In the time it takes you to read this article, twelve cyber-attacks will have occurred. And while many high-profile attacks target information like emails and bank account credentials, some have shown how hackers can make an attack with even greater consequences. Despite the billions spent worldwide to build new technologies to prevent these attacks, cybercrime is not only continuing but seems to be increasing. Why?
Most investments in cybersecurity go towards building more complex technology and tougher firewalls. But in doing so, we neglect the human beings that are at the center of these systems. While it been made to believe that rogue hackers pose the greatest threat to our cybersecurity application, experts estimate that 70-80% of the cause contributed to cyberattacks are a result of human error. Developers who unintentionally build errors into software, and users who procrastinate installing security updates and use ineffective passwords. IT administrators neglect to manage their access control permissions of employees and vendors, providing pathways to sensitive information. Key level executives don't always invest enough at the right time and in the right places.
It's time to apply behavioral science to what has traditionally been a technological problem. Context matters and awareness does not always guarantee action. We all have predictable biases and we should focus less on how people should act, or how we expect them to act, or even how they intend to act– and instead focus on how they behave. When it comes to cybersecurity, it means realizing that human behavioral factors provide a rich opportunity to make your system safer, more robust and resilient. Let's take a C-level executive for instance; classic economists believe that the investment decisions C-level executives make come from carefully weighing the cost, risks, and benefits using all the information they have. Behavioral economists on the other hand, recognize that's not likely the case. Uncertain about a cost, executives may simplify a question or take shortcuts, instead of ensuring security. When determining if additional investments need to be made, they may ask "did we have a breach this year?", choosing to invest only if the answer is yes and neglecting that they could have just been lucky.
To improve investment decisions, you will need tools that help your executives see cybersecurity not as an investment, but as a key aspect of operations. We might need to refrain from finding failures in cybersecurity systems as important and elevate cyber risk as the key risk area for companies. But this is just the start. By turning the lens of behavioral science on various human challenges in cybersecurity, we not only identify new opportunities and interventions to improve human behavior but to improve security in general.