Influence and manipulation are among the many faces of cybercrime. That’s why we need to protect our brains.
The influence of internet and social networks on our minds becomes more and more clear. And somehow it is frightening, as well at the individual level as for the society. Social networks are designed to be addictive. And the risk of manipulation grows as “experts” in fake information are taking full advantage. Algorithms offer powerful tools for merchants to predict the habits of the customers. Manipulation and profiling are also used in cybersecurity on the side of the hackers but also on the side of the cyber cops using more and more profiling techniques to catch the “bad boys”.
However, psychology is not only used for bad reasons. It can also be used to improve the level of security for businesses and organizations.
Some researcher propose to settle new Human Rights that would protect people from having their thoughts and other brain information stolen, abused or hacked.
Fadi Abu Zuhri is a brilliant “cyber psychologist”. He has over twenty years of experience in technical & security audit, digital forensics and technical investigation, governance, risk & compliance (GRC), technical process improvement. He has varied experience in Government, federal public institution, banking, financial services, education, properties and trading agencies. He wrote an exciting book: “The illusion of the cyber intelligence era”, that will interest anyone who wants to open their eyes in different dimensions
He accepted to share his experience and provided us with some invaluable advice and insight. He gave us his 5 best practices to use psychology in a virtuous way to strengthen the cybersecurity.
1. Focus on Security within the Organization’s Culture.
We first need to understand the organization. Who can have an influence on the organization, from inside and outside… How does it look to the outsiders? This is where you need to start… And then you can try to improve the culture of your organization: knowing what the organization really wants, who you are, where you are headed and when you want things to be applied… And remember that you cannot involve everybody in the same way, with the same approach. Let them be unique and melt into the organization’s culture. You have to recognize every individual, his background and needs…
2. Create Security Awareness Programs that are funny and engaging.
You learn better when you have fun and you are engaged. Not only because your brain is more efficient, but because we are living in a stressful society. A society where the stress and the pressure became the norm.
For example, if you ask people to use a strong password in order to comply with a certain regulation, they will not feel as compelled and concerned as if you ask them if they like their kid’s device to be misused by a stranger, or if they are ready to allow someone to commit a crime on their children’s behalf… The reaction will be very different. Generally, the people will feel emotionally engaged for someone they love and care about. You need to touch the people’s heart first.
So, education is not possible if the people are not involved. Engagement must be considered for individuals and groups of people alike. That said, it’s very important to make the difference between the real engagement and the virtual one, which is spreading like a drug on every social network. Blindly clicking, sharing or liking is just a fake kind of engagement and more importantly, it is dangerous because it can create an addiction. We are talking about mental health… And any HR department should take care about the health and the well-being of the employees in a company.
3. Find the best concept for driving behavioral change.
You have to first analyze the current behaviors. What is really happening? Without analyzing, you can do nothing, it is needed in order to push the people towards the desired goal. Within this change, they are to be guided and driven. You also need a champion to show the example and the road. Unfortunately, nowadays most of security is based on regulation and not on the culture and DNA of the organization…
4. Measure, report and learn from the previous mistakes.
Without mistakes, we garner no experience. How do you ensure that improvement is well established and will progress in the future? You need to consider that there is always space for improvement. Learning from mistakes is essential. The possibility to declare or report an incident must be made easy in order for the value of the incident to be assessed. Let the people be involved and initiate requests.
5. Choose the right channel and talk the talk of your audience
We are in a cyber era but most of us still believe we are in the 80’s and act accordingly. We are living with all these devices around us that come with positive and negative effects, but when we have to treat these effects, we act like before. The security awareness should not be limited to classical course sessions. We need to consider all the tools used in this period to engage people in a security awareness campaign. And these tools must be chosen accordingly to the profile of the target. It can be the radio if the people listen to the radio. And it must be on the smartphones if the people use it to access professional data.
As we can see, psychology is much more than a minor parameter to take into account. It becomes more and more a fundamental factor for any kind of organization. In the future we can envision that companies will open “brain fitness rooms” beside the classical fitness facilities.