By Laura Bishop, Director of Human Risk Science at OutThink
Human heuristics and biases are normally perceived negatively in cybersecurity. However, the same vulnerabilities that cybercriminals exploit when targeting their victims can also be used to strengthen the defence against them.
Humans develop mental strategies to help process decisions intuitively. These enable us to focus on the most important ones. Intuitive thought can be useful but can sometimes result in less optimal decisions than those made consciously. An example is an employee applying more cognitive energy to an important conversation with a colleague while intuitively opening emails. The potential consequence is clicking on a link in a phishing email.
Why isn’t conventional awareness training enough?
Employees may receive cybersecurity compliance training from their organisation, but when working intuitively they are unable to cognitively access this education and benefit from its learnings. Instead, they use predetermined strategies or habits, for example following the opinions of experts or the majority to make a quick decision. Cybercriminals are aware of this and other heuristics and will in turn position themselves as experts, or suggest that many others have already performed an action, to further influence a fast decision. Employees must be supported by being trained on new cognitive strategies that can be built into their current habits.
How does debiasing work?
The word debiasing may sound technical and somewhat foreboding; however, the concepts involved can be straightforward to apply. An everyday example of a debiasing technique is always placing your keys in the same spot each day to avoid losing them.
Debiasing is an intervention in which people are given the information required to improve their current decision-making rules. It is about educating employees on how to recognise when a strategy should be applied and giving them the opportunity to practise it until it becomes habitual. Debiasing is a multi-step approach involving 5 stages:
- Making the decision-maker aware the bias exists
- Informing them on how to detect it
- Motivating them to want to change it
- Teaching them how to apply the more optimal strategy
- Showing them how to practice and maintain it
The use of debiasing techniques in cybersecurity is still in its infancy, but they have shown great promise in healthcare, forensic mental health, and education. My own research involving debiasing techniques has found promise for their use in detecting phishing emails. Debiasing offers more than nudging alone, since humans can become habituated to continuous pop-ups.
Examples of debiasing
Several debiasing strategies can support your employees, with a focus on techniques that are easy to remember and implement. Two simple examples of such strategies are a ‘consider-the-opposite’ intervention and a checklist/maxim intervention.
‘Consider-the-opposite’ requires employees to consider the evidence available for an alternative outcome. For example, assume that no one in your building has authorised access unless they produce an ID badge. This technique interrupts automaticity, encouraging more conscious thought.
Another potential debiasing intervention is the implementation of a maxim or mental checklist: repeating a piece of information or a behaviour until it becomes habit. Heuristics are inbuilt mental checklists, so replacing elements of them with new forms can help reduce susceptibility to social engineering while avoiding reductions in productivity.
The key message is: do not just provide education. Support your employees’ intuitive decisions by ensuring they are aware of the biases that may result in vulnerability, when to expect them, and how they can create more secure strategies to practise until they become automatic. Don’t just educate your employees; help them apply secure strategies even when thinking fast.
FUEL has partnered with leading cybersecurity company OutThink to include its award-winning human risk management platform as one of the software solutions we offer clients.
OutThink received the highest possible score from ratings body Gartner Peer Insights, as well as a Seal of Excellence award from the European Innovation Council.
To find out how the OutThink Cybersecurity Human Risk Management platform can raise awareness, drive more secure behaviours, and increase motivation across your organisation please get in touch at email@example.com.