Many of the most common cyberthreats, including phishing emails and social engineering calls, are designed to prompt fast, reactive decisions. Think of an email that appears to come from someone you know and carries an attachment, a limited-time offer, or a warning that your account is about to be closed. Unless you have a reason to doubt the sender, you may be tempted to give them what they request. If you are a business owner or leader, it is vital to take time to train employees to recognise the urge to click and to choose, deliberately, a more careful and reasoned response.
Attention Is a Commodity
The digital age has transformed attention into what is arguably the most highly prized commodity in existence. As early as 1971, American psychologist Herbert Simon warned that “a wealth of information creates a poverty of attention.” Fascinatingly, this paradox now defines what it means to live in a ubiquitously connected world. Every website, app, brand, influencer, and political figure competes for a limited cognitive resource, and they are developing increasingly sophisticated tools to capture and exploit it. For instance, social engineering callers are trained to sound legitimate, instil a sense of urgency, and promise relief once the desired actions are taken.
System 1 and System 2 Thinking
The psychology of the click can be better understood by looking at the different ways human beings think. In his seminal work Thinking, Fast and Slow (2011), Daniel Kahneman described two modes of thinking. One (System 1 thinking) is fast, automatic, intuitive, and emotional; it is our default for everyday decisions. The other (System 2 thinking) is slow, deliberate, analytical, and effortful; it is the mode of complex, conscious thought. Attackers push people into System 1 thinking through tactics such as urgency, apparent sender authority, scarcity, fear, loss aversion, and curiosity. It is vital to make staff aware of the difference between these two modes and of the importance of switching to System 2 thinking whenever they are asked for information, money, or access online.
Teaching Staff About Common Scams
Cybersecurity training for staff should begin with examples of how attackers exploit human nature to obtain sensitive information. Social engineering methods include phishing, tailgating, watering hole attacks (compromising a website the target group is known to visit), and baiting. Common phishing indicators include urgent-sounding language, sender addresses that look legitimate at a glance, and fake login pages that harvest credentials. In tailgating, attackers physically follow employees into restricted areas by posing as staff; they may pretend to be delivery or cleaning personnel and even carry fake credentials. In business email compromise, an employee receives an email, apparently from an executive or a supplier, asking them to make a wire transfer. The email may look legitimate, containing the correct name, business logo, and tone. Baiting is another common tactic; it involves offering targets something that seems too good to be true, such as free ebooks, movies, or software. Related schemes include pharming (silently redirecting users from a legitimate site to a fraudulent copy, for instance by tampering with DNS), smishing (phishing via text messages), and pretexting (for instance, a caller posing as an IT support technician who asks for a password to fix a bug).
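The indicators above can be checked mechanically, which is useful both for a mail gateway and for building realistic training samples. The following Python script is an added example, not code from the original article: it flags a sender domain that imitates a trusted one (digit and homoglyph substitutions, punycode), a display name that shows a trusted address over a different real address, a Reply-To that diverts replies elsewhere, pressure language, and links to lookalike hosts. The trusted domains, the confusable table, the phrase list and the two sample messages are all constructed assumptions for the demonstration.

```python
import email.utils
import re

# Constructed for this example: domains the organisation treats as its own or as trusted.
TRUSTED_DOMAINS = {"example-corp.com", "example-bank.com"}

# Characters and digraphs commonly swapped into lookalike domains, folded back to the
# letters they imitate. The Cyrillic entries cover homoglyphs exposed by IDNA decoding.
CONFUSABLES = {
    "rn": "m", "vv": "w", "cl": "d",
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
}

# Pressure language that pushes the reader toward a fast, System 1 decision (assumed list).
URGENCY_PHRASES = (
    "immediately", "within 24 hours", "will be closed", "final notice",
    "urgent", "act now", "verify your account", "suspended",
)

URL_HOST = re.compile(r"https?://([^/\s:]+)")


def normalize_domain(domain: str) -> str:
    """Lower-case, decode punycode (xn--) labels, then fold confusable characters."""
    domain = domain.strip().lower()
    try:
        domain = domain.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already contains non-ASCII characters; fold them directly
    for bad, good in CONFUSABLES.items():
        domain = domain.replace(bad, good)
    return domain


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; domains are short, so the full DP table is cheap."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain: str) -> str:
    """Return 'trusted', 'lookalike' (imitates a trusted domain) or 'external'."""
    if domain.lower() in TRUSTED_DOMAINS:
        return "trusted"
    folded = normalize_domain(domain)
    for trusted in TRUSTED_DOMAINS:
        if edit_distance(folded, normalize_domain(trusted)) <= 1:
            return "lookalike"
    return "external"


def analyze_message(headers: dict, body: str) -> dict:
    """Collect the red flags training tells staff to look for in one message."""
    flags = []
    display, addr = email.utils.parseaddr(headers.get("From", ""))
    from_domain = addr.rpartition("@")[2]
    verdict = classify_domain(from_domain)
    if verdict == "lookalike":
        flags.append(f"sender domain {from_domain} imitates a trusted domain")
    # Display name shows a trusted address while the real address is elsewhere.
    if verdict != "trusted" and any(t in display.lower() for t in TRUSTED_DOMAINS):
        flags.append("display name impersonates a trusted address")
    # Replies silently routed to a different domain than the visible sender.
    _, reply = email.utils.parseaddr(headers.get("Reply-To", ""))
    reply_domain = reply.rpartition("@")[2]
    if reply_domain and reply_domain.lower() != from_domain.lower():
        flags.append(f"Reply-To goes to {reply_domain}, not {from_domain}")
    # Pressure language in subject or body.
    text = (headers.get("Subject", "") + " " + body).lower()
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        flags.append("urgency language: " + ", ".join(hits))
    # Links to lookalike hosts, the usual way a fake login page is delivered.
    for host in URL_HOST.findall(body):
        if classify_domain(host) == "lookalike":
            flags.append(f"link to lookalike host {host}")
    return {"sender_domain": from_domain, "verdict": verdict, "flags": flags}


# Constructed sample messages: one phish built from the tactics in the text, one genuine mail.
PHISH = analyze_message(
    {"From": '"accounts@example-corp.com" <billing@examp1e-corp.com>',
     "Reply-To": "helpdesk@mail-recovery.net",
     "Subject": "FINAL NOTICE: verify your account within 24 hours"},
    "Your account will be closed unless you log in at https://examp1e-corp.com/login immediately.",
)
GENUINE = analyze_message(
    {"From": "Payroll <payroll@example-corp.com>", "Subject": "March payslips available"},
    "Your payslip is available in the HR portal at https://example-corp.com/hr.",
)

if __name__ == "__main__":
    for name, result in (("phish", PHISH), ("genuine", GENUINE)):
        print(name, result["verdict"], *result["flags"], sep="\n  ")
```

The lookalike check deliberately folds both the incoming domain and the trusted domain before comparing, so a trusted domain that itself contains a confusable digraph is not miscompared; the raw exact match is tested first so genuine mail never scores as a lookalike. In training material, each flag the script reports maps directly to a cue staff are taught to pause on.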
Teaching Employees to Pause
During training, employees should be taught to pause and verify, taking at least 10 seconds before acting. They should be wary of language that rushes them and normalise a sceptical response, even toward authority figures. Policies can be adopted that require employees to obtain confirmation through a second, independent channel (for example, a phone call to a number they already know rather than a reply to the email) before sending money, opening an attachment, or providing sensitive information. Teaching employees simple frameworks can help. One popular framework is STOP: stop, think, observe, and proceed cautiously. Training should be consistent and frequent, so that cybersecurity stays on employees' minds. During sessions, employees should be exposed to realistic simulations that replicate threats, include emotional triggers (such as urgency and fear), and give them real-time feedback. Finally, managers can encourage and reward reporting. It is better for employees to raise a few false alarms than to be reluctant to bother managers. Whenever sensitive data or money is involved, reporting or questioning should always be the norm.
Companies wishing to boost cybersecurity literacy in their workplaces must begin by presenting staff with common threats, ranging from phishing to related tactics such as smishing. They should provide regular training and expose staff to realistic simulations. Finally, they should encourage communication, verification, and reporting. Staff should err on the safe side instead of acting on a false sense of security.
