Applying Behavioral Economics to Phishing and Social Engineering Attacks

Behavioral economics offers valuable insights into why humans fall for phishing.

Behavioral economics is a field of study applied to human behavior in an attempt to explain why we do the things we do. For instance, why do employees avoid or delay making 401(k) contributions, eating healthy, or exercising more, even though it's well known that these things offer personal benefit?

The concept of behavioral economics has been translated and explained from a business standpoint by behavioral economist Dan Ariely, author of numerous books on the subject, including “Predictably Irrational: The Hidden Forces that Shape Our Decisions,” which is based on his own experiments into human behavior and decision-making.

In contrast to traditional economics, which applies rational thought to human actions, behavioral economics focuses on cognitive biases, emotional influences, and social pressures that impact the decisions we make.

Behavioral economics has implications in the world of cybersecurity too—helping to explain why employees fall prey to the machinations of cyber attackers.

The influence of cognitive bias and emotional vulnerability

Concepts of behavioral economics are widely used in the field of marketing to influence human behavior in making purchase decisions. For instance, Ariely examined The Economist’s subscription offers to show how presenting pricing options in a specific way can steer buyers toward a desired price point. When presented with three pricing options—web-only for $59, print-only for $125, or a print-and-web combo for $125—most people chose the combo offer. But when the print-only option was removed, they were more likely to choose the less expensive web-only offer. Why? Because the print-only option served as a “decoy”: an option almost nobody wanted, but one that made the combo look like an obvious bargain and steered people toward it.

It’s all about deeply and thoroughly understanding human behavior and how these behaviors are impacted by influences that use cognitive biases, emotions, social influences, and contextual factors to drive decisions.

Bad actors in the world of cybersecurity also prey upon these human tendencies to drive actions that put organizations at risk.

How hackers exploit cognitive biases

Threat actors exploit cognitive biases in a number of ways to carry out their nefarious activities. For example:

  • Social proof. Phishing emails often appear to come from trusted sources—your bank, legal authorities, or the government. If we trust the sender, we’re more likely to open the email.
  • Authority bias. Similar to social proof, authority bias relies on our tendency to comply with requests we receive from authority figures—like our boss, or the CEO. There are plenty of examples of this, including a case in which a CFO impersonator was able to defraud Children’s Healthcare of Atlanta to the tune of $3.6 million.
  • Scarcity and urgency. Appeals like “limited-time offer,” or “your account is about to be suspended” create a sense of urgency that can be hard to resist. Hackers know this and use this type of appeal to get people to make hasty decisions without careful consideration.
  • Anchoring bias. This involves the use of legitimate information initially to establish trust before moving forward with the malicious aspects of the hacking attempt.

Humans are social creatures that trust those they believe are authorities. They’re driven by fear, greed, and curiosity that can cloud their judgement. And they’re prone to cognitive shortcuts—biases that often drive behaviors. Understanding the power of these drivers can help organizations put strategies into place to thwart them.
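The cues listed above (urgency and scarcity language, an executive's name on mail that does not come from the company, replies quietly routed elsewhere) are also things a mail filter can look for. The following is an added example written for this article, not code from the original author: a small heuristic scorer that flags those cues in a message. The pattern lists, the domain `example.com`, the executive name, the weights, and the sample messages are all constructed for illustration; a real deployment would tune them against the organization's own mail.

```python
"""Heuristic scoring of e-mail text for bias-exploiting cues.

Added example, not from the original article. Patterns, weights, names and
the sample messages below are constructed for illustration only.
"""
import re
from email.utils import parseaddr

# Phrases that manufacture urgency or scarcity (constructed, non-exhaustive).
URGENCY_PATTERNS = [
    r"\blimited[- ]time\b",
    r"\bact (?:now|immediately)\b",
    r"\bwithin (?:the next )?\d+ (?:hours?|minutes?)\b",
    r"\baccount (?:will be|is about to be|has been) (?:suspended|locked|closed)\b",
    r"\bverify your (?:account|identity|password)\b",
]
# Requests that lean on authority and secrecy, typical of executive impersonation (constructed).
AUTHORITY_PATTERNS = [
    r"\bwire transfer\b",
    r"\bgift cards?\b",
    r"\bkeep this (?:confidential|between us)\b",
]

# Assumed organization details: the defender knows its own domain and its executives' names.
INTERNAL_DOMAIN = "example.com"
EXECUTIVES = ["Dana Reyes"]


def split_sender(header):
    """Return (lowercased display name, lowercased domain) from a From/Reply-To header."""
    name, addr = parseaddr(header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name.strip().lower(), domain


def score_message(msg, internal_domain=INTERNAL_DOMAIN, executives=EXECUTIVES):
    """Score one message; a higher score means more bias-exploiting cues are present.

    msg is a dict with 'from', 'subject', 'body' and an optional 'reply_to'.
    """
    flags = []
    score = 0
    text = f"{msg.get('subject', '')}\n{msg.get('body', '')}".lower()

    # Scarcity and urgency: pressure to act before thinking.
    for pat in URGENCY_PATTERNS:
        if re.search(pat, text):
            score += 2
            flags.append(f"urgency:{pat}")
    # Authority: money movement plus secrecy requests.
    for pat in AUTHORITY_PATTERNS:
        if re.search(pat, text):
            score += 1
            flags.append(f"authority:{pat}")

    name, from_domain = split_sender(msg["from"])
    # Authority bias: an executive's display name on mail from outside the company.
    if name in {e.lower() for e in executives} and from_domain != internal_domain:
        score += 4
        flags.append(f"executive-name-external-domain:{from_domain}")
    # Borrowed trust: the visible sender differs from where replies actually go.
    if msg.get("reply_to"):
        _, reply_domain = split_sender(msg["reply_to"])
        if reply_domain and reply_domain != from_domain:
            score += 2
            flags.append(f"reply-to-mismatch:{reply_domain}")
    return {"score": score, "flags": flags}


# Constructed sample messages for demonstration (not real phishing samples).
SAMPLES = [
    {"from": "Dana Reyes <dana.reyes@example.com>",
     "subject": "Q3 budget",
     "body": "Attached is the deck for Thursday's budget review."},
    {"from": "Dana Reyes <dana.reyes@mail-example.net>",
     "reply_to": "accounts@other-example.org",
     "subject": "Urgent",
     "body": "Please process a wire transfer within 2 hours and keep this confidential."},
    {"from": "IT Helpdesk <no-reply@example.com>",
     "subject": "Your account will be suspended",
     "body": "Verify your account now to avoid interruption."},
]


def triage(messages=SAMPLES):
    """Return (score, subject) pairs, highest-risk first, for a batch of messages."""
    ranked = [(score_message(m)["score"], m.get("subject", "")) for m in messages]
    return sorted(ranked, key=lambda pair: pair[0], reverse=True)


if __name__ == "__main__":
    for score, subject in triage():
        print(f"{score:3d}  {subject}")
```

The weights are deliberately simple: the executive-name-on-external-domain check scores highest because it is the cheapest signal for a filter to compute and the hardest for a human under time pressure to notice. A scorer like this is a triage aid for the security team, not a replacement for the training and multi-factor authentication the article goes on to recommend.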

How to thwart behavior-based attacks

For most organizations and in most cyberattacks, the failure wasn’t driven by a technological breakdown, but a human one. A combination of communication and technology, though, can help to blunt the impact of these attempts. Here are some important steps that can help employees make better decisions:

  • Training employees about the threat of cyberattacks, the form these attacks generally take, and their role in helping to avert them is an important first step. Training should be ongoing, not a single instance or once a year event.
  • Phishing simulations have proven to be a very effective way to tangibly reduce security breakdowns. These simulations serve to test employee awareness and identify areas of opportunity for improvement.
  • Strong authentication measures can help keep accounts secure by requiring two or more methods of identification and verification—multi-factor authentication—before allowing access to information or systems.
  • Regular security audits can identify and address potential vulnerabilities in systems and processes and ensure that methods used are current and working as intended.

Using a combination of technical safeguards, along with an informed understanding of human behavior and its weak spots, can help organizations defend against attacks from bad players.

The human factor is both the weakest link and the biggest defense against cyberattacks. Consider how applying behavioral economics to your system and data protection efforts can strengthen and support a healthy security culture. Ensure that your security program and processes work with rather than against human nature. This will help you leverage human behavioral tendencies to your advantage and not to hackers’ advantage.