Learn how to prevent cybercriminals from taking advantage of users’ minds that are on “automatic.”
When a business experiences a cyberattack, there tends to be a certain amount of finger-pointing. Users are usually blamed, which might be fair, but not always for the most commonly suggested reasons.
Cybercriminals have always used whatever means available to defeat the newest cybersecurity mousetrap or, better yet, avoid it. Right now, that means leveraging human nature.
That may sound nebulous, but it isn’t. “As human beings, we like to believe that our behavior is primarily guided by our conscious thoughts and feelings,” writes researcher in social cognition and neuroscience Maddalena Marini, Ph.D., in her Psychology Today article, The Automatic Mind: How the contents of the unconscious mind guide behavior.
“Decades of research on mental functions have instead compellingly shown that this is not the case: many of our decisions and actions are generated with little consciousness and awareness,” says Marini.
An example Marini gives is one many of us have experienced: Say you’re in a noisy restaurant when suddenly your attention, without deliberate effort, was captured by other information, such as someone pronouncing your name in the room or by important news on the TV.
To put it simply, the human mind is capable of processing information without intentional and conscious effort, which, in turn, can unknowingly influence our behavior. See why cybercriminals might be interested in this?
SEE: Social engineering: A cheat sheet for business professionals (free PDF) (TechRepublic)
What are controlled and automated systems?
The processing portion of the human mind consists of two systems: Controlled systems and automatic systems.
Controlled systems can be defined as the processing of information under the voluntary and conscious control of the individual.
Automatic systems are described as the processing of the information which occurs outside of our awareness and consciousness.
The automatic system is vital to how we react with the environment–for example, the fight or flight response. Marini offers a less dramatic, but equally important example, “When we stand up from our chair in the office to grab a book on the shelf, we know automatically what to do to achieve a fully standing position. We do not think, ‘How should I move my body?’ or ‘Where should I put my feet?’ …we automatically know the situation and the proper process to reach our goal based on our experience.”
“However, sometimes our automatic actions can interfere with our ability to behave in a desired or appropriate fashion,” continues Marini. “Indeed, there are cases in which we might wish our automatic behaviors to be different and more in line with our conscious and controlled intentions.”
What is cognitive automaticity?
If you see a DO NOT READ THIS MESSAGE note in an online text box, most of us will read it anyway because of cognitive automaticity. “Like for all literate people, reading is an automatic process that occurs without any voluntary effort,” adds Marini. “Of course, this is true only for single words or short sentences, but it shows how we do not have full control of what we read and how the automatic processes activated by our mind can be in conflict with our desired and intentional behavior.”
Reading is not the only process the mind uses to automatically input information. Marini adds, “The interference between automatic and desired behavior can involve different mental abilities, including vision, attention, learning and memory, reasoning and problem-solving, judgment and decision making, and even social stereotyping and attitudes.”
Besides environmental inputs, Marini emphasizes our “automatic minds” are active participants in how we perceive and interact with people. That should be a huge red flag to those concerned about how we deal with the various types of cyberattacks such as spearphishing.
What factors should IT security pros consider?
The idea is to use psychology to better prepare users. John Blythe and Carmen Lefevre, research associates at University College, London, in their The Conversation article, How to save the Internet of Things from cyberattacks – with psychology, offer a model of behavior known as the COM-B Model methodology to identify what needs to change to alter a particular behavior.
Interestingly, three factors have to be in place for any behavior to occur: Capability, opportunity, and motivation. “To behave in a certain way, people need to have the capability and opportunity to do so–and be more motivated to do so than behave in any other way,” explain Blythe and Lefevre. “They have to want to perform the behavior and feel that they should.”
The trick, the authors say, is to understand what drives a particular behavior and then come up with ideas on how to change it.
Passwords are a great example. There are still people who do not realize the risk they are taking by not using a proper password–this would be a relatively easy behavior to correct.
The more disconcerting reason for not using a password is that it takes time to set up and is a pain to use. Blythe and Lefevre suggest, “Then we need to increase users’ motivation, perhaps by providing inbuilt incentives to having a password, such as offering additional services and features to users.”
Using psychology is a relatively new approach for cyber defenders, but not cybercriminals, so it’s time to catch up.