It is often said that a trio of factors contributes to every successful cyberattack and therefore to successful cybersecurity.
Those factors are people, process and technology – and it’s the people that we’re interested in for this blog. What are the core human behaviours and psychological elements which cyberattacks seek to exploit – and cybersecurity teams need to work with?
Here are three core areas to consider:
Deferring to authority
Authority bias is a well-established cognitive bias. It refers to the tendency to assume authority figures are more accurate, or to attribute more weight to their opinions. In business settings, this means that junior members of staff are likely to trust the opinions of their managers, and potentially avoid openly contradicting a decision or judgement they may find questionable.
From a cybercriminal perspective, this can be very useful. Send a junior member of a team an email purporting to be from their manager, and you may be able to get them to hand over login credentials, or bypass standard security protocols in order to dig out some information. In other words, authority bias can be at the root of clever social engineering attacks.
Frightening into submission
Ransomware has become one of the most high-profile types of cyberattack in recent years, affecting the likes of hospitals as well as big businesses. Such attacks work on the basis of panic – people who believe they are about to lose access to business-critical applications or data are far less likely to pause and think clearly, and far more likely to make quickfire decisions which go against best security practice, such as agreeing to pay attackers a ransom.
Misjudging the threat
Another well-established cognitive bias, the availability heuristic, holds that humans are more likely to think that examples of things which come readily to mind are highly representative – regardless of whether they actually are. In the realm of cybersecurity, this might mean, for example, that individuals within an organisation tend to think that the typical cybercriminal is a teenager sitting in a darkened bedroom, probing the organisation’s perimeter for vulnerabilities.
The reality of cybersecurity, of course, is that the majority of cyberattacks and data breaches are ultimately due to human error and carelessness – whether inadvertent incidents such as misconfiguration of key security tools, or individuals falling victim to social engineering techniques and accidentally handing over key credentials. In other words, people should look to themselves as the (potential) weakest links in the organisation’s security posture, rather than focusing outwards on malicious cybercriminals.
A psychological approach to cybersecurity
Forward-thinking organisations should consider these psychological aspects of successful cyberattacks and design their approach to security accordingly.
In practice, this means cultivating enterprise cultures where juniors are not merely allowed, but actively encouraged, to question their seniors and raise queries where cybersecurity is concerned. It means carefully and dynamically educating and training all staff members in what to do in the wake of security incidents – including keeping calm and escalating to senior members of staff. And it means keeping abreast of what the greatest security risks to the organisation really are – not what the media say they are.
Taking a psychological approach to cybersecurity can be empowering for all concerned – and it can have a hugely positive impact on your organisation’s risk posture.
To learn more, read ‘Why your security awareness training failed, and what to do about it’.