October is Cybersecurity Awareness Month, and this year the urgency feels sharper than ever. Artificial intelligence is advancing at breakneck speed. While it drives innovation in finance, it also makes fraud faster, easier, and harder to detect. From flawless phishing emails to AI-generated voice clones that can trick customers into revealing sensitive information, the threat landscape is evolving rapidly.
Having spent the early part of my career inside financial institutions and the last decade advising them, I’ve seen the industry from both sides. One truth stands out: trust is the true currency of financial services. And in today’s digital-first era, that trust is inseparable from cybersecurity.
To deepen my own perspective, I recently completed the Mastercard Emerging Leaders Cyber Initiative (ELCI) at Rogers Cybersecure Catalyst, Toronto Metropolitan University. The experience underscored a simple truth: technology alone cannot keep us safe. People have to engage with it.
That raises a bigger question: why do some Canadians embrace strong security measures while others avoid them? Our 2025 Environics Research Fintech Syndicated Study explored this, and the answers reveal that cybersecurity behavior is about more than habits. It is about Social Values.
Canadians’ Habits Are Only Part of the Story
When asked how often they use strong security measures like multi-factor authentication (MFA), updated passwords, or avoiding password reuse, Canadians said:
Graph Insights Credit: Environics Research
Nearly three-quarters (73%) claim to use strong measures regularly or consistently. But only 29% are truly disciplined. And in cybersecurity, inconsistency is risk.
So why do some lean in while others hold back? This is where Social Values unlock the bigger story.
Cybersecurity Through a Social Values Lens
At Environics, we use Social Values to go beyond demographics. Values are the deeper motivations that shape how people see the world, who they trust, and how they act. And when it comes to cybersecurity, those values drive three very different groups.
The Consistent Protectors (29%)
These Canadians do not just practice cybersecurity, they live it. They see protecting data as protecting identity. They embrace technology with confidence and link security to authenticity, responsibility, and community. For them, cybersecurity is aspirational: a way to live responsibly and stay in control. They can be role models and advocates, not just adopters.
Social Values that are strong for this group:
The Security Skeptics (4%)
For skeptics, security feels unnecessary or out of step with their world. They are anxious about technology, distrust institutions, and often prefer familiar routines. To them, constant password resets or MFA prompts do not feel like protection, they feel like obstacles. Campaigns that stress rules only reinforce their belief that the digital world is cumbersome and untrustworthy. For skeptics, security must be reframed as simpler, more relevant, and personally empowering.
Social Values that are strong for this group:
The Don’t Knows (8%)
This group is not resistant, they are overwhelmed. They disengage when things feel too complex, focus on the immediate over the long term, and treat technology as purely functional. They need simplicity, small wins, and confidence-building. With the right guidance, they can shift from uncertain bystanders to active participants.
Social Values that are strong for this group:
Control Extends Beyond Security
Interestingly, values around control extend into finance more broadly. Canadians who agreed with the statement “I prefer that AI-powered tools only supply suggestions, not automate actions in my accounts” were also much more likely to use strong security measures.
This shows that security is not just about protection, it is about agency. The same people who want control over their money also take control of their digital safety. For financial institutions, the implication is clear: customers who care deeply about security also expect transparency and choice in how technology, including AI, is deployed.
Why This Matters for Financial Institutions
The stakes are rising. Cybercrime losses globally are projected to hit trillions in the coming years. With AI amplifying the speed and sophistication of fraud, every weak password, ignored MFA prompt, or moment of uncertainty creates an opening for criminals.
The consequences ripple far beyond individuals:
- For institutions: financial loss, regulatory scrutiny, reputational damage.
- For consumers: stress, financial fallout, loss of trust.
- For the ecosystem: systemic vulnerabilities that weaken the financial system.
The uncomfortable truth is this: the best cybersecurity tools are useless if people do not use them properly.
So What Can Financial Institutions Do?
- Design for Values. Protectors want affirmation and leadership. Skeptics need reassurance and control. Don’t Knows need simplicity and confidence. Meeting people where their values are is how you turn awareness into action.
- Remove Friction. Every clunky password reset or MFA hurdle risks disengagement. Defaults, biometrics, and passkeys make the secure path the easy path. Frictionless security is not just good UX, it is risk management.
- Lead with Trust. Security is no longer a back-office issue. In a world of rising scams, trust is a brand differentiator. Institutions that make security visible, human, and values-driven will reduce fraud and earn loyalty.
- Reinforce Control. Canadians who take security seriously also want autonomy in how they manage their finances. Security and AI tools that emphasize choice and transparency will resonate far more than those that impose rules or automation.
- Think System-Wide. One user’s poor habits can cascade into systemic vulnerabilities. Raising the baseline of secure behavior across millions of Canadians strengthens resilience across the entire financial ecosystem.
The Bottom Line
As I reflect this Cybersecurity Awareness Month, I keep coming back to what I learned through ELCI: cybersecurity will not be won by technology alone. It will be won, or lost, by people.
Our study makes clear that security is not just about tools. It is about values, trust, and worldview. And now, with AI making fraud faster and more convincing, closing the human behavior gap has never been more urgent.
For banks, fintechs, and policymakers, the challenge and the opportunity is to make security human. Those who succeed will protect not only their customers and institutions, but also the trust that underpins every financial relationship.
Control Of Privacy
Ethical Consumerism
Enthusiasm For New Technology
Brand Genuineness