Why Psychology Plays Such an Important Role in Cybersecurity


Why is psychology so important to cybersecurity executives?

Cybersecurity executives deal with two sets of challenges, which can be represented as two sides of the same coin.

Two sides of the same coin
  1. Hackers use various psychological manipulation techniques to trick employees so that they can break into your network.

  2. Employees' behavior towards cybersecurity is shaped by many psychological factors; they know it is important but fail to realize that their own behavior could be part of the problem.

1. Hackers' Psychological Manipulation Techniques

Hackers use various psychological manipulation techniques to target your employees and get into your systems. Once you understand these techniques, you can formulate creative strategies for dealing with complex cybersecurity attack chains.


To understand where these techniques come from, we should start with basic human needs and motivations.


Maslow's hierarchy of human needs

Abraham Harold Maslow was an American psychologist best known for creating Maslow's Hierarchy of Human Needs. His model describes human needs as a hierarchy.


This means that basic needs which are lower down in the hierarchy must be satisfied before individuals can attend to needs that are more sophisticated and complex.


Hackers take advantage of these fundamental human needs. Here is a mapping of typical hacker psychological manipulation tactics onto Maslow's model.

Maslow's hierarchy of human needs

Hackers' manipulation of human needs

Transcendence needs: A person is motivated by values that go beyond the personal self (e.g., mystical experiences and certain experiences with nature, aesthetic experiences, sexual experiences, service to others, the pursuit of science, religious faith, etc.).

Hackers' tactics: The hacker may target you with adware or spam promoting spiritual development, such as religious experience offers or free yoga retreats. They may offer books and information about spiritual or new age subjects such as crystal healing.

Self-actualization needs: Realizing personal potential, self-fulfillment, seeking personal growth and peak experiences.

Hackers' tactics: The hacker may target you with messages that make you feel singled out for special attention. These may include courses in personal development, invitations to attend special training courses, or similar. The message is that you are special and not achieving your full potential. Sometimes these purport to come from a top executive and can be sent via email, text, social media or other internet avenues.

Aesthetic needs: Appreciation and search for beauty, balance, form, etc.

Hackers' tactics: These types of messages will relate to making your life more balanced by removing stress so you can appreciate life more fully. They may include some of the following:

  • Guaranteed work stress relief program – pay now to save 90%

  • Invitations to cultural events

  • Offers to subscribe to online magazines that claim to help your aesthetic development

Cognitive needs: Need for knowledge and understanding, curiosity, exploration, meaning, and predictability.

Hackers' tactics: The hacker may try to get your email address by baiting you with a reward. Baiting is where you are promised something for free in return for subscribing. This type of scam may include a "special offer, click here" link, a free magazine subscription offer, or being added to a mailing list that promises to send you insider information.

Esteem needs: Need for dignity, achievement, mastery, independence and desire for reputation or respect from others (e.g., status, prestige).

Hackers' tactics: Phishing works because these types of emails are sent to thousands of people in the hope of getting a couple of responses. They may be completely bogus, such as pretending to come from the tax office or the government. Types of phishing mail include letters about winning something, such as a bonus or promotion, a tax rebate or similar. Sometimes phishing emails single you out for some type of award or tell you that you have won a competition.

Love and belonging needs: Need for friendship, intimacy, trust, and acceptance, receiving and giving affection and love. Affiliating, being part of a group (family, friends, work).

Hackers' tactics: The hacker may connect with you via social media and try to gain your trust as well as your personal details. If you post on social media such as Facebook, the hacker will know a lot about you, your family, your interests and your friends, and can use these for social engineering attacks.

Safety needs: Need for protection from the elements, security, order, law, stability, freedom from fear.

Hackers' tactics: To exploit your need for security, the hacker may use scare tactics to make you contact them. These scams may include: "Act now, you've got malware!", "Your bank balance is zero", COVID-19 alerts, or an email from your CEO.

Biological & physiological needs: Air, food, drink, shelter, warmth, sex, sleep, etc.

Hackers' tactics: The hacker may try to tempt you with offers for adult websites or dating sites. You may receive emails about cheap property for sale or offers on home improvements.


Hackers use tactics such as spam or phishing in an attempt to directly exploit one of these human needs. However, as people become more aware of these techniques, hackers become increasingly sophisticated and combine several needs to create a complex attack model. For example, a hacker may try to become your friend through your social media. By going through your profile, they can get a better understanding of your needs, such as your religious or spiritual beliefs or your favorite sports. The hacker can then target you by sending you a Facebook message with a limited-time offer for a spiritual retreat, or game tickets to your favorite team, followed by a text message and a phone call. Because the hacker has studied you, he knows exactly how to push the right buttons in order for you to respond. These types of cyberattacks are very convincing, so employees must be constantly reminded of the risks of being too open to these types of friendly approaches online.
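The mapping above is useful to a security team as a triage vocabulary: when employees report suspicious messages, tagging each one by the need it tries to exploit shows which lures are actually landing and which awareness reminders are worth sending. The following is an added example, not code from the original post or from SecurityAdvisor. The need categories follow the article; the keyword cues, the urgency markers and the sample messages are constructed for illustration and would need tuning against real reports.

```python
"""Tag reported lure messages by the human need they target (defensive triage).

Added example, not part of the original post. Need categories follow the
article's Maslow mapping; the regex cues, urgency markers and sample messages
below are constructed for illustration only.
"""
import re
from collections import Counter

# Keyword cues per need, constructed from the article's description of each tactic.
NEED_CUES = {
    "transcendence": [r"\bspiritual\b", r"\byoga retreat\b", r"\bcrystal healing\b", r"\bnew age\b"],
    "self_actualization": [r"\bfull potential\b", r"\bpersonal development\b",
                           r"\bspecial training\b", r"\bhand-?picked\b"],
    "aesthetic": [r"\bstress relief\b", r"\bwork[- ]life balance\b", r"\bcultural event\b"],
    "cognitive": [r"\bfree (?:magazine|subscription|report)\b", r"\binsider information\b",
                  r"\bspecial offer\b"],
    "esteem": [r"\byou (?:have )?won\b", r"\btax rebate\b", r"\bbonus\b", r"\bpromotion\b", r"\baward\b"],
    "belonging": [r"\bfriend request\b", r"\bconnect with you\b", r"\bwe met at\b"],
    "safety": [r"\bact now\b", r"\bmalware\b", r"\bzero balance\b", r"\bcovid-?19\b",
               r"\bfrom (?:your|the) ceo\b", r"\baccount (?:suspended|locked)\b"],
    "physiological": [r"\bdating\b", r"\badult\b", r"\bcheap property\b", r"\bhome improvement\b"],
}
# Time pressure is the common thread in the blended attacks the article describes.
URGENCY = re.compile(r"\b(?:limited time|act now|today only|within 24 hours)\b", re.IGNORECASE)

COMPILED = {need: [re.compile(p, re.IGNORECASE) for p in pats] for need, pats in NEED_CUES.items()}


def tag_needs(text):
    """Return the sorted list of need categories whose cues appear in text."""
    return sorted(need for need, pats in COMPILED.items() if any(p.search(text) for p in pats))


def lure_profile(text):
    """Describe one message: which needs it targets, whether it pushes urgency,
    and whether it blends several needs (the more sophisticated pattern)."""
    needs = tag_needs(text)
    return {"needs": needs, "urgent": bool(URGENCY.search(text)), "blended": len(needs) >= 2}


def summarize(messages):
    """Count how often each need is targeted across a batch of reported messages,
    so awareness nudges can be prioritised by what employees are really seeing."""
    counts = Counter()
    for m in messages:
        counts.update(tag_needs(m))
    return counts


# Constructed sample reports (not real messages).
SAMPLE_MESSAGES = [
    "ACT NOW - you got a malware! Your bank shows zero balance, reply to this email",
    "Limited time only: spiritual retreat tickets for you and a friend",
    "Congratulations, you have won a tax rebate bonus",
    "Quarterly sales figures attached as discussed",
    "Hand-picked for special training: unlock your full potential. Free report inside, limited time",
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(lure_profile(m), "<-", m[:50])
    print(summarize(SAMPLE_MESSAGES))
```

The last sample message is the kind of blended lure the paragraph above warns about: it hits self-actualization and cognitive needs at once and adds time pressure, which is a stronger signal than any single keyword.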

2. Employee Psychology

Employees' behavior towards cybersecurity, such as how they respond to security events, whether they click on a phishing link, whether they report incidents, or whether they take cybersecurity training, depends a great deal on psychological factors.


Cybersecurity Behavior Model


People's cybersecurity behavior can be explained using a behavior model. An example of such a behavior model is the Fogg Behavior model, created by BJ Fogg, a Stanford scientist and New York Times Best Selling author. Although this is a general behavior model, we can use this to explain people's responses to cybersecurity incidents.


Based on the Fogg Behavior Model, people perform an action when they have sufficient motivation, they have the ability to do that action, and they receive an appropriate prompt (B=MAP).


We can control these variables, Motivation, Ability and Prompt, to facilitate changes in employees' behavior, resulting in a better cybersecurity culture.


Motivation:

  1. Launch an employee-inclusive cyber program and promote the values of your company, including protecting your customers' data. A community with a higher purpose can create positive motivation.

  2. Create a cybersecurity policy and hold employees accountable for good and bad behavior. Reward good behavior and reprimand bad behavior, creating motivation in the direction you want to take.

Ability:

  1. This is the most important aspect and it requires analysis and planning. Often, people make cybersecurity mistakes because the insecure path is less work. It is important to review the most common employee tasks and see how they can be carried out securely without too much hassle. For example, people working in sales often need to share time-sensitive documents with customers. Is there an easy process available to do this? If not, implement one; otherwise, they might use their personal communication tools to share it, creating a path into your system for the hacker.

  2. Sometimes not allowing a certain action is the right choice, but this can be a hard balance to strike. Using a cybersecurity system that has more adaptive policy capabilities will enable employees to carry out their work effectively without causing a security breach.

Prompt:

  1. A large number of policy violations can be stopped with a reminder prompt, such as an alert or a simple "Are you sure?" question during the action, so choose security user alerts that work without overwhelming users. Messages must be simple and easy to understand. If they are too complicated and your employee is busy doing their job, a complex, abstract security message is likely to be ignored.

  2. When it comes to cybersecurity awareness for employees, one of the common myths held by cybersecurity experts is that you should give employees a lot of highly detailed security training. However, this is not effective. Unfortunately, the typical cybersecurity compliance policy contains a long list of security requirements, which are often translated into long mandatory security training sessions. As we all know, employees hate these boring training sessions, so they actually drag motivation down. A better option is to consider bite-sized, personally relevant nudges so that your employee understands his or her own role in cybersecurity and how it is relevant to them.
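The Ability and Prompt points above come together in the sales example: an external share of a sensitive document should trigger a short, plain "Are you sure?" that also points at the approved channel, and it should not fire so often that people click through it on reflex. The decision logic below is an added example, not code from the original post or from SecurityAdvisor; the internal domain, the filename markers that count as sensitive, the cooldown period and the sample share events are all assumptions chosen for illustration.

```python
"""Decision logic for a simple 'Are you sure?' prompt on outbound document sharing.

Added example, not code from the original post or from SecurityAdvisor. It
models the article's advice: a prompt during the action stops many policy
violations, the wording stays short, and repeats are suppressed so the prompt
is not ignored. INTERNAL_DOMAIN, SENSITIVE_MARKERS and the cooldown are
assumptions for illustration.
"""
from dataclasses import dataclass, field
import time

INTERNAL_DOMAIN = "example.com"                          # assumption: company mail domain
SENSITIVE_MARKERS = ("confidential", "customer", "contract")  # assumption: filename keywords
PROMPT_COOLDOWN_SECONDS = 8 * 3600                        # at most one prompt per recipient domain per working day


@dataclass
class SharePrompter:
    # recipient domain -> time the last prompt was shown, so repeats are suppressed
    last_prompt: dict = field(default_factory=dict)

    def decide(self, sender, recipient, filename, now=None):
        """Return (should_prompt, message); message is None when no prompt is needed."""
        now = time.time() if now is None else now
        rdomain = recipient.rsplit("@", 1)[-1].lower()
        if rdomain == INTERNAL_DOMAIN:
            return False, None                  # internal share: add no friction
        sensitive = any(m in filename.lower() for m in SENSITIVE_MARKERS)
        if not sensitive:
            return False, None                  # ordinary attachment to an outside party
        last = self.last_prompt.get(rdomain)
        if last is not None and now - last < PROMPT_COOLDOWN_SECONDS:
            return False, None                  # this domain was confirmed recently; do not nag
        self.last_prompt[rdomain] = now
        # Short, concrete wording, and it names the easier secure path (the Ability point).
        message = (f"You are sending '{filename}' outside the company to {recipient}. "
                   "Are you sure? Use the secure share link if this is customer data.")
        return True, message


if __name__ == "__main__":
    # Constructed share events for a quick walk-through.
    p = SharePrompter()
    t0 = 1_000_000
    for args in [("sam@example.com", "pat@example.com", "Confidential_Q3.pdf", t0),
                 ("sam@example.com", "lee@partner.test", "lunch_menu.pdf", t0),
                 ("sam@example.com", "lee@partner.test", "Customer_Contract.pdf", t0),
                 ("sam@example.com", "kim@partner.test", "Customer_List.xlsx", t0 + 600)]:
        print(args[1], args[2], "->", p.decide(*args))
```

The cooldown is keyed on the recipient domain rather than the file, so a rep who has just confirmed a share with one partner is not asked again for the next attachment to the same partner that morning, while a new outside domain still gets the question.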

We all need to be careful because, despite how much we know about the risks, it only takes one false click to compromise the safety and integrity of the entire operation. I hope these concepts help you to build a better cybersecurity culture within your company.



AUTHOR
  • Santhosh Purathepparambil

    Co-founder, SecurityAdvisor

Published on : April 23rd, 2020
