Cyber Psychology
By Erik Huffman, Lead Technical Instructor at SecureSet Colorado Springs.
Psychology is a bigger part of cybersecurity than computer science is. You may be asking yourself “why would someone make such a bold claim? What is the correlation between cybersecurity and psychology?” In fact, several facets of psychology play a key role in the methods that are commonly utilized by cybercriminals.
Where Psych Meets Cyber
To start, trust is the foundation of security. It has been well documented that users are the most concerning vulnerability of any network. In 2017, Thycotic reported that nearly one third (32%) of survey respondents said that accessing privileged accounts was the number one choice for the easiest and fastest way to get at sensitive data. This was followed closely by 27% indicating that access to user email accounts was the easiest path to capturing critical data. Both style of attacks are similar in that they rely on human-error or confusion. This method of attack is known as social engineering.
For over 10 years, phishing has been the most used attack vector exploited by cybercriminals. Sans reported that 74% of hackers named clicking a link or opening an attachment in an email as the top ways threats enter the organization. Phishing has remained a significant problem despite constant technological security innovations such as: firewalls, IPS (intrusion prevention systems), IDS (intrusion detection systems), anti-virus, anti-malware, and other software security applications.
Patching Human Error
We, as a cybersecurity community, have attempted to patch human errors with technology. This has yielded great results in some regards, but minimal success in regard to social engineering and phishing. At the 2017 Defcon conference, 250 hackers (white, gray, and black hat) were surveyed, and it was revealed that 73% of those surveyed noted traditional perimeter security firewalls and antivirus software to be irrelevant or obsolete. Criminals understand that the weakest link in an organization’s cybersecurity plan is the employees and therefore, they are the primary targets.
Reprogramming “Fight-or-Flight”
In a cyber environment, criminals have an immediate advantage because their victims cannot see or hear them. There is not an instant sense of danger that resonates from a computer as an attack commences. People read in their own tone. Therefore, they have to think about every move they make. Traditional fear tactics are non-existent, as cybercriminals appear normal in unfamiliar scenarios.
The limbic part of the brain is the biological mechanism that keeps us alive in “fight-or-flight” situations. On a computer, the limbic system does not activate when a “threat” arises. A cyber threat does not promote physical danger or fear. Therefore, we must be able to differentiate a threat from a legitimate email, for example. By this logic, even the most knowledgeable can be fooled by a decently articulate cybercriminal.
From a psychological perspective, cybercrime does not discriminate between those who are knowledgeable and those who are not.
The Psychology of Cybercrime
The psychology of cybercriminals differs greatly from their traditional counterparts. Traditional criminals have to worry about their victims running, fighting back, calling for help, or triggering an alarm. None of the aforementioned counter-measures are a concern for cybercriminals. In the end, cybersecurity is a game of psychological football in which cybercriminals only have to “score” once to gain access to every bit of information they may want. Meanwhile, cyber professionals have to “score” every possession to keep all PII (personally identifiable information) secure. It is difficult for a person to operate with the utmost caution at all times. However, we have no other option.
Knowing that psychology plays an integral role in cybersecurity, what measures can we take to further understand the mindset of cybercriminals and better protect our networks? Please leave your thoughts in the responses section below.
Erik Huffman is Lead Technical Instructor at the SecureSet Colorado Springs Campus. He assists in the development of course curriculum and labs. Erik earned a BS in Computer Science from College America, MS in management concentrating in IT management from Colorado Technical University, and Doctorate in Management from the University of Phoenix.
