To err is human. It’s a simple truth, and hackers know and exploit it every day. Contrary to the picture Hollywood paints, cyberattacks are not grandiose events executed by criminal masterminds who drop in on a string to hack networks. Research from Verizon’s DBIR shows that 82% of all breaches are caused by mistakes people make in the course of everyday work.
Traditionally, cybersecurity has focused on protecting systems and information. But as the data makes clear, it’s not simply just the networks that need protection, it’s also the people using them. By the numbers, just 10% of attacks are the result of vulnerabilities, while 50% stem from credential harvesting, 20% from credential stealing, and 20% from phishing. To effectively thwart them, cybersecurity teams have to shift their mindset and prioritize people over devices. And there are three ways to do this:
- Understand the adversary.
There are plenty of tactics, techniques and processes (TTPs) that security pros can use to detect and respond to cyberattacks. And they work – as a second line of defense. The first line comes in understanding what makes hackers tick. And here’s where cyberpsychology comes into play.
Broadly defined as the study of how humans interact with machines and the emotional effects this has on the brain, we can use cyberpsychology to uncover why and how bad actors do what they do, and most importantly, what they may do next.
While attacks have become more prevalent, likely associated with the continued growth of technology adoption and not the increase in adversarial capabilities, the way attackers operate hasn’t changed much. Verizon’s research shows that over the 15 years of the report, human errors remain at top for vectors of malicious activity. Paired with neuroscience research that suggests the human brain will always take the easiest path, we can begin to see why errors continue to lead as the reason for breaches and why the adversary has been slow to adopt more advanced capabilities.
Traditional focus point motives like MICE: money, ideology, coercion, and ego, still apply to the underlying reason attacks happen. However, by countering motives such as making an attack difficult or not worth the investment, cyberpsychology potentially shows that focusing security efforts of prioritizing ease of entry may have a better ROI for businesses. Most act in predictable ways that once understood, we can use to stop them in their tracks, and leveraging cyberpsychology, organizations can gain such insights.
Security teams can apply cyber deception techniques internally to see how threat actors operate and what they’re using to try and access within the company’s deception capabilities. We can use the same tactics externally to watch for new vulnerabilities and prevent attacks before they occur. Security pros can deploy and monitor capabilities that look like corporate applications on the open internet to see if hackers attempt to gain access, their precise location, and what infrastructure they are using.
It’s possible to exploit even the most savvy users. To prevent this, companies need to invest in understanding the cyberpsychology of their workforce as well. People don’t generally come to work and look for ways to introduce errors into what they are doing. They’re simply overwhelmed and processes break down.
Statistics show that the average employee uses 16 different applications a day to get work done. And then there’s Slack, Microsoft Teams, emails, text messages and a host of other applications and messages going on around them. They’re trying to keep pace, but they’re being pushed to do more and work faster. And that’s when mistakes happen.
This loud, always-on environment creates the leading cause of poor performance levels: cognitive overload. Cybersecurity analysts are faced with too many tasks and too much information to properly do their jobs – and the mental stressors behind these challenges are often the critical catalyst for missed red flags and careless practices.
To solve the problem, organizations need to put the same amount of energy into figuring out why alerts are missed as they do in determining why attacks happen. And after locating the root cause, they need to prescribe corrective actions as opposed to pointing fingers and punishing offenders.
As an industry, cybersecurity has been heavily focused on broad-level implementations that check all the boxes – from risk and incident management to network security, malware prevention, and everything in between. But to succeed, organizations must narrow their scope. Security teams need to limit the attack paths. And to do this, defenders need to double down on detection and finding stolen credentials. They need to monitor the open internet, look at phishing and use what they uncover to build threat models and cohesive capabilities that point the way forward.
A significant number of the attacks we see today are the result of stolen credentials, which means it’s essential to crack down on the human side of cybersecurity. Historically most organizations have been much too tactical in how they think about defending against threats. Bringing in someone like a cyberpsychologist can help teams with stepping back, more broadly understanding the adversary and seeing the proverbial forest through the trees.
Cybersecurity incidents are escalating immensely. And the threat actors behind them are much smarter today. But so too are the tools available to combat them. Cyberpsychology isn’t just a buzz word. It’s a real way to build systems that take human error and cognitive vulnerabilities into account. And organizations that invest in it can outsmart the bad guys and prevent malicious attacks.
Mike Saxton, technical director, defensive cyber operations, Booz Allen
