Domain: Cybercrime | Arc: Human Cost | Theme: The wider costs of cybercrime
The call comes on a Tuesday afternoon. The voice is calm, professional, reassuring. It knows the name of the bank. It knows the last transaction — the amount, the date, the payee. It knows the home address. It uses the name, the full name, the one that does not appear on social media. Sam has been careful about that.
The caller explains there has been suspicious activity. The account is at risk. There is a procedure. Sam follows the procedure. Forty minutes later, the line goes dead, and so does the account.
The first call Sam makes is to the bank. The second is to family. The response, calm at first, a version of the same question the bank asked: how did you not know? Then less so — you gave them everything. The implication settles in the room and stays there.
This is the second crime. It arrives without a perpetrator and without a name, and it does far more lasting damage than the first.
The doctrine has a name inside the security industry, though you would not know it from the way it is sold. The Human Firewall. The idea is straightforward: because technology cannot stop every attack, people must become the first & last line of defence. Train them. Test them. Send them simulated phishing emails. Run quarterly awareness sessions. Make the individual responsible for their own digital safety, and the safety of every organisation they belong to.
It is not a bad idea. It is, in some respects, a necessary one. The problem is what it does quietly while presenting itself as empowerment.
When the defence fails, and it will, because it always does eventually, the doctrine has already written the verdict. The firewall failed. The human failed. The implicit corollary is unavoidable: the human should have been better. Should have known. Should have spotted it. The breach becomes, in the unspoken logic of this framing, a personal failing rather than a systemic one.
We built a system that is easy to exploit and then we call the person who was exploited foolish.
The call Sam received was not the work of an amateur. The criminal knew the bank, the account details, the home address. That information did not come from carelessness. It came from a data breach at an institution Sam had no control over, combined with information scraped from sources they had no visibility of, assembled by people whose operational sophistication would be recognised as professional competence in any legitimate field.
The attacker had time, information, and rehearsed technique. Sam had forty minutes and a Tuesday afternoon. The encounter was not a fair test of awareness. It was a designed asymmetry, engineered to produce one result.
Security awareness training is built for a different encounter. It assumes a person sitting at a desk, in a stable emotional state, with time to reflect. It does not account for a voice that knows things only a bank should know, or for the very specific human response to apparent authority combined with apparent urgency. These are not oversights in the criminal’s approach. They are the methodology.
Cognitive load research has a term for what happens to human decision-making under those conditions - Cognitive Tunneling (sometimes referred to as Cognitive Lock-in or Task Saturation). The capacity to evaluate, to pause, to apply learned heuristics collapses under the weight of real-time pressure and social cues that all point in one direction. The awareness training that was supposed to protect Sam was designed for a person who no longer exists in that moment.
The scale of what this costs is rarely counted in the terms that matter most. UK Finance reported over £1.1 billion lost to fraud in a single year — but that figure captures the financial loss. It does not capture the shame. It does not capture the family dinner that is now never quite the same. It does not count the person who stops answering unknown numbers, who no longer manages their own accounts, who absorbs the verdict that was handed down in a Tuesday afternoon conversation and carries it forward as a settled fact about their own competence.
Digital shame has a particular texture in this context. It is not the embarrassment of not knowing how to use an app. It is the shame of having been deceived, of having, in the eyes of those closest to you, failed at something basic. The criminal exploited professional techniques honed across thousands of similar calls. The verdict delivered by the people who love Sam does not acknowledge this. The verdict says: you should have known.
The organisations whose systems made the attack possible are invisible in this accounting. The institution whose breach provided the account details. The data broker whose aggregation made the targeting possible. The bank whose authentication process created the gap. None of them are in the room on Tuesday afternoon. None of them hear the question.
The question worth asking is not whether Sam should have been more vigilant. It is whether the system there were navigating was ever designed with them in mind.
The Human Firewall doctrine, held against an Assistive standard, largely fails. It is designed for an average user in average circumstances. The criminal does not attack average users in average circumstances. The attack is calibrated to the individual, timed for the moment of maximum vulnerability, and built on information the individual did not know was available. The training does not assist a person navigating that reality. It assists the organisation in documenting that it tried.
Against an Augmentive standard, the picture is no clearer. Quarterly phishing simulations add anxiety. They do not add capability in the moment that matters. The gap between a controlled exercise and a live attack, the one built on real account details, delivered by a professional, timed to a Tuesday afternoon, is precisely the gap that a professional criminal operates in.
And against an Adaptive standard, the doctrine fails entirely. The standard security brief does not adapt to who is receiving it — their age, their circumstances, the specific threats relevant to their situation, or their state of mind on the day the attack arrives. The human firewall is built the same for everyone. The criminal builds the attack for one person.
None of this removes the value of awareness entirely. People who understand how these approaches work are less likely to comply under pressure, more likely to pause, more likely to call back on a number they already hold. That matters.
But the distribution of responsibility that the Human Firewall doctrine produces is worth examining carefully. When every training programme, every awareness campaign, every post-incident debrief places the weight on the individual, the organisations whose systems were breached, whose data was harvested, whose design made the attack possible, they remain invisible in the accounting.
Sam’s bank details were not taken by Sam. They were taken from somewhere else, by someone else, and used against Sam. The response to that sequence — the family’s question, the unstated verdict — asks Sam to have defended against something they were never told was coming, using tools they were never given, in a moment they had no preparation for.
That is not a failure of awareness. It is a failure of the systems that made the attack possible and the culture that made the victim responsible for surviving it.
NOW WHAT?
This isn’t abstract, it’s happening all the time and only getting more sophisticated as technology evolves - especially AI and the realism now available in generated voice and image capabilities. Ask around and you won’t have to look far before you find someone who has a story. So ask yourself:
Has something like this happened to you, or to someone close to you? What was the first reaction from the people around you/them?
If the criminal is professional and the victim is ordinary, is ‘you should have known’ a fair response?
What would genuine support for a digital crime victim look like and why doesn’t it exist yet?
Is ‘security awareness’ a solution or a way of making the problem the individual’s responsibility rather than the system’s?
The challenge we have is the criminals operate at the speed of technology as they have no moral restrictions or controlling governance. On the other side we operate at the speed of consequence, policy, laws, governance, and process authority. We unfortunately live in a cyber world that is more reactive than responsive.
A note on Sam
Sam is a fictional character. Their story is drawn from a combination of professional observation and personal proximity to real events. The experiences described are real. The person is not.
You’re reading The Next Evolution by Neil Catton, articles that explore the human world and the intersection of technology, they try and ask difficult questions - not to scare - but to inform. If someone forwarded this to you, you can subscribe free at neilcatton.substack.com.
Neil Catton is the author of The Next Evolution, The Cognitive Crucible and The Shadow System - available on Amazon, and writes at the intersection of technology, ethics, and human purpose.


