Psychology-aware security is effective security
As CEO and founder of RevolutionCyber, Juliet Okafor helps organizations move from cybersecurity awareness to adoption and offers fractional business information security officer (BISO) services. Okafor, who is also an attorney with a background in communications, focuses on the human component of building a cyber-resilient organization. She says she draws on marketing and sales principles that convince people to make a purchase or take an action.
“They’re selling someone on making a decision they wouldn’t normally make. Cybersecurity is the same. You’re convincing people that cybersecurity is part of their job. And to do that, cyber must use psychology. It demands psychology for it to be effective,” Okafor says.
Like a marketing professional, Okafor has developed and uses personas to help her fine-tune the cybersecurity messages she delivers to individuals. Those personas consider their roles, their motivations, how they prefer to learn and other factors. “When we do this, we can personalize campaigns, we build better awareness and we better mitigate risks,” she says.
Okafor says cyberpsychologists have also used their training to identify enterprise vulnerabilities. She points to research showing that people’s more rushed behavior at certain times of day, such as just before lunch and right before leaving, makes them more prone to click through emails, including phishing messages. (Cyberpsychologists call such rushed moments a “hot” visceral state.)
Security teams that understand this dynamic can act on that information, she says, for example by adjusting their security information and event management (SIEM) platform to create more gates for emails to travel through during those times.
Cyberpsychology works in training, too
Okafor has also applied psychology to training security teams, having worked with companies looking to improve their incident response times. She used competitions to train teams and asked winners to share their strategies — the former leveraging security workers’ typically competitive nature and the latter leveraging their motivations to do good and be seen as trusted stewards. As she explains: “It’s taking what you know about how people work and creating policies to make sure the right controls are in place.”
Christie Wilson, cyber resilience manager with UniSuper, says she, too, is bringing psychology into her organization’s security program. Wilson, who has both a bachelor’s degree and a post-graduate diploma in sociology, says she’s working to “analyze and predict human interactions, motivations, and vulnerabilities, which are important considerations for protecting against cyber threats and designing effective security measures.”
Wilson says this has helped her develop awareness training that better resonates with people and helps them better understand why they need to buy into the company’s cyber resilience program.
People are an attack vector, not a weak link
This mindset has even brought Wilson to adjust her thinking around people as “the weakest link.” “People aren’t the weakest link,” she notes. “They are the primary attack vector. It’s important we understand this when creating awareness and training content. As security professionals, we need to put ourselves in our people’s shoes. Security might be the most important thing in the world to us, but for others it can be anything from a blocker to something they never consider.”
She adds: “Understanding that behavior change needs motivation, ability, and prompts has been a key component of our cyber resilience program.”
Blythe says the most effective way for CISOs to incorporate psychology into their security program is to bring a cyberpsychologist on board, saying “A cyberpsychologist would know what the science is and how it works.”
Others agree, but they acknowledge that’s a big ask, and one that’s hard to do. For one thing, there are few people trained in the discipline. Cyberpsychology, which focuses on how the mind reacts when people interact with technology, is still a relatively new field, Hadlington says. Moreover, not all cyberpsychologists and cyberpsychology programs focus on cybersecurity. CISOs already working with slim budgets may not have the money for such a position.
Still, interest in and information about the intersection of psychology and cybersecurity are spreading. Hadlington is taking a “train the trainer” approach. Huffman researches and speaks on the topic. And institutions are adding courses in this space; for example, the SANS Institute, a training organization, is running a Managing Human Risk Summit in August 2023, which will address in part the psychology factor.
Adding psychology to the security department
Experts say CISOs can learn to layer psychology into their security programs to boost the effectiveness of their work. To start with, Hadlington and Huffman both recommend that CISOs engage in more communication. They should ask workers about where they struggle with security controls, why they circumvent security policies, why they clicked on the link in a simulated (or real) phishing scam, what would motivate them to be more security-minded, etc. Then they should address those human elements.
CISOs should also empower workers with ways to solve their challenges and also clearly articulate the ways workers make a difference in security. “That feedback loop is really critical,” Hadlington says. “People want to know ‘Why am I doing this? What’s in it for me? Am I helping the organization? Is what I’m doing effective?’”
Additionally, Huffman says CISOs can work with their marketing teams to learn techniques for influencing behavior. And, as marketing does with the messages it sends to its audience, Huffman says security can personalize security awareness and training.
Address issues that create a ‘psychological hot state’
CISOs can also work with their executive colleagues to address cultural issues that foster that psychological hot state, Huffman says, noting that a workplace where employees are constantly worried or unreasonably busy “gives hackers another advantage.”
Lance Spitzner, director of research and community at the SANS Institute, says he advises CISOs to take a broader view of this topic, applying psychology and behavioral sciences to affect not just individual workers but organizational behavior as a whole.
“You’re trying to create an environment in which humans exhibit strong security behaviors,” he says. “To secure organizations, we need to secure people. And to secure people, we need to change their behaviors. And to change their behaviors, we need to both motivate and empower them to change. That’s where the cognitive sciences come in.”