The Psychology Of Cyber Security: How Hackers Exploit Human Bias

Most of us have come across a variation of the classic ‘Nigerian prince scam’ – a thinly veiled email informing the receiver that exorbitant amounts of money have been located and that your bank details are required to ‘release’ these funds. Poor grammar is abundant and the yarn is overly spun.

But many online scams aren’t nearly as easy to identify. Spear-phishing emails – targeted attacks on individuals making convincing use of personal details – are increasingly commonplace. For example, tech giants Google and Facebook were conned in one such attack earlier this year to the tune of $100 million and around the same time, a Canadian University was duped into handing over $11.8 million.

What’s really to blame? Well, for the most part, it’s simply to do with the way our brains are wired.

The lie of neutrality

One of the values we champion in society is the ability to be ‘objective’ – unbiased, logical, and sensible. We want to believe that we are analysing situations skilfully and basing our actions on the correct conclusions: in the stock market, the courtroom, the hospital, at the voting booth, on the road, and online.

The reality of the situation is quite different. The study of how often human beings are irrational earned psychologist Daniel Kahneman a Nobel Prize in Economics in 2002. Our irrationality is equally common when it comes to interacting with technology. We open attachments that we know that we shouldn’t. We click on unsafe links inadvertently and instinctively. Some of us may have even complied with the financial requests of phishing (scam) emails.

What’s the source of this irrationality? Biases. Hundreds of them.

Hacking the mind

One of the most pernicious, particularly when it comes to our behaviour online, is that we’re usually overly optimistic when evaluating our ability at intellectual tasks: otherwise known as ‘illusory superiority’ bias. In one famous study at Stanford University, researchers asked MBA students where they ranked themselves in comparison to others. 87 percent reported themselves to be better than the median. In another, 93 percent claimed their driving skills were above the median level of the population.

In the context of cyberpsychology, everyone thinks they are the equivalent of a cyber genius. In a study conducted at Friedrich-Alexander University, Germany, 78 percent of participants stated in a questionnaire that they were aware of the risks of clicking on unknown links, and yet, when sent a mock phishing email, 45 percent clicked the malicious link anyway.

In fact, studies show that the worse we are at a given task, the more confident we become; our lack of ability deprives us of the skills needed to recognise that lack of ability. Often, those with the poorest cyber security behaviour in organisations won’t bother with their company’s cyber security training; assuming they know it all or their time is too valuable to spend on training. Individuals also often assume that because they have never personally experienced a disaster, they never will: so-called ‘normalcy bias’. In cyber security terms, this typically results in situations where people fail to adequately prepare for, or even consider, the possibility of being victim of a data breach.

These kinds of thought processes often spread like wildfire in workplaces. The psychological phenomenon of ‘information cascade’ (when a person observes the actions of others and engages in the same acts) means that newbies who may come into a workplace with good cyber security practices can end up adopting the poor practices of senior peers. In these environments, once one person leaves a sticky note with their passwords on, you can almost guarantee that others who notice this will begin to do the same.

Hacking the heart

The emotional brain is stronger and quicker than the logical brain. Imagine you’re in a heated discussion with your boss over the behaviour of a colleague, or perhaps you’re overloaded with work alongside family commitments – the classic work/life balance problem. All of these examples can cause the emotional brain (psychologists might call it the ‘amygdala hijack’) to take control of your frontal cortex (the ‘thinking brain’) and therefore possibly decreasing your rational decision-making capabilities. This flaw in the way our brains are wired – emotional bias, or ‘affect bias’ – is keenly exploited by scammers.

Attraction (people are more likely to comply with someone they like), trust (people comply when a request comes from a figure of authority), the need for acceptance (people comply if and when others are doing the same thing), excitement, curiosity, and fear, are all great tools for gaining compliance and encouraging victims to disclose information or click on malicious links.

In getting individuals to part with their money, one of the most commonly used methods to exploit the strength of the emotional brain is the scarcity principle. You’ve no doubt observed this in action at a local shop, where signs exclaim “Hurry! Sales ends Friday”. Things that are difficult to attain are typically more valuable. It’s a principle prevalent in fraud. For example, phone fraudsters try to convince victims that their computers are malfunctioning and are urgently in need of repair.

Double check

Of course, it’s impossible to simply become unbiased and unemotional. But in high pressure work environments where the brain is looking for a quick fix in order to get onto the next task, we need to pay attention to what our brains are really up to. Double check everything.

Is this situation plausible? Is this person who she says she is? Is this link going to redirect me where I think it is? For the most part, the answers to those questions will be yes.

But those extra few seconds could be the difference between staying safe online and losing a great deal of money and reputation.

When the answer is no, you’ll be thankful you double checked.

Behavioural psychologist Tom Cross and CEO of CybSafe, Oz Alashe MBE are co-authors of Tackling the Human Aspect of Cyber Security: The Psychology of a Law Firm.