As a technologist and cybersecurity researcher, Erik J. Huffman is well-versed in hacker tricks. Yet Huffman nearly fell victim to a scam after receiving an email purportedly from his mother asking for financial help. The email immediately reminded him of how much his mother had done for her family. He says he heard her voice in his mind as he read the words on the computer screen. And although Huffman knew she had never before asked for money, he quickly replied: “How much do you need?”

It wasn’t until another email came back, asking how quickly he could send money — another uncharacteristic ask — that Huffman questioned the exchange. “Some red flags had been raised,” Huffman says as he recounts the story in his TED Talk, titled “Human Hacking: The Psychology Behind Cybersecurity.”

In both his TED Talk and in a follow-up interview with CSO, Huffman explains why he almost fell for the scam: he could hear his mother’s voice in his head as he read the email, which made the request seem real. He wanted to be helpful. And, in the rush of the everyday, he didn’t pick up on the danger right away.

Phishing reactions are part of the human DNA

He’s not alone in those reactions. Huffman and other cybersecurity leaders say they’re a typical part of the human DNA, which hasn’t yet evolved to trigger the fight-or-flight response when encountering online dangers. That reality has spurred a growing interest in how the science of human behavior can inform and improve the discipline of cybersecurity. Authorities in this space say the interest is warranted.

“People act in ways that are unpredictable, so while it’s great to have multifactor authentication and other security technologies, it only takes one person to respond to one email on one day to put the organization at risk,” says Lee Hadlington, a senior lecturer in cyberpsychology at Nottingham Trent University, a chartered psychologist and a member of the university’s cyberpsychology research group. “That’s the human factor side in cybersecurity, and it’s something CISOs have to start thinking more about.”

The intersection of cybersecurity and psychology

Cyberpsychologists and enterprise cybersecurity practitioners both stress the need to better understand how people interact with technology to create a stronger cybersecurity posture. They point to statistics showing that most breaches involve some sort of human misstep. Verizon’s 2023 Data Breach Investigations Report, for example, found that “74% of all breaches include the human element, with people being involved either via error, privilege misuse, use of stolen credentials or social engineering.”

As Huffman says, hackers “don’t want to go toe-to-toe with your firewall. They don’t want to challenge your antivirus, because that’s very difficult, not when they can exploit the largest vulnerability on every network on the planet right now — that’s us, people. Cybercriminals are not just hacking computers; they are hacking humans. Because … unlike computers, we actually respond to propaganda.”

Psychology gets at why humans do what they do, says Huffman, founder of cybersecurity services firm Handshake Leadership. There are multiple psychological reasons why people fall for phishing schemes and other hacker scams, according to Huffman, Hadlington and others looking at the role of human nature in cybersecurity.

For a start, many workers click when they shouldn’t because they’re focused on their job. “They’re thinking, ‘I’m just trying to get my job done. I want to get my boss off my back,’” Hadlington says. “Or it’s just an accident: They thought they were doing the right thing,” he says, adding that most people want to be helpful when receiving a request at work.

Employees don’t have a sense of ‘stranger danger’

At the same time, workers haven’t been conditioned to be wary of strangers online; they don’t think “stranger danger” as they would in real life, Huffman says. And people still have the tendency to think that they won’t be scammed.

“They have plausible deniability. They think, ‘It won’t happen to me, and the less I think about it, the less I’ll be a target,’” Hadlington explains.

The hackers understand all that, says Stephanie Carruthers, chief people hacker at IBM. She says they frequently design attacks that create a feeling of fear, a sense of urgency or an aura of authority to get people to react. That’s why a message like “You’ll lose your benefits if you don’t complete these forms today” is effective, Carruthers says. A message like that hijacks the reader’s amygdala — the portion of the brain that detects and responds to threats. “You’re reacting really fast,” she says. “And when you have those strong emotions, you stop looking at the red flags.”

Why bring psychology into security?

Applying the science of psychology to cybersecurity helps cybersecurity professionals understand where, how, and why they’re falling short in building a security program that works, experts say. “We need to design security with people in mind because if security doesn’t work for people, it just doesn’t work,” says John Blythe, a behavioral scientist and director of cyber workforce psychology at Immersive Labs, maker of a cybersecurity training platform.

Blythe points to password requirements as a case in point: requiring complex combinations of letters, numbers, and symbols, as well as mandating frequent changes, taxes workers’ memories, so they end up using weaker passwords (and writing them down) so they can get into the systems needed to do their work. (That’s why, he says, asking workers to use three random words “works best for human memory” as well as security. The UK’s National Cyber Security Centre reinforces that point, noting that three-word passwords are “long enough” and “strong enough” for most purposes.)

Huffman cites another example where the science of psychology shows where security might be working against itself, explaining that security practitioners who say “it’s not if there’s a breach, but when” (or some variation of that) may actually be doing more harm than good. He says it has to do with the Pygmalion effect, a psychological phenomenon in which setting high expectations leads to higher performance while setting low expectations gets low results.

“When we say ‘it’s not if, but when,’ we’re taking the control away from the user,” Huffman says. He asks: What’s the incentive for users to follow best practices, especially when those practices require extra effort, if they’re being told it won’t necessarily matter? “Instead, give every user power and control [by saying]: ‘We can stop these attacks. We can overcome this. We will not get attacked because we will follow the right processes,’” Huffman adds.

Psychology-aware security is effective security

As CEO and founder of RevolutionCyber, Juliet Okafor helps organizations move from cybersecurity awareness to adoption and offers fractional business information security officer (BISO) services. Okafor, who is also an attorney with a background in communications, focuses on the human component of building a cyber-resilient organization. She says she draws on marketing and sales principles that convince people to make a purchase or take an action.

“They’re selling someone on making a decision they wouldn’t normally make. Cybersecurity is the same. You’re convincing people that cybersecurity is part of their job. And to do that, cyber must use psychology. It demands psychology for it to be effective,” Okafor says.

Like a marketing professional, Okafor has developed and uses personas to help her fine-tune the cybersecurity messages she delivers to individuals. Those personas consider their roles, their motivations, how they prefer to learn and other factors. “When we do this, we can personalize campaigns, we build better awareness and we better mitigate risks,” she says.

Okafor says cyberpsychologists have also used their training to identify enterprise vulnerabilities. She points to research that shows how people’s more-rushed behaviors at certain times of day, such as just before lunch and right before leaving, make them more prone to click through emails, including phishing attacks. (Cyberpsychologists call such rushed moments a “hot” visceral state.)

Security teams that understand this dynamic can act on that information, she says, for example by adjusting their security information and event management (SIEM) platform to create more gates for emails to travel through during those times.

Cyberpsychology works in training, too

Okafor has also applied psychology to training security teams, having worked with companies looking to improve their incident response times. She used competitions to train teams and asked winners to share their strategies — the former leveraging security workers’ typically competitive nature and the latter leveraging their motivations to do good and be seen as trusted stewards. As she explains: “It’s taking what you know about how people work and creating policies to make sure the right controls are in place.”

Christie Wilson, cyber resilience manager with UniSuper, says she, too, is bringing psychology into her organization’s security program. Wilson, who has both a bachelor’s degree and a post-graduate diploma in sociology, says she’s working to “analyze and predict human interactions, motivations, and vulnerabilities, which are important considerations for protecting against cyber threats and designing effective security measures.”

Wilson says this has helped her develop awareness training that better resonates with people and helps them better understand why they need to buy into the company’s cyber resilience program.

People are an attack vector, not a weak link

This mindset has even brought Wilson to adjust her thinking around people as “the weakest link.” “People aren’t the weakest link,” she notes. “They are the primary attack vector. It’s important we understand this when creating awareness and training content. As security professionals, we need to put ourselves in our people’s shoes. Security might be the most important thing in the world to us, but for others it can be anything from a blocker to something they never consider.”

She adds: “Understanding that behavior change needs motivation, ability, and prompts has been a key component of our cyber resilience program.”

Blythe says the most effective way for CISOs to incorporate psychology into their security program is to bring a cyberpsychologist on board, saying “A cyberpsychologist would know what the science is and how it works.”

Others agree, but they acknowledge that’s a big ask — and one that’s hard to do. For one thing, there are few people trained in the discipline. Cyberpsychology, which focuses on how the mind reacts when people interact with technology, is still a relatively new field, Hadlington says. Moreover, not all cyberpsychologists and cyberpsychology programs focus on cybersecurity. CISOs already working with slim budgets may not have the money for such a position.

Still, interest in and information about the intersection of psychology and cybersecurity are spreading. Hadlington is taking a “train the trainer” approach. Huffman researches and speaks on the topic. And institutions are adding courses in this space; for example, the SANS Institute, a training organization, is running a Managing Human Risk Summit in August 2023, which will address in part the psychology factor.

Adding psychology to the security department

Experts say CISOs can learn to layer psychology into their security programs to boost the effectiveness of their work. To start with, Hadlington and Huffman both recommend that CISOs engage in more communication. They should ask workers where they struggle with security controls, why they circumvent security policies, why they clicked on the link in a simulated (or real) phishing scam, what would motivate them to be more security-minded, etc. Then they should address those human elements.

CISOs should also empower workers with ways to solve their challenges and clearly articulate the ways workers make a difference in security. “That feedback loop is really critical,” Hadlington says. “People want to know ‘Why am I doing this? What’s in it for me? Am I helping the organization? Is what I’m doing effective?’”

Additionally, Huffman says CISOs can work with their marketing teams to learn techniques for influencing behavior. And, as marketing does with the messages it sends to its audience, Huffman says security can personalize security awareness and training.

Address issues that create a ‘psychological hot state’

CISOs can also work with their executive colleagues to address cultural issues that foster that psychological hot state, Huffman says, noting that a workplace where employees are constantly worried or unreasonably busy “gives hackers another advantage.”

Lance Spitzner, director of research and community at the SANS Institute, says he advises CISOs to take a broader view of this topic, applying psychology and behavioral sciences to affect not just individual workers but organizational behavior as a whole.

“You’re trying to create an environment in which humans exhibit strong security behaviors,” he says. “To secure organizations, we need to secure people. And to secure people, we need to change their behaviors. And to change their behaviors, we need to both motivate and empower them to change. That’s where the cognitive sciences come in.”