This informal CPD article ‘How Normal Behaviour Is Used in Cyber Attacks’ was provided by SmartSec Academy, an independent cybersecurity awareness and professional development provider focused on improving human decision-making in digital environments.
Most people don’t expect to be part of a cyber incident. Not because they don’t care, but often because nothing about the situation feels unusual. The message looks familiar. The request makes sense. It fits into the day. That’s usually enough.
Why “Normal” Is the Key Factor
Many cyber-attacks don’t rely on breaking systems. They rely on fitting in. An email that looks like it came from a colleague. A request that feels routine. A message that arrives at the right moment. There is no obvious signal that something is wrong, and that absence of a signal is what makes these situations effective.
Research and incident reporting show that attackers often rely on phishing and similar techniques that depend on human interaction rather than on a technical exploit [1][2]. But that interaction doesn’t happen by accident. It is shaped.
How Behaviour Is Used
Attackers pay attention to how people work. They understand that most decisions are made quickly, often under time pressure or as part of a routine, and they design messages to match that environment.
Sometimes the lever is urgency: a deadline, a delayed payment, a missed step. Sometimes it is authority: a request from a manager, a finance approval, a system notice. Often there is nothing unusual at all, just a normal-looking message that doesn’t stand out. That’s the point. The goal is not to create suspicion. The goal is to avoid it.
Why It Often Feels Reasonable
From the outside, these incidents can look obvious. From the inside, they rarely are. The message fits. The timing makes sense. The action feels small: clicking a link, opening a file, replying to a request. In the moment, it feels like part of the job.
Guidance from organisations such as ENISA and the UK National Cyber Security Centre highlights how attackers design messages to appear legitimate and reduce suspicion [3][4]. The gap between how a message looks in hindsight and how it feels in the moment is where most of the risk sits.
A Practical Perspective
This is why awareness is not just about knowing rules. People already know they shouldn’t click suspicious links. The problem is that many situations do not look suspicious. They look normal.
That is why improving decision-making matters more than simply adding more information. It is not about recognising every possible threat. It is about pausing, even when something appears routine, and confirming an unexpected request through a channel the message itself did not supply, such as a known phone number or an existing conversation, before acting on it.
Conclusion
Cybersecurity is often discussed in terms of systems, controls and tools. But in practice, many incidents depend on something much simpler: a message that fits in, a moment that feels ordinary, a decision that seems reasonable at the time. Understanding that is the first step towards addressing the problem more realistically.
We hope this article was helpful. For more information from SmartSec Academy, please visit their CPD Member Directory page. Alternatively, you can go to the CPD Industry Hubs for more articles, courses and events relevant to your Continuing Professional Development requirements.
References
[1] Verizon, Data Breach Investigations Report (DBIR)
https://www.verizon.com/business/resources/reports/dbir/
[2] UK Government, Cyber Security Breaches Survey
https://www.gov.uk/government/collections/cyber-security-breaches-survey
[3] ENISA, European Union Agency for Cybersecurity
https://www.enisa.europa.eu
[4] National Cyber Security Centre (UK), Phishing Guidance
https://www.ncsc.gov.uk/guidance/phishing