Cybersecurity as a Behavioural Science: Part 1

Why Cyber Security Is About Human Behavior?

There is a great deal of information online about human behavior and cyber security, and it is easy to get lost in it. So, I decided to write a short series of posts on cyber security as a behavioural science (#cybersecasbehavioralscience). This first post answers a simple question: why is cyber security about human behavior and not so much about technology?

Why should organizations take human aspects of cyber security seriously?

In our recent book with Mark Skilton, we looked at the concept of cybersecurity as a behavioural science, although the concept itself was introduced by earlier research – see, for example, the work of Debi Ashenden, Karen Renaud, and Peter Cooper (I am sure there are other great people who have talked about this, but these 3 are my role models, so please forgive the personal bias). The main advantage of looking at cyber security through the prism of behavioral science from the organisational perspective is that behavioral science allows us to consider cyber security risks and vulnerabilities across different dimensions, and suggests ways to discover new risks and vulnerabilities by looking at the wider ecosystem of issues beyond data and technology.

Behavioral science (#behavioralscience) focuses not only on how new #risks and #vulnerabilities can be detected, but also on how humans perceive them and how those perceptions can misrepresent the actual threats, leading to under- or overreaction when responses to threats are formulated. As behavioral scientists, we also look at how the ability to anticipate new risks and vulnerabilities can influence business models and business model innovation. Essentially, behavioral science can be viewed as a gateway that empowers businesses to apply a new human-centered vision to cybersecurity problems in order to detect risks which they have not encountered or anticipated before. Furthermore, these risks and vulnerabilities must not only be detected, but also effectively communicated. Behavioral science also aims to demonstrate how effective communication can help build secure and safe human-cyber spaces in the new digital economy.

Technology or psychology?

It is certainly true that technology is an important tool for cybercriminals, but looking at the types of threats and their history, we found that many of the currently used types of threats (with several notable exceptions, such as Blockchain-related attacks or AI-informed attacks) have existed since the 1960s, 1970s, or 1980s. So, what we observe now (again, with several exceptions) are often not new types of threats; these are essentially old threats “on steroids”. But the increased impact of these threats is mostly not due to the development of #technology, although the technological component does play a role. It is due to the increased use of hybrid scams where social engineering (#socialengineering) and psychological impact are the main methods employed by cybercriminals.

With over 90% of successful breaches worldwide starting with a phishing email, it is clear why cybercriminals concentrate on psychological tools for planning and implementing attacks. With technological advances in the area of cybersecurity becoming more and more sophisticated, humans remain the weakest link.

The feel of security does not equal security!

In 2012, the renowned film director Jake Schreier released the movie “Robot and Frank”, based on Christopher Ford’s screenplay, in which Frank (Frank Langella), an ex-jewel thief, takes his AI healthcare robot on a heist job. The pair target the most expensive house in the neighborhood, which seems to have the most sophisticated security system. Yet Frank explains to his AI companion that “Every security system is designed by security companies, not thieves. It's not the question of if a thief can break in, it's how long. They place all the heavy systems where their customers can see them. They're selling the feel of security.” Frank then explains that one could spend weeks preparing for the robbery, trying to decipher the highly advanced security system and attempting to disable the alarms. Yet wouldn’t it be much easier to just ring the doorbell and wait for someone to open the door?

Which cyberthreats use social engineering?

If we consider various cybersecurity threats and how they depend on human (victim) psychology, we obtain the psycho-technological matrix of cybersecurity threats.

Psycho-Technological Matrix of Cybersecurity Threats

(c) Pogrebna and Skilton, 2020

On the vertical axis, we show the technological component necessary to ensure the success of a given cyberthreat. The technological component might rely on physical systems, digital (cyber) systems, or both. The technological component is mapped against the psychological component, which captures the degree of a threat’s reliance on the “cooperation” of human victims. In other words, the psychological component depicts whether, and to what extent, tricking people into doing something through social engineering is necessary for the threat to succeed. The psychological component is presented on the horizontal axis and shows that, at one extreme, a cybersecurity threat’s success can be completely independent of human psychology, while at the other extreme, human involvement may be essential for the threat to succeed. There is also a space in between where certain threats can be either independent of or very dependent on the “cooperation” of humans.

For example, phone phreaking can in principle work without any involvement of human psychology and can operate in the physical rather than the digital domain. At the same time, a DDoS attack requires digital technology but does not rely on human psychology. Threats like Cyber Terrorism may in principle not rely on human psychology and can use either physical or digital tools. For a range of threats, the psychological component is often needed although it is not essential. For example, in the physical domain, stealing a device may involve playing tricks on a particular individual, but it can also be done without involving this individual. In the digital domain, an individual’s password can in principle be broken simply using Password Brute Force; yet it often helps to know something about this individual, or even to trick this individual into revealing sensitive information which would help the hacker guess the password. Identity theft may be accomplished physically (by making a simple telephone call) or through digital means, but it often requires at least some human cooperation.

For a number of threats, human psychology is the key component which ensures success. In order to manipulate the prices of various bitcoins (Blockchain Price Infliction), one has to influence market price expectations. This is achieved primarily through physical rather than digital means, particularly by convincing influential media to channel “fake news”. Threats like viruses use digital means but require human involvement, as the user has to open an email attachment, click on a link, or visit a website in order to set the virus in motion. Threats such as phishing may use physical or digital tools but rely heavily on social engineering.

So what have we learned about cyber security and human behavior?

Note that of the 9 areas of the psycho-technological matrix of cybersecurity threats, only 3 do not involve human psychology, while 6 either may to some extent rely on human psychology or have human psychology as a key factor. This shows that social engineering is an important component of the majority of successful attacks, making the weak spots of human psychology the major weapon of cybercriminals. I hope you are now convinced that cybersecurity is a behavioral science, but even if not, check out this blog next week for subsequent posts on this topic!