Cybersecurity and psychology. How much do the two relate?

Why care about psychology when talking about cybersecurity? - C3 Prague Blog

When writing about cybersecurity, one often moves between several fields of expertise. As experts from ESET, a Slovak software company, warn, cybersecurity does not concern only IT specialists; it requires a much more complex approach.

What is currently trending in the field of cybersecurity? That's what we write about for ESET on the international content hub Data Security Guide. Principally, we cover the most innovative types of cyberattacks. We also write about how businesses can create more complex security records and more effective cyber strategies, all by means of personality-based tests and other similar tools.

At the end of 2020, ESET published a study named Cyberchology: The Human Element. The study resulted from a collaboration with The Myers-Briggs, a company focusing on personal support. It discusses the impact of stress on various personality types and what the weaknesses of the different types are when they face cyber danger.

At the time of the study's publication, this topic was a hot issue. Due to the covid pandemic, businesses encountered several technical and operational issues. Furthermore, remote workers became the main target of cyberattacks. All of this, combined with other stressful situations such as the repeated lockdowns, made a lot of people more vulnerable to hackers.

ESET warns that the majority of successful cyberattacks happen as a result of human error, so without consistent education of employees, businesses will be only partly protected against hackers' attacks.

Is there a point in connecting cybersecurity with psychology?

Definitely. In any field related to cybersecurity, where humans occupy the central role, the concept of personality types and their characteristics may reveal crucial connections.
 
IT specialists claim that the security of businesses depends on building a so-called cyber-aware culture, one that covers each member of the organization. It therefore ought to include other departments as well, such as the department of personal relationships. Owing to this connection, experts from the fields of psychology, pedagogy, and IT can all work together and arrange joint training on cybersecurity.

What should we be aware of when considering the relevance of the psychological perspective?

Hackers aim to attack our weaknesses. They aim to evoke uncertainty, fear, shame, and feelings of guilt, and to provoke human error. They are capable of deceiving their victims. They develop such abilities while employing the services of both artificial intelligence and mechanical training. Therefore, cybersecurity training includes quizzes that test various abilities, such as the ability to recognize phishing attacks or to tell fake videos from real ones.
 
This, however, won't stop hackers. They are conscious of the fact that people's resistance to stress varies and that people may become even more vulnerable during critical periods. Moreover, some people don't even care about cybersecurity. Psychological studies, in collaboration with IT specialists, are able to name such factors and place them within the context of security measures.

Can we rely on such studies entirely?

It's important to be aware of the context in which these studies originate. ESET employs the Myers-Briggs type indicator (MBTI) in their study. It is one of the most frequently used personality tests, in businesses and elsewhere, and it is meant to predict the level of success people are capable of reaching in the workplace. However, according to the news site Vox, a number of psychologists criticize the test for its low validity and reliability. On the other hand, plenty of psychologists defend it, using various other studies as their supporting argument. Such studies examine both the level of the test's accuracy and its updated versions, enriched with developed methods. Aqualus Gordon, a senior lecturer at the University of Central Missouri, insists that contemporary versions of the Myers-Briggs type indicator are sufficiently valid and reliable.
 
Notwithstanding the aforesaid, Gordon claims that many people become aware of their good and bad qualities after completing the test, which means a lot. And that's exactly what ESET's study deals with. For example, it shows which personal characteristics increase the probability of an employee panicking and clicking on a dangerous link. It also reveals who is more likely not to tell their IT team about a cyberattack. A person completing such a test has a better understanding of the dangers around them and also becomes aware of where to be especially careful. This helps to start a new discussion, to identify weaknesses, and eventually to establish better security measures.
