Cybercriminals use psychology–cybersecurity pros should, too

Must-read security coverage

• UK Police Convicts Pair in £5.5 Billion Bitcoin Launder Case
• Blackpoint Cyber vs. Arctic Wolf: Which MDR Solution is Right for You?
• How GitHub Is Securing the Software Supply Chain
• 8 Best Enterprise Password Managers

How human behavior impacts cybersecurity is a hot topic. For instance, cybercriminals are using the COVID-19 pandemic as a way to scam people. The scams are working because cybercriminals are leveraging known human foibles.

Brenda K. Wiederhold, president of the Virtual Reality Medical Center and a licensed clinical psychologist, writes in her research paper The Role of Psychology in Enhancing Cybersecurity: “Individuals are at a psychological disadvantage when faced with cybercrime. They are often not presented with sufficient information to make optimal decisions in privacy-sensitive situations.”

Wiederhold suggests lack of information skews the risk vs. payoff in favor of the cybercriminal, adding, “Even in cases when sufficient information is available, individuals, enticed by prospects of immediate gratification, and under the influence of optimism bias (a bias causing someone to believe they are less likely to experience a negative event), tend to fall victim to hyperbolic discounting, and assign lower risk values to privacy decisions.”

Hyperbolic discounting refers to how people making decisions give more priority to immediate benefits over long-term gains. Our non-linear perception of time, and inability to consider the long-term outcomes of an action when making a choice, are to blame.

SEE: Social engineering: A cheat sheet for business professionals (free PDF) (TechRepublic)

A well-known example is asking someone if they’d prefer $50 right now or $100 in a year. A majority choose the $50. If the choice changes to either $50 in five years or $100 in six years, almost everyone chooses the $100.

This propensity is something cybercriminals are aware of and use to their advantage.

On a positive note, Wiederhold suggests, “Using their understanding of human behavior in cyberspace, psychologists can introduce cultural and behavioral shifts toward higher security on both the individual and the collective levels.”

Wiederhold offers the following advice:

• Understand the behavioral economics governing people’s perception of risk and reward: An important first step would be to identify social situations in which individuals demonstrate a higher tendency to discount the risk of sharing private information. “A study found that people are more likely to reveal personal and confidential information in less-formal settings, such as casual conversation or on social networks.”
• Identify patterns of criminal and malicious activities: Wiederhold wants responsible parties to pay attention to behavior that might adversely affect cybersecurity. If an issue is found, she suggests developing security systems—either in-house or through a service provider—capable of detecting such activities, taking into consideration the psychological distortion influencing privacy decisions.
• Advise legislators and steering groups on the psychological and the social impact of cybercrime: Many cybercrimes do not have the same weight as the comparable nonvirtual crime. “A study across 64 countries has identified that fragment legislation (i.e., legislation variance across countries) is one of the major factors that hinder fighting cybercrime,” she said.
• Raise public awareness of cybersecurity risks: Wiederhold wants to get users involved–that is the only way to adjust their perception, and, subsequently, their behavior toward privacy. She said, “It is essential that psychologists reach out beyond labs and journals to communicate with the public through mainstream media and social networks.”
• Understand the impact of cybercrime on victims’ behavior through all the stages of victimization: The research paper Frames of Fraud: A Qualitative Analysis of the Structure andProcess of Victimization on the Internet, says victims of cybercrime (fraudulent interactions) go through three stages similar to those associated with rites of passage: Preliminal (separation), liminal (transition), and postliminal (incorporation).

Another perspective on how to help prevent cyberattacks comes from a quote from human-factor psychologist Anita D’Amico’s testimony before a congressional subcommittee:

“As researchers and educators, we must address the many different roles we humans play in cybersecurity, beyond just the security practitioner who administers firewalls, tunes intrusion-detection systems, and monitors networks. We must also educate the software developer, lawyer, policymaker, and all of us users who are unwitting accomplices of the attacker.”

For more about this topic, read these TechRepublic articles written by me: Social engineering: How psychology and employees can be part of the solution, 6 persuasion tactics used in social engineering attacks, and How understanding cognitive science can strengthen cybersecurity’s weak links.