"Is Your Brain Wired for Insecurity?" - AJ King on Phishing, Present Bias and Purple Cows

Why People Still Click – And What AJ King Wants You To Know About Behaviour

We spend a lot of time talking about behaviour in security awareness – but not always with the people who study it for a living. That’s why I sat down with AJ King, a UX researcher with a background in psychology and behavioural economics, for an honest conversation about what really drives behaviour, and why traditional awareness efforts so often miss the mark.

AJ’s not in the security world full time. And that’s what makes this episode so valuable. He brings an outside perspective, grounded in science and shaped by years of coaching, facilitation, and user research. He knows how people actually behave – not just how we wish they would.

This isn’t about criticising users or blaming culture. It’s about digging into the reasons people don’t do the “secure” thing, even when they’ve had the training. We talk about attention, habits, emotional state, and the simple truth that most people are just too busy to prioritise security when it doesn’t feel urgent.

So what do we get into?

First, we unpack why annual training rarely changes behaviour. Five minutes of training once a year doesn’t stand a chance against overloaded calendars, meeting stress, and the mental shortcuts we all take to get through the day. Even well-intentioned awareness campaigns can get drowned out by everything else fighting for attention.

We explore the idea of present bias – how our brains are wired to care more about now than later. It’s why people skip the gym, eat the extra biscuit, and click on the link that maybe, probably isn’t legit. It’s not stupidity. It’s being human.

And that’s the heart of AJ’s argument: behaviour isn’t just a product of knowledge. It’s shaped by pressure, context, emotion, and habits. If we want people to behave securely, we need to design environments that make the right choice easier – not just scold them when they get it wrong.

We also talk about nudging. Everyone loves to say nudges are the answer – but if you’re not engaged, a nudge is just noise. Like walking on a treadmill at 2 mph while watching Netflix – technically you’re there, but it’s not changing much. Nudges only work when the user is open to the journey.

And tone matters too. Whether it’s a phishing simulation landing page or a newsletter, the way you talk to people shapes how they respond. Fear might get attention, but it rarely builds trust. Sometimes, it just makes people close the tab.

AJ’s not offering silver bullets – in fact, he calls them out. But he does offer perspective. Especially for awareness pros working alone, trying to do meaningful behaviour change in a culture that just wants the box ticked. We talk about reframing the message, using personal relevance, and why it might be more effective to teach people how to protect their personal email than their work account.

There’s also a brilliant section on internal branding – why what you call yourself might matter more to senior leadership than to your users, and how to make the value of awareness clearer upwards.

This one’s full of laughs, relatable moments, and smart ideas. It’s not preachy. It’s not academic. It’s just two people talking honestly about the messy business of influencing human behaviour in the real world.

If you’ve ever wondered why people still click – or how to make your next campaign actually land – this episode is for you.

You can connect with AJ on LinkedIn right here