In this fifth installment of our series on cognitive security and how it impacts the food industry, we will look at the cognitive threats presented by social media. For this article, we will use the common definition of social media: online content generated by users for their friends, customers, and followers, and not intended to be supported by formal journalistic protocols. In the spring of 2025, popular social media platforms included sites like Facebook, YouTube, Instagram, WhatsApp, and TikTok.¹ Other sites with heavy user-generated content such as LinkedIn, Pinterest, and Reddit also rank high.

In previous articles, we explored how cognitive security challenges are shaping the landscape of food safety. From deliberate disinformation campaigns to deceptive cyber tactics targeting supply chains, we examined how attackers exploit human psychology and digital weaknesses to create disruption. We also discussed how business cybersecurity, spanning both information technology (IT) and operational technology (OT), intersects with cognitive security. In Part 4,² we showed how transnational criminals and criminal organizations are using social engineering to gain access to food corporation systems for monetary gain and enabling them to steal intellectual property (IP).

Social media is widely used by food corporations for marketing-related messaging and for alerting customers during food safety emergencies. However, adversaries can also use it to create false narratives and thereby create distrust and panic—adding risk to a corporation's bottom line. Customers are driven in large part by emotion, rather than rational thought and evidence. Left unanswered, negative corporate and food product social media posts can be damaging, perhaps permanently so, and in worst cases even become existential threats to the brand itself. Social media is therefore both a corporation's best friend and its worst enemy. Social media has become a battlefield of rational thought, where cognitive attacks are increasingly common and the truth is often hard to find.

Fake Narratives, Hoaxes, and "RATs"

A 2016 Yahoo Finance article highlighted a hoax widely spread on social media, namely that McDonald's was using ground worms as filler in hamburger.³ In the 1970s, similar, unfounded claims were made against Wendy's,⁴ long before social media as we know it today emerged. Both instances resulted in financial losses and brand/reputation consequences for the respective corporations. This re-appearing urban legend illustrates the impact of the spread of misinformation in the pre- and contemporary social media environments, particularly as the number of social media users increases and the proportion of the population that relies on it as their sole source for news grows.

Information campaigns by threat actors and groups can be considered a category of cyber-based attacks against the minds of targeted individuals or groups, otherwise known as the "persona layer." Like internet-based worms or viruses that spread from computer to computer via software vulnerabilities, social media posts move from human to human via online sharing and forwarding. Unfortunately, in the minds of many social media users, the more information is repeated, the more believable it becomes. Successful social media attacks have the potential to not only impact consumers, but also employees embedded within food production, processing, and distribution.

“Food corporations should recognize they are not only a target for criminals, but also for any individuals that may use online cognitive attacks to harm them.”

Since cognitive attacks are a high risk at all points within the food supply chain, examining the threat risk and applying principles that have been established for other types of harmful activity might be useful. One such principle is contained within what is called the "routine activities theory (RAT)"⁵ and is a potential means by which cognitive security threats can be linked with food safety/security concerns. Doing so enables better response planning for cognitive attacks by highlighting both the objective or rational elements of cognitive security and the subjective or bias elements. The combination of rational and bias elements affects food consumers, corporate decision-makers, and regulators both positively and negatively as they view threats and respond (or do not respond) to them.

RAT focuses specifically on victimization. The crime researchers Cohen and Felson⁵ argue that crime is a convergence of three elements: motivated offenders (criminals), vulnerable targets (victims), and lack of capable guardianship (in this case, food corporations with inadequate cyber and cognitive attack defenses). Initially proposed to shed light on post-World War 2 changes in crime dynamics, there is growing consensus that RAT is increasingly applicable to cybercrime, and especially to the harm caused by misinformation spread via social media channels. Food corporations should recognize they are not only a target for criminals, but also for any individuals that may use online cognitive attacks to harm them.

In the context of threats to the food supply chain, criminals, nation-states, and activists may be motivated by any number of factors. These may include economic gain, the desire to cause harm to targeted corporations or to the public as part of a larger strategic campaign, or disruptive attacks via social media misinformation and disinformation. It is important to note that cognitive vulnerabilities, whether from individuals (including employees), organizations, or businesses, can occur at any point in the food supply chain. From a corporate standpoint, this means that a business must protect itself with robust cognitive security defenses and ensure that its suppliers, distributors, and retail outlets where its products are sold do the same. Any link within the supply chain can be the point of failure if not maintained to be strong and resilient, capable of weathering and neutralizing cognitive attacks.

Mitigation Strategies

Beyond building corporate cognitive defenses, companies will also need to strategize and plan for the means to assuage fears or other negative manifestations (such as product boycotts) that might occur as a result of cognitive attacks directed at people vulnerable to misinformation and disinformation campaigns. Put differently, food corporations need to proactively educate their customers and stakeholders about how their food products are protected, and be both transparent and fact-driven in their responses to the public and regulatory agencies, should an attack via social media occur.

Robust corporate cognitive security planning must also include the acquisition of defensive technical solutions designed to rapidly detect, contain, and deter malicious external threat actors, insider threats, and cognitive threats that may manifest due to widespread misunderstandings about food safety protocols. In parallel, companies should promote food safety and security via their social networks and platforms, as well as via their employees and senior leaders.

Since trust is easily lost during cognitive attacks, two necessary proactive elements of corporate cognitive security include:

1. Promoting a shared worldview between company and consumer. In the case of food production, processing, and distribution, it is essential that companies promote trust among consumers. Trust begins with the knowledge that the food products offered are safe and that the corporation has the data to prove it. This knowledge base then needs to be shared in a creative marketing way, so that the consumer maintains that trust. Social media is an excellent tool for building and sustaining customer trust.
2. Reducing the impact of successful cognitive attacks. In the cybersecurity community, there is a concept called the "cyber-doom effect."⁶ This is a cognitive death spiral in which an event, whether real or imagined, is discussed in extreme terms with emphasis on the worst outcomes. If left unchecked, negative corporate imaging problems will gain acceptance by customers and stakeholders, and will be hard to reverse. In addition, corporate decision-makers and consumers might be led toward counterproductive situations in which they are desensitized to the point they might ignore a real and more damaging threat. In the worst case, they give up, believing that nothing can be done.

“If a food product or corporation is successfully targeted in a cognitive attack, then consumers may turn to similar food products offered by unaffected corporations.”

Corporate decision-makers may elect to downplay or ignore real or imagined threats, but in doing so they increase their own risk and that of their company. Beyond giving advantage to an adversary wishing to accomplish corporate harm, decision-makers can also inadvertently provide advantage to competitors.⁷ If a food product or corporation is successfully targeted in a cognitive attack, then consumers may turn to similar food products offered by unaffected corporations.

User-generated social media posts commonly contain recommendations for food products. Some of these are legitimate, coming from actual consumers who like the products or the corporate brand. In other cases, food or corporate brand "recommendations" may be illegitimate, unethical, or illegal, generated by adversaries determined to do corporate harm by impacting the opinions of consumers. Clandestine marketing campaigns by nefarious corporate competitors are yet another cognitive threat of which the food industry must be aware.

Key individuals and organizations within food production, processing, and distribution networks must be educated so they do not underestimate these types of social media threats and unwittingly become vulnerable targets. In a similar fashion, the public must also be educated through information transparency campaigns, so they do not downplay or disregard legitimate threats or fall victim to misinformation and disinformation campaigns.

The same is true for regulatory agencies. They must likewise be educated to understand these emerging cognitive threats and the importance of cognitive security. It is a hard truth, but in reality, all the domains of food safety (corporate, consumer, and government) lack a complete understanding of cognitive security at a level adequate to address the evolving threats. To borrow a term from cybersecurity, in the ever-changing and evolving threat landscape, "information gaps" are inevitable. Once identified, they must be addressed in a timely manner. The authors hope that this series of articles will begin to remedy some of these gaps, as part of a larger effort that must include subject matter experts inside and outside of government working collaboratively with an all-source-threat-focused, comprehensive Information Sharing and Analysis Center (ISAC).

Public Awareness and Skepticism

Fortunately, there is good news on the horizon in that the public is becoming more skeptical about information, regardless of its source. This emerging reality, which is the possible result of the skepticism surrounding the COVID-19 pandemic, means that repetitive information is not automatically believed. This creates both opportunity and risk—risk in that correct information may not be available or believed, but also opportunity to counter false content that is unintentionally or intentionally distributed.

By taking a leading role in public awareness, education, monitoring, and response, the food and agriculture sector can help safeguard the public food supply, build food product and brand trust, and enhance supply chain resiliency. This can be accomplished through a coordinated effort of robust and integrated cyber, information, physical, food safety/defense, and cognitive security programs.

Notes

• The data referred to in this article was obtained using private sector analytical services and databases made available to the authors. The authors sincerely thank those responsible for the analysis.
• Data obtained from private sector sources.

References

1. Dixon, S.J. "Most Popular Social Networks Worldwide as of February 2025, by Number of Monthly Active Users." Statista. March 26, 2025. https://www.statista.com/statistics/272014/global-social-networks-ranked-by-number-of-users/.
2. Lancaster, J.B., T.L. McAllister, A. Whiskeyman, et al. "Cognitive Security, a Growing Concern for Food Safety: Part 4." Food Safety Magazine April/May 2025. https://www.food-safety.com/articles/10318-cognitive-security-a-growing-concern-for-food-safety-part-4.
3. Taylor, K. "A Viral Rumor that McDonald's Uses Ground Worm Filler in Burgers has Been Debunked." Yahoo Finance. January 21, 2016. https://finance.yahoo.com/news/viral-rumor-mcdonald-uses-ground-182439819.html.
4. Cantrell, M.D. "Urban Legends: Why Do People Believe Them?" M.A. Thesis. Wake Forest University. May 2010. https://wakespace.lib.wfu.edu/bitstream/handle/10339/14790/cantrellmd_05_2010.pdf.
5. Cohen, L. and M. Felson. "Social Change and Crime Rate Trends: A Routine Activity Approach." American Sociological Review 44 (1979): 588–608.
6. Lawson, S.T., H. Yu, S.K. Yeo, and E. Greene. "The Cyber-Doom Effect: The Impact of Fear Appeals in the US Cyber Security Debate." 8^th International Conference on Cyber Conflict. 2016. https://ccdcoe.org/uploads/2018/10/Art-05-The-Cyber-Doom-Effect-The-Impact-of-Fear-Appeals-in-the-US-Cyber-Security-Debate.pdf.
7. Woodside, J. "Misinformation in U.S. Food and Agriculture: A Policy Analysis of Impacts and Recommended Solutions." Journal of Food Law & Policy 20, no. 1 (2024): 39–66.