The Impact of the Six Principles of Influence on Cybersecurity
It’s another busy day at the office. You receive an email from your personal bank’s fraud team and alarm bells go off – what do they want? Whatever it is, it’s urgent. The bank has noticed suspicious activity on your account and is requesting that you review the details of an unusual transaction.
Hurriedly, you open the attachment to find the details of an unfamiliar transaction. Puzzled, you close the document, failing to realize that malware is downloading in the background that will enable cyber-criminals to steal your personal data. You’ve been hacked.
What’s unusual about this story? Nothing is unusual about it. In fact, this story is a quintessential example of social engineering. The email appeared to be sent from a bank, an authoritative and therefore influential body in the eyes of the target. The attacker also created a perception of urgency, a scarcity of time, which increased the likelihood of action.
Essentially, the hacker pulled the psychological levers necessary to influence the target to act in accordance with a malicious agenda.
Tactics such as these originate with behavioral economics, the study of irrational economic decisions that don’t comply with the classical view of people as rational, selfish and driven by mathematical judgements about the relative costs and benefits of their choices.
Cyber-attackers exploit the social, emotional and psychological behavioral drivers identified by this field of study to influence and to manipulate. They understand that every cyber-defense is composed of technological and human elements, and while security technologies continue to rapidly develop, human instincts take much longer to evolve.
Put simply, hackers recognize that it is easier to hack a human than it is to hack a machine.
Weapons of Influence
In examining the methods of manipulation employed by hackers, the ideas of Dr Robert Cialdini are never too far from view. Cialdini is recognized worldwide for his inspired field research on the psychology of influence. His seminal work Influence: Science and Practice described six principles that can be used by any individuals or groups who want to influence the behavior of others.
- The Reciprocity Principle: People feel obligated to pay back what they have received from others.
- The Commitment & Consistency Principle: People tend to stick with whatever they’ve already chosen.
- The Social Proof Principle: People tend to have more trust in things that are endorsed by people that they trust.
- The Liking Principle: People are more likely to comply with requests made by people they like.
- The Authority Principle: People follow others who appear to know what they’re doing.
- The Scarcity Principle: People are always drawn to things that are perceived to be exclusive.
Cialdini highlighted the power of these “weapons of influence” in the context of sales and marketing, but they are equally applicable to a security context where cyber-attackers frequently use them to bypass cyber-defenses.
Hackers, for example, commonly seek to exploit the principle of reciprocity through the practice of “reject and retreat” tactics. The fraudster will open a conversation by asking for something extreme. When the target says “no”, the fraudster will “retreat” to a second, more “reasonable” request. Because the fraudster appears to have compromised, the target will feel compelled to reciprocate by giving in to this second, more tolerable request.
Hackers also exploit the principle of authority by manufacturing phishing emails to appear as if they have been sent from authoritative bodies. And we should all be wary of “friend requests” from unfamiliar yet attractive members of the opposite sex, as it is very likely that this is an attempt by a cyber-attacker to exploit the liking principle to compromise our personal data.
These are just a few examples of how hackers regularly employ Cialdini’s ideas on persuasion for nefarious purposes. However, the theory of influence is a double-edged sword. While the techniques described can be used to manipulate, steal and destroy, they can also be used to safeguard and protect.
Organizations can substantially improve how they address the human aspect of cybersecurity by utilizing the tactics of their cyber-antagonists to change behaviors and reduce risk.
Influencing Cyber Best Practices
One of the most powerful ways to promote safe cybersecurity behaviors is to capitalize on the social proof principle by creating the perception that cyber best practices are the social norm.
IKEA, a company famous for its distinctive cultural identity, has in the past promoted its organizational principles through “cultural agents”, employees who were specially selected and trained to be vocal proponents of the company’s culture. Similar culture tactics can be applied to cybersecurity. If an organization can get one or two individuals to claim during a team meeting that they change their passwords regularly, then others will follow their lead.
Internal marketing initiatives that incorporate messaging designed to highlight how the majority follow cybersecurity best practices, e.g., “90% of your colleagues do not click on email attachments sent from unknown sources”, are also an effective method to promote positive behaviors by social proof.
We have seen how hackers exploit our tendency to obey and be influenced by authority. Equally, however, an IT security team can utilize this natural predisposition by ensuring that all the leaders within the organization, starting at the very top, engage with cybersecurity, understand its importance and lead by example.
The commitment and consistency principle describes how people have a general desire to appear consistent in their behavior. IT security teams can capitalize on this powerful behavioral driver by asking employees to publicly confirm that they will follow the company’s security policy. What’s more, if they can get employees to put their commitment in writing, all the better. “People live up to what they write down”, said Cialdini.
These are but a few ways that an IT security team can adopt the theory of influence to promote safe online behaviors. With a little thought and creativity, however, any organization can come up with a multitude of low-cost, low-effort initiatives that can have a high impact in terms of reducing cyber risk exposure.
It has been said that to triumph, you must know your foe and to know your foe, you must become your foe. This sentiment may be old, but it still holds water in a modern cybersecurity context.
IT security teams can substantially strengthen their human firewall by learning from the behavioral nous employed by cyber criminals and applying it to promote cybersecurity best practices.