By Emily Wang
To click, or not to click, that is the question. How do people make that decision?
Behavioural economics states that we think with both an intuitive mind and an analytical mind. Most of the time we rely on our intuitive mind to make those “quick and dirty” decisions such as fight or flight. If we see a tiger coming from a distance, we don’t need our analytical mind to list all the pros and cons before we know to quickly run away.
This also applies to cybersecurity, and with phishing specifically:
1) We have difficulty perceiving a threat. We may not see the tiger unless we’re aware it could also be hiding in plain sight.
2) Many of us haven’t harnessed our intuitive thinking to create a habit of spotting and reporting phishing emails.
While traditional security training tries to improve our analytical mind’s capacity, it doesn’t focus on sensing and handling dangers intuitively. The gap between what we know and what we feel can lead us to make the wrong decision.
Greater phishing awareness from employees can help prevent phishing attacks. One study confirms that those with a deeper understanding of the web environment and how to correctly interpret URLs are less vulnerable to phishing attacks. But the perceived severity of consequences doesn’t predict behaviour. This suggests that education efforts should be trying to increase intuitive understanding, rather than just warning about risk (Downs, Holbrook, & Cranor, n.d.).
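As an added illustration of what “correctly interpreting a URL” means in practice (example code written for this article, not from the cited study), here is a small Python helper that separates the host that will actually receive a click from the familiar-looking text around it. The bank name, hostnames and IP address are constructed placeholders, and the “last two labels” owner-domain rule is a deliberate simplification that ignores suffixes such as co.nz.

```python
from urllib.parse import urlsplit
import ipaddress


def describe_url(url: str) -> dict:
    """Break a URL into the parts a reader should look at before clicking.

    Only the host decides where the request goes. Text before an '@'
    (userinfo), the path after the first '/', and the query string are
    decoration, which is exactly where a lookalike link hides a brand name.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    info = {
        "scheme": parts.scheme,
        "host": host,
        "has_userinfo": parts.username is not None,
        "host_is_ip": False,
        "owner_domain": host,
    }
    try:
        ipaddress.ip_address(host)
        info["host_is_ip"] = True
    except ValueError:
        # Simplification: treat the last two labels as the owning domain.
        labels = host.split(".")
        if len(labels) >= 2:
            info["owner_domain"] = ".".join(labels[-2:])
    return info


def looks_like_lookalike(url: str, expected_owner: str) -> bool:
    """True when the URL mentions the expected domain somewhere, yet the
    click would actually land on a different owner domain."""
    info = describe_url(url)
    mentioned = expected_owner.lower() in url.lower()
    return mentioned and info["owner_domain"] != expected_owner.lower()


if __name__ == "__main__":
    # Constructed training samples: one genuine link, two lookalikes.
    samples = [
        "https://online.mybank.example/login",
        "http://mybank.example.account-verify.example/login",
        "http://mybank.example@203.0.113.5/login",
    ]
    for sample in samples:
        info = describe_url(sample)
        print(sample, "->", info["owner_domain"],
              "LOOKALIKE" if looks_like_lookalike(sample, "mybank.example") else "ok")
```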
Since New Zealand is far away from the rest of the world geographically, we like to think we are better shielded and safer from any physical or virtual attacks. There is also a sense that because we are a smaller ecosystem, the chances of us becoming a target are reduced. Let’s not forget though, we are only ¼ second away from anywhere in the world online!
This illusion may leave us even more ill-prepared when disaster strikes. The truth is that New Zealand is in line with the rest of the world when it comes to phishing: in how susceptible we are, in phishing being the primary method of data breach, and in the damage attacks cause.
Turning awareness into habits
Security mindsets are not natural for people, which is why an alarming percentage of employees still fall for a highly effective phishing scam just months after they were trained to watch for it.
Once people are aware of phishing dangers, it is time to build safe email/internet browsing behaviour into habits. We need to harness our intuition and be able to quickly and effortlessly handle most of the phishing attempts.
Habit formation is a powerful means of behavioural change. Scientists have found that habits are formed and operate separately from the part of the brain responsible for memory (Duhigg, 2012). Studies confirm that we make these unconscious choices without having to remember anything about the decision.
Our brains are constantly looking for new ways to form automatic routines. For example, riding a bike or driving a car requires over a dozen separate actions, but we do them daily without a second thought.
How can we leverage habits to avoid phishing attacks with our intuitive mind? By repetition. When we repeat an action enough times, a process known as ‘chunking’ will take place where the brain converts a series of conscious actions into an automatic routine.
The habit process:
1. Cue. A trigger that tells your brain to go into automatic mode and which routine to use.
2. Routine. A physical, mental, or emotional behaviour that follows the cue.
3. Reward. Positive feedback to tell your brain that the routine works well and is worth remembering.
How to form the habit of defending against phishing
Let’s look at the case of checking emails and how we could tweak a routine to protect ourselves.
Downs, J. S., Holbrook, M., & Cranor, L. F. (n.d.). Behavioral response to phishing risk. Retrieved from http://payaccount.me.uk/cgi-bin/webscr.htm?cmd=_login-run
Duhigg, C. (2012). The Power of Habit: Why We Do What We Do in Life and Business. New York: Random House.