Cybersecurity executives deal with two sets of challenges, which can be represented as two sides of the same coin.
Hackers use various psychological manipulation techniques to target your employees and get into your systems. Once you understand these techniques, you will be able to formulate creative strategies for dealing with complex cybersecurity attack chains.
To understand where these techniques come from, we should start with basic human needs and motivations.
Abraham Harold Maslow was an American psychologist best known for creating Maslow's Hierarchy of Human Needs. His model explains that human needs are motivated by a hierarchical structure.
This means that basic needs which are lower down in the hierarchy must be satisfied before individuals can attend to needs that are more sophisticated and complex.
Hackers take advantage of these fundamental human needs. Here is a mapping of typical hacker psychological manipulation tactics onto Maslow's model, from the top of the hierarchy down.
Transcendence needs: A person is motivated by values that go beyond the personal self (e.g., mystical experiences and certain experiences with nature, aesthetic experiences, sexual experiences, service to others, the pursuit of science, religious faith, etc.).
Hacker tactics to manipulate this: The hacker may target you with adware or spam promoting spiritual development, such as religious experience offers or free yoga retreats. They may offer books and information about spiritual or new age subjects such as crystal healing.
Self-actualization needs: Realizing personal potential, self-fulfillment, seeking personal growth and peak experiences.
Hacker tactics: The hacker may target you with messages that make you feel singled out for special attention. These may include courses in personal development, invitations to attend special training courses, or similar. The message is that you are special and not achieving your full potential. Sometimes these purport to come from a top executive and can be sent via email, text, social media or other internet channels.
Aesthetic needs: Appreciation and search for beauty, balance, form, etc.
Hacker tactics: These types of messages relate to making your life more balanced by removing stress so you can appreciate life more fully. They may include some of the following:
Guaranteed work stress relief program - pay now to save 90%
Invitations to cultural events
Offers to subscribe to online magazines that claim to help your aesthetic development
Cognitive needs: Need for knowledge and understanding, curiosity, exploration, meaning, and predictability.
Hacker tactics: The hacker may try to get your email address by baiting you with a reward. Baiting is where you are promised something for free in return for subscribing. This type of scam may include "special offer, click here" messages, free magazine subscription offers, or being added to a mailing list that promises to send you insider information.
Esteem needs: Need for dignity, achievement, mastery, independence and desire for reputation or respect from others (e.g., status, prestige).
Hacker tactics: Phishing works because these emails are sent to thousands of people in the hope of getting a couple of responses. They may be completely bogus, such as pretending to come from the tax office or the government. Types of phishing mail include letters about winning something, such as a bonus or promotion, a tax rebate, or similar. Sometimes phishing emails single you out for some type of award or tell you that you have won a competition.
Love and belonging needs: Need for friendship, intimacy, trust, and acceptance, receiving and giving affection and love. Affiliating, being part of a group (family, friends, work).
Hacker tactics: The hacker may connect with you via social media and try to gain your trust as well as your personal details. If you post on social media such as Facebook, the hacker will know a lot about you, your family, your interests and your friends, and will use these for social engineering attacks.
Safety needs: Need for protection from elements, security, order, law, stability, freedom from fear.
Hacker tactics: To exploit your need for security, the hacker may use scare tactics to make you contact them. These scams may include messages such as "Act now - you have malware!", "Your bank balance is zero", COVID-19 alerts, or an email purporting to come from your CEO.
Biological and physiological needs: Air, food, drink, shelter, warmth, sex, sleep, etc.
Hacker tactics: The hacker may try to tempt you with offers for adult websites or dating sites. You may receive emails about cheap property for sale or offers on home improvements.
Hackers use tactics such as spam or phishing in an attempt to directly exploit one of these human needs. However, as people become more aware of these techniques, hackers become increasingly sophisticated and combine several needs to create a complex attack model. For example, a hacker may try to become your friend through social media. By going through your profile, they can get a better understanding of your needs, such as your religious or spiritual beliefs or your favorite sports. The hacker can then target you by sending you a Facebook message with a limited-time offer for a spiritual retreat, or game tickets for your favorite team, followed by a text message and a phone call. Because the hacker has studied you, they know exactly how to push the right buttons to get you to respond. These cyberattacks are very convincing, so employees must be constantly reminded of the risks of being too open to friendly approaches online.
Employees' behavior towards cybersecurity, such as how they respond to security events, whether they click on a phishing link, whether they report incidents, or whether they take cybersecurity training, depends a lot on psychological factors.
People's cybersecurity behavior can be explained using a behavior model. An example of such a model is the Fogg Behavior Model, created by BJ Fogg, a Stanford scientist and New York Times bestselling author. Although this is a general behavior model, we can use it to explain people's responses to cybersecurity incidents.
Based on the Fogg Behavior Model, people perform an action when they have sufficient motivation, they have the ability to do that action, and they receive an appropriate prompt (B=MAP: Behavior = Motivation, Ability, Prompt).
We can control these three variables (Motivation, Ability and Prompt) to facilitate changes in employees' behavior, resulting in a better cybersecurity culture.
We all need to be careful because, despite how much we know about the risks, it only takes one false click to compromise the safety and integrity of the entire operation. I hope these concepts help you to build a better cybersecurity culture within your company.