The price tag of social engineering
“Even the best security systems will not be able to protect people from becoming victims of manipulative procedures (by social engineering) or financial and social damage because of attacks from cyberspace.”
This change is also necessary to reduce the high costs that cybercrime causes to society, government, business and the organisations, companies and individuals concerned. A focus on technology alone will not increase security. The psychological factor – the human factor – must urgently come back to the fore.
Countless studies on the costs of cybercrime are in circulation, and they all have one thing in common: the dizzying size of the figures. The studies cannot be compared with one another because each draws on a differently chosen underlying data set. Depending on the publisher, they should be treated with caution, as should other studies about white-collar crime and non-compliance. The number of unreported cases remains high, and for this very reason the high measurable costs are already an indication that cannot be neglected.
However, the impact of cyber-attacks goes far beyond the financial damage. Research shows that those affected show symptoms like those of victims of post-traumatic stress disorder (PTSD). Individuals confronted with cyber-attacks experience a massive – psychologically caused – disadvantage. In most cases, they lack the basis for decision-making in the form of sufficient information to make a professional decision. This holds regardless of whether the decision arises in a private or a professional environment. The trade-offs between risk and opportunity for the individual are clouded. Even if sufficient information were available, decision-makers tend to be led, under the influence of various factors, into becoming victims of criminal activities.
The virtual network for data exchange
In an informal setting, people are much more willing to disclose personal and confidential information than in a formal setting.
Informal settings include social virtual networks (social media channels) as well as occasions and opportunities for personal exchange in the form of invitations to events, which emphasise the informal part more strongly. This must be considered and addressed accordingly when raising awareness and training employees. Similarly, the (Western) practices of consuming stimulants in this context are among the accelerators of information gathering.
Behavioural and cultural adaptation
Given what is known about human behaviour, people need to adapt how they behave in the newly created territory of “cyberspace”. This adaptation can increase the security of both the individual and the collective.
The following measures are recommended by psychology:
1) The priority is to understand the economic behaviour of individuals in the face of the expectations of risk and reward in relation to the limitations outlined above. Also important is the social situation or environment that leads individuals to disclose personal (or company-specific) information by minimising the inhibition threshold or the potential risk attached to disclosing that information.
2) Identifying criminal and malicious activities and patterns of behaviour by their deviation from the norm, and making the corresponding technological adjustments to security systems so that they recognise these patterns, are also among the core priorities. The psychological distortions that affect privacy decisions must be considered (see also point 1).
3) It is necessary that legislators, law enforcement agencies and internally commissioned investigators take the psychological and social impact of cybercrime into account to the same extent as the “classic” cases of crime. One of the greater dangers associated with cybercrime is fragmented legislation and procedures that stop at their respective borders.
4) Raising awareness! Only public awareness of cyber-security can raise and change human expectations and subsequently the corresponding behaviour, which affects privacy. It is essential that the topic is dealt with not only on an intellectual, academic level but also for the broad masses, through the channels that people use and to which they disclose (too) much confidential information: virtual and social networks of all forms.
5) It is important to understand the influence cybercrime has on its victims (those affected) and the different stages through which they go. The psychological reactions on the part of the individual are varied and complex. It is important that those affected can be guided through the stages according to their individual needs and symptoms. At the same time, it is essential that the experts have the appropriate knowledge of the topic.
Diverse backgrounds and expertise to protect the assets
Experts for (potential) victims of white-collar crime, non-compliance and cybercrime play an essential role in prevention and incident management. Among other things, they address the various roles we play as individuals in this environment.
It is not just about the IT security officers who monitor the firewalls, but above all about the different roles that each of us carries within us and performs daily – across hierarchies and functions. We must support all functions to protect our assets and not leave the task with IT.