How people can take proper precautions online without even having to think
I imagine you’ll have experienced something like this before.
You’ve been tied up in a report for the last hour or two. Your concentration is waning and you need a change of pace.
So you turn to your emails and delete any junk. You read through emails that require consideration and make a note to respond in due course. Then you turn your attention to one specific email from a colleague.
The email links to an online article and it asks you to take a look. You’ve got some time and the article is of relevance.
Given the situation, would you be happy enough clicking through to the article, as instructed?
A world filled with risk
Although we rarely consider it, ultimately, every email we receive comes with a certain amount of risk.
The same goes for every phone call we answer. And every new programme we download.
Every conversation we have, every photo we share, every network we join, every password we key in; all of these actions come with a small amount of risk.
If we were entirely rational beings, we’d compute the exact expected outcome of taking each risk in turn. It’d be an exhausting life, and one in which we wouldn’t get much done.
Which is why we don’t exist as entirely rational beings at all. Instead we rely on what social psychologists label heuristics to guide our actions.
Unfortunately, heuristics increase our chances of suffering a cyber attack.
Easing cognitive strain
Briefly, heuristics are guidelines that allow people to conserve mental energy in an extremely demanding world. They allow us to make remarkably accurate judgements instantly, entirely without thought.
In the example set out in the introduction, the email is signed by a colleague and sent from a reliable email address. Heuristics indicate that the email is safe – despite the fact we’re unable to calculate the precise probability of risk.
Thanks to heuristics, we’re usually happy enough to follow the instructions in such emails, which usually lead to our intended outcomes.
Sadly, cyber criminals understand heuristics – and routinely exploit them when launching cyber attacks.
Misfiring heuristics
Consider a variant on the email discussed in the introduction.
This time, the email isn’t sent from a colleague. Instead, it’s sent from a supplier.
The sender is not someone you’ve spoken to before – but then your supplier is a large company, so you frequently deal with new people.
The email doesn’t contain a link.
Instead, it contains an attached invoice, which the email asks you to inspect.
Given the situation, would you be happy enough to open the attachment?
Acting without thinking
Maybe you wouldn’t.
But, actually, most people would open the attachment without thinking twice.
Thanks to heuristics, in fact, most wouldn’t think once.
The sender and the email address appear legitimate, and opening such attachments usually leads to an intended outcome.
Every so often, though, such emails are malicious.
Misfiring heuristics mean we don’t spot the danger.
Combating misfiring heuristics
Heuristics aren’t going away anytime soon and, given their usefulness, it’s unlikely we’d banish them even if we could.
What cyber security professionals need to focus on, then, is controlling heuristics to decrease the chances of a socially-engineered cyber attack.
Interestingly, heuristics themselves might be the solution.
As I mentioned previously, heuristics are a set of guidelines that allow people to conserve mental energy – and one such guideline is known as the “availability heuristic.”
The availability heuristic helps us judge the likelihood of an event happening based on how easily similar events come to mind, which explains why cyber security professionals take so many more precautions than those in other fields.
However, it’s important to understand how this heuristic could also work against us, especially in the context of phishing attacks.
Consider a scenario where you receive an email that seemingly comes from a supplier, and it contains an attached invoice, requesting you to inspect it.
You’ve dealt with new contacts from your supplier before, so the email address doesn’t raise immediate red flags, and the attachment seems harmless. In such situations, the availability heuristic can lead us to quickly assume it’s legitimate and open the attachment without much thought.
The availability heuristic could help people acknowledge the true risks of cyber attack – so long as people can easily recall examples of other cyber attacks. Given hackers attacked one in five firms, the case studies clearly exist. All organizations need to do is make them more prominent.
We can then rely on the availability heuristic to redefine our estimates of the dangers and modify our behavior accordingly. By reinforcing the memory of past phishing incidents or using simulations to create similar experiences, we can enhance people’s ability to recognize and respond to phishing emails effectively.
Despite their shortcomings, properly harnessed heuristics can keep us safe online, but only if we actively manage and educate ourselves about the ever-evolving tactics of cyber attackers.
With heightened awareness and a cautious approach, we can empower ourselves to navigate the digital landscape more securely, without anyone stopping to think.