May 26, 2020

Cyber vulnerability during the pandemic: Unpacking the psychology

By Mark Sirkin

As the world faces an unprecedented pandemic, cybercriminals are finding ways to exploit the situation, taking advantage of growing cyber vulnerability.

We’re already seeing a concerning rise in cyberattacks, with a 400% increase in March alone. With the risks spiralling day by day, in order to address the situation head on, we need to look deeper into it. This is where psychology and the theory of human behaviour comes in.

The psychology of human behaviour can tell us a lot about how and why cybercrime occurs. The truth is, despite the fancy hardware and software solutions available, most cybersecurity breaches occur due to human error or phishing attacks. Unless businesses have relatively sophisticated automated solutions, their employees often represent their greatest internal threat.

The coronavirus pandemic has transformed every part of human behaviour and the cyber sphere is no different. So, what are the human factors that affect cybersecurity and how are these unfolding over this time?

The neuroscience of a crisis

As humans, we are prewired for crisis. This has been proven over a number of recognised psychological models. There’s Paul MacLean’s notion of humans having a ‘reptilian brain’, that is, a structure that controls our heart rate, breathing, body temperature, and balance, and ultimately ensures our survival as a species. We can draw similar from the fight-flight reaction of the sympathetic nervous system, which is buried deep in the interior of the human brain and protects us in times of danger. This is ‘System 1’ thinking, as opposed to ‘System 2’, where people take their time and consider options before taking action.

These models show us that when there is a perception of crisis, the need to act is immediate. From an evolutionary point of view, in times of danger, those who acted first were often safer than those who took their time. The coronavirus pandemic is a crisis. You’ve no doubt noticed people are saying they’re more tired, even though we’re rarely leaving the house. This is because crisis mode requires more energy. During a crisis, the thoughtful, reflective parts of our brain shut down.

In other circumstances, people might hover over a suspicious link, processing whether it seems risky or not. But that requires fully functional frontal lobes, or executive functioning, which need time and undivided attention to work properly. In crisis mode, frontal lobe functioning is significantly diminished, or may go offline altogether, in favour of a quick – albeit less considered – action or reaction.

The problem we face is that cybercriminals are turning this science into opportunity. They know what emotional buttons to push to make people afraid (“just click the link”), try to help (“just click the link”), or even just register an opinion (“just click the link”). The consequences of clicking can be dire, this simple action easily lets criminals into their personal computer and, by sometimes by default, into their company’s IT system. The key is to equip people with knowledge, so they feel comfortable and are naturally more towards operating in ‘System 2’ thinking mode.

Psychology, cyber vulnerability and the pandemic: Motivating factors ripe for exploitation

After the fear, inherent in crises, comes a desire to help. This is one of the many ways in which cybercriminals exploit well-meaning people. Whether it’s a donation or a message of support, people are again motivated in ways that leave them open to online criminal behavior.

McClelland’s Social Motive Theory suggests there are three primary social motives; achievement, affiliation, and power. In times of individual crisis, the need for achievement – for example, successful social distancing – or power to control the situation come to the fore. But in a social crisis, many are hard-wired to help, triggering a need for affiliation. That desire may cause people to act impulsively without due consideration and cyber criminals can exploit this – “just click the link” to make a donation, show your support, and so on. Like the very best advertisers, these actors are clever about pushing emotional buttons.

Cybercriminals are also counting on the psychology of information fatigue, that is, where too much bad news or a desire to put positive energy back into the world leaves people more vulnerable. To avoid falling victim to this, people need to practice basic cyber hygiene. This means avoiding clicking on suspicious links without doing basic checks such as hovering over it and seeing if the URL or address correlates with who the email purports to be from.

Playing into personality

The science of personality is a complex beast, but my view boils down to the belief that personality is a story we tell ourselves and the world about who we are. This story comprises our identity and who we think we are, which together dictate how we behave in the world and process information.

Cybercriminals will use the ideal images people have of themselves to manipulate thoughts, emotions, and purse-strings. Those who see themselves as good may be tricked by scams that purport to raise money for the sick and needy. Those who feel a big part of their identity is being a good parent may fall susceptible to links that claim 10 ways to protect their family from infection. Cybercriminals are using sophisticated tactics to further this play, such as hacking social media profiles to understand what makes people tick and then using that information.

The coronavirus crisis has significant psychological implications for all parts of human life, and the first step in addressing these is understanding them. In the context of cybersecurity, businesses and individual employees need to be aware of how cognitive function and motivations are being preyed upon at this time, and take steps to remain rational, alert, and smart in the face of rising threats.

Read more: Coronavirus hackers face the wrath of the cybersecurity community