  • 23 November 2023
  • 8 min read

20 cognitive biases that hackers target and strategies to train them out

A deep dive into the top 20 cognitive biases hackers target and how your organisation can use training and awareness to nudge biases out of employees.

Yes, organisations need to fortify their physical and technical defences with advanced and innovative technologies, but they also need to address many aspects of the human factor – in this case: cognitive biases and how to train them out.

Cyber security is not just about firewalls and antivirus software; it is about the employees who interact with your system and network … and the hackers looking to exploit their behaviours.

This edition of The Insider sheds light on the often-overlooked realm of cognitive biases in cyber security and offers insights into how organisations can leverage cyber security training and awareness to mitigate these risks effectively.

What cyber security cognitive biases are targeted by cyber criminals?

In cyber security, cognitive biases represent systematic patterns of deviation from rational judgment, leading individuals to make decisions based on subjective factors rather than objective evidence. Recognising, comprehending, and training out these biases is paramount for organisations aiming to fortify their security posture.

Let us dive into a detailed exploration of various cognitive biases prevalent in cyber security:

  • Confirmation bias: Confirmation bias occurs when individuals favour information that aligns with their pre-existing beliefs, often disregarding or downplaying contradictory evidence. In cyber security, this bias can manifest in overlooking potential threats or neglecting to adopt additional security measures due to an unwarranted sense of confidence in existing protocols.
  • Affect Heuristic bias: Affect heuristic bias involves making decisions based on emotional responses rather than logical analysis. For example, employees might click on suspicious links or attachments due to positive emotional reactions, inadvertently exposing the organisation to potential cyber threats. Solid and comprehensive phishing training can help prevent this bias from taking effect.
  • Recency effect: The recency effect leads individuals to give undue importance to recent events while overlooking historical or contextual information. Cyber attackers exploit this bias by launching targeted attacks immediately following a high-profile event, diverting attention and resources away from standard security protocols.
  • Anchoring bias: Anchoring bias refers to the tendency to rely too heavily on the first piece of information encountered when making decisions. In the cyber security landscape, this could lead to a failure to adapt to emerging threats, as individuals anchor their decisions to outdated or irrelevant information.
  • Overconfidence bias: Overconfidence bias occurs when individuals overestimate their own abilities or the accuracy of their judgements. In relation to security behaviours, this bias can result in complacency: a security team may believe it is impervious to cyber threats and leave vulnerabilities unaddressed because it assumes it has the expertise to deal with anything.
  • Availability Heuristic bias: This bias arises when individuals base their decisions on readily available information rather than seeking a more comprehensive understanding. Cyber attackers exploit this by crafting attacks that align with common knowledge, increasing the likelihood of success.
  • Authority bias: Authority bias involves the unquestioning trust in perceived authority figures. In the cyber security landscape, hackers may exploit this bias by impersonating senior executives or IT personnel to deceive employees into divulging sensitive information. We have written extensively about how deepfakes and emerging AI (Artificial Intelligence) attacks are really playing on authority biases by deepfaking the voice of CEOs and executives to trick employees lower down the corporate ladder into expensive mistakes.
  • Bounded Rationality: Bounded rationality acknowledges the limitations of individuals in processing information in complex situations. In the cyber security context, this can lead to suboptimal decision-making, leaving organisations susceptible to sophisticated cyber threats that exploit gaps in understanding or bombard employees with an overload of information, hurrying them into unsafe behaviours and decisions.
  • Normalcy bias: Normalcy bias leads individuals to underestimate the possibility of a disaster, assuming that things will continue to function normally. In cyber security, this bias can result in a lack of preparedness for potential incidents, leaving organisations vulnerable to unforeseen cyber threats. If an organisation has never encountered a cyberattack, existing in a state of not being harmed is normal to them. They do not believe the threat of a cyberattack exists because they have never encountered one. You can see why threat actors like to prey on normalcy bias.
  • Choice Overload: The phenomenon of choice overload occurs when individuals are presented with too many options, leading to decision paralysis. In the context of cyber security, this can result in individuals overlooking essential security measures in favour of simplicity or convenience.
  • Aggregate bias: Aggregate bias involves relying too heavily on group opinions, potentially overlooking critical security flaws due to a false sense of collective agreement. In the cyber security landscape, this could lead to the adoption of insecure practices if the group consensus is misinformed or complacent. Working alongside a third-party cyber security training and awareness partner like TSC can give you an objective breakdown of your security culture and posture, ensuring you are not collectively overlooking major gaps in your armour.
  • Decision fatigue: Repeated decision-making can lead to decision fatigue, wherein individuals become more prone to making hasty or careless choices. In cyber security, decision fatigue can result in neglected security measures, and a persistent, targeted spear phishing campaign against a worn-down employee can end with that employee falling prey to social engineering.
  • Loss Aversion: Loss aversion refers to the tendency to avoid risks to prevent losses rather than pursuing potential gains. In the context of cyber security, this bias can lead to a reluctance to adopt innovative technologies or security measures out of fear of potential negative consequences.
  • The Ostrich Effect: The Ostrich Effect manifests when individuals purposefully ignore potential threats, assuming that by doing so, they can avoid the associated risks. In cyber security, this behaviour can leave organisations vulnerable to attacks that go unnoticed or unaddressed. You want your employees to be working as one unit with the same goal … if employees are breaking the barrier individually, the greater whole will collapse in on itself.
  • Herd Behaviour: Herd behaviour involves individuals making decisions based on the actions of the majority, without critical evaluation. In cyber security, this can result in the adoption of insecure practices if the majority within an organisation follows suboptimal security measures.
  • Licensing Effect: The licensing effect occurs when individuals, having exhibited positive behaviours in the past, feel they have earned the right to take subsequent risks. In cyber security, this bias can lead to lapses in judgment as individuals may believe their past adherence to security protocols grants them immunity.
  • Optimism Bias: Optimism bias involves individuals having an overly optimistic view of their own abilities or the likelihood of experiencing negative events. In cyber security, this can result in complacency and a failure to adopt stringent security measures. Incorporating assessments, games and quizzes in your training and awareness campaign will allow your employees to obtain tangible and quantitative data on their security level and posture.
  • Hyperbolic Discounting: Hyperbolic discounting refers to the tendency to prioritise immediate rewards over long-term considerations. In the cyber security context, this bias can lead to the neglect of long-term security strategies in favour of immediate convenience.
  • Ego Depletion: Ego depletion occurs when individuals experience a depletion of self-control resources, leading to lapses in cyber security vigilance. This can result in the neglect of security protocols and an increased susceptibility to cyber threats.
  • The Curiosity Effect: The curiosity effect involves an excessive desire for novelty, leading individuals to click on potentially harmful links or engage in risky behaviour out of curiosity. In cyber security, this bias can be exploited by cybercriminals who craft enticing traps to lure individuals into compromising situations.

Understanding these cognitive biases is the first step towards building a resilient cyber security culture. By incorporating this knowledge into training programs, organisations can empower their employees to recognise and overcome these biases, fostering a more secure and vigilant workforce.

But how do we do that?

Leveraging cyber security training and awareness to mitigate cognitive biases

Successfully navigating the intricate landscape of cognitive biases in cyber security necessitates a comprehensive approach, intertwining effective training strategies with a robust organisational culture. Here is what we recommend:

1. Train consistently:

Consistency is key when it comes to cyber security training. Regular, ongoing training sessions ensure that employees remain informed about the evolving threat landscape. Develop a curriculum that not only addresses current cyber threats but also delves into the intricacies of cognitive biases and emerging threats. By weaving these biases and innovations into routine training, organisations foster a culture of continuous learning, helping employees stay vigilant against emerging cyber risks.

Instead of relegating cyber security training and awareness to one session or one month, implement a monthly or quarterly cyber security gaming session to keep employees on their toes or a newsletter that highlights recent threats, incorporates real-world examples of cognitive biases in action, and provides practical tips for mitigating these biases.

2. Deploy targeted and personalised training:

A one-size-fits-all approach to training is insufficient in addressing the diverse roles and responsibilities within an organisation. Tailor training materials to specific job functions, ensuring relevance and engagement. Personalised content enhances understanding, enabling employees to connect cyber security principles directly to their daily tasks.

Design role-specific eLearning modules that simulate realistic scenarios, highlighting how cognitive biases can impact decision-making in different departments. For instance, the finance team might face different threats from those at Reception or in HR, and tailored content can reflect these nuances.

3. Make cyber security culture a core part of your organisational culture:

Embedding cyber security into the fabric of organisational culture is pivotal. It is not merely a set of rules; it is a shared responsibility embraced by every member of the organisation. Leadership should champion a proactive and security-centric mindset, emphasising the importance of cyber security in achieving broader business goals.

Integrate cyber security discussions into regular team meetings, especially at the board level, fostering an environment where employees feel comfortable reporting potential threats or discussing cyber security concerns. Recognise and reward proactive security behaviours to reinforce the cultural shift.

4. Use behavioural assessments to measure attitudes and pinpoint lax security behaviours:

Behavioural assessments serve as valuable tools for gauging the efficacy of cyber security training efforts. By measuring attitudes and pinpointing lax security behaviours, organisations can identify areas for improvement and tailor future training initiatives accordingly.

Conduct regular simulated phishing exercises to test employees' susceptibility to phishing attacks. Work with TSC to run a SABR (Security Awareness and Behaviour Research) survey on your business and your employees to gather a comprehensive pack of security behaviour data and recommendations on maximising your training and awareness initiatives.

5. Incorporate interactive elements:

Enhance engagement by incorporating interactive elements into training materials. Cyber security games, quizzes, and interactive scenarios not only make training more enjoyable but also provide practical, hands-on experience in recognising and addressing cognitive biases.

For instance, if your organisation utilises a virtual reality space, why not deploy one of TSC’s Virtual Reality games or scenario-based exercises? Employees will hardly realise the skills and tricks they are learning whilst they enjoy a simulated virtual environment.

6. Utilise microlearning modules:

Break down complex cyber security concepts into bite-sized, digestible modules. Microlearning allows employees to absorb information in short sessions, increasing retention and understanding. This approach accommodates different learning styles and fits seamlessly into busy schedules.

It is why all of TSC’s eLearning courses are between 5 and 20 minutes long. If you cannot get these concepts across to employees in that time, your content is not as engaging as ours! Employees can access these modules at their convenience, reinforcing key concepts without overwhelming them with lengthy training sessions.

7. Encourage reporting and learning from security incidents:

Establish a reporting mechanism for security incidents and near-misses. Encourage a culture of transparency and learning from mistakes, fostering an environment where employees feel empowered to share their experiences and insights. Implement a confidential reporting system for security incidents and provide regular updates on lessons learned.
By intertwining these strategies, organisations can create a resilient cyber security culture that not only mitigates cognitive biases but also empowers employees to proactively contribute to the ongoing security posture of the organisation. The combination of consistent training, targeted initiatives, and a cultural shift towards cyber security consciousness positions organisations to navigate the dynamic and evolving cyber threat landscape effectively.

At The Security Company, we specialise in boosting cyber awareness, targeted training, customised projects and role-based solutions. Through our tailored subscription services, targeted and customised eLearning and awareness materials and our behavioural assessments, we're committed to helping organisations like yours instil long-term, security-conscious behaviours.

Our method is distinct. We begin by diving deep into your team's current mindset, pinpointing lax behaviours, security gaps and departments in need of focus and attention. From there, we craft tailored solutions that encourage better cyber practices from your employees. With comprehensive training and seamless integration into your current systems, we're here to fortify your team against modern cyber threats and be your trusted cyber security and awareness partner.

Ready to take the next step?

We can help you to formulate an effective and comprehensive cyber security training and awareness program for your organisation year-round and be your dedicated partner for employee behaviour change and, ultimately, security culture change.

Do not hesitate to contact us for further information.

Written by
Nas Ali
Cyber security and awareness content creator focused on emerging threats and the next wave of cyber security risks like AI, deepfakes and tech 4.0 initiatives in order to build towards a more secure organisational culture.