The Psychology of Cybersecurity

Troy La Huis and Michael Salihoglu
10/30/2019

The power of perception

How we think is a key piece of cybersecurity, and our mindsets regarding cybersecurity are constantly changing. These mindsets are shaped by many factors, including how we interpret and prepare for cybersecurity threats, whether we believe we could fall victim to an attack, how we perceive what the bad guys are thinking, why they do what they do, and what psychological levers are pulled to dupe victims. Recently, a more sinister problem has been emerging in cybersecurity: a growing numbness and indifference to real threats because of desensitization.

In the past, cybersecurity professionals had to convince business leaders that the threat of a cybersecurity attack was real for any organization. For years, it seemed many executives lived in a state of denial (or willful ignorance), believing that cybersecurity was a luxury. However, as evidenced by trends in cybersecurity spending, it appears they have shifted their collective mindset. According to Statista.com, spending on cybersecurity has more than doubled in the U.S. since 2010, from $27.4 billion to about $66 billion in 2018. Gartner claims that the 2018 figure was closer to $100 billion and predicts that in 2019, U.S. spending will top $120 billion.

Cybersecurity professionals have moved from “It’s not if but when” to “It’s not when but how often.” The regularity of cyberattacks is now much more apparent in the news and in daily life. In 2017, more than 1,600 data breaches were reported in the United States. That amounts to more than four breaches per day and includes only reported breaches, since notification requirements vary by state. The impacts and scale of cyberattacks have become so dizzying that we no longer need to convince people that cyberthreats are real.

Understanding targets

Business leaders often feel exhausted and defeated by the looming threats posed by sophisticated nation-states, organized crime, rogue groups, and even 13-year-old script kiddies. The unfortunate paradox is that the internet is the home and gateway to a vast abundance of cyberthreats, yet it seems impossible to run a business without it.

The seemingly endless ocean of threats can paralyze those who make decisions for an organization. They sense an ominous feeling of blood in the water yet lack clarity about how to stop the sharks from feeding. Some organizations turn to compliance-related measures to at least do something and stop simply treading water. In a sense, they’re just putting on pool floaties – a false sense of comfort from a measure designed to mitigate a different type of risk.

Two important psychological factors are at play here: a lack of understanding and desensitization. Targets of cybersecurity attacks are often vulnerable simply due to a lack of understanding, and some end up in the same boat because they become desensitized to the threat.

Take age, for example. The elderly are frequently labeled as the most at-risk group when it comes to cybersecurity. However, a U.K. Home Office study found that 16- to 25-year-olds “are far more likely to reuse passwords than their parents and grandparents,” thereby increasing risks. This study contradicts commonly held biases about risk-taking by revealing that insecure behaviors aren’t necessarily driven by age. The point is that no matter the age or demographic, the most vulnerable are those individuals who don’t prioritize security.

So what about the second group, comprised of those who are made aware of the risks yet still fall victim to cybersecurity attacks? According to a 2016 study performed by the Rand Corp., “64 million U.S. adults recalled receiving a breach notification in the 12-month period before the survey,” a number that corresponds with 25% of respondents in a 2012 Ponemon Institute study. In 2017, the Equifax breach alone disclosed sensitive information of about 143 million Americans.

Acknowledging security fatigue

Although no single sweeping federal law enforces disclosures to consumers, individuals are constantly flooded by bad news of their private information being revealed publicly. As Dave Frymier, chief information security officer at Unisys, remarked, “There’s a general feeling that there’s little consumers can do to prevent these incidents.” At the same time, consumers ignore data breach notifications altogether. In fact, the 2014 Ponemon “Aftermath of a Data Breach” study reported that 32% of respondents do nothing upon receiving notice.

The data points to desensitization or security fatigue, described in a National Institute of Standards and Technology study as

…a weariness or reluctance to deal with computer security. As one of the study’s research subjects said about computer security, “I don’t pay any attention to those things anymore… People get weary from being bombarded by ‘watch out for this or watch out for that.’”

The mentality of inevitability is an interesting problem in cybersecurity. On one hand, cybersecurity professionals and hackers have finally succeeded in convincing the public and business leaders that cyberthreats are very real. On the other hand, now cybersecurity-related news and warnings are so frequent that individuals take no notice, even when they could possibly help prevent more adverse events.

Another interesting side effect is the organizational attention on response to and recovery from a breach, which aligns with the “It’s not when but how often” shift in thinking. This approach is necessary and beneficial. However, it might imply that proactively securing a company’s assets and removing vulnerabilities is no longer a focus.

Understanding threat actors

What about the people perpetrating these cyberattacks? What is going on in their heads? Why do they select the organizations and individuals that they do? Attackers’ motivations include financial gain, political ideology (hacktivism), and pure enjoyment, or “for the lulz.” The ability to monetize cyberattacks has certainly increased the volume of attacks over time. Threat actors have learned to harvest and sell user data and financial information online and to successfully use cryptomining and ransomware. They even sell the remote access they’ve gained into organizations to other criminals in black-market transactions.

Beyond monetization, however, another suspected cause of the rising number of attacks and threat actors is the communal sharing of hacking knowledge on the internet. In the past few decades, the cybersecurity internet community has blossomed. Now, university-level courses are freely available on the internet for those interested and motivated enough to take advantage of the information.

The combination of two factors helps fuel a continual rise in attacks: the dangerous intersection of the psychological motivations to perform cyberattacks and the readily available tools and knowledge to perpetrate them.

Using psychology to our advantage

How can a better understanding of the psychology of cybersecurity be used to help prevent adverse cybersecurity incidents? Although no perfect answer exists, improving cybersecurity seems to be linked to appropriate sensitization. As Lee Hadlington, a chartered psychologist and an associate professor of cyberpsychology at De Montfort University, puts it, “It’s all about general awareness – a holistic approach to cybersecurity.”

On an individual basis, a psychological tool in the arsenal is positive social influence. Jason I. Hong, cofounder of Wombat Security Technologies, explains in an Association for Psychological Science (APS) article:

"The 'light bulb' moment for me happened one day at my startup," Hong explained. "Two women were talking to each other about a recent event. One said, 'Did you hear what happened to Moe? He slipped on the ice [and dropped his laptop], and now can’t access the files on it.' The other woman said, 'I’m going to back up my data right now.' And she did!

"It immediately struck me that this was a positive example of social influence and behavior change for cybersecurity. I had heard my colleagues in the behavioral sciences talk about concepts like social proof, commitment, and reciprocity for years, and it all crystallized in my head based on this one event that we could also use these kinds of techniques to solve hard problems in cybersecurity."

This scenario demonstrates several psychological concepts, notably social proof – a well-known psychological lever to behavioral scientists. As Alexandra Michel, author of the APS article, notes, “One of the biggest challenges in convincing people to adopt safer cybersecurity practices is that people simply don’t have much opportunity to observe each other’s behavior.” Because our internet- and computer-based lives are so private, it’s harder for us to know which practices are common and what the secure and accepted norms are.

Breaking down the problem

From an organizational perspective, a strategy to aid with awareness and understanding is to break things into manageable, understandable pieces. When we are more knowledgeable about the threats that are most likely to affect us, we are better able to prevent and detect them. Organizations can consider a few initial questions to determine the threat (Exhibit 1).

 

Investing in user education and maintaining a security culture goes a long way. By breaking down the threats, targets, and actions, cybersecurity specialists can help people understand their individual roles and the cybersecurity risks involved in their jobs and interactions with others. They can give people the tools to identify likely threat scenarios, how to detect them, and how to respond. Exhibit 2 gives an example of this thought process:

 

The point is to give members of an organization an opportunity to understand why it’s important they fulfill their security responsibilities. Securing an entire organization is no easy task, but ultimately, it’s a worthwhile one.

Building a mental fortress

As individuals and organizations experience the many facets of cybersecurity in their everyday lives, it’s clear that psychological motivations and effects vary. The ability to improve cybersecurity posture and avoid the slow decay of concern seems to lie in making cybersecurity a digestible, positive experience. If nothing else, individuals and organizations should consider how they think about cybersecurity and about how those thoughts translate into their everyday actions.