Social engineering: psychological attacks

For several years now, cyber security and cyber crisis management experts have understood that the impact of a cyber attack is no longer just economic, technical or reputational, but also psychological. Today, most cyber attacks are the result of human error. In fact, according to a 2018 survey of Deloitte clients, “63% of security incidents originate from active employees in the workforce”, whether intentional or not. With the increasing development of innovative technological solutions to detect and defend against all types of intrusions, cyber attackers have realised that it is much easier to exploit human vulnerabilities than technological ones, turning victims into their unwitting accomplices.

The dual threat: How do cyber-attacks use social engineering psychological attacks?

While technological attacks can be countered with protection solutions, social engineering attacks are much harder to prevent.

The human brain is an organ whose functions are not fully understood and which has a highly distinctive structure. It consists of two distinct parts:

  • An instinctive part that allows us to make quick decisions;
  • A more reflective part that allows us to make rational, logical decisions.

Despite their different roles, these two parts complement each other and enable us to make decisions and take action in everyday life. However, it is important to note that our instinctive thinking can sometimes come back to haunt us, especially when it comes to cybersecurity. When the brain becomes a target and attackers exploit its vulnerabilities, we speak of “cognitive biases”. These well-known cognitive biases represent a deviation in thinking that is devoid of any logic or rationality.

Savvy attackers know that social engineering techniques are more effective when they appeal to human emotions. Cybercriminals often use these social engineering tactics to obtain a variety of personal information, such as login credentials, credit card numbers, bank account numbers or social security numbers. This is often the first step in a larger cyber attack. For example, a cybercriminal might manipulate a victim into revealing their username and password, and then use this information to introduce ransomware into the victim’s employer’s network.

In a phishing campaign, the victim receives fake but seemingly legitimate emails asking them to enter their password, login details, bank card number, etc. This entry point relies on manipulating the victim into clicking on a link to a malicious site. Once they realise they have been tricked into revealing their username and password, victims may feel embarrassed and guilty, and responsible for the situation the company now finds itself in. Psychologically and emotionally, the victim’s self-image and self-esteem are severely affected. Depending on the victim’s personality, reactions can vary widely: fear, shame, embarrassment, anger, etc.

Fighting social engineering with cognitive cybersecurity

The origin of social engineering cyber-attacks is neurocognitive. The solution to effectively combat this phenomenon lies in understanding and analysing the cognitive biases that attackers use to psychologically trap their victims. This is known as cognitive cybersecurity or neuro-cybersecurity.

In order to build an appropriate and resilient defence against social engineering cyber-attacks, it is necessary to better understand the cognitive vulnerabilities exploited by attackers.

What kind of cognitive biases are commonly used by cyber attackers?

  • The temptation of greed: In a phishing email, users may be tempted to click on some sort of link that will supposedly allow them to earn money. Those who click become trapped by their own desires and emotions, which are linked to the temptation to make easy money. In fact, numerous studies have shown that the search for profit mainly activates two key regions of the brain: the amygdala, the emotional centre of the brain, and the reward circuitry, particularly the nucleus accumbens, which is responsible for the sensation of pleasure.
  • Curiosity and indiscretion: An employee receives an email claiming to be an important communication about an internal investigation taking place within the company. The message states that it is necessary to click on a link to access the details of the investigation and find out what steps to take to cooperate. Intrigued and concerned about their involvement in such an investigation, the employee gives in to curiosity and clicks on the link. Curiosity is a complex, information-oriented attitude: curious people seek to discover what they do not yet know (which is logical). According to George Loewenstein, curiosity arises when we become aware of an “absence” or “gap” in our knowledge. This gap creates a sense of lack that motivates us to fill the gaps in our knowledge.
  • Stress: An employee receives an urgent email, purportedly from the CEO, requesting an immediate financial transaction due to an impending crisis. Under stress, the employee bypasses normal verification procedures and transfers funds to an account specified by the attacker. This is known as the attention tunnel effect: attention is focused on the text of the email, while a suspicious sender address is ignored or peripheral warnings are missed.

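As an added example (not from the article), a simple mail-gateway check for the CEO-fraud scenario in the Stress point above: it inspects exactly the sender address that a stressed reader tunnels past, flagging a display name that belongs to a known executive but arrives from another address, a look-alike sender domain, and urgent payment language on top of such a mismatch. The executive directory, internal domain and sample messages are constructed assumptions.

```python
import re
from email.utils import parseaddr

# Constructed sample data (not from the article): the organisation's own domains and
# a directory of executives whose names an attacker might put in the display name.
INTERNAL_DOMAINS = {"example.com"}
EXECUTIVES = {"jane doe": "jane.doe@example.com"}   # display name -> real address
URGENCY = re.compile(r"\b(urgent|immediately|asap|wire|transfer|payment)\b", re.I)

def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike domains (examp1e vs example)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_message(from_header, subject, body):
    """Return the reasons a message looks like executive impersonation (empty = none)."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    reasons = []
    expected = EXECUTIVES.get(name.strip().lower())
    # The human reads the name; the machine compares the actual address against it.
    if expected and addr != expected:
        reasons.append(f"display name '{name}' maps to {expected} but sender is {addr}")
    if domain and domain not in INTERNAL_DOMAINS:
        for d in INTERNAL_DOMAINS:
            if edit_distance(domain, d) <= 2:
                reasons.append(f"sender domain {domain} looks like internal domain {d}")
    # Urgency alone is normal business traffic; it only counts together with a mismatch.
    if reasons and URGENCY.search(subject + " " + body):
        reasons.append("urgent payment language from a mismatched sender")
    return reasons

if __name__ == "__main__":
    # Constructed sample: the "urgent transfer from the CEO" email from the Stress point.
    for r in check_message("Jane Doe <jane.doe@examp1e.com>",
                           "URGENT: wire transfer before noon",
                           "Please transfer the funds immediately, I am in a meeting."):
        print("FLAG:", r)
```

Such a check does not replace the verification procedure the stressed employee skipped; it is a way to put the warning in the reader's focus instead of in their periphery.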

The cognitive causality of attacks is no longer as ignored as it once was, but there is still a great deal of work to be done in analysing what makes an individual psychologically vulnerable to social engineering cyber attacks. The “naivety” of certain employees, or possibly their “corruption” or deliberate intention to harm their company, are not sufficient explanations for unravelling the mechanisms used by attackers. It is vital to understand the “psychological” dimension of the cognitive traps that these hackers set, in order to diagnose them accurately and improve prevention. This understanding of the psychological elements is crucial, as it enables us to understand why an employee chooses whether or not to click on a malicious e-mail.

Key points to remember

As human beings, we are confronted with our own psychological weaknesses and are mainly victims of our psychological and mental state before and during the attack: high levels of stress, lowered vigilance thresholds, and so on.

Some cyber crises can have a lasting impact on employees and organisations and require professional support to understand, decipher and accept what has happened. Beyond the people who have been defrauded by the attackers, this type of crisis can damage teams and make it difficult to resume business.

While a cyber-attack is no longer just the concern of the CISO and IT department, technical teams are on the front line of this type of incident and are faced with operational issues that impact business teams. There are many stages in cyber crisis management where human intervention is essential. It is therefore vital to prepare managers and staff as effectively as possible for this type of situation.

This preparation includes cyber crisis management training and exercises that allow employees to fully immerse themselves in the situation and deal with the direct and indirect effects of a cyber crisis. Beyond the existence of specific methodologies and tools, the success of crisis management depends above all on the ability of teams to organise themselves and act in an unstructured environment. Alcyconie works with social and behavioural science experts to offer specific training and interventions: decision making under uncertainty, stress management, decoding individual and collective cognitive biases at work in a crisis situation. To be ready on D-Day, Alcyconie offers cyber crisis management training and exercises that take into account the human dimension, which is crucial both in terms of interaction between decision-makers and in internal and external crisis communication.
