Here’s why emotional intelligence is so important for strengthening cybersecurity defences. Report by Sanela Osmic.
Cybersecurity is just a bunch of algorithms that defend your organization from digital threats: this is a common, but painfully mistaken, belief held by many professionals. In fact, cybersecurity starts well beyond your screen, right at the fingertips of your employees, where threats are filtered through their cognition and emotional reactions.
Nadia El Fertasi, former NATO senior executive and Human Readiness and Resilience Expert, beautifully explains this transition during the Cybersecurity Readiness Podcast:
“While there’s significant emphasis on constructing agile systems and technology, the question arises—how do we foster agile people? Individuals, unlike programs, exhibit varying degrees of flexibility. The Kübler-Ross model aptly illustrates the myriad emotional states experienced by individuals in times of loss or change, originally conceptualized for grieving processes but equally applicable to any transformative experiences. In cultivating emotional intelligence, we navigate through these emotions and adapt to changes more proficiently.”
Status Quo of Cybersecurity – an Era of Social Engineering
95% of cybersecurity breaches were attributed to human mistakes, according to the “IBM Cyber Security Intelligence Index Report”. Choosing the right firewall is essential for your cyber resilience strategy, but addressing and mitigating human-related errors is equally important, if not more so.
Human factors represent critical vulnerabilities, often resulting in significant security and data breaches within ICT infrastructure. Human error is identified as the most fragile component, contributing substantially to the security risks and threats companies and organizations face daily. 91% of cyberattacks start with a spear-phishing email, painstakingly tailored to resonate with a particular individual, according to Trend Micro. But here’s the rub: it’s not just about emails.
Intriguingly, it’s not the robustness of a firewall or the sophistication of encryption that hackers primarily target; it’s the predictability and emotions of the people behind the screen.
How Hackers Tap into Human Emotions
Cybercriminals manipulate emotions like fear, greed, surprise, anger, or curiosity, inducing rash, uncritical responses to phishing attempts. This exploitation of human psychology is illustrated by Daniel Kahneman’s dual-system theory of thinking.
System 1, fast and intuitive, is responsible for daily, routine decisions, operating on mental shortcuts or “auto-pilot” responses, which, while efficient, can jeopardize our decision-making. It has an inherent truth bias, leading to possible indiscretions like clicking on dubious email attachments.
System 2, in contrast, is deliberate and employed for complex decisions requiring thoughtful consideration. Cybercriminals bank on individuals neglecting this reflective system and acting impulsively based on System 1 responses.
Such errors mostly arise from misinformation and a lack of awareness among users and employees. Cyber attacks predominantly exploit emotions such as fear, greed, surprise, anger, and curiosity, aiming to trigger impulsive actions and overshadow rational thinking. Due to their unawareness, individuals can inadvertently compromise their personal information and company data, potentially resulting in security incidents with severe economic repercussions.
In this context, social engineering attacks are a form of cyber manipulation that targets people in order to compromise systems, typically executed in the following steps:
- Research: Attackers analyze the target to devise convincing lures.
- Hook: Victims receive a deceptive email inducing urgency or desire.
- Play: Interaction with the malicious content gives attackers access.
- Exit: Attackers acquire unauthorized data access, completing the exploit.
Building on these instincts and reactions, hackers deploy the following strategies:
- Authority: Exploiting fear of legal repercussions, attackers impersonate authority figures, a common tactic in phishing and vishing.
- Liking: Leveraging charm and helpfulness, attackers manipulate victims into disclosing sensitive information. This approach often intertwines with reciprocity and exploits curiosity and surprise.
- Scarcity: Employing constraints of quantity or time, attackers create urgency. For instance, a deceptive email may impose a tight deadline for a task, exploiting fear and surprise.
- Social Proof: By name-dropping, attackers feign authority to make demands, exploiting fear and surprise by masquerading as familiar figures.
- Reciprocity: When information is requested in return for something offered, like a purported raise, it taps into emotions of surprise, curiosity, and greed.
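As an added example (not part of the original article), the following Python helper scores an email against the five persuasion cues listed above and reports which ones are stacked together, the way a security awareness team might triage reported mail. The keyword patterns, thresholds and sample messages are constructed for illustration and are not a production detector.

```python
import re
from dataclasses import dataclass

# Constructed keyword patterns, one per persuasion cue from the article's list.
# Non-capturing groups so re.findall returns the whole matched phrase.
CUES = {
    "authority": r"\b(?:ceo|legal department|compliance|police|audit|director)\b",
    "scarcity": r"\b(?:within \d+ (?:hours?|minutes?)|immediately|expires?|deadline|urgent|today)\b",
    "social_proof": r"\b(?:everyone else|your colleagues|the rest of the team|others have already)\b",
    "reciprocity": r"\b(?:bonus|raise|gift cards?|reward|free)\b",
    "liking": r"\b(?:thank you so much|hope you are well|appreciate your help)\b",
}


@dataclass
class Triage:
    score: int      # number of distinct cues present
    cues: dict      # cue name -> sorted list of matched phrases
    verdict: str    # suggested handling


def triage(subject: str, body: str) -> Triage:
    """Count how many distinct persuasion cues appear in one message."""
    text = f"{subject}\n{body}".lower()
    cues = {}
    for name, pattern in CUES.items():
        found = re.findall(pattern, text)
        if found:
            cues[name] = sorted(set(found))
    score = len(cues)
    # A single emotional trigger is common in legitimate mail; several cues
    # stacked behind one requested action is the classic social engineering hook.
    if score >= 3:
        verdict = "slow down: engage System 2 and report the message"
    elif score == 2:
        verdict = "verify the request out of band before acting"
    else:
        verdict = "no stacked persuasion cues"
    return Triage(score, cues, verdict)


# Constructed sample messages for demonstration.
PHISH_SUBJECT = "URGENT: CEO needs gift cards today"
PHISH_BODY = ("Hope you are well. Everyone else on the team has already helped. "
              "Please buy the gift cards within 2 hours; you will get a bonus.")
BENIGN_SUBJECT = "Lunch on Thursday?"
BENIGN_BODY = "Want to grab lunch Thursday at noon? The new place is free for a table."

if __name__ == "__main__":
    for subj, body in ((PHISH_SUBJECT, PHISH_BODY), (BENIGN_SUBJECT, BENIGN_BODY)):
        result = triage(subj, body)
        print(f"{subj!r}: score={result.score} cues={result.cues} -> {result.verdict}")
```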
Why should you focus on Emotional Intelligence?
Recent studies show that emotional intelligence predicts better cybersecurity behaviours in the following ways:
- Emotional Awareness: A person’s emotional awareness may cause them to halt, assess their emotions, and question the veracity of a phishing email that scares or surprises them. Understanding the difference between legitimate and malicious communications helps avoid crucial information leaks.
- Self-Regulation: Mastering emotions helps people avoid impulsive acts driven by fear or greed. This part of EI helps people stay calm in critical or stressful circumstances, promoting reasoned replies and reducing the danger of fraud.
- Improving Empathy and Social Skills: Enhanced empathy and social skills may help people understand others’ motives and intentions, detecting discrepancies or manipulation in communication. A strong sense of empathy might help people spot someone who is manipulating emotions like curiosity or rage.
- Better Decisions: Even in stressful conditions, EI drives logical decision-making. It helps people evaluate information, consider the repercussions of their actions, and make choices without being influenced by greed or fear.
- Proactive Learning and Adaptation: High-EI individuals are more comfortable adjusting to new knowledge and surroundings. They learn about new social engineering approaches quickly and adjust to fight them, making them more resilient.
Implementing Emotional Intelligence in Business Cybersecurity
Emotional intelligence in cybersecurity is about speaking the employees’ language and aligning the cybersecurity narrative with their roles and daily rhythms. By building training around the practical and applicable aspects of their duties, we illuminate the intersections between cybersecurity and their lives, fostering a deeper, more personal connection to safeguarding the digital space.
But how do we move beyond mere compliance to breathe life into this cybersecurity ethos? It’s about crafting an engaging narrative, a dialogue punctuated with recognition and fueled by incentives that stoke the flames of commitment and vigilance within every employee. It’s about ensuring that the whispers of cybersecurity resonate in every corridor, becoming the shared language and the common thread binding the organization.
Emotional intelligence constitutes a pillar of cybersecurity, stemming from its ability to comprehend the behavioural patterns and motivations that are often at the root of cyber intrusions. In this way, security teams can scan and understand the intricate human elements and emotional triggers behind cyber attacks, enabling them to anticipate and detect anomalous behaviours and vulnerabilities with greater precision. Concurrently, emotional resilience, the ability to remain stable and function effectively under stress or adverse conditions, stands as a crucial element during the incident response and recovery phase.
For conglomerates and larger enterprises, the workforce is not just a set of hands but a reservoir of untapped potential, a powerful asset waiting to be harnessed. Herein lies the opportunity to sculpt comprehensive and nuanced training programs that are not one-size-fits-all but tailored, adapting to the unique roles and the multifaceted responsibilities that make up the organizational structure.
Now, it’s time to venture beyond the monologue of traditional training and embrace the dynamic dialogue of interactive learning. Employ real-world scenarios, immersive simulations, and engaging hands-on exercises. To succeed, cybersecurity awareness also requires an empathetic and supportive organizational culture, one where every whisper of a potential threat is met with attentive ears and responsive actions.
Integrating EI into the narrative of the company, and developing awareness, comprehension, and proactive actions, is essential for making the leap from simple compliance to a meaningful cybersecurity ethos. A culture of support and empathy, together with individualized training programs, may be essential during this time of change.
About Sanela Osmic
Sanela Osmic GAICD is the Founder and Managing Director of Ethical Governance. She has around 20 years of experience in governance and working with boards in various capacities.
Sanela has helped corporations, non-profits, governments, and other organisations build effective boards, improve ethical governance practices, and maximise their impact.
She has just published her book Leading with Emotional Intelligence: A guide for board directors, available on Amazon.