Cognitive Psychology and Cybersecurity
This post will aim to give an overview of the application of cognitive psychology to cybersecurity and how it can be used to enhance human factors within the field of cybersecurity. Cognitive psychology is defined as the branch of psychology devoted to studying mental processes. There are many different types of mental processes and how people use them in their unique ways to draw conclusions and make decisions. Thus, cognitive psychology encompasses a very broad range of subjects. These include but not limited too; reasoning; judgment; attention and decision making. Which are the areas social engineering attacks aim to undermine to manipulate. An important thing to remember about cognitive psychology is that it isn't just about the thoughts that an individual have but also about how those thoughts impact their behaviour. Cognitions, or thought processes, are what happens to someone between perceiving something with their senses and behaviour in response.
The reason that application of cognitive psychology to cybersecurity is possible it that as a discipline it addresses internal and external human experiences both as individuals and in groups. The tested principles of psychology allow the experts to understand why people are susceptible to threats.It has been written that with cybersecurity's emerging focus on behavioural analytics and biometrics also depend on psychology, which is heavily rooted in measuring and making sense of human behaviour. By understanding human psychology is critical for forensic investigations, constructing insider threat profiles, and to establish when to generate alerts to help with user education.
Applying (or not) Cognitive Psychology to cover the gaps in Cybersecurity
The mounting cyber-attacks, data breaches and ransomware attacks are often result of human-enabled errors with an estimated 95% of all cyber incidents being human-enabled. Research has indicated that existing information security plans do not fully account for human factors in risk management or auditing. We rely extensively on technology to avert cybersecurity incidents. There is a mindset that believe that technology is the key to improving security defences even though new technologies often create unintended consequences; nonetheless, technological induced errors are human-enabled either through the design or implementation to how it is used. Often the current perspective on the human factors problem information security is too narrow in scope and focuses heavily on the training problem. The management of complex cybersecurity operations accompanied by mounting human factor challenges exceeds the expertise of most information security professionals who tend to be technologists firsts; yet, there is a reluctance to seek the expertise of human factors specialists, cognitive scientists, and behavioural analysts to implement effective strategies and objectives to reduce human-enabled error in information security. Partly, this can be explained by people hiring people who have similar skill sets to themselves thus never closing the skills gap. It can take considerable effort to choose people who have different disciplines as there is always the fear of not knowing to how make use of them or integrate into a team with widely different skills.
It is worth reminding ourselves that humans are social creatures. Human behaviour is influenced by perceptions of those around them, often to a much greater degree than is realised. However, we tend to make mistakes in our understanding of those around us and the situations that we encounter. We do so because our cognitive resources have limits, meaning that we have developed systems of coming to quick conclusions based on limited information. These processes are known as heuristics. This is not a flaw; rather it is an adaptive strategy that allows us to navigate and survive in our social worlds. Nevertheless, these tendencies may lead people to engage in cybersecurity in risky ways, either as the instigators of attacks, the targets of attacks, or the cybersecurity professionals who seek to prevent and mitigate attacks. For example, failing to recognise the threat of cybersecurity risks that are difficult to visualise. It is why, social engineers aim to exploit these quirks of social influence and human decision making. Having knowledge and applying cognitive psychology to cybersecurity could give greater understanding of these processes by enabling us to develop more informed prevention and mitigation strategies in order to address the increasing challenges organisations face within cybersecurity.
Hopefully, this post has given an overview of how cybersecurity could make use of cognitive psychology. While its main application would be in human factors side it would also fit into the fields of user-experience design and human-computer interactions as they can affect people's attitudes to cybersecurity. There are also other disciplines which can be linked and used together with cognitive psychology including linguistics, anthropology and neuroscience. It is worth remembering there is no such thing as silver bullet solution as often it takes many different solutions to solve a problem.