Features 13.04.2023
Mindfulness: A Weapon Against Cyber Threats?
The human operating system is flawed and leaves people vulnerable to cyber attack. But mindfulness might be a defence mechanism, finds Etashe Linto
Features 13.04.2023
The human operating system is flawed and leaves people vulnerable to cyber attack. But mindfulness might be a defence mechanism, finds Etashe Linto
Humans will do anything to stay safe. This is nothing new.
Our ancestors crafted spears, played with fire, lived in caves, and moved from place to place to repel predators and survive life’s elements. Ancient kingdoms were equipped with fortifications to protect against invaders, forming structures like the Walls of Benin, the castles of Europe, and the Great Wall of China.
This desire for safety has burrowed into modern society. As a result, we have built several mental and physical systems to ensure safety: office politics for job security, vaccines against infectious diseases, surveillance cameras as third eyes, insurance policies against the unknown, and, as we move deeper into an internet-reliant society, security systems to fight cybercrime.
Most cybersecurity efforts have centred around technological countermeasures. While there is no denying these are valuable, 82% of breaches involve the human element, a statistic quoted in the Verizon Data Breach Investigation Report.
Humans are complex creatures with thoughts, emotions, and a body vulnerable to stress. To combat cyber threats, there needs to be a multi-pronged attack. Technical measures alone will not suffice.
For centuries, humans have used mindfulness to fight stress and improve behaviour. Mindfulness has a footing in psychology. But is there also scope for improving cybersecurity behaviours and awareness?
You get an email with the subject line, ‘Your mail storage is full’. You open it, discover a message warning you of insufficient space, and find a prompt to archive old emails or else. Worried, you click the link, enter your login details, and breathe a sigh of relief, only to notice unauthorised activities on your files or bank statement later.
We’re describing a phishing attack in which cyber criminals veil their fraudulence in look-alike brand elements designed to lure us into spilling sensitive information. Unfortunately, these attacks continue to grow in popularity, revealing how humans are often the weak link in the cybersecurity chain, making us easy targets for cyber attacks.
Cyber criminals use several psychological tools to catch prey: scarcity, authority, familiarity, intimidation, and a sense of urgency. Typically, these tools serve as shortcuts for the cognitive work of decision-making. We rely on the effect of scarcity to seize an opportunity, familiarity for less research, an authority figure to trust information, etc. However, they double as persuasive devices for criminals, targeting our thinking process and attention level.
In his 2011 book, Thinking, Fast and Slow, psychologist Daniel Kahneman describes how we operate with two thinking processes: intuitive and rational. Our intuitive mind runs on autopilot, uses emotions, and relies on familiarity and past experiences to verify information. While the rational arm is more deliberate, uses logic, and relies on analytical reasoning for the same purpose.
“When we’re present, we’re more aware of our thoughts and emotions, curious about what’s in front of us, intentional about our choices, and consequently more competent” Dr Kimber Shelton
Intuitive reasoning is faster and effortless, meaning humans easily deploy it in daily decisions. Cyber criminals count on this dependence, using techniques like phishing to prey on fear, desire, anxiety, and even happiness.
The rational mind can help us overcome these tactics, but it also has limits. For example, the rational mind weakens when physically tired, and ignoring red flags is easy when the threat comes from a familiar source. These weaknesses make it easier for cyber criminals to exploit a victim’s attention.
Stress strains our prefrontal cortex, a brain region for attention, working memory, and decision-making. We make more hasty decisions when these cognitive functions are impaired. Additionally, our rational mind can be influenced by biases when processing information from familiar sources (or at least what we believe to be familiar sources) such as our boss or bank. These biases cause errors in judgment.
How do we improve our attention and prevent our minds from making unreasonable choices?
“The best tool for fighting cybercrime is knowledge of the attacks, how they work, and how to protect against them,” Marcin Ganclerz, a senior cybersecurity awareness and training analyst, told Assured Intelligence.
As we’ve established, psychological manipulation is the chief weapon in a criminal’s toolkit. This knowledge helps us adopt countermeasures that match the nature of the attack and have an enduring impact. This is where mindfulness comes in.
Although easily stereotyped as an activity for the spiritually inclined and best performed in yoga pants, mindfulness is a psychological exercise with tremendous health benefits that can improve our cybersecurity behaviours and awareness.
In the academic paper, Mindfulness and Phishing Email Detection, researchers at Ryerson University found that mindfulness helps us catch phishing emails from seemingly familiar sources, even if the cues are hard to detect. In addition, mindfulness improves working memory capacity, supports how our body processes stress and helps us react better to stressors.
“It’s a slowing down process where we become more present,” says Dr Kimber Shelton, psychologist and owner of KLS Counseling & Consulting Services.
“When we’re present, we’re more aware of our thoughts and emotions, curious about what’s in front of us, intentional about our choices, and consequently more competent,” Shelton adds, explaining that “one of the biggest issues we have when faced with a cyber threat is that we think we need to act immediately. We don’t. And mindfulness handles that feeling by allowing us to slow down and ask thoughtful and intentional questions before responding.”
Organisations can include mindfulness in their arsenal, which will contribute to a more robust culture and safeguard their digital territory.
Given all of this, how can organisations put mindfulness into practice? Making mindfulness a cybersecurity measure requires building a different culture around security. Organisations can achieve this by integrating mindfulness into existing programs and keeping an ongoing communication line. Here’s what that can look like.
Mindfulness is about changing behaviour, which is, of course, the same objective as cybersecurity awareness training. This shared vision means organisations can teach their teams mindfulness practices by integrating them into existing awareness and other human-centred programmes. Two birds, one stone and all that…
Collaborate with the HR department to make mindfulness a part of wellness and onboarding programmes, teach specific principles of mindfulness during security training sessions, and include it in your team’s professional development programme.
Ganclerz advises taking this integration one step further by making training immersive. “Show people examples of attacks and ways that mindfulness can help them doublecheck their emotions and analyse a message,” he suggests. “This way, they can better identify potentially dangerous messages.”
Integration is easy because it leverages existing resources, saving organisations the cost of launching an entirely new programme. It also makes mindfulness training more accessible, which can increase its sustainability and employee participation. Overall, each training should instil patience, promote focus, and improve vigilance.
While training increases knowledge, it’s often a one-off event with lessons easily forgotten. Mindfulness should always stay top of mind, but that’s not to say that cybersecurity training shouldn’t!
Organisations must communicate consistently because, let’s face it, people are busy, says Wendy Battles, cybersecurity awareness advisor at Yale University. “We all have different parts of our lives in motion. You can’t tell people something once and expect them to remember it forever. So we need to keep the communication lines open and consistent. Make it easy for people to get valuable information and report incidents.”
One way to make communication ongoing is to publish evergreen content through accessible channels like podcasts, which are device-friendly and easy to consume. Another approach is implementing regular check-ins with employees through team huddles or one-on-one meetings. This creates a space for ongoing dialogue to address issues on time and improve cybersecurity hygiene.
As with all cybersecurity measures, mindfulness has its challenges and limitations.
Firstly, mindfulness is only a part of the security toolkit. Organisations should implement other measures to protect against cyber attacks, including backing up data, regularly updating security systems, creating comprehensive cybersecurity policies, and using firewalls and anti-virus.
Secondly, organisations with a global talent footprint might find it hard to encourage ongoing mindfulness. This is because they face many obstacles, from cultural and language barriers to work style and time zone differences. However, organisations can overcome this challenge by recruiting and collaborating with advocates to promote a mindfulness culture. “Security advocates can help educate others and give insight into what’s happening in your organisation across different parts of the world,” Ganclerz advises.
Resistance is another challenge. Mindfulness practices can only be implemented with buy-in from leadership and relevant departments. Executives must believe it benefits everyone or won’t provide the required budget and backing. Other departments must also support the mission. For example, publishing educational materials requires the involvement of the communications team, and implementing training requires the learning and development department.
Finally, training is often limited to abstract threats. It’s hard to take abstract threats seriously, and we tend to respond better to immediate problems or threats we’ve already experienced. This leaves us at risk of forgetting our training and falling for an attack. Ganclerz recommends using security simulations to manage this limitation. “It’s better to let people experience a security threat rather than just talking to them,” he explains, “and simulations allow us to check people’s behaviour in real situations.” Simulations also help measure the effectiveness of mindfulness in training programmes, which is vital for demonstrating compliance and ROI, allocating resources, and improving future programmes.
Despite these challenges and limitations, mindfulness remains valuable for improving cybersecurity behaviours and awareness.
Of the respondents in Delinea’s Balancing Productivity and Security Report, 79% believe they’re not important enough to become cyber attack targets. With this false sense of security, they engage in risky behaviours despite knowing the security dangers. This is a concerning trend, considering that humans are the bullseye of cyber attacks.
Mindfulness, alongside other cybersecurity awareness techniques, helps improve behaviour toward security risk. An instrument of attention, mindfulness helps us look more critically and think more rationally, making it easier to perceive hidden cues in seemingly legitimate messages. It also helps restrain other risky internet behaviours, like our bizarre and ill-advised tendency to share our location and personal information on social media.
The human operating system is unreliable, and cyber criminals know that. They understand that organisations spend more on software and less on human-centred solutions, which makes humans cheaper targets. By investing more in people, including in mindfulness, organisations can make attacks more painstaking for criminals and, therefore, security easier to handle.