“We are currently using a number of different solutions and vendors for security products and training… I’m not sure what else can be done?”
That’s often what I hear from IT professionals at potential clients. The tone is usually desperate as despite all the investment in the latest and greatest technologies and the “once a year” data privacy training; the company still gets hacked. In 85% of these cases, user error and unsafe behaviors are usually the root cause of these successful attacks. Even more alarming, a survey on insider leaks revealed that carelessness accounts for 71% of security breaches as opposed to 61 % attributed to malicious intent[i]. In order to address the root cause of these cyberattacks, we need to dig deeper into the “psychology of security”.
The concept of “psychology of security” is often strange to the IT professionals; yet they acknowledge that their users are the biggest challenge. When hackers are unsuccessful at exploiting technical vulnerabilities, they turn their attention to the users. What they scan for are responses to psychological triggers and cognitive patterns that can be easily predicted. Think of these as pre-conceived ideas and heuristic patterns that we tend to have around risk vulnerability and decision making. Let’s take a look at some examples:
Risk exposure: Most people tend to think that they are at less risk than others; and a cyberattack is unlikely to happen to them.
Risk control: Most people tend to think that they can control the outcome if they are the main decision makers. So if a security warning message pops up on the screen and we have the power to decide to bypass it, it gives us an illusion that we have it under control.
Habituation: Over time, frequent exposure to security warning messages causes the brain to pay less attention to these messages and to disregard any potential threats they may signal.
Normalization of deviance: If a user has clicked on a link and has not caused a data breach, he is more likely to repeat this behavior over and over again. It simply becomes the norm.
The path of least resistance: Most people tend to choose the action that requires the minimum amount of effort. Combine that with multi-tasking and scanning a file prior to downloading it becomes the least of your users’ concern.
Unlike IT professionals who are focused on adding more technologies and more barriers, hackers pay attention to the psychology of security. “The art of deception” is no longer an art, but a science that can be explained through cause and effect. Driving people towards safer behaviors cannot be achieved through firewalls or port scanners. In fact, technology-centric solutions tend to drive the wrong behaviors because security is secondary to the task that the user is trying to achieve. It simply gets in the way of executing a task efficiently. And if we factor in the fact that security is usually an “add-on” that tends to be poorly designed, it becomes hard for the user to apply it.
Cybersecurity is about the state of mind that the user has while using the technology as opposed to what technology is being used for. The most successful results are exhibited when we take a system approach where the “human in the loop” is at the heart of the cybersecurity initiative. This system approach is then orchestrated to reduce human error and increase safe behaviors. A well rounded cybersecurity initiative needs to address the following organizational capabilities:
Leadership commitment: Your C-Suite has to signal to the organization the importance of cybersecurity and commit to it financially and strategically.
Organizational structure: Your cybersecurity function needs to be fit for purpose to align with your overall business strategy while allowing for plenty of flexibility to proactively counteract and prevent future breaches.
Operating model: Your cybersecurity efforts need to be directed towards the rest of your organization in a way that bridges the gap between the business and IT.
Talent Management: Your IT security workforce has to be well thought out in advance to acquire the skills and the human resources needed to achieve and maintain a state of cyber resilience.
Culture: Your culture is a direct expression of your users’ behaviors inside and outside the workplace. Achieving a state of cyber resilience has to become second nature and not device dependent.
The strength of your organization to counteract cyberattacks comes from within. We can’t stop users from interacting with the technology, but we can certainly help them make better choices.