How human behaviour impacts cybersecurity is a hot topic. For instance, cybercriminals are using the COVID-19 pandemic as a way to scam people. The scams are working because cybercriminals are leveraging known human weaknesses.
Individuals are at a psychological disadvantage when faced with cybercrime. They are often not presented with sufficient information to make optimal decisions in privacy-sensitive situations.
Even when sufficient information is available, individuals, enticed by prospects of immediate gratification, still tend to fall victim.
Why do we do what we do? The field of psychology has sought to explain human behaviour for more than 100 years. Its breakthroughs have shed light on some of the most baffling, damaging, and counterintuitive human habits, from violence, abuse and addiction to self-harm, obsessive compulsion and depression.
What can psychology tell us about cybercriminals and how their attacks work? What psychological levers are they exploiting in us to invade our lives, steal our data and disrupt our lives? And why do we seem intent on ignoring these threats?
What psychological levers do various cyberattacks exploit to get the desired response? At its root, social engineering exploits human psychology. The attacker needs to understand not only how we work as individuals but also how we work as individuals within a society, and then exploit that.
Some people take more risks. They might go onto a website they shouldn’t, or they do it unprotected. Attackers exploit that. Even though cybercriminals might be trying to target people, some people are making themselves more susceptible to attack, because of their personality.
Many cyberattacks have similar properties. If you look at ransomware, phishing and even the old Nigerian Prince scam, the attacker is trying to get the victim to give them something that is usually valuable, or is trying to keep something valuable from you, returning it in exchange for money.
It is clear that some attackers are very good at what they do and have obviously done their homework, indicating that cybercriminals are conscious of psychological drivers when creating and conducting cyberattacks.
Success at social engineering is a skill which is perfected over time. Those attackers learn what works and what doesn’t. Criminals will see what works and add their own take on approaches to improve it. So, hacks get better, more effective, and more sophisticated over time.
People think of cybercriminals as kids in their bedrooms just trying it out, but these people are doing this as a business, so it is no surprise that they research what works and what doesn’t.
How can we outsmart the perpetrators of cybercrime? It’s all about a holistic approach to cybersecurity. We need to treat cybersecurity as holistic to the individual: is every piece of hardware and software they use, and every action they take everywhere, whether it is at home or at the office, secure? Because every action can impact multiple places.
It is absolutely essential to educate employees about the potential risks, because if you don’t, you and your business are open to attack.