Psychological Security Definition
Psychological Security is the practice of protecting humans from being manipulated and exploited by technology by training their brains to recognize manipulation and react to it. From hyper-targeted ads to phishing attacks, technology and data are used to influence us every day. We’ve learned to trust and depend on the technology we use, the brands we buy, and the people we know, and that trust is the reason phishing is so successful.
Psychological Security is the Third Stage of Security.
When it comes to security, and more specifically cybersecurity, we are familiar with two types of security: Physical Security (PhySec) and Information Security (InfoSec). Psychological Security (PsySec) is a natural progression in the evolution of security. As we’ve come to realize that the human side of security must be protected differently than information or physical security, a need has evolved for this new category.
Physical Security describes security measures that are designed to deny unauthorized access to facilities, equipment, and resources and to protect personnel and property from damage or harm.
Information Security is the protection of computer systems from theft or damage to hardware, software, and electronic data, as well as disruption or misdirection of the services a company provides.
Psychological Security describes security measures that are designed to protect the human mind from psychological manipulation that leads to a compromise of Physical Security or Information Security.
InfoSec vs. PsySec
The practice of protecting humans, until now, has been largely lumped into Information Security because protecting people played into the ultimate goal of protecting information and data.
The problem we have now is that as InfoSec focuses on tools, software, data, and increasingly on A.I. and machine learning, the human side of security no longer aligns with the goals of InfoSec.
But with Psychological Security as the third stage of cybersecurity, that’s not such a bad thing!
InfoSec will keep evolving to take on tomorrow’s technical threats, and PsySec will focus on protecting humans from psychological threats.
Why Psychological Security?
Cybercrime grows more sophisticated by the day. So do the defenses which stand against it. Yet, the human element remains mostly the same. Air-tight firewalls, a gratuitous suite of antivirus software, and a password written in hieroglyphics are no match for the raw destructive force of an employee clicking on a simple phishing email.
Psychological security refers to the human component of cybersecurity. It calls for educating the workforce on the signs of social engineering, filling in the gaps of vulnerability where the technological components of your cybersecurity infrastructure fall short.
PsySec represents a new paradigm in defending against corporate cybercrime—a necessary and urgent shift in the balance of cybersecurity spending. It’s the only way to avoid the ever-increasing expenditures fueling a battle of brinkmanship between hackers and their prey.
What is “Manipulation by Technology”?
When we say that Psychological Security protects humans from manipulation by technology, what exactly does that mean?
Technology is used as a method of influence every day, and this practice is not limited to the “bad guys”. Think about all the different ways you interact with technology, and how it might influence your decisions. Here are a few examples.
Marketers use techniques like the “illusion of choice”, fear of missing out (FOMO), and peer pressure to influence you to buy products or use certain services. If you are a “trendy mom” in your 30s, advertisers can use audience targeting to show you an ad of, you guessed it, a trendy mom in her 30s using their product or wearing their clothes.
Popular social networks and other applications, while they may seem designed to make your life easier, usually prioritize their own objectives over yours. Designers make specific, calculated design decisions to influence you to do certain things in an app, and ultimately to use the app for a longer period of time.
The way these companies achieve success is by making sure that the choices they want you to make are easy, and the choices they don’t want you to make are hard.
Take a meal delivery service, for example: while it may be very easy to reorder, upgrade, or view recipes, it might be much harder to, say, cancel your account. The buttons for cancellation, unsubscribing, etc. are often much harder to find.
In some instances, companies will require you to visit their website on your computer to cancel, in the hopes that you’ll forget or change your mind by the time you reach your computer.
Social media is a powerful thing. It creates/ends careers, launches businesses, and gives people a window into each other’s lives. But most people will agree this doesn’t come without its disadvantages.
Similar to the psychological effects of advertising, social media can create feelings of inferiority, FOMO, and peer pressure. Many people show the best aspects of their lives on social media, leaving out the hard parts of life that everyone faces. This can lead to anxiety, depression, isolation, and the feeling of inferiority.
Phishing and Social Engineering
While the above are just a few examples of manipulation by technology in the world, for the purposes of cybersecurity, we tend to focus on two primary areas: Phishing and Social Engineering.
What is Social Engineering?
Social engineering refers to the psychological manipulation of targeted individuals in an effort to gain access to devices, networks, or information that would otherwise be restricted. This access is typically considered either unauthorized or fraudulently authorized.
Unauthorized Access: a hacker or fraudster sends their target an email, posing as the victim’s bank. The target is urgently advised to change their login credentials (typically their username and password). Their new credentials are recorded and later used to gain unauthorized access to their online bank account.
Fraudulently Authorized Access: a hacker or fraudster sends their target an email, posing as the assistant to a company executive. They claim the executive needs access to Salesforce for an urgent matter and is requesting the victim’s login credentials. The target complies, giving the hacker fraudulently authorized access to their username and password.
Social engineering lies at the heart of the most common forms of cyberattack, and the primary form of successful social engineering is phishing.
What is Phishing?
Phishing is the fraudulent or malicious use of email communication to deceitfully acquire confidential information or gain access to devices, servers, and networks. In most cases, threat actors will impersonate government officials, corporate partners, or even members of your own organization while attempting to get team members to divulge information.
Phishing is most commonly done via email, but other forms of phishing include:
Spear Phishing: the targeted application of phishing attacks to breach the defenses of a specific individual, network, or organization.
Vishing: extracting sensitive or confidential information over the phone.
Smishing: the use of SMS messaging (also known as “instant messaging” or “text messaging”) to gain unauthorized access to confidential intel.
Of course, the applications of social engineering extend far beyond the mold outlined above. Ultimately, human psychology has proven to be a much easier vulnerability to exploit than a secure network infrastructure, and attackers have used this to their advantage.
Why does Social Engineering Work?
A study published in the proceedings of the Third International Conference on Human Aspects of Information Security, Privacy and Trust defined five key principles of persuasion used in social engineering: authority; social proof; liking, similarity and deception (LSD); commitment, reciprocation, and consistency (CRC); and distraction.
Authority
We are conditioned—throughout our upbringing—to avoid questioning authority. Question a teacher’s orders and you’re liable to wind up in detention. Question the judgment of your supervisor and paint a target on your back on the battlefield of office politics. It’s no wonder, then, that phishing schemes in which hackers impersonated a CEO grew 100% over a 14-month period from 2018 to 2019 and cost over $26 billion between June of 2016 and July of 2019.
Social Proof
People tend to let their guard down when conforming to the behavior of a larger group. Group behaviors are often perceived as carrying less risk (as the burden of any consequences is more widely dispersed).
Liking, Similarity, and Deception
It’s easier to let down your guard or comply with the requests of someone you like or to whom you feel similar. This could be a coworker, family member, supervisor, close friend, etc.
Commitment, Reciprocation, and Consistency
The desire to appear consistent can increase one’s tendency to commit to and follow through on an action. Agreeing to do someone a favor often has some expectation of reciprocity. Social engineering almost always involves an “ask” of some sort.
If you suspect an email may be a phishing attempt, it helps to identify the “ask” first, and then consider whether the remaining four principles of persuasion seem fishy—that is, whether they are arranged to invite a quick read and a near-thoughtless response. Hackers don’t want you spending too much time admiring their handiwork; the more time you spend, the more likely you are to get suspicious.
Distraction
As it’s defined within the five principles of persuasion, a “distraction” is akin to a sales tactic used to create a false sense of urgency or heightened stakes. That urgency often stems from scarcity (of time, supply, etc.). Hackers heighten the stakes of a social engineering attack by presenting an opportunity, which—whether lost, gained, or unclaimed—makes you want to act fast.
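To make the “find the ask first, then look at the pressure around it” advice concrete, here is an added example of a defender-side triage script; it is not code from the article. It parses a raw email, looks for the “ask” (credentials, payment, a link or attachment), tags which of the five persuasion principles appear in the wording, and checks whether a sender claiming an executive role is actually writing from outside the organization or from a lookalike domain. The keyword lists, weights, the INTERNAL_DOMAIN value and both sample messages are constructed assumptions for illustration, not data from the article.

```python
"""Heuristic phishing triage keyed to the five persuasion principles.

Added example, not from the article. The sample messages, keyword lists
and the INTERNAL_DOMAIN value are constructed assumptions.
"""
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"  # assumption: the organization's own mail domain

# Wording cues per persuasion principle (constructed; tune on real mail)
PRINCIPLE_PATTERNS = {
    "authority": r"\b(ceo|cfo|executive|director|it (support|department)|helpdesk|bank|compliance)\b",
    "social_proof": r"\b(everyone( else)?|everybody|all (other )?(staff|employees|colleagues)|the rest of the team)\b",
    "lsd": r"\b(as a friend|you know me|we met|fellow|just like you)\b",
    "crc": r"\b(as (we|you) agreed|you promised|return the favou?r|as discussed|i helped you)\b",
    "distraction": r"\b(urgent(ly)?|immediately|within \d+ (hours?|minutes?)|asap|today|expires?|suspend(ed)?|final notice|act now)\b",
}

# The "ask": what the message wants the reader to hand over or do
ASK_PATTERNS = {
    "credentials": r"\b(password|login|credentials|verify your (account|identity)|sign in)\b",
    "payment": r"\b(wire|transfer|gift cards?|invoice|payment)\b",
    "link_or_attachment": r"https?://\S+|\b(open|download) the attach(ed|ment)\b",
}

# A role claimed in the display name is only meaningful if the address is internal
ROLE_IN_NAME = r"\b(ceo|cfo|cio|president|director|executive|it (support|department)|helpdesk)\b"


def _is_internal(domain: str) -> bool:
    return domain == INTERNAL_DOMAIN or domain.endswith("." + INTERNAL_DOMAIN)


def _is_lookalike(domain: str) -> bool:
    # e.g. "example-com.net" reuses the organization's label but is external
    label = INTERNAL_DOMAIN.split(".")[0]
    return not _is_internal(domain) and label in domain.replace("-", "")


def triage(raw_message: str) -> dict:
    """Return the cues found, the 'ask', and a verdict for one raw RFC 822 message."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    payload = msg.get_payload()
    body = payload if isinstance(payload, str) else ""
    text = f"{display_name}\n{msg.get('Subject', '')}\n{body}"

    principles = sorted(k for k, p in PRINCIPLE_PATTERNS.items() if re.search(p, text, re.I))
    asks = sorted(k for k, p in ASK_PATTERNS.items() if re.search(p, text, re.I))
    role_claimed = bool(re.search(ROLE_IN_NAME, display_name, re.I))
    spoofed_authority = role_claimed and not _is_internal(domain)
    lookalike = _is_lookalike(domain)

    # Find the ask first; only then ask whether the pressure cues around it
    # (persuasion principles, a spoofed sender) push toward an unthinking reply.
    if asks and (principles or spoofed_authority or lookalike):
        verdict = "suspicious"
    elif asks:
        verdict = "review"
    else:
        verdict = "low"

    return {
        "sender": address,
        "domain": domain,
        "principles": principles,
        "asks": asks,
        "spoofed_authority": spoofed_authority,
        "lookalike_domain": lookalike,
        "verdict": verdict,
    }


# Constructed sample messages (not real mail)
PHISH = """\
From: "Jane Doe (CEO)" <jane.doe@example-com.net>
To: staff@example.com
Subject: URGENT: verify your account today

Hi, I need you to verify your account immediately so the rest of the team can
finish the payroll run. Everyone else has already done it. Sign in here:
http://example-com.net/login and reply with your password if it fails.
"""

BENIGN = """\
From: "Bob Smith" <bob.smith@example.com>
To: alice@example.com
Subject: Lunch on Thursday?

Hi Alice, a few of us are heading to the noodle place on Thursday. Want to join?
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("benign", BENIGN)):
        print(name, triage(raw))
```

The verdict logic deliberately mirrors the article’s ordering: a message with no ask is low risk no matter how urgent it sounds, a message with an ask but no pressure cues is worth a second look, and an ask wrapped in authority, social proof, or urgency (or sent from a lookalike domain by someone claiming an executive role) is flagged as suspicious. On the constructed sample, the CEO-impersonation mail is tagged with authority, distraction and social proof, two asks (credentials and a link), a spoofed role and a lookalike domain; the lunch invitation trips nothing.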