Could psychology be the key to cybersecurity awareness? Research points to yes

March 21, 2022 by Christine McKenzie

“In 2020, 93% of cyber attacks started with people instead of technology.” 

This statistic from the research of Dr. Erik Huffman shines a spotlight on the powerful connection between online security and human behavior. Every time someone opens an email or clicks a link, they have to decide whether or not it’s safe to proceed. 

And while firewalls and other technical measures can protect us from many of the web’s darker actors, our ability to think critically and react appropriately is the most powerful weapon of them all. 

When it comes to understanding the psychology of why people fall for cyberattacks, Dr. Erik Huffman is a true expert. As a cyberpsychology researcher, he’s delved deep into the human psyche to answer questions like “why do people fall for phishing emails?” and “are certain personality types more likely to become victims of cybersecurity attacks?” Dr. Huffman shared his research findings and his recommendations in a fascinating session of Infosec Inspire. 

Here are some of the key takeaways outlining what you should know about the relationship between human behavior and cybersecurity. 

Cybersecurity is a decision-based science

When someone opens an internet browser, they’re bombarded by decisions: should I open this email? Should I download this attachment? Is this message really from my boss or someone pretending to be her? The decision-making process is quick, complex, and vulnerable to emotional persuasion. “People, unlike machines, do not often change their behavior in line with logical information: they need PR and propaganda,” explains Dr. Huffman. That means, “We fall for propaganda. The machine does not.” In other words, instead of following a purely logical thought process, people are swayed by their emotions. 

But how does emotional persuasion occur? Dr. Huffman cites a set of psychological principles called the principles of influence: 

  • Reciprocity: People are naturally inclined to give back if given something.
  • Commitment and consistency: People don’t like to give up after starting something.
  • Social proof: People are more likely to trust an individual or organization that others already trust.
  • Liking: Like reciprocity, people are more likely to trust those they know and like.
  • Authority: People are more likely to listen to individuals and organizations they perceive as having authority.
  • Scarcity: The perception of limited resources can cause people to rush into decisions.

The goal is to trigger a powerful, knee-jerk emotional reaction called “amygdala hijacking.” This is clear when you take a closer look at the kind of threat language that phishing emails use. Although these emails are often made fun of for their numerous typos and quirky turns of phrase, they do pack a powerful emotional punch. Some are designed to create a sense of panic or embarrassment (“...we adjusted the virus on an adult website you recently visited…”), while others push a sense of urgency (“...you have 24 hours after opening this message to send us money!”).  

Psychology of a cybersecurity victim

Dr. Huffman has extensively studied the psychological traits that make people vulnerable to being exploited by hackers. To better understand what makes people vulnerable, he points to the Big Five Model for Cyber Victims. These personality traits include:  

  • Extraversion
  • Agreeableness
  • Conscientiousness 
  • Emotional stability
  • Openness to new experiences
  • Impulsiveness

It’s this last trait — impulsiveness — that Dr. Huffman suspects is the reason why ransomware scams are evolving. The scam was fairly cut and dried in the past: we lock up your data, and you pay us to give it back. But modern iterations of the scam have evolved to include threat language that plays on the victim’s impulsiveness and on the principle of scarcity. The script may instead say, “Pay us three Bitcoin within 72 hours — and if you don’t, then it’s going to double.”
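The threat language quoted in the two passages above (embarrassment, a 24-hour deadline, a Bitcoin demand that doubles after 72 hours) maps directly onto the principles of influence, which makes it possible to triage messages by counting how many principles they stack. The following is an added example, not code from the article or from Dr. Huffman’s research; the sample messages are constructed, and the rule wordings and the review threshold are assumptions.

```python
import re

# Constructed sample messages modelled on the threat language the article quotes
# (embarrassment, a 24-hour deadline, a Bitcoin demand that doubles after 72 hours).
# Illustrative text only, not real phishing samples.
SAMPLES = {
    "sextortion": ("We adjusted the virus on an adult website you recently visited. "
                   "You have 24 hours after opening this message to send us money!"),
    "ransom": "Pay us three Bitcoin within 72 hours and if you don't, then it's going to double.",
    "benign": "Hi team, the quarterly report is attached for review at your convenience.",
}

# One regex per influence principle / emotional trigger. The wording lists are
# assumptions chosen to illustrate the idea, not a vetted phishing signature set.
RULES = {
    "urgency":   re.compile(r"\b(?:within|after opening|you have)\b.*?\b\d+\s*(?:hours?|days?)\b", re.I),
    "scarcity":  re.compile(r"\b(?:going to double|last chance|only \d+ left|expires?)\b", re.I),
    "fear":      re.compile(r"\b(?:virus|adult website|recorded|exposed|police|arrest)\b", re.I),
    "authority": re.compile(r"\b(?:irs|your bank|ceo|it department|helpdesk|your boss)\b", re.I),
    "payment":   re.compile(r"\b(?:\d+|one|two|three|four|five)\s+bitcoin\b|\bsend us money\b", re.I),
}


def score_message(text: str) -> dict:
    """Report which principles a message triggers and how many distinct ones fire."""
    hits = {name: bool(rx.search(text)) for name, rx in RULES.items()}
    return {"hits": hits, "score": sum(hits.values())}


def deadline_hours(text: str):
    """Extract the first stated deadline in hours (days are converted), or None."""
    m = re.search(r"(\d+)\s*(hours?|days?)", text, re.I)
    if not m:
        return None
    n, unit = int(m.group(1)), m.group(2).lower()
    return n * 24 if unit.startswith("day") else n


def triage(text: str, threshold: int = 2) -> str:
    """Flag for review when two or more principles fire together (assumed threshold):
    a single trigger is common in legitimate mail; the stacked combination is the pattern."""
    return "review" if score_message(text)["score"] >= threshold else "ok"


if __name__ == "__main__":
    for label, text in SAMPLES.items():
        result = score_message(text)
        fired = [k for k, v in result["hits"].items() if v]
        print(f"{label:10} {triage(text):6} score={result['score']} deadline={deadline_hours(text)} {fired}")
```

A score like this is a training aid for awareness teams, not a spam filter: the point is to show users which principle a message is leaning on before the amygdala hijack takes over.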

Technical knowledge isn’t fail-proof

One of Dr. Huffman’s most surprising findings is that technical knowledge doesn’t necessarily protect someone from becoming the victim of a cyberattack. His research shows that cybersecurity professionals are as vulnerable to phishing and social engineering attacks as everyone else. They’re also just as likely to reveal information to a hacker as non-technical staff. This surprising discovery led Dr. Huffman to the conclusion that “This isn’t a technical issue, it’s a human issue.”

But there is one area where technology professionals prevailed: identifying sketchy websites. Dr. Huffman presented thirty websites to groups of technical and non-technical staff. He found that technical staff were better equipped to identify standard security indicators like Hypertext Transfer Protocol Secure and the telltale padlock icon in the URL bar. This discrepancy shows that standard security indicators aren’t as well understood by, or as useful to, non-technical users.

This is a knowledge gap that security awareness training for all levels of staff can help fill in. (See our best security awareness training article for more information.)

What can cybersecurity teams do? 

One of Dr. Huffman’s recommendations is running a threat appraisal. The cybersecurity team needs to understand its users and what might cause a given user to click on a malware vector. He also recommends running a coping appraisal for all key players in your organization. A coping appraisal will provide your team with the answers to key questions like “If something happened, how would this person cope?” and “Would they react in compliance with the policy?” 

Christine McKenzie

Christine McKenzie is a professional writer with a Master of Science in International Relations. She enjoys writing about career and professional development topics in the Information Security discipline. She has also produced academic research about the influence of disruptive Information and Communication Technologies on human rights in China. Previously, she was a university Career Advisor where she worked extensively with students in the Information Technology and Computer Programming fields.