalate. The premise is that if the consequences are visible enough and unpleasant enough, the rational actor will recalculate.
Both models share the same fundamental flaw. They treat the visible behaviour as the problem to be fixed, rather than the symptom of an underlying state.
A dog growls because it is anxious, insecure, or guarding access to something it cannot afford to lose. Punishing the growl doesn't address the anxiety. It just removes the warning system. The dog still feels unsafe. Now it has just learned that growling gets it in trouble — so next time, it skips straight to the bite.
An employee clicks a phishing link because they were rushed, distracted, anxious about an unread inbox, frightened of looking incompetent, or simply tired.
The data backs this up. Recent research found that nearly 40% of phishing clicks come from people on email autopilot or rushing through crowded inboxes, and more than one in five employees who clicked don't even remember doing it. These are not careless people making rational mistakes. They are tired people operating in Kahneman's System 1 — fast, automatic, instinctive — because the conditions of modern work give them no time to engage System 2. Punishing the click doesn't address any of those states. It just teaches them that getting caught is the thing to avoid — so next time, they hide it.
Both responses produce the same outcome. Short-term suppression. Long-term reversion. And a degraded signal because the warning system has been punished out of existence.
I wrote last week about the behavioural foundations — Bem, Fogg, Ariely, Thaler, Clear — and why fifty years of research points away from fear and toward identity. What I didn't expect was to see all of it playing out, with a dog, in my own house, while I was still arguing for the same case in a professional context.
When you treat Robbie like a calm dog repeatedly — gentle handling, low-arousal environment, no corrections — he becomes calmer. That's the Pygmalion effect with four legs. Your expectations, transmitted through behaviour, shape what the other being becomes. Identity follows behaviour, behaviour follows identity, and the loop reinforces itself in either direction.
When you frame a dog as "a good dog" through tone, body language, and reinforcement, he behaves in ways that match the frame. That's Ariely's identity priming, with four legs.
When you change the environment so the right behaviour is the path of least resistance — a baby gate that removes a trigger, a solid door that prevents visual fixation, a houseline that lets you redirect without confrontation — you are doing exactly what Thaler called nudging. Not compromising with the problem. Making the safe behaviour the easy one.
And when you build trust and regulation in a dysregulated dog over time, rather than trying to extinguish the visible behaviour, you are doing what Clear means by identity-based change. You are not stopping the bad thing. You are building the underlying state in which the bad thing is less likely to fire.
Same science. Different species. Same conclusion.
Robbie showed teeth multiple times at my son. He growled at my daughter and other son. He redirected anxiety onto whoever happened to be nearest when he couldn't reach me. He had, in lay terms, behaved badly.
The rescue's reframing, which I came to genuinely accept, was that none of these behaviours were bids for status. They were stress responses. They were the symptoms of a dog whose nervous system had been dysregulated by years of upheaval, and who was, in his own way, asking us to help him feel safe.
If I had told him off when he growled — the dominance-model response — I would not have fixed anything. I would just have taught him that the growl gets him in trouble. He would still have felt unsafe. He would just have learned to escalate without warning.
And here is where I sat with my coffee on day five and realised what I had been writing about all along.
The phishing simulation is the dominance model applied to humans!
We frighten employees with vivid threats. We catch the ones who click. We remediate them. We treat the visible behaviour — the click — as the thing to suppress. We do not address the underlying state — the rushed inbox, the cognitive load, the fear of looking incompetent, the absence of psychological safety to ask for help.
So what happens? The employee who clicks the phishing link learns the same thing the punished dog learns. Don't let them see it. They become better at hiding the mistakes, not better at avoiding them.
And this matters more now than it did even a year ago. AI-generated phishing now accounts for more than 80% of what employees actually receive, and click-through rates on AI-written lures run roughly four to five times higher than on traditional ones. The grammar tells are gone. The mismatched-domain heuristics are eroding. Attackers can clone a CFO's voice from thirty seconds of a podcast and run a deepfake video call convincingly enough to authorise a wire transfer. The "train them to spot it" model was already weak. It is now structurally broken. Which means the warning signals you still have — the report, the near-miss, the "this felt off, can someone check it" — have gone from being useful to being the primary defensive signal you have left.
The reported phishing attempt is the canine equivalent of the warning growl.
It is the early signal that something is wrong and that the system has a chance to respond before the real damage happens. If you punish the report through embarrassment, through remediation that feels like correction, through public shaming of click rates, you teach the workforce to suppress the signal. You don't get fewer phishing victims. You get the same number, plus less information about them, plus the loss of every near-miss that would have helped you understand your threat landscape.
A workforce that hides phishing clicks is a workforce that has been taught to skip the growl and go straight to the bite.
If the model is the same in both, the solution is the same too.
You don't change a frightened dog by frightening it more. You change a frightened dog by addressing the conditions that frighten it. Removing the triggers where you can. Building trust where you can. Helping the dog feel safe enough that the defensive behaviours don't need to fire.
And here is where the cybersecurity conversation needs to flip on its head.
For decades, the industry has treated employees as the weakest link. The human risk. The unpatched vulnerability between the keyboard and the chair. Every awareness statistic, every click-rate dashboard, every breach post-mortem has reinforced the same framing: people are the problem.
They are not the problem. They are the largest, most distributed, most context-aware sensor network the organisation has. Every employee sees things the technical controls cannot see. They notice the email that doesn't sound right because they actually know the sender. They feel the wrongness of the request because they understand the business context. They are the only defence that can catch the deepfake CFO on the Zoom call, because they are the only defence that can ask the question the deepfake cannot answer.
This isn't a case of humans versus tech. It's a case of humans and tech catching different things, and against AI-driven attacks you need both — with humans firmly in the loop.
The technical stack does work no human can do at scale. It filters, sandboxes, blocks known patterns, flags anomalies, and processes volumes of traffic no person could ever read. It is necessary. It is not sufficient. AI-driven phishing has already broken most of the heuristics filters used to rely on, which means more will get through than used to. What catches what gets through is the human ability to notice that something feels off, to pause, and to surface it.
The technical stack will not save you on its own. It is a safety net underneath the human layer, not a replacement for it. The defence that actually works in 2026 is leadership that builds the culture, culture that builds the collaboration, collaboration that surfaces and reduces the threat — with the tech doing the filtering work at scale beneath all of that. Strip out the human layers and the stack is catching less and less of what matters. Strip out the stack and the human layer is drowning in volume. You need both.
That partnership is your cyber shield. And the human side of it — the side that actually does the catching when AI-driven attacks slip past the filters — is only as strong as the conditions you build around it.
People become cyber ambassadors — actively protective of the organisation, alert to threats, willing to surface near-misses — when leadership creates the conditions for it. That is the difference between a workforce that is your weakest link and a workforce that is your strongest one. It is not a difference of headcount, budget, or tooling. It is a difference of identity, regulation, environment, and trust — the same four levers that worked with Robbie, applied at organisational scale.
In both cases, the leadership move is to stop treating the visible behaviour as the problem and start treating it as the symptom.
In both cases, the test of whether you've got it right is not whether warning signals are going up or down on their own. It's the relationship between two different signals. Are the reports, the questions, the near-misses, the "this felt off" messages going up? And are the actual incidents — the successful clicks, the breaches, the things that escalated because nobody told anyone — going down or holding steady against a rising threat baseline? If reports are up and incidents are down, the system is healthy: people feel safe enough to surface things, and the surfacing is preventing the bad outcomes. If reports are down and incidents are up, you have not solved the problem. You have just suppressed the signal — and the suppression is making you blind to a worsening situation.
The same applies to Robbie. A dog who growls more isn't necessarily a healthier dog. A dog who growls before he bites, and bites less often over time, is. Two signals, both moving in the right direction.
A few other parallels I noticed, almost in passing.
The bonded human matters more than the briefing. Robbie bonded to me. He would have eventually tolerated and possibly bonded with my adult children — but only if my behaviour towards them, in his presence, modelled that they were safe people. He was reading me before he was reading them. In a workforce, the same principle holds. The CEO's posture towards cybersecurity — the visible signals about whether the cybersecurity team is welcomed or tolerated, whether reports are celebrated or punished, whether the function is part of the leadership or below it — shapes whether the rest of the organisation can build trust with the security function. The bonded human is the culture.
Suppression masks the problem and worsens it. If I had shouted at Robbie when he growled at my son, my son would have been no safer. The dog would just have been better at hiding the trigger. If a CISO is pressured to make the dashboard greener than it is, the board is no safer. The CISO is just better at hiding the risk. In both cases, suppression of the warning signal feels like progress and is actually the opposite.
The structural fit matters as much as the technique. This was the hardest lesson, and the one I lived in real time. Some rescue dogs need a single-person home. Some employees need a different role than the one they were hired into. Some cybersecurity cultures need a different leadership team than the one they currently have. No amount of skilled management will fix a structural mismatch — and the kind thing to do, in any of those situations, is to name the mismatch rather than persist with a fix that cannot work. Robbie didn't need our household to try harder. He needed a different household. Naming that was the kindest thing we could do for him.
The honest conversation is the start of the change. I spent the week being more honest with the rescue, my household, my friends, and myself than would have been comfortable a week earlier. About what I was seeing. About what I wasn't sure I could manage. About where the lines were. I shed a lot of tears in the process too. The rescue's response to that honesty was better than the response would have been if I had performed competence. The same is true in any leadership conversation. The first uncomfortable, truthful exchange is almost always the one that unlocks everything that follows.
We made the call to end Robbie's placement at the end of week one. My heart is filled with sadness. We know Robbie is not a bad dog, has much love to give, and can work through these issues with the right support. He is a sweet, loving, playful dog who will thrive in the right home — I'd wager a primary bonded human, ideally on their own or with a single adult partner, no other adults routinely approaching him at rest, and a settled older dog he can anchor to. That home exists, and the rescue will find it.
The kind thing for him was not to keep him here longer, hoping the behavioural pattern would soften. The kind thing was to read the signals he was clearly giving, name what he needed honestly, and let him move on to a placement – thankfully back to his previous foster home – where his nervous system can settle in a household that actually fits him. The behavioural history he generated in a week with us, if shared, will help his next carer skip the learning curve we just went through.
What the week reminded me is that the science behind how we change behaviour — in dogs, in humans, in organisations — is consistent. The methods that work are the methods that respect the underlying state of the being whose behaviour we are trying to change. The methods that fail are the methods that try to bypass that state through fear or force.
The cybersecurity industry has spent decades trying to bypass that state. To fix the symptom and not the underlying problem. The dog training world has spent decades unlearning the same instinct. Both are arriving at the same conclusion, in different language, from different directions.
Identity, regulation, environment, trust. These are the levers that work — for the anxious foster dog who briefly shared my sofa, and for the anxious workforce in front of your next phishing simulation.
The job of leadership, in both contexts, is to stop reaching for the easier lever of fear and start doing the harder, slower, more honest work of building the underlying state in which the right behaviour becomes natural.
Two questions, pick whichever one you have something to say about.
What does it look like when leadership gets this right? If you've worked somewhere that treated security as a partnership rather than a policing function, what did that feel like in practice?
And where else have you seen this pattern — punishing the symptom rather than addressing the underlying state? It shows up in dogs and in security awareness, but I suspect it's everywhere once you start looking.
I work with cybersecurity brands as an advisor and advocate, helping them strategically build trust, credibility, and engagement in the market. If you're trying to be the kind of brand the cybersecurity community actually respects — and chooses — I'd love to hear from you.
related posts:
I’ve been noticing something for a while. Fear-based security presentations change one thing reliably — the budget. Everything else stays exactly the same. I’ve seen it in boardrooms where the threat landscape briefing produced budget approval and cultural indifference. I’ve seen it in security awareness sessions where the phishing video produced genuine shock and identical
Read MoreBank holiday Monday, last week. A day I’d mentally reserved for the garden and the slow, unhurried thinking time that rarely survives contact with a normal working week. I was pulling weeds. Not thinking about anything in particular, aside from the new dog I’m about to foster. And then, somewhere between the fading bluebells and
Read MoreThere’s a particular kind of irony that only becomes visible in hindsight. I wrote about the failure to connect signals in time. And then I experienced it. The idea had been building for years, drawn from decades of watching cyber and fraud teams operate in parallel worlds, each seeing fragments of the same attack, nobody
Read More