On the surface, psychology and cybersecurity may not have that much in common. Upon closer examination, both psychology and cybersecurity are intricate systems that analyze the vulnerability and logic of a particular network or structure. The security and stability of each structure rely on the strength of your analysis, critical thinking and consistent maintenance. Psychology looks at our brain chemistry, personality, thoughts and social behaviour. Cybersecurity looks at the infrastructure of our computer networks and defence systems. To ensure systems are in good health, both psychology and cybersecurity professionals require expertise, insight and ongoing professional development through cybersecurity courses or other continuing education courses.
How do you approach a problem or vulnerability in the system? Both psychology and cybersecurity require a methodical process and careful analysis to find an appropriate, sustainable solution. Your process should typically include the following steps:
- Investigate a vulnerability or challenge within the system
- When appropriate, identity and diagnose the problem
- Document the investigation and your findings
- Brainstorm possible solutions and action items
- Implement a solution to support the stability and effectiveness of the system
- Create an action plan for ongoing maintenance and support
- Revisit the vulnerability as needed to ensure ongoing effectiveness
Why is it helpful to learn about psychology and behavioural theories in relation to cybersecurity? Consider the power of social engineering. In their article about the social psychology of cybersecurity, authors John McAlaney, Helen Thackray and Jacqui Taylor argue that “cybersecurity attacks are increasingly based primarily on social engineering techniques.” What does this look like in practice? Phishing emails and online identity theft are perhaps the most obvious examples of social engineering in the context of cybersecurity. These types of scams play off our natural fears, creating a sense of urgency and panic which seems to require immediate action. The resulting fear increases the risk of human error. McAlaney, Thackray and Taylor argue that the phenomenon of social engineering relies on “the use of psychological manipulation to trick people into disclosing sensitive information or inappropriately granting access to a secure system.” One of the greatest vulnerabilities in any cyber defence is human error and manipulation, regardless of how strong your network is.
The reality of social engineering as a threat to cybersecurity is echoed by academics from around the world. In their article on dissecting social engineering, Finnish educators Pekka Tetri and Jukka Vuorinen identity three distinct areas of social engineering that affect cybersecurity measures. They pinpoint nefarious attempts to persuade, fabricate, or collect sensitive data as key examples of social engineering, leading to human error and data breaches. On the other side of the world, researchers from the Chinese Academy of Sciences recently published an article with the goal of defining social engineering in cybersecurity. In their publication, computer science experts Zuoguang Wang, Limin Sun and Hongsong Zhu argue that “social engineering has posed a serious security threat to infrastructure, user, data and operations of cyberspace.” Their argument emphasizes the power of social engineering to influence users and impact the overall structure and stability of a network. Wang, Sun and Zhu also warn that the danger of human error “is universal, and independent of platform, software, network or age of equipment.” That means you can have all the latest software and gadgets, but you will still need to educate and support your team to reduce your overall risk and ensure an adequate cyber defence.
Building Insight and Expertise
To combat the rise of clever social engineering techniques, your organization or team will need ongoing education and development. There are many options out there, including the foundational CompTIA a+ certification training, security+ certification, network+ certification training or the more advanced cysa+ certification training. Upskilling in cybersecurity is particularly important for business leaders and senior managers because it demonstrates your expertise and enables you to better support the team.
Remember that understanding social psychology can broaden your cybersecurity perspective and help you to better defend your organization or business. When you develop your cybersecurity plan and determine a budget, remember the importance of a methodical threat assessment process and the logical implementation of sustainable solutions.
Check out our previous blog: Times Pop Culture actually understood Coding