Psychology for Cybersecurity Professionals

A Multidisciplinary Approach to CyberSecurity - Chapter 2

The intersection of cybersecurity and psychology is challenging to write about. Yes, there is a huge replication crisis in the field, but that doesn't diminish its importance for a successful cybersecurity strategy and for software/product development in general. As Charlie Munger aptly noted:

“Then, when you get into psychology, of course, it gets very much more complicated. But it’s an ungodly important subject if you’re going to have any worldly wisdom. And the reason why is that the perceptual apparatus of man has shortcuts in it. The brain cannot have unlimited circuitry. So someone who knows how to take advantage of those shortcuts and cause the brain to miscalculate in certain ways can cause you to see things that aren’t there.”

- Charlie Munger

These insights are profoundly important for cybersecurity leaders to formulate an effective strategy and avoid costly errors. (They're also crucial for product development leaders, but this post will focus on organizational psychology rather than customer psychology.) However, these concepts remain poorly understood and underrated by cybersecurity practitioners and leaders.

This shouldn't surprise us. It took us over 5000 years to apply the concept of ‘wheels’ to luggage. This underscores our human tendency to be ‘domain dependent’. We often struggle to transfer insights and solutions across different disciplines, even if the application seems obvious in retrospect.

The field of cybersecurity is inherently multidisciplinary, and integrating ideas and insights from psychology has the potential to profoundly transform it. Morgan Housel illustrates this point through an analogy about healthcare: the difference between an expert in medicine and an expert in healthcare. You can see how the expert in healthcare factors in the human element:

She explained that becoming a better doctor meant spending more time managing her patients rather than managing those patients’ illnesses. There is a huge difference, she said, between an expert in medicine and an expert in healthcare.

An expert in medicine knows all the right answers out of the textbook. They can diagnose with precision and are up to date on all the latest treatments.

An expert in healthcare understands that medicine from the patient’s view is intimidating, confusing, expensive, and time-consuming. Nothing you diagnose or prescribe matters until you’ve addressed that reality with patients, because even a perfect solution makes no difference to the patient who doesn’t follow it.

- Morgan Housel

Perhaps it's time for the cybersecurity industry to reconsider its hyper-specialization approach and move beyond simply producing "certified" experts in specific "security domains."

The Human Element

Many cybersecurity leaders seem to conveniently ignore the human element - the psychology of our decision making and all the shortcuts, misjudgments and biases that come with it.

It is remarkable that understanding two fundamental ideas can explain most of human behavior: habits and social copying. It is even more remarkable how oblivious we can be to these phenomena. We are what we repeat (smoke daily vs. walk daily), and I’ve written about ‘mimetic theory’ in a three-part series earlier, starting with this post.

We aren't "rational" beings but rather "(post-)rationalizing" beings. Large parts of our decision-making apparatus remain opaque to introspection. Rory Sutherland elegantly explains this using the metaphor of the 'Oval Office' and the 'Press Office'.

Effective cybersecurity (& tech) leaders deeply understand that their approach has to be socio-technical in nature and not just technical - we can’t ignore the social aspects and the human element. As Peter Thiel warns in Zero to One:

“More than that, internal peace is what enables a startup to survive at all. When a startup fails, we often imagine it succumbing to predatory rivals in a competitive ecosystem. But every company is also its own ecosystem, and factional strife makes it vulnerable to outside threats. Internal conflict is like an autoimmune disease: the technical cause of death may be pneumonia, but the real cause remains hidden from plain view.”

- Peter Thiel

In today’s post, I’ll explore a couple of insights from psychology and apply them to both cybersecurity and leadership domains. We will continue to discuss other insights and their implications on cybersecurity in future posts.

Cybersecurity: Fallible Humans vs Phishing

It's simply not possible to "train" your way to security. Even if 100% of your employees complete cybersecurity training on phishing awareness, this doesn't guarantee they'll apply that knowledge when needed – particularly during a sophisticated spear-phishing campaign.

While security practitioners often mock spelling mistakes in phishing emails, attackers frequently demonstrate a sophisticated understanding of their victims' emotional dispositions. Most successful phishing attacks put the victim in an emotional state that bypasses rational thought and triggers an immediate, reflexive response.

Phishing attacks exploit a range of emotional triggers to manipulate victims into taking desired actions. The primary tactics include:

  • Urgency: Creating a sense of time pressure to prompt immediate, unthinking responses

  • Fear: Instilling anxiety or panic through threats of negative consequences

  • Trust exploitation: Impersonating legitimate entities to lower defenses

Attackers carefully craft messages to induce stress, impairing critical thinking and increasing susceptibility to deception.

The common but flawed response is to conduct simulated phishing attacks against employees, followed by naming and shaming, warning notices to managers, and mandatory training penalties.

Simply writing something on a piece of paper and calling it “security policy” or “security standard” or “control procedure” doesn’t guarantee that people will comply and that there will be effective real-world security outcomes.

Secure-by-Default

Humans are fallible – we make mistakes, especially under emotional duress or stress. The best of the cybersecurity practitioners have themselves fallen victim to such attacks. Smart executives have fallen victim to such attacks.

Rather than naming and shaming people, it's better to seek systemic solutions. For example, issuing every employee a FIDO key (a non-phishable credential) addresses a huge amount of attack surface.
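To make the "non-phishable" claim concrete, here is an added toy model (not code from the post or from any FIDO library) of the origin binding that FIDO/WebAuthn relies on: the browser, not the user, places the page origin into the data that gets signed, and the relying party rejects anything signed for a different origin. Signing is simulated with HMAC-SHA256 and the origins are constructed for illustration.

```python
"""Toy model of why a FIDO/WebAuthn credential is 'non-phishable'.
Added example, not from the post: the signature is simulated with HMAC-SHA256
(real authenticators use asymmetric keys) and the origins are constructed.
"""
import hashlib
import hmac
import json
import secrets

RP_ORIGIN = "https://login.example.com"     # assumed legitimate origin
PHISH_ORIGIN = "https://login-example.com"  # constructed look-alike origin


class Authenticator:
    """Holds one credential secret per registered relying party."""
    def __init__(self):
        self._keys = {}

    def register(self, rp_id):
        self._keys[rp_id] = secrets.token_bytes(32)
        return self._keys[rp_id]  # stands in for the public key in this toy

    def sign(self, rp_id, browser_origin, challenge):
        # The browser fills in its own origin; the user never types or checks it.
        client_data = json.dumps(
            {"origin": browser_origin, "challenge": challenge}, sort_keys=True
        ).encode()
        sig = hmac.new(self._keys[rp_id], client_data, hashlib.sha256).digest()
        return client_data, sig


def rp_verify(expected_origin, challenge, pub, client_data, sig):
    """Relying-party check: signature valid AND the signed origin is ours."""
    expected_sig = hmac.new(pub, client_data, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, sig):
        return False  # tampered client data (e.g. a rewritten origin)
    data = json.loads(client_data)
    return data["origin"] == expected_origin and data["challenge"] == challenge


def login_attempt(browser_origin, rewrite_origin=False):
    """True if the RP accepts an assertion made while the user sat on
    browser_origin; rewrite_origin models a relay that edits the origin."""
    auth = Authenticator()
    pub = auth.register("example.com")
    challenge = secrets.token_hex(16)
    client_data, sig = auth.sign("example.com", browser_origin, challenge)
    if rewrite_origin:
        data = json.loads(client_data)
        data["origin"] = RP_ORIGIN
        client_data = json.dumps(data, sort_keys=True).encode()
    return rp_verify(RP_ORIGIN, challenge, pub, client_data, sig)
```

The user's judgement never enters the check: a session started on the look-alike origin fails because the origin is wrong, and rewriting the origin in transit fails because the signature no longer matches.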

The idea of ‘blame’ just doesn’t make sense in complex systems. Any modern security program worth its salt should abandon the concept of "blame."

Any security strategy that blames its employees and has “human error” in its “root cause analysis” reports is bound to fail! As Phil Venables put it,

"Human error is not an explanation, rather it is something to be explained."

The principle of "secure-by-default" is well-established in cybersecurity, and we must understand its "why" from the fundamental nature of flawed human decision-making.

For premium-tier subscribers and the members of the Cyb3rSyn Community, I’ll now discuss a couple of insights from psychology and apply them to the field of management, along with some book recommendations.
