
As a technologist and cybersecurity researcher, Erik J. Huffman is well-versed in hacker tricks. Yet Huffman nearly fell victim to a scam after receiving an email purportedly from his mother asking for financial help. The email immediately reminded him of how much his mother had done for her family. He says he heard her voice in his mind as he read the words on the computer screen. And although Huffman knew she had never before asked for money, he quickly replied: “How much do you need?”
It wasn’t until another email came back, asking how quickly he could send money — another uncharacteristic ask — that Huffman questioned the exchange. “Some red flags had been raised,” Huffman says as he recounted the story in his TED Talk, titled “Human Hacking: The Psychology Behind Cybersecurity.”
In both his TED Talk and in a follow-up interview with CSO, Huffman explains why he almost fell for the scam: he could hear his mother’s voice in his head as he read the email, which made the request seem real. He wanted to be helpful. And, in the rush of the everyday, he didn’t pick up on the danger right away.
Phishing reactions are part of the human DNA
He’s not alone in those reactions. Huffman and other cybersecurity leaders say they’re a typical part of the human DNA, which hasn’t yet evolved to trigger the fight-or-flight response when encountering online dangers. That reality has spurred a growing interest in how the science of human behavior can inform and improve the discipline of cybersecurity. Authorities in this space say the interest is warranted.
“People act in ways that are unpredictable, so while it’s great to have multifactor authentication and other security technologies, it only takes one person to respond to one email on one day to put the organization at risk,” says Lee Hadlington, a senior lecturer in cyberpsychology at Nottingham Trent University, a chartered psychologist and a member of the university’s cyberpsychology research group. “That’s the human factor side in cybersecurity, and it’s something CISOs have to start thinking more about.”
The intersection of cybersecurity and psychology
Cyberpsychologists and enterprise cybersecurity practitioners both stress the need to better understand how people interact with technology to create a stronger cybersecurity posture. They point to statistics showing that most breaches involve some sort of human misstep. Verizon’s 2023 Data Breach Investigations Report, for example, found that “74% of all breaches include the human element, with people being involved either via error, privilege misuse, use of stolen credentials or social engineering.”
As Huffman says, hackers “don’t want to go toe-to-toe with your firewall. They don’t want to challenge your antivirus, because that’s very difficult, not when they can exploit the largest vulnerability on every network on the planet right now — that’s us, people. Cybercriminals are not just hacking computers; they are hacking humans. Because … unlike computers, we actually respond to propaganda.”
Psychology gets at why humans do what they do, says Huffman, founder of cybersecurity services firm Handshake Leadership. There are multiple psychological reasons why people fall for phishing schemes and other hacker scams, according to Huffman, Hadlington and others looking at the role of human nature in cybersecurity.
For a start, many workers click when they shouldn’t because they’re focused on their job. “They’re thinking, ‘I’m just trying to get my job done. I want to get my boss off my back,'” Hadlington says. “Or it’s just an accident: They thought they were doing the right thing,” he says, adding that most people want to be helpful when receiving a request at work.
Employees don’t have a sense of ‘stranger danger’
At the same time, workers haven’t been conditioned to be wary of strangers online; they don’t think “stranger danger” as they would in real life, Huffman says. And people still have the tendency to think that they won’t be scammed.
“They have plausible deniability. They think, ‘It won’t happen to me, and the less I think about it, the less I’ll be a target,'” Hadlington explains.
The hackers understand all that, says Stephanie Carruthers, chief people hacker at IBM. She says they frequently design attacks that create a feeling of fear, a sense of urgency or an aura of authority to get people to react. That’s why a message like “You’ll lose your benefits if you don’t complete these forms today” is effective, Carruthers says. A message like that hijacks the reader’s amygdala — the portion of the brain that detects and responds to threats. “You’re reacting really fast,” she says. “And when you have those strong emotions, you stop looking at the red flags.”
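The levers Carruthers describes (fear, urgency, authority) and the tell in Huffman’s own story (a familiar name making an uncharacteristic request from an address that isn’t on file) can be turned into a coarse triage heuristic. The snippet below is an added example, not code from the article or from any of the people quoted in it; the address book, the phrase lists and the three sample messages are constructed for illustration, and the weights are arbitrary.

```python
"""Heuristic scoring of social-engineering pressure in an inbound message.

Added example, not code from the original article. The contact list,
cue phrases, weights and sample messages are constructed for illustration.
"""
from email.utils import parseaddr

# Constructed address book: lowercase display name -> address on file.
KNOWN_CONTACTS = {
    "mom": "mom@example.net",
    "payroll": "payroll@example.com",
}

# Constructed cue phrases for each psychological lever, plus the concrete ask.
URGENCY = ("today", "immediately", "right away", "within 24 hours", "asap", "urgent")
FEAR = ("lose your benefits", "account will be suspended", "legal action", "locked out")
AUTHORITY = ("ceo", "hr department", "it department", "payroll", "compliance")
ACTION = ("send money", "wire", "gift card", "log in", "verify your password",
          "complete these forms")


def _hits(text, phrases):
    """Return the cue phrases that occur in text (case-insensitive)."""
    lowered = text.lower()
    return [p for p in phrases if p in lowered]


def score_message(from_header, body, known=KNOWN_CONTACTS):
    """Return (score, reasons); a higher score means more pressure to act.

    Checks, in order: a trusted display name paired with an unknown address
    (the lookalike-sender pattern), then each emotional lever, then whether
    a pressure cue is combined with a request to do something.
    """
    reasons = []
    score = 0

    name, addr = parseaddr(from_header)
    key = name.strip().lower()
    if key in known and addr.lower() != known[key]:
        score += 3
        reasons.append(f"display name '{name}' matches a contact but "
                       f"address {addr} is not on file")

    # Authority is often asserted in the sender name, so include it here.
    text_for_authority = f"{name} {body}"
    for label, phrases, weight, text in (
        ("urgency", URGENCY, 1, body),
        ("fear", FEAR, 2, body),
        ("authority", AUTHORITY, 1, text_for_authority),
        ("action", ACTION, 2, body),
    ):
        found = _hits(text, phrases)
        if found:
            score += weight
            reasons.append(f"{label}: {', '.join(found)}")

    # The classic lure pairs an emotional push with a concrete ask.
    pressure = any(r.startswith(("urgency", "fear", "authority")) for r in reasons)
    ask = any(r.startswith("action") for r in reasons)
    if pressure and ask:
        score += 2
        reasons.append("pressure cue combined with a request to act")

    return score, reasons


def classify(score):
    """Map a score to a handling decision (thresholds are illustrative)."""
    if score >= 5:
        return "hold for review"
    if score >= 3:
        return "warn"
    return "deliver"


# Constructed sample messages: a lookalike "mom", a routine payroll note,
# and a benefits-deadline lure of the kind quoted above.
SAMPLES = [
    ("Mom <m0m.help@example.org>",
     "I need some money today, can you wire it right away?"),
    ("Payroll <payroll@example.com>",
     "The Q3 schedule is attached. No action is needed."),
    ("HR <benefits-update@example-hr.biz>",
     "You'll lose your benefits if you don't complete these forms today."),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        score, reasons = score_message(sender, body)
        print(f"{classify(score):16} score={score} from={sender}")
        for reason in reasons:
            print("   -", reason)
```

The point of the combination bonus is that a deadline alone or a request alone is normal business traffic; it is the pairing of the two, the situation that hijacks the fast reaction Carruthers describes, that deserves a second look. A heuristic like this is a triage aid for a mail pipeline or a user-facing banner, not a substitute for the technical controls the article discusses.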
Why bring psychology into security?
Applying the science of psychology to cybersecurity helps cybersecurity professionals understand where, how, and why they’re falling short in building a security program that works, experts say. “We need to design security with people in mind because if security doesn’t work for people, it just doesn’t work,” says John Blythe, a behavioral scientist and director of cyber workforce psychology at Immersive Labs, maker of a cybersecurity training platform.
Blythe points to password requirements as a case in point: requiring complex combinations of letters, numbers, and symbols, and mandating frequent changes, taxes workers’ memories. People end up choosing weaker passwords (and writing them down) just to get into the systems they need to do their work. That’s why, he says, asking workers to use three random words “works best for human memory” as well as security. The UK’s National Cyber Security Centre reinforces that point, noting that three-word passwords are “long enough” and “strong enough” for most purposes.
Huffman cites another case in which psychology shows security working against itself: practitioners who say “it’s not if there’s a breach, but when” (or some variation of that) may be doing more harm than good. He attributes this to the Pygmalion effect, a psychological phenomenon in which setting high expectations leads to higher performance while setting low expectations gets low results.
“When we say ‘it’s not if, but when,’ we’re taking the control away from the user,” Huffman says. He asks: What’s the incentive for users to follow best practices, especially when those practices require extra effort, if they’re being told it won’t necessarily matter? “Instead, give every user power and control [by saying]: ‘We can stop these attacks. We can overcome this. We will not get attacked because we will follow the right processes,'” Huffman adds.
Psychology-aware security is effective security
As CEO and founder of RevolutionCyber, Juliet Okafor helps organizations move from cybersecurity awareness to adoption and offers fractional business information security officer (BISO) services. Okafor, who is also an attorney with a background in communications, focuses on the human component of building a cyber-resilient organization. She says she draws on marketing and sales principles that convince people to make a purchase or take an action.
“They’re selling someone on making a decision they wouldn’t normally make. Cybersecurity is the same. You’re convincing people that cybersecurity is part of their job. And to do that, cyber must use psychology. It demands psychology for it to be effective,” Okafor says.
Like a marketing professional, Okafor has developed and uses personas to help her fine-tune the cybersecurity messages she delivers to individuals. Those personas consider their roles, their motivations, how they prefer to learn and other factors. “When we do this, we can personalize campaigns, we build better awareness and we better mitigate risks,” she says.
Okafor says cyberpsychologists have also used their training to identify enterprise vulnerabilities. She points to research showing that people’s more rushed behavior at certain times of day, such as just before lunch and right before leaving, makes them more prone to click through emails, phishing lures included. (Cyberpsychologists call such rushed moments a “hot” visceral state.)
Security teams that understand this dynamic can act on that information, she says, for example by adjusting their security information and event management (SIEM) platform to create more gates for emails to travel through during those times.
Cyberpsychology works in training, too
Okafor has also applied psychology to training security teams, having worked with companies looking to improve their incident response times. She used competitions to train teams and asked winners to share their strategies — the former leveraging security workers’ typically competitive nature and the latter leveraging their motivations to do good and be seen as trusted stewards. As she explains: “It’s taking what you know about how people work and creating policies to make sure the right controls are in place.”
Christie Wilson, cyber resilience manager with UniSuper, says she, too, is bringing psychology into her organization’s security program. Wilson, who has both a bachelor’s degree and a post-graduate diploma in sociology, says she’s working to “analyze and predict human interactions, motivations, and vulnerabilities, which are important considerations for protecting against cyber threats and designing effective security measures.”
Wilson says this has helped her develop awareness training that better resonates with people and helps them better understand why they need to buy into the company’s cyber resilience program.
People are an attack vector, not a weak link
This mindset has even brought Wilson to adjust her thinking around people as “the weakest link.” “People aren’t the weakest link,” she notes. “They are the primary attack vector. It’s important we understand this when creating awareness and training content. As security professionals, we need to put ourselves in our people’s shoes. Security might be the most important thing in the world to us, but for others it can be anything from a blocker to something they never consider.”
She adds: “Understanding that behavior change needs motivation, ability, and prompts has been a key component of our cyber resilience program.”
Blythe says the most effective way for CISOs to incorporate psychology into their security program is to bring a cyberpsychologist on board, saying “A cyberpsychologist would know what the science is and how it works.”
Others agree, but they acknowledge that’s a big ask, and one that’s hard to fill. For one thing, there are few people trained in the discipline. Cyberpsychology, which focuses on how the mind reacts when people interact with technology, is still a relatively new field, Hadlington says. Moreover, not all cyberpsychologists and cyberpsychology programs focus on cybersecurity. And CISOs already working with slim budgets may not have the money for such a position.
Still, interest in and information about the intersection of psychology and cybersecurity are spreading. Hadlington is taking a “train the trainer” approach. Huffman researches and speaks on the topic. And institutions are adding courses in this space; for example, the SANS Institute, a training organization, is running a Managing Human Risk Summit in August 2023, which will address in part the psychology factor.
Adding psychology to the security department
Experts say CISOs can learn to layer psychology into their security programs to boost the effectiveness of their work. To start with, Hadlington and Huffman both recommend that CISOs engage in more communication. They should ask workers about where they struggle with security controls, why they circumvent security policies, why they clicked on the link in a simulated (or real) phishing scam, what would motivate them to be more security-minded, etc. Then they should address those human elements.
CISOs should also empower workers with ways to solve their challenges and also clearly articulate the ways workers make a difference in security. “That feedback loop is really critical,” Hadlington says. “People want to know ‘Why am I doing this? What’s in it for me? Am I helping the organization? Is what I’m doing effective?'”
Additionally, Huffman says CISOs can work with their marketing teams to learn techniques for influencing behavior. And, as marketing does with the messages it sends to its audience, Huffman says security can personalize security awareness and training.
Address issues that create a ‘psychological hot state’
CISOs can also work with their executive colleagues to address cultural issues that foster that psychological hot state, Huffman says, noting that a workplace where employees are constantly worried or unreasonably busy “gives hackers another advantage.”
Lance Spitzner, director of research and community at the SANS Institute, says he advises CISOs to take a broader view of this topic, applying psychology and behavioral sciences to affect not just individual workers but organizational behavior as a whole.
“You’re trying to create an environment in which humans exhibit strong security behaviors,” he says. “To secure organizations, we need to secure people. And to secure people, we need to change their behaviors. And to change their behaviors, we need to both motivate and empower them to change. That’s where the cognitive sciences come in.”