The Human Brain is Both a Liability and Asset for Cybersecurity: Here’s Why
We all know the feeling: you spot a link to “unbelievably rare historical photos – in color!” or a video of the “cutest puppies in the world!” and you helplessly move your cursor toward it. The site may look a little suspicious, but you’re an amateur historian – or maybe you just really want to see some puppies. Even people who know better often find themselves drawn to dangerous clickbait, and their curiosity sometimes overwhelms their better judgment.
Hackers prey on the elements of our psychology that can be exploited, such as our natural curiosity and our bias toward sensationalism. However, although certain characteristics of the human brain make us susceptible to cyberattacks, we’re also armed with many cognitive defense mechanisms. While these defenses need to be built up over time, the very same features of the brain that can get us into trouble can help us spot and foil cyberattacks.
Many people mistakenly assume that cybersecurity is all about developing more and more sophisticated digital defenses, from stronger encryption to multi-factor authentication. But the vast majority of cyberattacks involve some form of social engineering – the manipulation of human beings to infiltrate a system and steal data. While technological solutions are important, the most powerful cybersecurity tool you have is in your own head.
How Our Brains Can Put Us at Risk
Let’s stay with curiosity for a moment. Consider all the reasons human beings want to learn and discover new things, from the purely functional (such as studying for a test) to the recreational (historical photos and puppy videos). A study published in Neuron cites some of the drivers of curiosity that scholars have identified over the years, including play, exploration, various types of learning, and even neophilia (a fascination with novelty). It’s clear that we’re hardwired to be curious – just spend a few minutes watching a baby who recently learned to crawl.
But the downside is clear: our eagerness to click before we think is one of the main causes of cyberattacks. According to Verizon’s 2019 Data Breach Investigations Report, one-third of data breaches are caused by phishing attacks, which trick employees into sharing sensitive information. These schemes often take the form of “special offers” or other inducements designed to pique our curiosity. Many hackers also hijack devices through unsecured third party apps, which are irresistible to many curious smartphone shoppers.
We’re also hardwired to form habits, both good and bad. As a study in Personality and Social Psychology Review explains, “Bad habits present significant inhibitory challenges.” The study – which defines habits as “implicit associations between contexts and responses that develop through repeated reward learning” – notes that “Drinking too much, eating too much, procrastinating – all can be habitual responses that need to be controlled.” There are a whole lot of bad cybersecurity habits that need to be controlled as well.
For example, how many employees use public WiFi without a VPN, ignore the update prompts they receive on their phones and laptops (which do more than add new features – they ensure your security is up to date), or download third party apps? It’s easy to do all these things because logging onto public WiFi or clicking “remind me later” on vital security updates is a reflex for most people. But here’s the good news: bad habits can be broken.
How Our Brains are Wired for Security
The whole point of cybersecurity training is to take advantage of our cognitive resources to establish healthy habits. One such resource is the capacity for habit formation itself. After the initial process of educating employees on proper cybersecurity practices, their habit-formation mechanisms are at work every time they repeat healthy behaviors. A study in Psychology, Health & Medicine explains this phenomenon: “Results showed that behavior change was initially experienced as cognitively effortful but as automaticity increased, enactment became easier.”
Beyond reversing all the unhealthy behaviors listed above, the cultivation of responsible cybersecurity habits puts security top of mind. This will make employees more circumspect about suspicious emails and links, sharing sensitive information, etc., and it will make them more likely to use resources like password managers and VPNs. At a time when American adults are spending half of every day interacting with media and the number of connected devices is exploding, this generalized cybersecurity awareness is becoming more and more important.
Human beings are also natural pattern-seekers. There’s even a special term used in psychological research literature to denote how this capacity makes us unique: superior pattern processing (SPP). A study in Frontiers in Neuroscience describes this phenomenon as the “fundamental basis of most, if not all, unique features of the human brain including intelligence, language, imagination, invention, and the belief in imaginary entities…”
When this ability is coupled with effective education about cyberthreats, it turns the brain into a formidable piece of cybersecurity hardware. To take just one example: According to FBI data, the costliest type of cyberattack (by far) is what’s known as “business email compromise,” or BEC. To execute this attack, a hacker will either use a fake email account designed to look like it belongs to a high-ranking figure in a company (the CEO or CFO, for instance), or will actually take over their email account, to manipulate someone else in the company into disclosing sensitive information, making an unauthorized transfer of funds, etc.
How Education Plays a Role in Defending against Cyberthreats
Let’s say a hacker decides to pose as a CEO. He or she could send the CFO an “urgent” email demanding an immediate payment to a supplier or some other entity. By placing the CFO under pressure to act quickly, the hacker makes it more likely that the CFO will transfer the funds into a fraudulent account without verifying the authenticity of the request. The FBI reports that this type of cyberattack cost companies almost $1.3 billion in 2018 and almost $1.8 billion last year.
But if employees, managers, and members of the C-suite are educated about cyberthreats, their pattern-seeking systems can identify and prevent BEC attacks. For example, one of the clearest signs of a fraudulent message can be found in the email headers – if you see a domain name that doesn’t align with the company you’re communicating with, misspellings, long strings of numbers, unknown and unrelated recipients, or any other strange elements in an email header, the alarm bells should be ringing. And even when the email account itself is infiltrated, the attack can be identified by noticing suspicious changes in behavior. If the CEO seems reckless or rushed, or claims to be unavailable for the remainder of the day, his or her colleagues should confirm any request before acting (especially if money or sensitive information is involved). This is another form of pattern recognition.
While the human brain can be a serious cybersecurity liability, it can also be the last line of defense against the increasingly sophisticated cyberthreats that companies and other organizations face. Despite the common impression that hackers only go after vulnerable digital systems, the reality is much more disturbing: they go after human beings. Social engineering is by far the most common type of cyberattack, and hackers are always devising new ways to fool and manipulate people.
However, because human error is so often the problem, human intelligence is the solution. Although it’s alarming how adept hackers have become at exploiting our psychological weaknesses, we should never forget that we have the cognitive equipment to turn those weaknesses into strengths.