Why We Lock Our Front Doors but Trust Strangers Online

“To assume the best about another is the trait that has created modern society.”
Malcolm Gladwell, Talking to strangers
The Physical Door and Stranger Danger
Comedian Elaine Boosler once joked that she had six locks on her front door. Whenever she left the house, she would lock every alternate one. That way, no matter how long somebody stood there trying to pick the locks, they ended up locking three.
We have all seen the movies. Multiple locks, alarm triggers, reinforced doors — the physical home as a fortress. Kids are taught to check the peephole before opening the door, to look at the camera screen before speaking to anyone, because “don’t talk to strangers” is one of the most well-ingrained rules we have. It just hasn’t been updated to catch up with the 21st century.
Why are we so protective of our physical assets and yet so openly trusting when it comes to strangers online? In Malcolm Gladwell’s Talking to Strangers he draws on the research of psychologist Timothy Levine to explain what he calls Default to Truth: our need to function in society begins with an automatic assumption that strangers are telling the truth. We are not being naïve when we do this, it’s a social operating system.
The very instinct that makes civilisation possible is the one that leaves us exposed. While our “front door” caution is the exception, a kind of addendum reserved for the moments when we feel physically isolated and unprotected or want to protect those more vulnerable when we are not physically present.
The rest of the time, we default to trust.
Gladwell goes further with what he calls the Transparency Illusion, our belief that we can accurately read people’s feelings and intentions from their faces and behaviour. We can’t, not with any real reliability.
This is precisely why skilled liars and sociopaths operate so effectively for so long, and probably the main reason we came up with the “front door” rule. Our overconfidence in reading others creates comfort, and comfort creates compliance, and this is the dangerous combination that manipulators of every kind are looking for.
The Digital Window Few Can See
In the physical world, a door is a real obstacle. There is weight, resistance, and consequence to any physical attempt to breach a solid object.
None of that exists online.
The digital world has no physical doors, only hidden lines of code that very few people can see, let alone understand. Consider this: the world currently holds around 8.3 billion people, with a literacy rate of 87.74% for those aged 15 and older. Impressive by most measures, but not very good when compared to what we might call developer literacy, the ability to actually read and write the code that powers the digital world most of us live inside. As of 2025, there are approximately 47.2 million developers globally. That is roughly 0.57% of the population able to work on and fix the very train that everyone else relies on every day.
This gap is critical, considering that the more vulnerable populations, the young and the elderly, are especially exposed in this environment, drawn in by ease of use, social pressure, and an almost complete trust in automated systems. Psychology has long had names for these tendencies, and cyberpsychology has shown us exactly how it plays out when the environment moves online.
Automation Bias, the tendency to accept what a system tells you without question; Authority Bias, the deference we extend to anything that looks official; Social Proof, the assumption that if everyone else is doing it, it must be safe; and perhaps the most quietly powerful of all, the Online Disinhibition Effect.
Coined by psychologist John Suler in 2004, the Online Disinhibition Effect proposes that there is a version of yourself that only exists online, slightly bolder, quicker to click, less likely to pause. This version operates without the usual social brakes we see in social environments. There is no eye contact, no physical presence, no immediate consequence for a bad decision. Suler’s research showed that people behave with measurably less caution in digital spaces, and for most of us, most of the time, this seems harmless. We say things in a comments section we would never say at a dinner table, or click links we couldn’t tell our mothers about. But for the person on the other end of a phishing message or a too-good-to-be-true offer, that loosened caution is precisely the vulnerability being exploited. Attackers do not need to fool you at your sharpest. They only need to find and connect with the version of you that is already halfway through a to-do list, mildly distracted, and running on autopilot.
What makes this more unsettling is that we have already established that we are poor judges of intent in person, now online, where physical cues disappear entirely, it becomes near impossible to tell if someone is malicious or actively trying to assist us with that password reset. Skilled attackers understand this and use the medium deliberately, building trust through familiarity, mirroring, and the shared sense of freedom that the online world creates. The bold, liberated version of you that feels powerful online is, ironically, the most exposed.
Human Risk: The Difference Between a Locked and Unlocked Door.
Anyone who still promotes the tagline “humans are the weakest link” doesn’t know enough about cyberpsychology nor the landscape in which we operate today. Those words strip away people’s ability to see themselves as capable, informed, and able to protect themselves and the environment in which they operate. The framing was wrong from the start, coined by those who made a living by preying on people who knew less, and were arguably more human and empathetic. The industry seems to be slowly reckoning with that. Companies are investing in people more as they realise that not everything can be automated, and what can be fully machine-driven is not always infallible, nor commercially viable.
A more honest view is that an empowered person is one of the most powerful assets a company has. Someone who knows what to look for, who pauses before they click, who trusts their instincts enough to report something that feels off, that person is not a liability, they are a line of defence that no firewall can replicate.
The problem has never been people. It has been those who were never given the tools, the language, or the permission to act differently. We tell our children not to open the door to strangers before they are old enough to reach the handle, yet we hand laptops to employees on their first day and assume that common sense and good judgement will fill in the rest.
Those employees come from different generations, different life paths, different relationships with technology, and wildly different levels of digital literacy. Some grew up with a screen in their hand, others came to it later, and most sit somewhere in the middle, navigating systems and platforms they were never formally taught to question.
We give our children a rule, guidance, and context, and yet we give our employees a login, deadlines, and a quiet fear of looking incompetent.
Human risk is not about weakness, it’s about the gap between what people know and what is thrown at them online.
Mimecast’s State of Human Risk report consistently shows that the majority of successful cyberattacks move through human behaviour rather than technical exploits, not because people are careless, but because they are operating exactly as Gladwell described, defaulting to trust, moving through a busy day, doing what functioning in society requires, and being human.
Attackers are not smarter, they are simply more patient, and have done the psychological homework that most organisations don’t on behalf of their own people.
The “front door” rule is timeless wisdom because it is simple, it is human, and it is passed down before a child is old enough to reach the door handle. The threat was always the same, a stranger expressing friendly intentions but with malicious motives behind them, and the rule worked because awareness came first.
While the door is no longer physical, and the stranger might take on a different persona, arriving through a screen rather than to your house. What has not changed is the solution, and yet somehow, giving people that same early, simple, human awareness in a world, quickly being dragged into a technological maelstrom seems like good advice not given.
It is never too late to start on this journey, whether as an individual, a manager of a team, or leader of a company, you can be a catalyst for change. Below are a few things that you can start doing today to improve your cyber posture and directly impact everyone else around you.
Start with onboarding
Does your current onboarding process clearly define your company’s stance on external links, what to do when a suspicious one lands in your inbox, and more importantly, what happens when someone has already clicked?
Cyber Hygiene
If you have a dedicated tech team or a single person manning the fort, have them engage your staff on basic cyber hygiene? Simple do’s and don’ts, and whether your company uses MFA or OTP as a baseline layer of defence, will go a long way.
Quarterly engagements, not annual compliance
One conversation per quarter (at least) is enough to meaningfully raise the awareness and posture of every individual on your team. It does not need to be a formal session, it just needs to happen consistently.
Reporting culture
When people are publicly admonished for clicking the wrong thing, they stop reporting. Shame keeps threat actors hidden in your environment far longer than they should be. Psychological safety is not a soft skill, the mental well-being of your staff is a security control.
If you are not sure where to start, or simply do not have the bandwidth to do this well on your own, reach out to us at Cyber Dexterity. We do this every day, and we would love to help.
Basil Polydorou – Head of Learning Solutions | BsC Cyber Psychology Candidate
References
Cialdini, R. B. (20). Influence: The psychology of persuasion. Collins.
Clown Jewels. (2026, May 8). Elayne Boosler Full Comedy Special (1989) [YouTube]. https://www.youtube.com/watch?v=iO1fpl-f7ho
Gladwell, M. (2019). Talking to Strangers: What We Should Know about the People We Don’t Know. Little, Brown and Company.
Levine, T. R. (2014). Truth-Default Theory (TDT): A Theory of Human Deception and Deception Detection. Journal of Language and Social Psychology, 33(4), 378–392. https://doi.org/10.1177/0261927X14535916
Milgram, S. (1963). Behavioral Study of obedience. The Journal of Abnormal and Social Psychology, 67(4), 371–378. https://doi.org/10.1037/h0040525
Mimecast. (2024). The State of Human Risk 2024. Mimecast. https://www.mimecast.com/resources/ebooks/state-of-human-risk/
Mimecast Cyber Insights Blog Team. (2025, March 11). The State of Human Risk. Mimecast. https://www.mimecast.com/blog/the-state-of-human-risk/
SlashData Team. (2025, May 2). There are 47.2 million developers in the world—Global developer population trends 2025. SlashData. https://www.slashdata.co/post/global-developer-population-trends-2025-how-many-developers-are-there
Suler, J. (2004). The Online Disinhibition Effect. CyberPsychology & Behavior, 7(3), 321–326. https://doi.org/10.1089/1094931041291295
World Population Review. (2026, June 16). Literacy Rate by Country 2026. World Population Review. https://worldpopulationreview.com/country-rankings/literacy-rate-by-country
Worldometer. (n.d.). World Population Clock: 8.3 Billion People (LIVE, 2026). Worldometer. Retrieved 24 June 2026, from https://www.worldometers.info/world-population/