The Complexity of Human Behavior in Cybersecurity: From Threats to Defence
In cybersecurity, human emotions and behaviours are not just peripheral factors; they are vital elements in the continuous battle against digital threats. Human traits such as fear, trust, and curiosity act as both vulnerabilities and safeguards.
By Daniel Kelley
2024-01-29
How Human Behaviour Can Lead To Threats
Cybersecurity threats are constantly evolving as threat actors get more creative in exploiting human behaviour and psychology to carry out attacks. The human element often unintentionally enables many cybersecurity incidents. However, comprehending these tendencies also presents an opportunity to implement robust defences.
This blog post examines the most common ways human behaviour and mistakes become cybersecurity risks, provides a real-world example, and suggests strategies to foster a culture where employees recognise their responsibility in safeguarding information.
The Double-Edged Sword of Human Behavior
According to Verizon's 2023 Data Breach Investigations Report (DBIR), 74% of all data breaches involve the human element (page 8). Email serves as the attack vector in 98% of all social engineering incidents, which include widespread phishing campaigns (page 33).
These alarming statistics highlight the exploitation of human psychology by threat actors to orchestrate precise and sophisticated attacks. Through creative techniques, they manipulate individuals into compromising security by either disclosing confidential information or engaging with malicious content.
Common Threats Due to Human Behavior: A Closer Look
Understanding human behaviour's role in cybersecurity means recognising common threats that often originate from simple mistakes or misunderstandings. Here are some of those threats:
- Phishing Attacks: These occur when attackers impersonate trustworthy sources to trick people into revealing personal information. Phishing often uses email and can lead to identity theft or financial loss.
- Social Engineering: This broad category includes tactics like pretending to be tech support to gain access to your computer or using personal information to gain trust and extract sensitive data. It's all about manipulation and exploiting human nature.
- Insider Threats: Sometimes, the risk comes from within an organisation. Employees may accidentally mishandle data or, in rare cases, intentionally cause harm. Both scenarios can lead to significant security breaches.
- Password Compromise: Using weak or repeated passwords across various sites is common, and it makes it easier for attackers to gain access to multiple accounts. Educating employees about strong password practices is vital to protect information.
- Third-Party Risks: Working with external partners is common in business, but if those third parties don't follow secure practices, they can become a weak link in your security. It’s essential to verify the security measures of partners and vendors.
These types of threats, which target human emotion and behaviour, emphasise the significance of continuous education. Let's dive into a real-world example that effectively illustrates the impact that can occur.
Example: $100M Google and Facebook Spear Phishing Scam
The $100 million Google and Facebook spear-phishing scam refers to a fraudulent scheme that took place between 2013 and 2015, orchestrated by a Lithuanian man named Evaldas Rimasauskas. He targeted two of the biggest tech companies, Google and Facebook, by creating companies in Latvia and Cyprus that had the same names as legitimate companies in Asia with which both tech giants did business.
Rimasauskas forged email addresses, invoices, and corporate stamps to make the requests for money appear legitimate. He then sent spear-phishing emails to employees at Google and Facebook, directing them to wire payments for real services to the bank accounts of his fake companies. Both Google and Facebook complied with the requests, thinking they were paying legitimate vendors. Over a period of two years, around $100 million was transferred to Rimasauskas' accounts.
Eventually, the scheme was uncovered, and legal action was taken against Rimasauskas. He was arrested in Lithuania in March 2017 and later extradited to the United States. In 2019, Rimasauskas pleaded guilty to one count of wire fraud, agreeing to forfeit about $49.7 million. In July of the same year, he was sentenced to 5 years in prison and ordered to pay restitution of $26.5 million to one company and $20 million to another.
What Does This Incident Teach Us?
This incident teaches us that even technologically sophisticated companies like Google and Facebook can fall victim to spear-phishing and wire fraud scams. The success of the scam underscores the vulnerability that lies in human error and judgement, highlighting the need for continuous education of employees, human oversight, and the development of procedures to validate and authenticate requests, even when they appear to come from trusted sources.
Creating a Cybersecurity Culture Through Employee Training
Understanding human traits is not just a tool for attackers; it can also be harnessed to establish solid defence mechanisms within companies. The key to success lies in fostering a culture where every employee recognises their role in cybersecurity. Employees must take care in their daily decisions, understanding that those decisions contribute to the overall state of security.
Here are some strategies that companies can employ to create a culture where cybersecurity becomes everyone's responsibility and a matter of personal importance:
- Emphasise Personal Relevance and Connection to a Bigger Picture: Make employees aware that cybersecurity is not solely about protecting company assets. It encompasses safeguarding their personal information, job stability, and the well-being of their colleagues.
- Utilise Gamification Techniques: Transform training into interactive, engaging, and competitive experiences. Through games, simulations, and challenges, employees can gain firsthand experience of how easily an attack can occur. Leaderboards, achievements, and rewards can enhance engagement.
- Illustrate Real-World Consequences with Storytelling: By highlighting cases where real people have suffered significant losses and narrating them in a compelling manner, companies can instil a sense of urgency and importance. Stories that resonate on a personal level will leave a lasting impact.
- Provide Hands-On Training and Interactive Scenarios: Simulations that mirror real-world cyber threats enable employees to comprehend their own vulnerabilities and the critical role they play in defence. This fosters empathy and understanding towards the broader mission of cybersecurity.
- Reward Compliance and Encourage Feedback: Recognise those who excel in training modules, adhere to proper protocols, and contribute to a safer cyber environment within the company. Encourage feedback to continuously adapt and improve the program.