January 31, 2023

Drive Risk Awareness by Supporting Human Heuristics

By Laura Bishop, Director of Human Risk Science at OutThink

Human heuristics and biases are normally perceived negatively in cybersecurity. However, those vulnerabilities cybercriminals use when targeting their victims can also be used to strengthen the defense against them.

Humans develop mental strategies to help process decisions intuitively. These enable us to focus on the most important ones. Intuitive thought can be useful but can sometimes result in less optimal decisions than those made consciously. An example is an employee applying more cognitive energy to an important conversation with a colleague while intuitively opening emails. The potential consequence is clicking on a link in a phishing email.

Why isn’t conventional awareness training enough?

Employees may receive cybersecurity compliance training from their organization but when working intuitively they are unable to cognitively access this education to benefit from its learnings. Instead, they use predetermined strategies or habits, for example following the opinions of experts or the majority to make a quick decision. Cybercriminals are aware of this and other heuristics and will in turn position themselves as experts or suggest many others have performed an action to further influence a fast decision. Employees must be supported by being trained on new cognitive strategies that can be built into current habits.

How does debiasing work?

The word debiasing may sound technical and somewhat foreboding, however the concepts involved can be straightforward to apply. An example of a debiasing technique is always placing your keys in the same spot each day to avoid their loss.

Debiasing is an intervention in which people are given the information required to improve their current decision-making rules. It is about educating employees how to recognise when a strategy should be applied and allowing the opportunity to practice until it becomes habitual. Debiasing is a multi-step approach involving 5 stages:

Making the decision-maker aware the bias exists
Informing them on how to detect it
Motivating them to want to change it
Teaching them how to apply the more optimal strategy
Showing them how to practice and maintain it

Debiasing techniques in cybersecurity is still in its infancy but has shown great promise in healthcare, forensic mental health, and education. My own research involving debiasing techniques has found promise for their use in detecting phishing emails. Debiasing offers more than nudging alone as humans can become habituated to continuous pop-ups.

Examples of debiasing

There are several debiasing strategies that support your employees with a focus on providing techniques that can be easily remembered and implemented. Two simple examples of such strategies are a ‘consider-the-opposite’ intervention and a checklist/maxim intervention.

‘Consider-the-opposite’ requires employees to consider the evidence available for an alternative outcome. For example, assuming all people in your building do not have authorised access unless an ID badge is produced. This technique interrupts automaticity, encouraging more conscious thought.

Another potential debiasing intervention is the implementation of a maxim or mental checklist. Repeating information or a behaviour until it becomes habit. Heuristics are inbuilt mental checklists and therefore replacing elements of them with new forms can help reduce susceptibility to social engineering while avoiding reductions in productivity.

The key message is, do not just provide education. Support your employees’ intuitive decisions, ensuring they are aware of biases that may result in vulnerability, when to expect them and how they can create more secure strategies to practice until they become automated. Don’t just educate your employees, help them apply secure strategies even when thinking fast.

OutThink

FUEL has partnered with leading cybersecurity company OutThink to include its award-winning human risk management platform as one of the software solutions we offer clients.

OutThink received the highest possible score from ratings body Gartner Peer Insights, as well as a Seal of Excellence award from the European Innovation Council.

To find out how the OutThink Cybersecurity Human Risk Management platform can raise awareness, drive more secure behaviours, and increase motivation across your organisation please get in touch at info@fuelonline.co.za.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Drive Risk Awareness by Supporting Human Heuristics

Why isn’t conventional awareness training enough?

How does debiasing work?

Examples of debiasing

Related Posts

The New Phishing

The Benefits of Online Training to Franchise Companies

Incorporating Mentoring to Encourage Employee Growth