HockeyStick Show
Why Cybersecurity Training Matters, with Craig Taylor - HS#44


Welcome to Episode 44 of The Hockey Stick Show! I'm your host, Miko Pawlikowski, and today I’m diving deep into the fascinating crossroads of cybersecurity and psychology with Craig Taylor — a 25-year veteran of the security world, founder of cybersecurity education company CyberHoot, and someone with a background in behavioral science.

We explored what actually drives human behavior in cybersecurity, why most training fails, and how slot machines, shock collars, and America's Got Talent can all teach us something about protecting digital lives.

Slot Machines and Cybersecurity: What’s the Connection?

I kicked things off by asking Craig a fun but pointed question: what do slot machines have to do with cybersecurity?

Turns out, quite a lot.

Craig explained that slot machines use the most powerful behavioral reinforcement schedule known to psychology: intermittent (variable-ratio) rewards. It’s what makes them addictive: you never know which pull is going to win, so you keep going. Sound familiar? Attackers exploit the same principle with phishing emails and social engineering. Most of what lands in your inbox is routine, so there is always a small chance this one is real, or safe, or maybe even necessary to click, and that uncertainty is exactly what keeps people clicking.

His point: If hackers are using behavioral science to attack people, shouldn’t we be using it to defend them?

Rewards Work Better Than Punishment

One of Craig's strongest arguments was that the security industry relies too heavily on punishment — think "three-strikes-and-you're-fired" for clicking phishing emails. But this is outdated and ineffective.

Using real-world analogies (and a very vivid comparison involving shock collars and invisible fences), Craig broke down the differences between:

  • Positive Reinforcement: Rewarding good behavior so it sticks. Think certificates, recognition, or gamification.

  • Negative Reinforcement: Removing something unpleasant when the right action is taken — like your seatbelt dinging until you buckle up.

  • Punishment: Applying an unpleasant consequence after bad behavior — like zapping a dog every time it crosses a line.

The best path forward? Use psychology to build habits, not fear. Like giving your employees treats (metaphorically speaking) instead of punishments.

Why Psychology Belongs in Cybersecurity

Craig’s background in psychology isn’t just a cool origin story — it’s a competitive edge. He’s used those skills to lead security programs for Fortune 500 companies, framing secure behaviors in a way that makes teams want to comply — not because they were forced to, but because they were convinced it's their own idea.

It’s not about “locking everything down” after a breach — it’s about getting involved early and collaboratively to prevent issues in the first place.

What’s Actually Causing Breaches?

You might imagine hackers furiously typing code like in the movies. In reality, Craig’s ranking of what actually causes breaches is far less cinematic:

  • #1 cause of breaches for the last 20 years: Phishing.

  • #2: Bad password hygiene (reused, weak, or leaked passwords).

From AI-driven phishing attacks to nation-state actors lurking inside U.S. telecom networks, the threats are evolving — but most of them still rely on human error. That’s why education and behavior change are more important than ever.

The Problem With Credit Monitoring (And the Better Alternative)

We also talked about breach fatigue — the idea that everyone’s data has already been leaked at this point, so why care?

Craig had a perfect analogy: credit monitoring is like living next to a fire station. It doesn’t stop your house from catching fire; it just means someone will be there after the damage is done.

Instead, he recommends freezing your credit at all major (and lesser-known) bureaus to prevent identity theft in the first place. In his words: “Don’t monitor the fire — fireproof your house.” A freeze blocks new credit checks in your name, so a thief can’t open accounts with your stolen data; you temporarily lift it yourself when you apply for a loan or card. In the U.S., the three major bureaus (Equifax, Experian and TransUnion) have been required to offer freezes free of charge since 2018.

Cyber Literacy Is the Future

Craig coined a term I think we should all get behind: cyber literacy.

It’s not just knowing how to use a computer — it’s understanding phishing, password security, MFA, and how social engineering works. Most schools and workplaces teach computer literacy, but not cyber literacy — and that’s the gap we need to close.

Final Thoughts

This episode left me thinking about how much we could improve security if we just… stopped punishing people and started teaching them. And more importantly, started rewarding them for doing the right things.

Craig’s biggest takeaway? Security works better when it’s built on psychology and compassion.

You can find more of Craig’s work at CyberHoot.com.

Thanks for tuning in, and if you liked this conversation, share it with a friend — and maybe your company’s IT team. They’ll thank you later.

Stay safe. Stay smart. And don’t click suspicious links.
Until next time,
—Miko
