Psyched Up: Three Human Factors In Cyberattacks.

It is often said that a trio of factors contributes to every successful cyberattack and therefore to successful cybersecurity.

Those factors are people, process and technology – and it’s the people that we’re interested in for this blog. What are the core human behaviours and psychological elements which cyberattacks seek to exploit – and cybersecurity teams need to work with?

Here are three core areas to consider:

Deferring to authority

Authority bias is a well-established cognitive bias. It refers to the tendency to assume authority figures are more accurate, or to attribute more weight to their opinions. In business settings, this means that junior members of staff are likely to trust the opinions of their managers, and potentially avoid openly contradicting a decision or judgement they may find questionable.

From a cybercriminal perspective, this can be very useful. Send a junior member of a team an email purporting to be from their manager, and you may be able to get them to hand over login credentials, or bypass standard security protocols in order to dig out some information. In other words, authority bias can be at the root of clever social engineering attacks.

Frightening into submission

Ransomware has become one of the most high-profile types of cyberattack in recent years, affecting the likes of hospitals as well as big businesses. Such attacks work on the basis of panic – people who believe they are about to lose access to business-critical applications or data are far less likely to pause and think clearly, and far more likely to make quickfire decisions which go against best security practice, such as agreeing to pay attackers a ransom.

Seeming familiar?

Another well-established cognitive theory, authority bias underlines that humans are more likely to think that examples of things which come readily to mind are highly representative – regardless of whether they actually are. In the realm of cybersecurity, this might mean, for example, that individuals within an organisation tend to think that the typical cybercriminal is a teenager sitting in a darkened bedroom, probing the organisation’s perimeter for vulnerabilities.

The reality of cybersecurity, of course, is that the majority of cyberattacks and data breaches are ultimately due to human error and carelessness – whether independent incidents such as misconfiguration of key security tools, or individuals falling victim to social engineering techniques and accidentally handing over key credentials. In other words, people should look to themselves as the (potential) weakest links in the organisation’s security posture, rather than focusing outwards on malicious cybercriminals.

A psychological approach to cybersecurity

Forward-thinking organisations should consider these psychological aspects of successful cyberattacks and design their approach to security accordingly.

In practice, this means cultivating enterprise cultures where juniors are not merely allowed, but actively encouraged, to question their seniors and raise queries where cybersecurity is concerned. It means carefully and dynamically educating and training all staff members on what to do in the wake of a security incident – including keeping calm and escalating to senior members of staff. And it means keeping abreast of what the greatest security risks to the organisation really are – not what the media say they are.

Taking a psychological approach to cybersecurity can be empowering for all concerned – and it can have a hugely positive impact on your organisation’s risk posture.

To learn more, read ‘Why your security awareness training failed, and what to do about it’.
