Could psychology be the key to cybersecurity awareness? Research points to yes
“In 2020, 93% of cyber attacks started with people instead of technology.”
This statistic from the research of Dr. Erik Huffman shines a spotlight on the powerful connection between online security and human behavior. Every time someone opens an email or clicks a link, they have to decide whether or not it’s safe to proceed.
And while firewalls and other technical measures can protect us from many of the web’s darker actors, we can think critically and react appropriately. That’s the most powerful weapon of them all.
When it comes to an understanding of the psychology of why people fall for cyberattacks, Dr. Erik Huffman is a true expert. As a cyberpsychology researcher, he’s delved deep into the human psyche to answer questions like “why do people fall for phishing emails?” and “are certain personality types more likely to become victims of cybersecurity attacks?” Dr. Huffman shared his research findings and his recommendations in a fascinating session of Infosec Inspire.
Here are some of the key takeaways outlining what you should know about the relationship between human behavior and cybersecurity.
Phishing simulations & training
Cybersecurity is a decision-based science
When someone opens an internet browser, they’re bombarded by decisions: should I open this email? Should I download this attachment? Is this message really from my boss or someone pretending to be her? The decision-making process is quick, complex, and vulnerable to emotional persuasion. “People, unlike machines, do not often change their behavior in line with logical information: they need PR and propaganda,” explains Dr. Huffman. That means, “We fall for propaganda. The machine does not.” In other words, instead of following a purely logical thought process, people are swayed by their emotions.
But how does emotional persuasion occur? Dr. Huffman cites a set of psychological principles called the principles of influence:
- Reciprocity: People are naturally inclined to give back if given something.
- Commitment and consistency: People don’t like to give up after starting something.
- Social proof: People are more likely to trust an individual or organization than others trust.
- Liking: Like reciprocity, people are more likely to trust those they know and like.
- Authority: People are more likely to listen to individuals and organizations with higher levels of authoritativeness.
- Scarcity: The perception of limited resources can cause people to rush into decisions.
The goal is to trigger a powerful, knee-jerk emotional reaction called “amygdala hijacking.” This is clear when you take a closer look at the kind of threat language that phishing emails use. Although these emails are often made fun of for their numerous typos and quirky turns of phrase, they do pack a powerful emotional punch. Some are designed to create a sense of panic or embarrassment (“...we adjusted the virus on an adult website you recently visited…”), while others push a sense of urgency (“...you have 24 hours after opening this message to send us money!”).
Psychology of a cybersecurity victim
Dr. Huffman has extensively studied the psychological traits that make people vulnerable to being exploited by hackers. To better understand what makes people vulnerable, he points to the Big Five Model for Cyber Victims. These personality traits include:
- Extraversion
- Agreeableness
- Conscientiousness
- Emotional stability
- Open to new experiences
- Impulsiveness
It’s this last trait — impulsiveness — that Dr. Huffman suspects are the reason why ransomware scams are evolving. The scam was fairly cut and dry in the past: we lock up your data, and you pay us to give it back. But modern iterations of the scam have evolved to include threat language that plays on the victim’s principles of impulsiveness and scarcity. The script may instead say, “Pay us three Bitcoin within 72 hours — and if you don’t, then it’s going to double.”
Technical knowledge isn’t fail-proof
One of Dr. Huffman’s most surprising findings is that technical knowledge doesn’t necessarily protect someone from becoming the victim of a cyberattack. His research shows that cybersecurity professionals are as vulnerable to phishing and social engineering attacks as everyone else. They’re also just as likely to reveal information to a hacker as non-technical staff. This surprising discovery led Dr. Huffman to the conclusion that “This isn’t a technical issue, it’s a human issue.”
But there is one area where technology professionals prevailed: identifying sketchy websites. Dr. Huffman presented thirty websites to a group of technical, non-technical staff. He found that technical staff was better equipped to identify standard security indicators like Hypertext Transfer Protocol Secure and the telltale padlock icon in the URL bar. This discrepancy shows that standard security indicators aren’t as well understood or as useful to non-technical users.
This is a knowledge gap that security awareness training for all levels of staff can help fill in. (See our best security awareness training article for more information.)
ChatGPT training built for everyone
What can cybersecurity teams do?
One of Dr. Huffman’s recommendations is running a threat appraisal. The cybersecurity team needs to understand their users, and what might cause that user to click on a malware vector. He also recommends running a coping appraisal for all key players in your organization. A coping appraisal will provide your team with the answers to key questions like “If something happened, how would this person cope?” and “Would they react in compliance with the policy?”
ChatGPT training
In this Series
- Could psychology be the key to cybersecurity awareness? Research points to yes
- Digital identity management: Balancing usability, security and privacy
- Why aren’t more women in cybersecurity, and how can we fix it?
- ChatGPT and the strengths and limitations of cognitive AI
- Cybersecurity automation: Tips to do it right in your organization
- Advancements in online safety: Combating cyberbullying and protecting vulnerable communities
- How small and medium businesses (SMBs) can fast-track a disaster recovery plan
- What it takes to qualify for the US Cyber Games team
- The changing role of a ransomware negotiator
- Protecting K-12 schools from cyber threats: The case of Vice Society
- A deep dive into GitHub's security strategies
- Data storage security isn't working: Here are 5 ways to improve
- Protect your data with zero-trust networks
- 3 cybersecurity automation tools that your IT department needs now
- One phishing attack could expose your entire hospitality network
- Privacy compliance and security: Are you collecting too much data?
- API security best practices: What you need to know
- Considerations when using open source to build an identity system
- Security as a service: 11 categories you should know
- The impact of open source on cybersecurity
- Cybersecurity jobs are in demand. C-level IT executives needed!
- 6 cybersecurity truisms the industry needs to rethink
- 2022 cybersecurity spending trends: Where are organizations investing?
- Will corporate support for Fast ID Online [FIDO] mean mass adoption? If so, what does that mean for security and identity?
- Twitter’s cybersecurity whistleblower: What it means for the community
- Top 5 cybersecurity questions for small businesses answered
- What Is zero-trust security, and should your business adopt it?
- What’s next in cybersecurity: Predictions from Andrew Howard
- How training employees about ransomware can mitigate cyber risk
- Today’s IT job market: Beyond fear, uncertainty and doubt
- Third-party authentication (OAuth): Good or bad for security?
- Two basic actions that reduce enterprise cyber risk by 60%
- 4 key takeaways from the 2022 Verizon DBIR report
- Four examples of human error in cybersecurity — and how to fix them
- Five ethical decisions cybersecurity pros face: What would you do?
- How to become an ethical hacker: Tips from Offensive Security CEO Ning Wang
- Shaking up security awareness: How one organization is building a culture of security
- Security Culture: TikTok CISO says this trend is here to stay
- IT skills advice from IDC's IT education and certifications expert
- Managing a security awareness program: Carrots, sticks, and repeat offenders
- Reducing IT’s carbon footprint: Good for business as well as the environment
- How Booz Allen Hamilton keeps their security team secure and compliant in a hybrid world
- 5 tactics to improve cybersecurity hiring results
- Top 9 effective vulnerability management tips and tricks
- SOC integration: Creating a well-built portfolio vs. a frankenstack
- Cybersecurity hiring: Why employer and higher ed collaboration is key
- After certification: Investing in employees' cybersecurity career pathways
- Where do ransomware, cyber education and cyber insurance intersect?
- How IT pros can keep their organization on the cutting edge
- Cyber talent diversity: It's time to redefine the face of security
- Cybersecurity and Windows 11: What you need to know
We’ll customize our demo to your
- Security awareness goals
- Existing security and employee training tools
- Industry and compliance requirements
Industry insights
Digital identity management: Balancing usability, security and privacy
Industry insights
Why aren’t more women in cybersecurity, and how can we fix it?
Industry insights
Industry insights
Cybersecurity automation: Tips to do it right in your organization