“In 2020, 93% of cyber attacks started with people instead of technology.”
This data from Dr. Erik Huffman’s research highlights the profound correlation between internet security and human behaviour. Every time someone reads an email or opens a link, they must determine if it is safe to proceed.
While firewalls and other technical solutions help protect us from many of the web’s bad actors, we can also think critically and respond appropriately. That is the most powerful weapon of all.
Dr. Erik Huffman is a specialist in the psychology of why individuals fall victim to cyberattacks. As a cyberpsychology researcher, he has delved deep into the psychology of humans to answer problems such as, “Why do people fall for phishing emails?” and “Are particular personality types more inclined to be victims of cyberattacks?” Dr. Huffman presented his research findings and recommendations at a compelling Infosec Inspire session.
Here are some essential insights for understanding the connection between human actions and cybersecurity.
The Field of Cybersecurity Relies on Decision-Making As a Fundamental Science
When someone launches an internet browser, they are overwhelmed with options: should I open this email? Should I download the attachment? Is this a message from my boss, or is it someone pretending to be him? The process of making choices is fast, complicated, and susceptible to emotional influence. “People, unlike machines, do not often change their behaviour in line with logical information: they need PR and propaganda,” said Dr. Huffman. This says, “We fall for propaganda. The machine does not.” In other words, rather than thinking logically, people are influenced by their emotions.
But how does emotional influence work? Dr. Huffman outlines a set of psychological concepts known as the principles of influence:
- Reciprocity: People tend to give back when offered something.
- Commitment and consistency: People do not like giving up after starting anything.
- Social proof: People are more inclined to trust a person or organisation whom other people trust.
- Liking: People are more prone to trust persons they know and like, just as they are with reciprocity.
- Authority: People are more prone to listen to individuals and organisations with a strong sense of authority.
- Scarcity: People who believe they have little resources may take rash actions.
The goal of these attacks is to elicit a dramatic, knee-jerk emotional reaction known as “amygdala hijacking.” This becomes evident when you examine the threat language used in phishing emails. Although these emails are frequently mocked for their numerous errors and unusual changes of words, they do have a tremendous emotional impact. Some messages aim to instill fear or humiliation, such as “We adjusted the virus on an adult website you recently visited…”, while others emphasise the need to send money within 24 hours of opening the message.
Psychological Aspects of a Cybersecurity Victim
Dr. Huffman has conducted substantial research into the psychological factors that render people prone to hacking. To further understand what makes people at risk, he recommends the Big Five Model for Cyber Victims. These personality characteristics include:
- Extraversion
- Agreeableness
- Conscientiousness
- Emotional stability
- Open to new experiences
- Impulsiveness
Dr. Huffman feels that the last feature, impulsiveness, is the reason why ransomware frauds are changing. Previously, the fraud was quite straightforward: we lock up your data and you pay us to return it. However, current variants of the scam now use threat language that exploits the victim’s impulsiveness and scarcity. Instead, the script may say, “Pay us three Bitcoin within 72 hours — otherwise, it will double.”
Expertise in technology doesn’t guarantee immunity from failures.
One of Dr. Huffman’s most shocking results is that technological knowledge does not always protect people from becoming victims of cyberattacks. His research demonstrates that cybersecurity professionals are just as vulnerable to phishing and attempts at social engineering as anyone else. They’re also just as likely to give information to a hacker as non-technical employees. This unexpected discovery led Dr. Huffman to conclude, “This isn’t a technical issue, it’s a human issue.”
However, there is one area where technology workers excel: spotting suspicious websites. Dr. Huffman presented thirty websites to a group of professional and non-technical personnel. He discovered that technical people were better able to spot conventional security signs such as Hypertext Transfer Protocol Secure and the recognisable padlock icon in the URL bar. This mismatch demonstrates that typical security indicators are not as well understood or useful to non-technical people.
This is a knowledge gap that security awareness training for every level of personnel can assist bridge.
What Can You Do?
Dr. Huffman recommends conducting a threat assessment. The cybersecurity staff must understand its users and what may drive them to click on a malware vector. He also advocates doing coping assessments for all important personnel in your firm. A coping appraisal will answer crucial questions for your team, such as “If something happened, how would this person cope?” and “Would they comply with the policy?”
