CISO and author George Finney explains why neuroscience and psychology are powerful weapons in the fight against cybercrime
As author and CISO at Southern Methodist University George Finney presented the results of his phishing study to researchers at MIT, they noticed something striking.
The times of day at which people are most likely to click on a rogue email correlate closely with the natural daily fluctuations of cortisol, also known as ‘the stress hormone’, in the body.
“Psychology and neuroscience say that you’re better at problem-solving or analytical tasks in the morning. You’re also eight to 10 times more likely to click on a phishing message in the afternoon versus the morning,” Finney says.
“So, I charted that graph of my 20,000 phishing messages. And one of the guys in the faculty was like, ‘holy cow, this exactly mirrors the cortisol level of humans throughout the day,’” he continues.
This revelation demonstrated to Finney the importance of behavior, and how understanding the science behind that behavior might be the key to unlocking better cybersecurity outcomes.
“[It shows that] our security training is working because, in the morning, they’re getting it right. It’s in the afternoon when biologically we’re not wired to be able to recognize those same kinds of threats,” Finney says. “And I think if we know we’re vulnerable at a certain time of day then we can change our behaviors to protect ourselves.”
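The chart Finney describes can be reproduced from an organization's own phishing-simulation export. The following is an added example, not code from the article or from Finney's study: it assumes a simple CSV with a send timestamp and an optional click timestamp (the column names and sample rows are constructed), buckets messages by the hour they were sent, and compares afternoon and morning click rates.

```python
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

# Constructed phishing-simulation export (not real data): one row per
# message sent, with the send time and the click time if the user clicked.
SAMPLE_LOG = """sent_at,clicked_at
2024-03-04T08:15:00,
2024-03-04T08:40:00,
2024-03-04T09:05:00,2024-03-04T09:07:00
2024-03-04T10:30:00,
2024-03-04T11:10:00,
2024-03-04T14:05:00,2024-03-04T14:06:00
2024-03-04T14:20:00,2024-03-04T14:25:00
2024-03-04T15:00:00,2024-03-04T15:02:00
2024-03-04T15:45:00,
2024-03-04T16:30:00,2024-03-04T16:31:00
"""


def click_counts_by_hour(csv_text):
    """Return {hour: (sent, clicked)}, keyed by the hour the message was sent.

    Bucketing by send hour is an assumption of this example; the export
    format of a given phishing-simulation tool may suggest a different key.
    """
    counts = defaultdict(lambda: [0, 0])
    for row in csv.DictReader(StringIO(csv_text)):
        hour = datetime.fromisoformat(row["sent_at"]).hour
        counts[hour][0] += 1
        if row["clicked_at"]:
            counts[hour][1] += 1
    return {h: tuple(c) for h, c in sorted(counts.items())}


def period_click_rate(by_hour, start_hour, end_hour):
    """Click rate (clicked / sent) over the half-open hour range [start, end)."""
    sent = sum(s for h, (s, _) in by_hour.items() if start_hour <= h < end_hour)
    clicked = sum(c for h, (_, c) in by_hour.items() if start_hour <= h < end_hour)
    return clicked / sent if sent else 0.0


def afternoon_vs_morning(csv_text, noon=12):
    """Return (morning_rate, afternoon_rate, afternoon/morning ratio)."""
    by_hour = click_counts_by_hour(csv_text)
    morning = period_click_rate(by_hour, 0, noon)
    afternoon = period_click_rate(by_hour, noon, 24)
    ratio = afternoon / morning if morning else float("inf")
    return morning, afternoon, ratio
```

On the constructed rows the afternoon click rate is four times the morning rate; a real export would show whether the organization's own curve matches the pattern Finney reports.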
Focusing on Behavior over Skills
Understanding our teams’ behavior and measuring improvements to their security habits are crucial stepping stones to achieving better cybersecurity outcomes, Finney says.
“I want to be able to make a difference in how we think about security awareness,” Finney says. “As a CISO, I’ve implemented a lot of different security awareness training programs over the years. And I think my observation about them is that none of them are really outcome-focused. But really, we need to be able to measure behavior change.”
To help, Finney has developed a cyber personality test as part of his research for his latest book, Well Aware. The test is designed to be taken by both technical and non-technical staff and assesses participants’ cybersecurity personality profiles.
As well as providing an overarching cybersecurity archetype, the test results also reveal the participant’s key cybersecurity habits, which are among the nine cybersecurity habits that Finney details in his book.
“There’s something about personality tests, people like them,” Finney remarks. “It doesn’t define who you are, but it helps jumpstart your own introspection process.”
Learning about your strengths and weaknesses in terms of cybersecurity is a crucial part of becoming more cyber aware, Finney says.
“Whatever area of the business you’re in, we all have a role to play in security,” he continues. “As security practitioners, we’ve got to make [security] more approachable. We have to stop using fear to stop getting people to do things and instead inspire them and find ways to connect with them to help them grow.”
Using FUD to fight FUD
The fear-based approach to cybersecurity is, of course, epitomized by the budget negotiation strategy described by the acronym FUD, or fear, uncertainty, and doubt.
For Finney, however, an over-reliance on fear as a motivator may ultimately have the opposite of the desired effect.
“Fear is a really great tool for getting people not to do things,” Finney says. “The problem with [fear] is that it’s one dimensional. You can get people to not do things, but where I think we struggle in security is with getting people to do things proactively.”
He continues: “If you want to get people to make positive changes in their life, to act differently, to proactively do the things that they need to do, what do we have? Well, I think we need to use not fear, but inspiration.”
To do this, Finney suggests an alternative FUD to drive better cybersecurity outcomes: fearless, unshakable, and determined. These three characteristics can help cybersecurity teams to master the habits required to build a better cybersecurity organization.
“How do you get your organization motivated collectively?” Finney concludes. “We’ve got to stop using fear as the motivator. We’ve got to stop selling cybersecurity with fear.”