The document discusses the role of psychology in enhancing cybersecurity, noting that humans are often the weakest link. It provides statistics on internet users and connected devices to illustrate how everything is connected and vulnerable. It then outlines principles that social engineers exploit, like social proof, reciprocity, and scarcity. Examples are given of major data breaches from companies like Equifax and Marriott that involved human factors. Recommendations are made for governments, corporations, and individuals to improve cybersecurity through education, policies, and secure product development. The role of psychology in security is emphasized, as technological and social engineering techniques combined pose real threats.
Hieupc-The role of psychology in enhancing cybersecurity
1. The Role of Psychology in Enhancing Cybersecurity
Government + Corporation + Individual = Humans == The Weakest Link?
2. Summary of the Internet Statistics for 2020
“Everything is connected, everything is vulnerable”
1/ Over 4.33 billion active internet users worldwide.
2/ 57 percent of the entire world's population has internet access.
3/ The number of companies worldwide is approaching 200 million (Walmart, Amazon, Toyota…).
4/ 195 countries in the world (country = government)
5/ More than 22 billion devices connected to the Internet.
4. Principles social engineers exploit: Thinking - Feeling - Behaving
- Social proof: People tend to do things that they see other people doing.
- Reciprocity: People, in general, often believe that if someone did something nice for them,
they owe it to that person to do something nice back.
- Authority: People tend to obey authority figures, even when they disagree with the authority
figures and even when they think what they’re being asked to do is objectionable.
- Likeability: People are, generally speaking, more easily persuaded by people who they like
than by others.
- Scarcity: If people think that a particular resource is scarce, regardless of whether it actually
is scarce, they will want it, even if they don’t need it.
- Greed: Easy money.
- Goodness: People who feel bad for someone want to do them a favor.
- Consistency and commitment: social media, jobs…
- Supportive: People like to receive support and want to give it.
- Taking advantage of the moment: Covid-19, presidential elections, natural disasters…
5. The human factor remains security’s weakest link in cyberspace.
1/ A secure product ≠ a secure process.
(Security technologies ≠ human behavior; psychology in security.)
2/ Technological techniques + social engineering techniques (phishing, SMiShing, vishing, ...) = real threat.
3/ My testimony 2009 - 2013 (Microbilt, LibertyData, Locateplus, Court Ventures, Experian)
4/ It’s all about psychology. (E.g. 2017 - Equifax lost more than 150 million records; 2019 - Toyota lost $37 million; 2016 - USA’s Democratic Party lost emails; 2020 - Marriott, 5.2 million records; ...)
6. What should we do?
1/ Government - establish different classifications of data, each with its own set of related laws, policies, procedures, and technologies.
2/ Corporation - develop products with user-focused security, provide insurance for users’ data, educate users in cybersecurity, ...
3/ Individual - users need to be educated through cybersecurity awareness programs from the government, corporations and the news media, ...
“Security holes in the delivered products are dangerous, but security holes in the deployed system (the human factor) are even more dangerous.”
9. Spot the social engineering attack!
– unusual requests
– demands for deference to authority
– threats of negative consequences
– praise and flattery
– offers of something for nothing
– anything that seems too good to be true, etc.
10. Social engineering countermeasures
– Slow down and research the facts
– Delete any request for financial information or passwords
– Reject unsolicited requests for help or offers of help
– Don’t let a link decide where you land
– Do not post your personal data or photos
– Do not reveal sensitive data (e.g. passwords)
– Do not bypass policies and procedures
– Report any suspicious activity
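The cues on slides 9 and 10 (authority, threats, flattery, something for nothing, a request for credentials, a link that does not go where it claims) can be turned into a small triage heuristic for awareness training. This is an added example, not part of the original deck; the keyword patterns, score weights and the sample message are constructed assumptions, not a validated detector.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Pressure cues from the slide-9 checklist; constructed keyword patterns (assumption).
CUES = {
    "authority": r"\b(ceo|director|police|compliance|legal department)\b",
    "threat": r"\b(suspended|terminated|legal action|penalty|locked)\b",
    "urgency": r"\b(immediately|within 24 hours|urgent|right now)\b",
    "flattery": r"\b(valued|loyal|excellent work|congratulations)\b",
    "too_good": r"\b(free|won|prize|reward|gift card|no cost)\b",
    "credentials": r"\b(password|verify your account|login details|bank details)\b",
}

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the message body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(s):
    s = s.strip()
    return urlparse(s if "://" in s else "http://" + s).hostname or ""

def mismatched_links(html):
    """Slide 10: 'don't let a link decide where you land'. Returns (shown, real) host pairs
    where the visible text looks like a URL but the href points at a different host."""
    p = LinkCollector(); p.feed(html)
    looks_like_url = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}", re.I)
    return [(_host(t), _host(h)) for h, t in p.links
            if looks_like_url.match(t) and _host(t) != _host(h)]

def score_message(html):
    """Count cue categories present and weight link mismatches double."""
    text = re.sub(r"<[^>]+>", " ", html).lower()
    hits = sorted(n for n, pat in CUES.items() if re.search(pat, text))
    links = mismatched_links(html)
    return {"cues": hits, "mismatched_links": links, "score": len(hits) + 2 * len(links)}

# Constructed sample: flattery + threat + deadline + credential request + disguised link.
SAMPLE = ('<p>Dear valued customer, your account will be suspended within 24 hours unless '
          'you verify your account at <a href="http://198.51.100.7/login">'
          'https://bank.example.com/login</a>.</p>')
```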
11. Helpful documents:
1/ Industry of Anonymity: Inside the Business of Cybercrime - Jonathan Lusthaus
2/ Human Factors in Cyber Security: User Authentication as a Use Case - Dr Shujun Li
3/ Behavioral Cybersecurity: Applications of Personality Psychology and Computer Science - Wayne Patterson, Cynthia E. Winston-Proctor
4/ The Art of Deception - Kevin Mitnick
5/ Research Agenda: The Human Factor in Cybercrime and Cybersecurity - Eric Rutger Leukfeldt
6/ www.7onez.com (cybersecurity awareness blog)
7/ https://staysafeonline.org/stay-safe-online/online-safety-basics/
12. News:
1/ Top 5 Social Engineering Attacks of All Time
2/ 10 real and famous cases of social engineering attacks
3/ The Biggest Data Breaches in the first half of 2020
4/ Krebsonsecurity: Experian breach
Many cyber breach incidents are not the work of the archetypal hacker using technological means to get into a system. Instead, cybersecurity attacks are increasingly based primarily on social engineering techniques: the use of psychological manipulation to trick people into disclosing sensitive information or inappropriately granting access to a secure system.
Brainstorm session with the audience
Government: tends to make things easy for businesses, cares more about its own benefits and moves at its own pace.
Corporation: tends to build cheap and quick products with little or no user-focused security, hiring careless developers who do not care about cybersecurity for users. They also fail to follow the laws and the security and privacy standards of their industry. In the end it is all about money, and they run their product or service with a “deal with it later” mindset.
Individual: end users tend not to care much about, or lack, cybersecurity and privacy knowledge. They need to educate themselves by spending some of their precious time reading cybersecurity and privacy guides. Besides that, government and corporations should educate the software developers, lawyers, policymakers and all of us users, who are the weakest point in cyberspace.
We also need to understand that it is difficult for government, corporations and individuals to implement best security practices.
As researchers and educators, we must address all the many different roles that we humans play in cybersecurity, beyond just the security practitioner who administers firewalls, tunes intrusion detection systems, sets stricter security and privacy policies, sets stricter account privileges and monitors networks. We must also educate the software developer, the lawyer, the policymaker and all of us users who are unwitting accomplices of the attacker.
Collaboration between government - business - people