Unsure colleague showing fact checking and disinformation

Fact-Checking: An Essential but Untapped Security Tool

When it comes to online disinformation, fraud, and deception, fact-checking isn’t just nice – it’s necessary. But there’s a problem: Present someone with cold, hard facts, and they’ll often double down on their beliefs. That’s partly because we all suffer from trust issues and cognitive biases.

Furthermore, not everyone is a fan of fact-checking. Some people believe fact-checkers to be biased, pushing their own agenda. Others worry about who is fact-checking the fact checkers. In a world where truth and trust appear to be increasingly subjective, who gets to be the arbiter of reality? Here are some common concerns surrounding fact-checking:

  • Selective Perception:  The judgement that determines a fact can be affected by the fact-checker’s own thought-processes, experiences, or ideology.
  • Interpretation issues: Sometimes, the “truth” isn’t black and white; fact-checkers have to make judgment calls based on their own interpretation of the evidence.
  • Speed vs. accuracy: Fact-checkers might be under pressure to fact-check quickly, which can lead to errors, corrections, and retractions. These issues can create confusion, foster mistrust, or even fuel conspiracy theories.
  • Disconfirmation bias: If information shown to a fact-checker is in opposition to their inherent bias, then they might view counter-evidence unfavorably or even ignore it.

Why Fact-Checking Matters

Fact-checking is a crucial line of defense against the ever-growing deluge of online disinformation and social engineering risks. For example, a viral social media post claiming that drinking celery juice can cure cancer; or a social media post from a major retailer giving away $500 to anyone who fills out a brief survey. Viral disinformation and online scams can have real-world consequences. There are human and business costs associated – people might forgo necessary treatments in favor of juice cleanses, or employees could be lured by phishing scams disguised as medical advice, offers, or giveaways.

And let’s not forget artificial intelligence. AI apps are exploding everywhere, allowing users to create synthetic content (or deepfakes of voices, videos, images, situations) that can alter human perception or manipulate reality. Adversaries can fabricate fake incidents or narratives leading to distractions, chaos or mistrust; they can craft novel phishing attacks to deceive their targets. Moreover, AI itself is known to hallucinate and generate biased results. Earlier this year, Google’s new “AI Overview” feature was suggesting that users apply glue to pizza to prevent cheese from falling off. Training data and AI models can also be intentionally and maliciously poisoned to produce false results.

Why Organizations Need To Teach Employees To Fact Check

Critical thinking is perhaps the only and most powerful defense against outrageous fakery and dangerous social engineering attacks. Organizations cannot win this battle alone; they need support from employees on the front lines.

Employees play a crucial role in shaping and improving the security posture of the organization through their online behavior and choices. Their decisions on sharing information, engaging with content, and fact-checking significantly impact the information security environment.

Best Practices To Help Employees Learn The Art Of Fact-checking

Below are recommended best practices that can help build a habit of fact-checking among employees:

  1. Teach, not tell: Simply advising employees to fact-check will not serve the purpose. Teach them how to do it – to diversify their sources of information, to follow the evidence, to understand the context, to look for updates, to be open to having their views challenged, to practice the SIFT method (Stop, Investigate the source, Find better coverage, Trace claims to the original source) prior to sharing or clicking on links.
  2. Share fact-checking resources:  There are many fact-checking resources employees can use to cross-reference information. Popular ones include: Snopes, Politifact, AllSidesMedia, NPR Fact Check, and Quote Investigator. Remind employees that fact-checking resources are an aid, not a substitute for, critical thinking. Stress the importance of fact-checking and reporting phishing attacks and disinformation.
  3. Run games and contests: Don’t make your awareness training sessions a snoozefest. Try to make training fun and engaging. Run fact-checking challenges: Choose a controversial topic and ask employees to find the most reliable source in 10 minutes. Conduct social media scavenger hunts: How many emotionally manipulating social media posts can you find in 5 minutes. Gamify verification of a viral video: Choose a viral video and ask employees to trace its origin.

Nurture a Culture of Shared Responsibility

Fact-checking is a small but crucial part of an overarching culture of cybersecurity. The security team is not the only group that must live and breathe security; employees and business leaders must also do the same. As always, the more you practice something, the more it will become second nature. To cultivate such a shared culture, organizations must leverage the power of people, process, and training by making cybersecurity a pillar of the business strategy.