VI Reflections: Bolstering Cybersecurity with Psychology

By grigby1

The World Economic Forum found that 95 percent of cybersecurity problems stemmed from human error, and that 43 percent of all breaches were the result of either intentional or accidental employee behavior. These findings underscore the importance of integrating psychology into the field of cybersecurity. According to the American Psychological Association, psychology is the study of the mind and behavior, embracing all aspects of the human experience, from the functions of the brain to nations' actions. Therefore, the development of cybersecurity can greatly benefit from the contributions of psychologists. Although technological elements have been the primary focus of current research and development in the realm of cybersecurity, there is a human factor contributing to the issue that calls for additional behavioral research efforts.

Psychologists can improve cybersecurity in many ways. A paper titled "The Role of Psychology in Enhancing Cybersecurity," authored by Brenda K. Wiederhold, a licensed clinical psychologist with the California Board of Psychology, urges psychologists to introduce cultural and behavioral shifts towards improved security both individually and collectively. To make this contribution to cybersecurity, Wiederhold recommends exploring the behavioral economics that influence how people perceive risk and reward, with one step being the identification of social situations in which individuals are more likely to disregard the risk of sharing private information. For example, a study cited by Wiederhold found that individuals are likely to disclose personal and confidential information in casual conversations, on social networking platforms, and in other less formal settings. Wiederhold suggests that psychologists identify patterns of cybercriminal and malicious activity by observing deviations from normative behavior. Using these observations, psychologists could help inform technology providers in the development of security systems that detect such activity while accounting for the psychological distortions that influence privacy decisions. Psychologists should also go beyond labs and journals to raise public awareness of cybersecurity risks, adjusting perceptions and encouraging adherence to privacy best practices.

This year, the Intelligence Advanced Research Projects Activity (IARPA) launched a program focused on the psychology of cyberattackers. The "Reimagining Security with Cyberpsychology-Informed Network Defenses" (ReSCIND) program aims to use attackers' innate decision-making biases, cognitive vulnerabilities, and other human limitations to combat their malicious cyber activities. Although attackers often exploit human errors, most cyber defenses do not exploit attackers' cognitive weaknesses. ReSCIND seeks to change this by combining traditional cybersecurity practices with the field of cyberpsychology. IARPA will develop a first-of-its-kind cyber technology to make an attacker's tasks more difficult. According to Dr. Kimberly Ferguson-Walter, ReSCIND Program Manager, the program will allow the Intelligence Community's (IC) cyber defenders to penalize attackers with the costs of wasted time and effort, thereby delaying and potentially thwarting attacks, as well as exposing the operators behind them more quickly. ReSCIND wants to create novel methods for identifying and modeling human limitations or cognitive biases related to cyberattack behavior. The program also aims to understand, measure, and induce changes in cyberattack behavior and success, as well as provide algorithms for automated adaptation of these solutions in response to observed cyberattacker behavior.

Strengthening cybersecurity requires delving into psychological components and processes to enhance or create security systems and methods that better prevent, detect, and mitigate cyberattacks. 
