About.

Stefan Sütterlin is a Professor of Cyberpsychology at Albstadt-Sigmaringen University (ASU). His research currently focuses on human-computer interaction (HCI), the psychological aspects of IT security, cybercrime, political disinformation, experimental psychology and the effectiveness of awareness trainings. He is a member of the Executive Academic Board of the EU Commission’s European Security and Defence College.

Professor Sütterlin, do you have any concrete examples that show the interaction of IT security and psychology?

Of course, we just have to look at the Prevalence Paradox. It exemplifies what happens when a company deploys sophisticated e-mail security. Only one piece of software can have the effect that hardly any phishing mails reach your employees’ mailboxes—this is great, and exactly what companies want to achieve. The problem here, however, is that users lose touch with these mails and forget how to act in the event of danger. This makes them susceptible to clicking on the wrong thing. Something that, according to experimental research, is so detrimental that it negates the positive effects that come with technical progress, making companies more vulnerable than ever before.

Does this mean people pose the biggest security risk for companies?

Yes. But, psychologically speaking, this would be an unadvantageous way of introducing the topic to employees. It’s like saying “You’re the problem”. If I tell my employees that they’re the problem, they won’t want to learn or change their habits. Instead, companies should be clever and motivate their employees to become a part of a defence strategy—a human firewall. The first line of defence against cyberattacks.

Definition of cyberpsychology.

Cyberpsychology is a subdiscipline of media psychology, also referred to as internet psychology, computer psychology or web psychology. The focus of research is on the interaction of humans with the digital world through computers and other digital devices, as well as the inherent psychological processes, effects and behaviour of the users. Researchers are trying to find out what impact everything digital has on individuals and society as a whole. They also analyse the opportunities and vulnerabilities that the virtual world offers.

Are there people who are especially at risk of cyberattacks?

That’s hard to say because most phishing attacks are distributed evenly among companies. In the case of spear phishing, which is a targeted attack on individuals, people from IT departments who are close to the CIO or CISO are interesting targets because they often have the most permissions and represent the easiest way into the network.


You mentioned positions. Are there people who are especially targeted due to having certain characteristics?

Generally speaking, everyone is at risk, because most people tend to trust rather than remain sceptical. And this is what cybercriminals exploit. The basis of their strategy can be found in the teachings of US psychologist Robert B. Cialdini and his six principles of persuasion: reciprocity, scarcity, authority, commitment and consistency, consensus/social proof, and liking.

How does this play into the hands of hackers?

They combine this knowledge with the ‘big five’ from personality psychology—openness, conscientiousness, extraversion, agreeableness, neuroticism. For example, cybercriminals will evaluate social media profiles of potential victims and notice that they have posted a lot of photos from various activities, which are visible to the public, many of which are selfies. They might come to the conclusion that this person is an extroverted personality. The large number of selfies may even indicate that the person is a narcissist. This can be a great entry point, especially when the person in question is in a higher position. Let’s take a professor for example. All I have to do is send them a phishing mail with the subject matter “You have been quoted” with a link to the alleged quote. Boom—I’m most likely in. I call narcissism the master switch.

What can companies do against these simple but effective exploits?

Regular trainings can reduce the likelihood of successful phishing attacks by 20 to 80 per cent. Long-lasting security campaigns have been proven to have the most permanent effect. Employees show improvement even after the tenth training. On the other hand, this spectrum is so broad that you can do a lot of things wrong.

Are we talking about awareness trainings?

Yes and no. This is the label that is given to this kind of training, but awareness alone doesn’t do the job. Knowledge alone has not prevented any attacks. Employees are often swamped with information on the right behaviour, but often with the wrong approach. These trainings often start out with live hacks, which demonstrate to employees how important the topic is, but also confront them with its complexity. This intimidates them, and intimidation doesn’t help people learn. And since most mistakes don’t have direct consequences, they become desensitised towards the imminent threat, which they don’t understand anyway.

What should companies do instead?

Skills and knowledge should be tested before starting a training. On this basis, you can create clusters that contain the right courses. How the training is structured also plays a role. This is where cyberpsychology comes in again. We know how people can be motivated and how gamification can be implemented to achieve success in a playful manner. The trainings have to lead to a change in behaviour that becomes second nature to the employees. Only then can they have the desired effect.

This is an excerpt of an article in the print edition of Bechtle update 02/2018.
