Cyber-security and human psychology

Dr Niklas Hellemann at SoSafe explains why human psychology is both cyber-security’s biggest weakness and its biggest strength 


From economic turmoil to geopolitical unrest, the rocketing cost-of-living and the lingering after-effects of the pandemic, the past three years have hit society with a constant stream of distressing crises and conflicts.


Unfortunately, the chronic uncertainty, stress and fear these global events have caused present an excellent new opportunity for cyber-criminals, because a psychologically fragile human target represents an open door.


From ransomware to phishing, they know exactly how to weaponise human emotions and behaviour - which is why today’s innovations in cyber-crime are mostly psychological, not technological.  


Take Lapsus$, for example: the notorious cyber-crime gang is known both for its high-profile attacks on government, big tech and corporate targets, and its trademark menu of social engineering tactics including bribery, extortion, phone-based phishing, and a multitude of other methods for leveraging insiders from an organisation to gain access to sensitive, compromising information and demand ransoms.


Cyber-crime is now a highly professionalised business model with the resources to invest in extensive research and development; tactics and strategies are adapted minute by minute, and criminals use these new insights for even more successful, profitable cyber-attacks. But while Lapsus$ is an incredibly technologically sophisticated group like many of its peers, what sets it apart is the fact that its primary attack strategies are focused on the ‘human layer’ of its targets.  


The fact is cyber-criminals are hacking our brains. They are masters of human psychology who exploit weakness, target emotionally vulnerable people by taking advantage of their heightened emotions and use psychological tactics to manipulate them.


And it’s working: according to SoSafe’s Human Risk Review, one third of users click on harmful content in phishing emails, and - shockingly - half of them go on to enter sensitive information. Subject lines such as "Damaged car" and "Teams invitation" are the most likely to tempt people to open, click or enter personal details, and employees are particularly susceptible to tactics that trigger emotions like pressure, authority, and financial appeals.


Our data also shows that today, emotional manipulation tends to result in higher click-through rates on phishing emails than in previous years - and that users today are more vulnerable than ever to attacks that tug at their heartstrings.   


With the vast array of options now available to cyber-criminals, their capacity for creating highly personalised attacks has grown exponentially. Current events act as a catalyst for waves of successful cyber-attacks. AI can be used to generate convincing images, videos, and voices to impersonate colleagues and bosses, and with a diversifying list of channels and platforms used in everyday life, criminals are surprising users with attacks in channels they least expect.


Our data shows that while email (61%) is still the most used channel, hackers now also exploit social media (34%) and even collaboration tools used in the workplace (28%) to launch their attacks.


These highly creative, cutting-edge, and constantly evolving attack strategies are the new normal, and with the dawn of mainstream generative AI attackers can exponentially scale their success rates: our data shows that AI-written phishing emails were opened by 78% of humans, with 21% going on to click on malicious content within (such as links or attachments). 


The cyber-security awareness gap is expanding by the day: cyber-criminals are operating on a scale never seen before, while employees and everyday internet users are struggling to keep up with their speed of innovation, having never been more vulnerable to emotional manipulation than in current unsteady times.


In the relentless battle against cyber-crime, continuous and timely awareness is paramount; as cyber-criminals continuously professionalise their operations and adapt to new circumstances, we must match their level of innovation.


But traditional cyber-security training is simply no match for today’s threat landscape. The key is to tap into the profound influence of human psychology and behavioural science to beat the hackers at their own game.


Users can be empowered to adopt secure habits in the digital realm via dynamic "micro-learning" and in-situation awareness tools, reducing risks, enhancing productivity and crucially, keeping pace with the rapid evolution of career cyber-criminals.


Regular "nudges" and gamification techniques help drive engagement and habit building, amplifying the impact of security initiatives. It’s more than just imparting knowledge; it’s about empowering people to make lasting changes in their habits.

Cyber-criminals constantly adapt and professionalise their operations, exploiting our increasingly technology-dependent society as well as a population emotionally worn down by a steady stream of disturbing news and events.


But by keeping employees trained and informed, organisations can enhance their resilience to attacks, with this proactive approach ensuring employees are at the forefront of security innovation and are equipped with the knowledge and skills they need for digital self-defence.  

Dr Niklas Hellemann is a psychologist and CEO at SoSafe 
