Generally speaking, emotions are not a prioritized consideration in the field of cybersecurity. But given the current threat landscape, where people are being targeted over technology, I propose that this needs to change. Getting security professionals to understand the role that emotion plays in driving human actions is key to creating a more holistic and secure defense.
Simply put, emotions are important because they are a driver of behavior. Thoughts and planned goals are not the only factors that make people do (or not do) certain actions - behavior involves a complicated interplay between planning one’s actions (thinking) and reacting to one’s own emotional state. To help people control their own behavior and understand the behavior of others, it’s vital for us to consider emotion as a key component of human factors in cybersecurity.
Emotion as a human factor in social engineering
Cybercriminals began to understand the powerful influence that emotions have on human behavior long ago, and have been able to use that knowledge to their advantage - most commonly, to manipulate people into giving them access to restricted IT systems. Methods include creating a sense of urgency (so that their target panics and does what is suggested to them without thinking it through), or taking a fear-based approach by using real or imagined threats to coerce actions against the best interests of the target. To defend against this, it is important we help others understand what social engineering is and, more importantly, why it works.
Emotion as a human factor in misuse of equipment
Outside of being a vehicle for manipulation, emotions are also an important part of general IT interactions. When tools and software are not user-friendly and individuals experience frustration, this will inevitably lead at least some of them to seek alternatives.
Shadow IT is a serious global issue, and research conducted by Gartner shows that employees know when they're engaging in insecure behaviors. When asked why they still undertook behaviors knowing they were insecure, the primary reasons cited were speed and convenience. This is in fact an emotionally driven response - with the desire to be rid of feelings of frustration outweighing the potential security risks in the moment.
Emotion as a human factor in non-compliance
Emotions can also be a contributing factor in our decision to follow procedure or not. In the aviation industry, events in which someone fails to follow procedure don’t usually arise from a lack of knowledge or from poor quality in procedural documents. Mechanics, pilots and technicians are usually educated and have received sufficient training to do their jobs; realistically, they know the regulations and understand the importance of using the written technical procedures. However, in situations with interruptions and distractions, time pressure and competing priorities, individuals may unintentionally miss a step, or choose to skip steps entirely, in order to complete their work as quickly as possible in a fashion they perceive to be safe and high quality. Fear has also been found to play a role in the under-reporting of incidents, particularly in environments with a poor or weak security culture.
What can you do?
As a security professional, you can turn this knowledge of how our emotions are being used against us to your defensive advantage by incorporating empathy into your security program. Based on multidisciplinary research, Praxis has the following suggestions:
When choosing, designing and/or configuring technology, consider not only whether it does what you want it to do, but also how employees feel about using it. Assess your employees' IT interaction experiences to identify potential weak areas. Do not assume - not everyone in your organization will be as IT literate or as enthusiastic about tech as you are!
Instead of focusing on teaching employees the various software vehicles through which cybercriminals attempt to socially engineer them, consider focusing training on the actual methods of social engineering. For example, rather than focusing on the practical differences between phishing, smishing and vishing, prepare them for urgency- and fear-based interactions. Preparing employees for the emotional aspect of social engineering is far more effective, as it covers all delivery scenarios. Social engineering is, as the name suggests, social. The interaction is what counts, not the method of delivery.
The best way to address both neglected procedures and overly strict procedural compliance is to change the industry culture surrounding how we design and use procedures. Well-designed processes, supported by intuitive and easy-to-follow policies, can reduce friction in the workplace, improve productivity, and provide efficiency savings through optimization.
Need help assessing your organization and identifying areas of friction? Get a free and personalized Security Efficiency report from Praxis Security Labs by completing a short survey that examines the (mis)alignment of your organization today!
Get your report: https://praxissecuritylabs.com/praxis-efficiency-report