By Lisa Gilbert
When it comes to Cyber Warfare, biology is not on our side. This doesn’t mean you’re off the hook for the dumb things your brain might do that make you vulnerable to cyber criminals, but it does mean you need to learn to be extra vigilant. If you understand why your brain is wired to fall for social engineering attacks, you can begin to develop the defense of “healthy skepticism”.
I was fortunate to attend an excellent seminar on “The Psychology of Social Engineering”, presented by Erik Huffman at our local chapter of ISSA, and I have drawn much of the information for this article from that.
The Black Hat 2017 report by Thycotic reveals: “With the increase in our digital activities, hackers and cyber-criminals have changed the techniques they use to target people, with email (see my blog on phishing) being the number one weapon of choice, followed by infected websites, social media scams, and stealing digital identities and passwords. Reports and statistics in the past years have shown that more than 80% of data breaches have involved an employee as a victim—hackers claim that it is the fastest way to breach a company’s security controls.”
So why are humans so vulnerable? Much comes down to our survival instinct and the way we learn. We are designed with a built-in “fight or flight” response that helps keep us alive. This instinct does a great job of keeping us alive in an emergency situation. The response originates in the amygdala, in the limbic system of the brain. The amygdala is a primal, non-verbal portion of the brain which quickly identifies a stimulus and response.
It is the part of our brain that generates fear and helps us to determine trustworthiness of people we encounter — so our “gut feeling” originates in the most primitive region of our brain. Unfortunately, when we’re sitting in front of our computer, the frontal cortex of our brain is doing all the work and the amygdala is out to lunch. It’s not doing its job warning us of danger, because there is no physical stimulus; it’s all mental. Since our amygdala isn’t doing its job when we’re reading suspicious emails or websites or perusing social media, maybe we need this guy:
At the same time, we have been trained to believe what we read — from textbooks, to the Bible, to the newspaper — we default to expecting what we read to be the truth. Of course we all know that “You can’t believe everything you read on the internet” (isn’t that a quote from Abraham Lincoln?), but we have to overcome our natural tendency to believe and start to think critically about the information we’re reading. We need to develop healthy skepticism and look at everything we read with a critical eye. You almost need to become a little cynical, and assume that if someone you don’t know (or someone pretending to be someone you DO know) sends you an email, they are trying to scam you. Ask yourself, “How could this hurt me?” “What are they trying to get from me?” And take some good advice from Nancy Reagan: JUST SAY NO.
Additionally, a recent study by Weijer and Leukfeldt (2017) found that the personality traits that make a person most vulnerable to social engineering are “extraversion, agreeableness, conscientiousness, emotional stability, and openness to experience.” These are typically all considered positive personality traits, but in the case of cyber-crime, they work against you. So the hermits among us who are introverts, cynics, and reticent are more insulated from that type of crime.
Remember, your brain is pre-wired to be a sucker for this stuff, so you need to consciously be vigilant with regard to what you read. Often, we have a tendency to trust technology and not take responsibility for our own actions. We can’t assume because we have a firewall and a spam filter, that our technology is keeping us safe. We need to think about what we’re reading and be accountable for our actions. Be aware your amygdala may be off eating a donut and put your frontal cortex to work protecting you from making foolish mistakes.