The security paradox: why our brains reject digital safety

Why your brain hates MFA (and how to trick it)

It’s not just laziness. It’s biology.

We all know we should enable Multi-Factor Authentication (MFA). It is the single most effective step to prevent 99.9% of account hacks. Yet, recent data suggests that 65% of Small and Medium Enterprises (SMEs) still don’t use it, and consumer adoption rates remain dangerously low.

Why? Are we lazy? Careless?

The answer is more complex. It turns out that the human operating system, your psychology, is actively fighting against your digital operating system.

Here is the science behind why we leave the digital front door unlocked, and how we can fix it.

The “Optimism Bias” (The Invisible Shield)

The biggest reason SMEs and consumers ignore MFA isn’t a lack of technical skill; it’s a cognitive glitch known as Optimism Bias.

Research by neuroscientist Dr. Tali Sharot has shown that humans are hardwired to overestimate the likelihood of positive events and underestimate the likelihood of negative ones. When you hear about a massive data breach, your brain subconsciously whispers, “That happens to other people. My bakery/consultancy/personal email isn’t a target.”

For an SME owner, this bias is deadly. You believe you are “too small to target,” when in reality, automated bots don’t care about your revenue size—they care about your vulnerability.

Cognitive Load Theory (The “Brain Tax”)

In the 1980s, educational psychologist John Sweller developed Cognitive Load Theory, which explains that our working memory has a finite capacity.

Every time you log in, you are performing a task.

  • Username + Password: This is a learned habit. It requires low cognitive effort (System 1 thinking).
  • MFA Prompt: This interrupts the flow. It forces you to switch tasks, find your phone, read a code, and type it in. This spikes your cognitive load (System 2 thinking).

To a security professional, it’s “just 5 seconds.” To the user’s brain, it is a “friction tax.” When you multiply that tax by the dozens of apps we access daily, the brain screams “STOP.” We naturally seek the path of least resistance, even if that path leads to a security breach.

Hyperbolic Discounting (The “Now” Trap)

This is a fancy term for Present Bias. We value immediate rewards (saving 10 seconds right now) much more than future rewards (not getting hacked next year).

The “pain” of activating MFA is immediate. The “reward” of security is abstract, distant, and invisible. Evolution taught us to prioritize the immediate threat or reward. Unfortunately, cybersecurity threats are rarely immediate—until it’s too late.

The SME “Complexity Myth”

For business owners, there is an added layer of psychological resistance: The Paradox of Choice.

The market is flooded with options: SMS, Authenticator Apps, Hardware Keys, Biometrics, Push Notifications. Faced with too many choices and a fear of “locking employees out,” business owners freeze. This is Decision Paralysis. They choose the default option: doing nothing.

How to Hack Your Own Psychology

Understanding these barriers allows us to bypass them. We don’t need to “try harder”; we need to design better.

Lower the Friction (Kill the Code)

Stop using 6-digit SMS codes. They are high-friction and psychologically taxing.

  • Switch to “Number Matching” or “Push” notifications: It’s easier to tap “Yes” than to type “482 931”.
  • Use Biometrics: FaceID or Fingerprint scanners rely on who you are, not what you do, effectively reducing cognitive load to near zero.
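To make the “Number Matching” option concrete, here is an added example (not code from the original article, and not any vendor’s implementation) of the server side of a number-matching prompt: the login page shows the user a two-digit number, the phone receives a push with three candidate numbers, and the server only accepts the sign-in if the tapped number equals the one on screen. A plain “tap Yes” push approves whatever prompt is pending; number matching ties the approval to the screen the user is actually looking at, which is what makes it safer for the same one-tap effort. The challenge lifetime, the two-digit range and the three-choice layout are assumptions chosen for the illustration.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumption for this example: a prompt that is not answered within a minute is discarded.
CHALLENGE_TTL_SECONDS = 60


@dataclass
class Challenge:
    user: str
    expected: str        # the two-digit number displayed on the login screen
    choices: list        # the numbers offered on the phone; exactly one is `expected`
    created_at: float
    used: bool = False


class NumberMatchingMFA:
    """Hypothetical server-side state for number-matching push prompts."""

    def __init__(self, ttl=CHALLENGE_TTL_SECONDS, now=time.time):
        self._ttl = ttl
        self._now = now          # injectable clock so expiry can be tested deterministically
        self._pending = {}       # challenge_id -> Challenge

    def start(self, user):
        """Begin a prompt.

        Returns (challenge_id, number_for_login_screen, numbers_for_phone).
        The login page shows `number_for_login_screen`; the push to the phone
        carries `numbers_for_phone`, and the user taps the one that matches.
        """
        expected = f"{secrets.randbelow(100):02d}"
        decoys = set()
        while len(decoys) < 2:
            candidate = f"{secrets.randbelow(100):02d}"
            if candidate != expected:
                decoys.add(candidate)
        choices = [expected, *decoys]
        secrets.SystemRandom().shuffle(choices)
        challenge_id = secrets.token_urlsafe(16)
        self._pending[challenge_id] = Challenge(user, expected, choices, self._now())
        return challenge_id, expected, choices

    def verify(self, challenge_id, user, tapped):
        """Accept the sign-in only if the number tapped on the phone matches the screen.

        Every failure path returns False: unknown or already-used challenge,
        challenge belonging to a different user, expired challenge, or a
        tapped number that is not the one shown on the login page.
        """
        challenge = self._pending.get(challenge_id)
        if challenge is None or challenge.used or challenge.user != user:
            return False
        if self._now() - challenge.created_at > self._ttl:
            del self._pending[challenge_id]       # stale prompt: drop it, do not accept it
            return False
        challenge.used = True                     # single use, whatever the outcome
        del self._pending[challenge_id]
        # constant-time comparison; `tapped` comes from the device, not from the screen
        return hmac.compare_digest(challenge.expected, str(tapped))


if __name__ == "__main__":
    mfa = NumberMatchingMFA()
    cid, on_screen, on_phone = mfa.start("alice")
    print(f"login page shows {on_screen}, phone offers {on_phone}")
    print("correct tap accepted:", mfa.verify(cid, "alice", on_screen))
    print("replay of same prompt rejected:", mfa.verify(cid, "alice", on_screen))
```

The user effort is a single tap, the same as a plain “Yes” prompt, but a tap on a prompt the user did not initiate has only a one-in-three chance of matching, and the prompt is consumed either way, so an approval cannot be reused.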

Reframe the “Optimism”

If you run a business, stop asking “Will we get hacked?” and start asking “When we get hacked, how much will it cost?” Shifting from probability (which we are bad at judging) to consequence (which we fear) can override optimism bias.

Use the “Default Effect”

If you are an admin, don’t ask employees to “opt-in” to MFA. Enforce it by default. People rarely change default settings. Make security the path of least resistance.

The Bottom Line

Not activating MFA isn’t a sign of stupidity; it’s a sign of humanity. We are fighting millions of years of evolutionary programming that prizes speed and convenience.

But now that you know the glitch exists, you can patch it.

Stay secure...