Cognitive Psychology and Cybersecurity

 Introduction 

This post will aim to give an overview of the application of cognitive psychology to cybersecurity and how it can be used to enhance human factors within the field of cybersecurity.  Cognitive psychology is defined as the branch of psychology devoted to studying mental processes. There are many different types of mental processes and how people use them in their unique ways to draw conclusions and make decisions. Thus, cognitive psychology encompasses a very broad range of subjects. These include but not limited too; reasoning; judgment; attention and decision making. Which are the areas social engineering attacks aim to undermine to manipulate. An important thing to remember about cognitive psychology is that it isn't just about the thoughts that an individual have but also about how those thoughts impact their behaviour. Cognitions, or thought processes, are what happens to someone between perceiving something with their senses and behaviour in response. 

The reason that application of cognitive psychology to cybersecurity is possible it that as a discipline it addresses internal and external human experiences both as individuals and in groups. The tested principles of psychology allow the experts to understand why people are susceptible to threats.It has been written that with cybersecurity's emerging focus on behavioural analytics and biometrics also depend on psychology, which is heavily rooted in measuring and making sense of human behaviour. By understanding human psychology is critical for forensic investigations, constructing insider threat profiles, and to establish when to generate alerts to help with user education.

Applying (or not) Cognitive Psychology to cover the gaps in Cybersecurity


The mounting cyber-attacks, data breaches and ransomware attacks are often result of human-enabled errors with an estimated 95% of all cyber incidents being human-enabled. Research has indicated that existing information security plans do not fully account for human factors in risk management or auditing. We rely extensively on technology to avert cybersecurity incidents. There is a mindset that believe that technology is the key to improving security defences even though new technologies often create unintended consequences; nonetheless, technological induced errors are human-enabled either through the design or implementation to how it is used. Often the current perspective on the human factors problem information security is too narrow in scope and focuses heavily on the training problem. The management of complex cybersecurity operations accompanied by mounting human factor challenges exceeds the expertise of most information security professionals who tend to be technologists firsts; yet, there is a reluctance to seek the expertise of human factors specialists, cognitive scientists, and behavioural analysts to implement effective strategies and objectives to reduce human-enabled error in information security. Partly, this can be explained by people hiring people who have similar skill sets to themselves thus never closing the skills gap. It can take considerable effort to choose people who have different disciplines as there is always the fear of not knowing to how make use of them or integrate into a team with widely different skills. 


It is worth reminding ourselves that humans are social creatures. Human behaviour is influenced by  perceptions of those around them, often to a much greater degree than is realised. However, we tend to make mistakes in our understanding of those around us and the situations that we encounter. We do so because our cognitive resources have limits, meaning that we have developed systems of coming to quick conclusions based on limited information. These processes are known as heuristics. This is not a flaw; rather it is an adaptive strategy that allows us to navigate and survive in our social worlds. Nevertheless, these tendencies may lead people to engage in cybersecurity in risky ways, either as the instigators of attacks, the targets of attacks, or the cybersecurity professionals who seek to prevent and mitigate attacks. For example, failing to recognise the threat of cybersecurity risks that are difficult to visualise. It is why, social engineers aim to exploit these quirks of social influence and human decision making. Having knowledge and applying cognitive psychology to cybersecurity could give greater understanding of these processes by enabling us to develop more informed prevention and mitigation strategies in order to address the increasing challenges organisations face within cybersecurity.

Conclusion

Hopefully, this post has given an overview of how cybersecurity could make use of cognitive psychology. While its main application would be in human factors side it would also fit into the fields of user-experience design and human-computer interactions as they can affect people's attitudes to cybersecurity. There are also other disciplines which can be linked and used together with cognitive psychology including linguistics, anthropology and neuroscience. It is worth remembering there is no such thing as silver bullet solution as often it takes many different solutions to solve a problem.  

Sources

https://www.betterhelp.com/advice/psychologists/what-is-cognitive-psychology-examples-definition-and-benefits/

https://www.techrepublic.com/article/how-understanding-cognitive-science-can-strengthen-cybersecuritys-weak-links/ 

https://content.sciendo.com/configurable/contentpage/journals$002fhjbpa$002f9$002f3$002farticle-p71.xml

https://www.sciencedirect.com/science/article/pii/B9780128192047000014

Comments

Post a Comment

Popular posts

Balancing functionality, usability and security in design

Image
Introduction When designing new devices or applications there is a requirement nowadays to consider there functionality, usability and security. While there has been a push through secure-by-design guidelines for security to be built-in from the beginning there are still gaps in implementation and part of these gaps are design considerations of functionality and usability. Part of this that doing security well is hard work, but it should never block useful functionality for the user. Ideally, when security interferes with key software capabilities, the security must be tweaked. The answer should never be to abandon the functionality and certainly not to abandon the security. Though achieving this balance is admittedly not straightforward. This blog post will aim to look at this triad and how they can be balanced and not compromise each other. Defining the Triad in design A triangle can be used to help explain the relationship between the concepts of security, functionality and ea
Read more

Personal Interest - Unbuilt fleets of the Royal Navy

Image
Introduction Throughout the 20th Century the Royal Navy designed and examined different types of fleets that were never realised either due to budget constraints, arms treaties or the changing nature of war. These are only a few examples of the different types of unbuilt fleets. Some of these had prototypes built and tasted for the Royal Navy which would serve as technological testbeds. Images and info from secret projects forum, shipbucket, popular mechanics/science and naval-matters. Washington Naval Treaty (WNT) The  Washington Naval Treaty  was a treaty signed during 1922 among the major nations that had won  World War I , which agreed to prevent an  arms race  by limiting naval construction. It was negotiated at the  Washington Naval Conference , held in  Washington, D.C. , from November 1921 to February 1922, and it was signed by the governments of the United Kingdom, the United States, France, Italy, and Japan. It limited the construction of  battleships ,  battlecruisers
Read more

Personal Interest - RAF Unbuilt Projects

Image
  Introduction This blog post looks at the different groups of cancelled RAF projects. It will focus on the 50s, 60s, 90s/00s and a brief look at hypersonic research projects. While these projects were often cut or cancelled for budget or austerity reasons, they were also pushed by the changing nature of warfare firstly from conventional style WW2 warfare to the predicated quick, short scale nuclear war which was expected from 1947 to 1989. Later from the 90s and into the 21st Century a change from state on state conflict to facing insurgencies, counter-terrorism and peacekeeping missions again led to a change in how wars are fought. Though the work and research done on these projects would rarely go to waste with it being used and applied in other projects and works even if sometimes it could take another ten or twenty years before anything operational came of that work. There won't be large amounts of text explaining or exploring the designs there are far better sources for th
Read more