The document discusses the role of psychology in enhancing cybersecurity, noting that humans are often the weakest link. It provides statistics on internet users and connected devices to illustrate how everything is connected and vulnerable. It then outlines principles that social engineers exploit, like social proof, reciprocity, and scarcity. Examples are given of major data breaches from companies like Equifax and Marriott that involved human factors. Recommendations are made for governments, corporations, and individuals to improve cybersecurity through education, policies, and secure product development. The role of psychology in security is emphasized, as technological and social engineering techniques combined pose real threats.

1. The Role of Psychology
in Enhancing
Cybersecurity
Government + Corporation + Individual
= Humans == The Weakest Link?

2. Summary of the Internet Statistics for 2020
“Everything is connected, everything is vulnerable”
1/ Over 4.33 billion active internet users worldwide.
2/ 57 percent of the entire world's population has internet access.
3/ Amount of companies all over the world is approaching to 200
millions. (Walmart, Amazon, Toyota…)
4/ 195 countries in the world (country = government)
5/ More than 22 billion devices connected to the Internet.

3. Best way to defeat the firewall?

4. Principles social engineers exploit : Thinking - Feeling - Behaving
- Social proof: People tend to do things that they see other people doing.
- Reciprocity: People, in general, often believe that if someone did something nice for them,
they owe it to that person to do something nice back.
- Authority: People tend to obey authority figures, even when they disagree with the authority
figures and even when they think what they’re being asked to do is objectionable.
- Likeability: People are, generally speaking, more easily persuaded by people who they like
than by others.
- Scarcity: If people think that a particular resource is scarce, regardless of whether it actually
is scarce, they will want it, even if they don’t need it.
- Greed: Easy money.
- Goodness: Feeling bad, want to give favor….
- Consistency and commitment: social media, jobs…..
- Supportive: Like to get support or want to support.
- Taking advantage of moments: Covid-19, President election, natural disasters….

5. Human factor remains security’s
weakest link in cyberspace.
1/ A product is secure # A process is secure.
(Security technologies # human behavior - psychology in security.)
2/ Technological techniques + social engineering techniques.(Phishing, SMiShing,
Vishing,...) = Real Threat
3/ My testimony 2009 - 2013 (Microbilt, LibertyData, Locateplus, Court Ventures,
Experian)
4/ It’s all about psychology. (E.g. 2017 Equifax lost more than 150 million records -
, 2019 - Toyota lost $37 million, 2016 - USA’s Democratic Party - lost emails, 2020
- Marriott 5.2 million records,....)

6. What should we do?
1/ Government - establish different classifications of data, each with its own set of
related laws, policies, procedures, and technologies.
2/ Corporation - develop products with user-focused security, provide insurance
for user’s data, educate user with cybersecurity knowledge,.....
3/ Individual - users need to be educated through cybersecurity awareness
programs from the government, corporation and media news,.....
“Security holes in the delivered products are dangerous but security holes in the
deployed system (human factor) are even more dangerous.”

7. What should we do?

8. We are united as one

9. Spot Social Engineering attack!
– unusual requirements
– requiring respect for authority
- threatening with negative consequences
– giving praise and flattery
– offering something for nothing
– seems too good to be true, etc…

10. Social Engineering Countermeasure
– Slow down and Research the facts
– Delete any request for financial information or passwords.
– Reject requests for help or offers of help
– Don’t let a link in control of where you land
– Do not post yours personal data or photos
– Do not reveal sensitive data (e.g. passwords)
– Do not avoid policies and procedures – Report any suspicious activity

11. Helpful documents:
1/ Industry of Anonymity: Inside the Business of Cybercrime - Jonathan Lusthaus
2/ Human Factors in Cyber Security: User Authentication as a Use Case - Dr
Shujun LI.
3/ Behavioral Cybersecurity_ Applications of Personality Psychology and
Computer Science - Wayne Patterson, Cynthia E. Winston-Proctor
4/ The Art of Deception - Kevin Mitnick
5/ Eric Rutger Leukfeldt - Research agenda. The human factor in cybercrime and
cybersecurity.
6/ www.7onez.com (cybersecurity awareness blog)
7/ https://staysafeonline.org/stay-safe-online/online-safety-basics/

12. News:
1/ Top 5 Social Engineering Attacks of All Time
2/ 10 real and famous cases of social engineering attacks
3/ The Biggest Data Breaches in the first half of 2020
4/ Krebsonsecurity: Experian breach

13. Thank you very much!
By Hieupc