What is the relation between cyber security and mental health? You probably think that there is no connection. But don't be too quick with your conclusion. You might be surprised! There is actually a direct link between the two as our mental state affects our behaviour and impacts the way we perceive and process information. Here you might say: "Hang on a second. This all might be true, but how is this related to cyber security?"
Robust research findings (some of which we highlighted earlier in our previous blogs) across many cyber security applications show that current cyber threats are not so much a result of technological advances in adversarial analytics and adversarial AI, but, rather a product of sophisticated social engineering. Social engineering is a rather complex term, which is often used by cyber security experts to describe "malicious activities accomplished through human interactions". These activities may include psychological or even behavioural science-inspired manipulations. In plain English, social engineering is a range of tricks, which adversaries are using to make us do something we ARE NOT supposed to do or to stop us from doing something we ARE supposed to do. And here is where our mental health plays an important role.
Mental health issues range from relatively light to severe, but all of them may impact our propensity to detect and anticipate cyber threats, and, ultimately, in many ways, determine our propensity not only to become a victim of a cyberattack, but also to cause serious damage to others through making (otherwise easily avoidable) risky decisions online. Consider a simple example, which many of us can relate to. What is the propensity that you could detect a simple social engineering attack (say, phishing email)? Believe it or not, but researchers from the University of Greenwich showed that under normal circumstances your chances of detecting a potential social engineering attack is quite high - on average, over 70%. Now, consider your propensity to detect the same potential attack if you are fatigued, stressed, feeling down or even depressed. While research does not tell us what the exact probability of, say, clicking on a malicious link in a phishing email would be, it is clear that the chances of you detecting a cyber threat under these circumstances (e.g., when you are fatigued) will be significantly reduced.
How do we know this? Much research on mental health has demonstrated that even rather common mental health problems such as stress can impact our neural correlates, which, in turn, affect our memory as well as many other functions. This means that even if we have been through the cyber security training, compliance training, and taken special courses on detecting social engineering, when we are stressed, we may have memory lapses that will cause us to click on wrong links, make us forget to check the email origins (email addresses, where the emails we receive originate from) or reply to "obviously" fraudulent messages.
Unfortunately, mental health-cyber security connection is often overlooked by businesses and other organisations, which tend to concentrate on technological solutions, avoiding the human side of the problem or believing that "zero trust" systems will "fix it all". Yet, not only security, but the very survival of every business or organisation to a significant extent depends on the ability of employees to effectively deal with a wide range of issues (including cyber security issues). Naturally, they cannot effectively detect risks if they suffer from mental health issues (no matter how small or insignificant those issues might seem).
During the COVID19 pandemic with frequent lockdowns, mental health and wellbeing issues have become significantly more pronounced. Many parents are faced with increased demands on their time due to changed childcare arrangements; some people do not have an opportunity to leave small flats, which affect their emotional state; many work after hours or have very long working days. All this contributes to the fact that since the start of the pandemic the number of cyber attacks increased by 300%. Hence, unless we do something about the mental health issues now, we will continue seeing more and more successful social engineering attacks in the future.
While systemic response is necessary here, stop and think about your workload and do take your mental health seriously. If you know that you are overworked or fatigued, do take a break. You need it. Remember that by doing so you not only help yourself, but you do make your organisation a safer place. Take care!