Infosecurity Europe
4-6 June 2024
ExCeL London

Why Psychology Matters to Cybersecurity

Cyber-criminals are infamous for their ability to exploit human psychology as part of their nefarious activities – such as playing on fear and invoking a sense of urgency to entice victims into clicking on malicious links or giving away login credentials.

Tapping into the human mind through social engineering techniques, such as phishing, vishing and smishing, continues to be highly successful. For example, Verizon’s 2023 Data Breach Investigations Report found that the human element is present in three-quarters (74%) of data breaches.

In response, organisations should also be employing psychological techniques to boost cyber-defenses, finding the most effective ways of encouraging individuals to adopt secure behaviours.

Understanding Human Decision-Making in Security

Researchers are trying to understand the scenarios when users are more likely to adopt robust security measures, such as multi-factor authentication and strong passwords. Security decisions revolve around a range of factors, including knowledge of the level of risk involved, the value of the data and assets being protected and the time and cost of the additional security measures.

A paper written by researchers from the University of Maryland in 2018 concluded that a ‘one-size-fits-all’ approach that encourages all users to engage in all security behaviours at all times “can lead to significant market and individual losses.”

Speaking to Infosecurity Magazine during Infosecurity Europe 2023, Richard Meeus, Director of Security Technology and Strategy EMEA at Akamai, said that organisations need to engage with the work being done in this area to understand how and when to push customers to adopt increased security. This is vital in an area like retail, where customers can be put off shopping with a particular company if they deem the security requirements on their account too cumbersome.

“It’s trying to figure out that logical process where the human being is empathetic towards taking that step,” he outlined.

Introducing Psychology to Awareness Training

The need to employ psychological techniques in staff awareness training programs is being increasingly recognised. Traditionally, security training has been a bland ‘box-ticking’ exercise that fails to engage employees and consequently fails to bring lasting changes to user behavior.

During a session at Infosecurity Europe 2023, Charlie Sinclair, cyber security senior awareness and engagement manager at Unilever, and Tim Ward, CEO and co-founder at ThinkCyber, explained how techniques such as Nudge Theory are a better tool for changing workplace behaviour than conventional e-learning programs.

They argued that these nudge programs must be easy, attractive, social and timely, and seek to incentivise employees to avoid risky behaviour rather than appear to punish those who make mistakes.

In addition, it is important to create engaging security awareness content to increase the chances of a positive learning experience for participants. In an article for Infosecurity Magazine, Javvad Malik, Security Awareness Advocate at KnowBe4, noted that “if a positive experience is had, a higher chance of secure behavioural change will be made.”

He urged organisations to avoid boring material or repetitive learning and explore options like gamification and simulation to boost interactivity and user enjoyment.



Changing the Rhetoric to Boost Engagement

Unfortunately, the cybersecurity industry has a tendency to tap into emotions like fear and anxiety in users to meet its aims. In a talk at IRISSCON 2021, Dr Victoria Baines, visiting research fellow at Oxford University, said that “criminals, governments and vendors have a tendency to represent cyber-threats in exactly the same way.”

For example, she noted that the FBI frequently uses words like ‘devastating,’ ‘insidious’ and ‘catastrophe’ to describe cyber-threats. The wider industry tends to make the threat seem immediate, with the goal of enticing users to make fast decisions around security behaviours and purchases.

Baines believes this approach is counter-productive: not only are the messages often an unrealistic portrayal of the situation, but they also make the field of cybersecurity feel remote to people, who see it as too complex to understand and impossible to contain, thereby reducing engagement.

She urged the industry to move on from this type of rhetoric and believes a much more effective way of encouraging the public to engage in secure behaviours is by harnessing a sense of civic and community responsibility in this area.

Cultivating Teamwork in Security Professionals

In addition to using psychology to improve users’ security behaviours, it should be used to enhance the performance of cybersecurity professionals.

In a presentation in November 2021, Mark Orlando, CEO of Bionic, and Daniel Shore, chief research officer of LeTS: Leadership & Effective Teamwork Strategies, outlined common teamwork issues in computer security incident response teams. These included an overreliance on a few key individuals for thought leadership and personnel only being motivated to do their own work.

They argued that at the heart of these problems is ‘ego-centrism,’ where attitudes of “I can do this on my own” are prevalent. Such an approach is not suitable in incident response and cybersecurity more generally, where teams must solve complex problems quickly.

Orlando and Shore argued that egocentrism must be overcome with human psychology, with cyber leaders ensuring their staff feel validated and valuable while working in a team. Therefore, it is essential that staff have buy-in to the broader scope of goals and tasks of that team, realising the importance of their individual efforts to that cause. 

Conclusion

While cybersecurity is a highly technical industry, the field of psychology is at the core of successful defences. Just as attackers exploit human psychology, the cyber sector must understand human behaviours when designing security systems, training and communication with users.
