SoS Musings #54 - The Role of Psychology in Cybersecurity

According to a joint study from Stanford University Professor Jeff Hancock and the security firm Tessian, 85 percent of data breaches stem from human error. This finding, together with Proofpoint's report that more than 99 percent of cyberattacks rely on human interaction to succeed, highlights people as the most effective backdoor into a system, the leading cause of data exposures, and the biggest threat to security. Such statistics draw attention to the need to further incorporate psychology into the realm of cybersecurity. The American Psychological Association defines psychology as the study of the mind and behavior, embracing all aspects of the human experience, from brain functions to the actions of nations. In testimony to a congressional subcommittee, human factors psychologist Anita D'Amico emphasized that psychologists must play a role in the evolution of cybersecurity: while research and development in this area has so far been primarily technological (i.e., creating or improving tools to implement or strengthen security), there is a human factor contributing to the problem that must be addressed through more behavioral research.

Psychologists can contribute to the enhancement of cybersecurity in many ways. Brenda K. Wiederhold, president of the Virtual Reality Medical Center and a clinical psychologist licensed by the California Board of Psychology, authored "The Role of Psychology in Enhancing Cybersecurity," which calls on psychologists to use their understanding of human behavior in the cyber domain to bring about cultural and behavioral shifts towards improved security, both individually and collectively. Wiederhold recommends exploring the behavioral economics that influence how people perceive risk and reward, with one step being the identification of social situations in which individuals are more likely to disregard the risk of sharing private information. For example, a study cited by Wiederhold, "Strangers on a Plane: Context-Dependent Willingness to Divulge Sensitive Information," found that individuals are prone to disclose personal and confidential information in contexts in which privacy concern is downplayed, such as casual conversations or social networks, suggesting that people will be forthcoming with information when sensitive questions are presented informally. Wiederhold suggests that psychologists identify patterns of cybercriminal and malicious activity by observing deviations from normative behavior, and that they work with technology providers to develop security systems capable of detecting such activity while accounting for the psychological distortions that influence privacy decisions. Psychologists should continue to provide guidance to legislators and other groups on the psychological and social effects of cybercrime, so that legislation reaches a level at which cybercrime is weighted similarly to non-virtual crime. A study involving 64 countries, shared by the United Nations Office on Drugs and Crime (UNODC), highlighted variance in legislation across countries as one of the major factors making cybercrime difficult to fight. Wiederhold also points out that psychologists could play a significant role in raising public awareness of cybersecurity risks, adjusting perception and behavior surrounding privacy by going beyond labs and journals and communicating via mainstream media and social networks.

In a paper titled "Incorporating Psychology into Cyber Security Education: A Pedagogical Approach," a team of psychology and cybersecurity academics from Western Sydney University (WSU), Bournemouth University (BU), and LiMETOOLS Ltd discusses including psychology in cybersecurity education to better equip practitioners with the skills needed to address cybersecurity issues. As psychology is a broad discipline, many of its theories, approaches, and methods may have little practical significance for cybersecurity, so the literature must be sifted to identify what can be applied in the cybersecurity realm. The team therefore identified the areas of psychology likely to be most useful and relevant to cybersecurity students, considering the issue in terms of understanding both cyber adversaries and their targets. One important area of psychology the paper relates to cyber adversaries is motivation and group identity. Several typologies of adversaries have been proposed, including Ryan Seebruck's weighted arc circumplex model, which divides hackers' motivations into five categories: prestige, recreation, revenge, profit, and ideology. Making cybersecurity students aware of these varying motivations is important because it improves their understanding of adversaries' behavioral patterns and likely next steps. For example, a hacktivist group executing a Distributed Denial-of-Service (DDoS) attack as an ideological protest has different motivations and takes different actions than a group launching an attack for financial gain. The researchers noted that these motivations and actions are linked to group processes. Although attributing blame in cybersecurity incidents is often difficult, several of the more high-profile incidents that have been thoroughly investigated were found to contain a group element. The paper cites a journal article titled "Social Organization for the Production of Evil," in which social psychological research suggests that being a member of a group changes an individual's behavior and cognition in many ways. These include cognitive biases that lead adversaries to overestimate their own group's ability while underestimating the opponent's skill level, and to make more extreme decisions than they would if acting alone. Awareness that cyber adversaries act as groups, and of the group processes involved, can also inform how cybersecurity practitioners and students respond publicly to attacks and predict the behavior of such actors. Another important area to explore is adversaries' cognitive dissonance over their actions, meaning the discomfort they feel when holding inconsistent beliefs or values. For instance, a cyberattacker may be dismissive of their targeted victim yet still feel some degree of guilt over causing harm to others. Cyberattackers therefore apply various strategies to reduce cognitive dissonance, such as using euphemistic language, blaming their malicious actions on social pressures while minimizing their individual role in group-based actions, minimizing the negative impact of their actions, and vilifying and dehumanizing their targets. Educating cybersecurity practitioners and students about adversaries' common psychological patterns may help them better analyze possible threats and detect actual ones. As for studying targets from a psychological perspective, it is important to look at demographic factors and individual differences to identify which individuals are at particular risk of falling victim to cyberattacks. Victims' group processes and human decision-making processes should also be studied so that cybersecurity practitioners can better determine how to design systems with these psychological factors in mind.

Security professionals must explore the psychological aspects of cybersecurity instead of focusing solely on technological implementations to prevent attacks. The Information Security Forum (ISF) recommends that organizations use psychology to improve employees' security behavior in a report titled "Human-Centered Security: Positively Influencing Security Behavior." This guide helps organizations develop psychological techniques that empower employees to engage in more secure behaviors. It provides guidance on understanding the key factors that influence behavior, delivering security training, designing systems to account for user behavior, and developing metrics to measure behavior change and demonstrate return on investment. Organizations are encouraged to establish more human-centered security programs in order to better understand their employees and develop initiatives aimed at altering behaviors in ways that reduce the number of security incidents caused by human error and negligence. Researchers from George Mason University (GMU), Dartmouth College, and HP conducted a five-year study of the inner workings of Cybersecurity Incident Response Teams (CSIRTs), which led to a framework that applies behavioral psychology principles to strengthen these teams. The team interviewed more than 200 people and led 80 focus groups across 17 international organizations to identify what drives teamwork within and between teams. Through over 50,000 hours of interviewing, data gathering, and analysis, they gained greater insight into what an individual does on a team, the teams individuals represent, and the multi-team system those teams form. The study found that collaboration issues arise because security professionals are trained to hack, investigate, and conduct testing individually. When faced with complex problems and challenges that require collaboration, they are therefore unlikely to have the background and habits that come from working in a multi-team system. The primary focus on technical tools and skills compounds CSIRTs' collaboration issues, with incident response teams often becoming overwhelmed by tools when addressing the technical problems that emerge in security and incident response. In response to the lack of tools for the social and collaboration challenges CSIRTs experience when operating in a multi-group or multi-team system, the research team developed a framework for applying behavioral psychology principles to improve the social maturity of CSIRTs, along with tools to build the skills defenders need to work together more effectively.

Strengthening cybersecurity requires going beyond the research and development of new technology solutions. Understanding the psychological components and processes that drive both ordinary individuals and cyber adversaries is essential to knowing how to enhance existing security systems and methods, or create new ones, that better prevent, detect, and mitigate cyberattacks.