Cognitive cybersecurity, the discipline best able to protect organizations from hackers


In February 2021, the State announced a billion-euro cyber-threat plan to respond to the increase in the number of cyberattacks affecting French organizations. Despite increasing budgets dedicated to cybersecurity, 52% of SMEs were victims of at least one cyberattack in 2021.

While attacks of a technological nature can be countered by protection solutions, social engineering attacks are much more difficult to prevent, and their increase is worrying. Employees are skillfully manipulated by hackers and are the cause of the success of cyberattacks in more than 90% of cases.

And yet, despite this reality, most organizations rely only on technology and push the human factor, the main flaw of organizations, into the background. To have a chance of stopping the exponential curve of cyberattacks, a paradigm shift must take place to finally approach cybersecurity from a neuroscientific angle.

Three cognitive factors are mainly exploited by hackers

Social engineering cyberattacks are computer attacks that exploit psychological and human flaws and weaknesses by trying to persuade an individual (a victim) to act as intended, following a scenario that is both malicious and effective. These computer attacks exploit weaknesses in human interactions and in behavioral and cultural constructs.

They occur in many forms such as “phishing”, “CEO fraud”, or “sock puppets” on social networks. Three factors have been identified as influencing the vulnerability of employees: stress, reduced vigilance and excessive workload.

These factors lead the employee into “attentional tunneling”: attention is visually focused on some of the elements shown on the screen, and the employee is less attentive to other elements that could alert him, such as spelling. These attacks are often personalized according to the interests of the employee and his digital history.

Identify the cognitive biases of each employee to train effectively

Little research has been conducted on the cognitive approach to “cyber-maliciousness”. Yet such research would make it possible to accelerate the understanding of the neurological and psychological mechanisms that make us fall into the trap of cyberattacks. A whole field opens up to the study of the cognitive biases involved in analyzing and evaluating the profiles of individuals and their personality traits.

Once these profiles (“psychotypes”) have been identified, employee awareness and training could be individualized in order to be more effective. Exploiting the neurocognitive flaws of each individual, this training will take the form of ultra-personalized e-mail attack simulations, often built with personal data present on the Internet. Once he has fallen into the trap, the employee will be much more receptive to learning. He will be able to follow a condensed, contextual training that revisits the elements of the attack and explains to him, in particular, the “psychological” reasons why he did not manage to thwart it.

In 1974, research in psychology and economics by Kahneman & Tversky gave birth to Behavioral Economics. In 2004, the studies of McClure and Read Montague, neuroscientists, revolutionized traditional marketing by discovering neuromarketing, which was subsequently extended into neuro-communication, neuro-advertising, neuro-finance, etc.

In 2022, we are witnessing a major paradigm shift in the field of cybersecurity from which arises a new discipline: cognitive cybersecurity. Just as in the fields of economics, marketing and finance, neuroscience is today the scientific discipline best able to develop the cybersecurity sector to better protect employees and make organizations less vulnerable and more resilient.




