Cyber’s Human Condition


How to limit the incidence of cyber attacks targeting users’ needs, fears and hopes

During the COVID-19 pandemic, phishing has been one of the most common and dangerous vectors for delivering malware and for stealing users’ digital identities.

According to the Anti-Phishing Working Group (APWG) report, phishing attacks doubled in 2020 compared with 2019, with more than 220,000 newly registered phishing websites. The monetary loss from this kind of attack should not be underestimated either: most phishing attacks end in financial fraud, with the average fraudulent wire transfer amounting to approximately $75,000 per victim.

But why are phishing attacks so common? And why are they so successful?

Mastercard’s new report, “Cyber’s Human Condition”, examines the human factor in these attacks. Attackers have been studying their victims and developing a sensitivity to how an attack is designed and delivered: they target users’ deepest fears and hopes, which makes the malicious action far more effective.

Behavioural economics applied to cyber attacks has shown that users deviate from rational and common behavioural patterns when faced with targeted attacks. According to the Mastercard report, employees are enticed to click on fraudulent links or share sensitive company data through fake coupons or fake messages from “team managers”.

Among the top lures highlighted in the report, each exploiting a cognitive bias, are free coupons and discount offers, communications from the CEO or top management exercising their authority, private offers, and many others. All of them exploit employees’ specific needs, hopes and fears.

This leads to a sharp increase in the incidence of attacks and a consequent loss of money, credibility and resources inside organizations. Nobel laureate behavioural economist Richard Thaler has argued that the irrational behaviour that leads users to fall prey to cyber attacks can be modified, so that people are steered towards more informed and secure choices. Organizations need to make their employees stronger and more aware of the subtle ways in which cyber attacks are delivered, and train them to recognize and avoid even the most sophisticated attempts.

To this end, a thorough cybersecurity awareness program needs to be put in place by organizations across all market sectors. Cybersecurity awareness sessions introduce employees to corporate security policies and the most common cyber threats, giving them the knowledge and tools to face attackers.

The steps organizations should follow include:

  1. Educating the entire organization on cybersecurity basics and roles.
  2. Using artificial intelligence and data analysis for a surgical and targeted approach for high-risk users.
  3. Empowering employees to be the organization’s cyber eyes and ears.
  4. Providing a learning program that is relevant and personalized.

Although this approach is comprehensive and educational, it is not very effective on its own: delivering all the relevant knowledge to employees in bulk is exhausting and redundant. For this reason, the Mastercard report suggests a different approach: educate the workforce through quick, constant, interactive tasks with immediate rewards.

This solution, called Mastercard SecurityAdvisor, allows the content to be customized to fit the organization’s needs and lets the training administrator set the curriculum on specific topics in a short format. Most sessions last less than two minutes and are delivered as videos, quizzes or short newsletters. The platform can also deliver training as text messages or application pop-ups with quick tips.

Furthermore, the platform uses AI to learn which approach works best for a given organizational context, its employees and its activities.

In conclusion, it is essential to understand that employees are the first line of defence in limiting cyber attacks and keeping the organization secure. For this reason, before investing in highly technological solutions and tools to protect corporate assets, organizations need to invest in adequately training their workforce against increasingly sophisticated cyber threats.

There is a growing need to recognize that organizations must abandon old, traditional approaches to attacks and develop forward-looking strategies to face evolving, targeted cyber threats.

Cristina Bottoni