A few weeks ago I was at the Houses of Parliament to attend ‘CyberCrime – The Next Threat’, organised by Parliament Street and featuring a debate by panelists Dr. Robert Nowill, Chairman of the Board of Directors at Cyber Security Challenge UK Ltd; Andy Settle, Cyber Security Analyst and Senior Cyber Security and Threat Intelligence Consultant with IBM and Yair Cohen – Founder, The Internet Law Centre and author of The Net is closing: birth of the e-police.
One recurrent theme from the debate was the need for a greater psychological understanding of cybersecurity. This applies to all the parties involved – those who are attacking the system, those who are defending the system and the everyday users of the system. This discussion reflected a call made by myself and my colleagues in a recent Psychologist article in which we note the increasingly social nature of cybersecurity incidents (1). These factors go beyond social engineering, in which psychological techniques are used by attackers to manipulate a target, and encompass the wider social psychological processes that influence behaviour, such as group dynamics, motivation and perceptions of risk. In our article we acknowledge that what may be deemed cybercrime by some parties may be considered a form of social protest, or hacktivism, by others. We suggest that one approach for psychologists working in this area is to promote informed decision making, in which individuals are empowered to understand the risks and possible outcomes of their actions, without imposing any values on how they should behave.
To turn this discussion to the focus of this blog, it could be expected that social norms are especially important in cybersecurity. Protection of computer systems and online information relies heavily on the behaviour of the users of the system. For example, many of the recent high profile cybersecurity breaches that have been in the media were, at least in part, a result of individuals within a targeted company opening links in phishing emails. How people respond in such situations will depend on what they think is the normal course of action – without an organisational norm of treating links within emails with suspicion, phishing emails will continue to be successful. Similarly, cybersecurity incidents often appear to be instigated by groups. Individuals in these groups may adhere to group norms and participate in attacks without a full understanding of the risks they are exposing themselves to. Finally, cybersecurity practitioners themselves operate within teams and as part of a larger profession. As such they will, as a group, inevitably determine their own norms of behaviour and attitudes, which may lead them to act differently as individuals than they otherwise would.
Furthermore, all of the above groups will be susceptible to additional social psychological processes such as groupthink and risky shift, which can lead to impaired decision making and group actions that may be harmful to the individuals involved. The increasing acknowledgement of the importance of individuals in cybersecurity is a good step – but to fully understand the behaviour of individuals in complex socio-technical systems it is important that we do not overlook the fundamentally social nature of people.
Dr John McAlaney, Bournemouth University
(1) McAlaney, J., Thackray, H. and Taylor, J. (2016). The social psychology of cybersecurity. The Psychologist, 29(9), 686-689.