Security blogs

Conscious vs. Unconscious – the determinants of security behaviour

Introduction

Have you ever wondered why you still fall for simple social engineer attack, even after you have undertaken a comprehensive security awareness training program that looks at cyber security behaviour?

Even more interesting, why can you identify the errors within a phishing email in a training course, yet still fall for the exact same email when sent to you?

Addressing a social engineering attack is often a conscious process, identifying certain characteristics of the email, then checking to see if you feel it is real or fake. When you are distracted, busy, feeling sick, etc., utilising your cognitive abilities often lets you down and you subsequently fall victim to the attack.

This all relates to “conscious vs. unconscious determinants of behaviour”. This can be defined as two distinct but overlapping systems of learning and memory that explain and predict human decision-making, thoughts, and behaviours.

Let’s look at a simple process that we all encounter every day, driving a car. To drive a car, you are primarily driven by your unconscious behaviours, braking, changing gears, steering etc. You don’t consciously think about applying the brakes when you notice the car in front is braking. You automatically apply the brakes. You don’t think about how to turn the steering wheel when turning the corner, you just turn the wheel.

Your conscious processes are used to identify dangers, navigate and ensure that you are obeying the law.

To what degree are people aware of the information that they are processing at any given moment? If people are unaware of these processes, then are they able to control their behaviours?

Both conscious and unconscious processes exert influences on behaviours. We will also try to explain why conscious thoughts about avoiding a social engineering attack are often fraught with issues.

The Conscious vs. Unconscious Mind

Conscious processes have often been considered to be the primary determinants of human behaviours. Approaches and advances in social cognition research over the past few decades suggest that many aspects of our decision-making, thoughts, and behaviours are, in fact, strongly influenced by unconscious processes.

These new approaches have often adopted perspectives from evolutionary theory, which focus on the naturally occurring mechanisms (e.g., intuitions, gut reactions) of these unconscious processes.

Working memory is extremely limited. For example, research has found that individuals can only retain approximately 2 seconds worth of speech while listening to others. Thus, humans must be wary of the amount of mental effort needed to carry out such complex tasks because their cognitive capacity can quickly become overwhelmed by these demands.

However, humans are able to rely on unconscious processes – which are relatively “automatic” that allow them to engage in well-learned behaviours with relatively little conscious/cognitive difficulty and effort.

There are actually a number of benefits that stem from the brain’s limited cognitive capacity. For example, imagine if you were constantly aware of the process of braking your car. Your mind would be quickly overwhelmed by this leaving little room for other functions.

To our advantage, we do not actually consciously experience much of this process because we rely on automatic processes. This basic notion of automaticity describes thought processes that are capable of occurring without conscious guidance (i.e., the process must be unintentional, involuntary, effortless, autonomous, and occur outside of conscious awareness.

In order for a process to become automatic, the process must be extensively practised. That is, an individual must frequently engage in a desired behaviour or task in order for it to become automatic, like awareness training, threat avoidance etc. Repetition of a learned task or process enhances the unconscious capabilities.

As a result, many of the behaviours and cognitive processes that we frequently experience may eventually become at least somewhat automatic.

Conclusion

It now becomes obvious that sending someone to do a training course will not result in a behavioural change. We need to change the process from a conscious decision to an unconscious decision.

Ensuring that all that is required is a trigger within any form of attack, will engage our unconscious abilities and subsequently enable our conscious mind to address the threat.

The trigger could be something like,  “if an email has an attachment, link to be clicked, or asking for personal data to be entered, this fires off a trigger to the unconscious mind that causes a “caution” flag to be raised and hence further conscious attention should be applied to the email.”

You may also like
Security Awareness Training is ineffective!
Here’s how to defend yourself online
Shadow IT Risks and How to Mitigate Them
Why do a Vendor Management Program