Digital technologies have invaded our professional and personal spaces, ultimately changing the way we work, interact and perceive reality. In recent years there have been significant technological developments in the field of cybersecurity; accordingly, these places should, in theory, be getting more and more secure. Yet, quite contrary to expectations, ‘attacks in the cyberspace have become increasingly common and sophisticated; defense is no longer sufficient for organisations to survive,’[1] faced with this increase in cybercrime.
Recent surveys show that 60 to 90% of cyber incidents are caused by human error. In view of such alarming numbers and of the economic and strategic risks entailed, it is becoming imperative and necessary to rethink cybersecurity, and no longer consider it only in terms of technical solutions, but also in terms of ‘human solutions’. The issue of cybersecurity should be considered globally to reinforce resilience – i.e. how quickly the organisation would detect, analyse and respond to a cyber incident – and improve it through a multidisciplinary approach, involving and promoting action by psychology professionals in order to develop ‘a better understanding of why people become involved in hacking, and how they may be encouraged to use their skills and abilities for the protection of cyber systems.’[2]
The recurrent failure of awareness campaigns[3] shows that merely sharing knowledge is clearly not enough to substantially change mindsets and cyber behaviours. People have a natural tendency to resist change. Besides, in terms of cybersecurity, self-assessments of best practices are often biased by the Dunning Kruger effect; a cognitive bias in which people less qualified in a field overestimate their competence while better qualified people underestimate theirs.
Today, no organisation is immune to cyber-attacks. And it seems clear that once data protection is covered, the next cybersecurity challenge will be tackling the human side, i.e. understanding the socio-psychological aspects of a cyber-incident in order to mitigate, and even prevent, attacks; identifying human challenges and basic principles at the individual, community and organisational levels; finding ad hoc ‘human solutions’ for organisations to prevent, train and process cyber-incidents; in order to achieve efficient cyber-resilience and ensure business continuity.
As a result, in the future, ‘a greater knowledge of psychology by cybersecurity practitioners and students [technical side] may better equip them to understand and address some aspects of cybersecurity [human side]. Relevant areas of psycho logy that can be taught include social psychology, group dynamics, trust, individual differences and the role of emotions when using sociotechnical systems (and how this may link to poor decision-making and risky behaviour). […] Delivering this content may not be easy. There can be differences in pedagogical, epistemological and ontological approaches to how material is typically taught in Psychology versus Computing departments […]. Nevertheless, […] there is a need for greater synergy between disciplines,’ [4] a strong multidisciplinary dialogue, and bridges, in order to rethink cybersecurity as a whole, including the human aspect.
[1] Conseil général de l’économie, de l’industrie, de l’énergie et des technologies, « La cyber résilience » (‘Cyber Resilience’), 30 January 2018, n° 2017/02/CGE/SR.
[2] J. McAlaney, J. Taylor and H. Thackray, ‘Behaviour Change: Cybersecurity’, Department of Psychology, Faculty of Science and Technology, Bournemouth University.
[3] M. Bada, A. Sasse and J. Nurse, ‘Cyber Security Awareness Campaigns: Why do they fail to change behaviour?’, January 2019, https://arxiv.org/abs/1901.02672.
[4] J. McAlaney, J. Taylor and H. Thackray, ‘Behaviour Change: Cybersecurity’, Department of Psychology, Faculty of Science and Technology, Bournemouth University.