The dichotomy of cognitive bias in cyber security awareness

If it’s good enough for marketing gurus, it’s good enough for the fraudsters (and politicians…)…:

[…] Cognitive errors play a major role in behavioural finance theory, but their real world application has been used by fraudsters and cyber criminals for decades. Here are some of the most relevant cognitive biases in effect, and how they could impact you.

Confirmation Bias – This is one of the most common iterations of cognitive bias, whereby individuals will look to find information that confirms their pre-existing ideas. This form of bias has become all the more pertinent in the age of social media ‘filter bubbles’ whereby users surround themselves only with individuals that they agree with. This not only presents a challenging ethical issue in the world of fake news and disinformation, but can also allow a criminal the opportunity to steal money or trade secrets. In the Twitter hack instance, many unsuspecting users trusted unauthorised Tweets from verified accounts because they seemed to conform to their already existing conceptions of the business or CEO. Unfortunately, this type of bias may prevent individuals from looking at situations objectively, recognising a potential threat and stopping it before it has a real impact simply because many do not want to accept that their preconceptions are wrong.

Herd Mentality Bias – Herd mentality bias is when individuals follow what their peers are doing, assuming it is safe, or sensible to do so. Rather than taking an objective stance, individuals may follow their emotions and the momentum of the crowd. If a colleague sends a link to a work group chat and everyone is reacting to it, your fear of missing out may overcome your cyber security awareness training, and you might click on the link for a quick laugh. Deep down, we know that we shouldn’t click on random links, but the fact that your colleagues did it means that you’re the odd one out for not taking part.

Framing Bias – Framing is one of the most commonly exploited vectors in business email compromise (BEC) scams. Framing is when an individual makes a decision because of the way information is presented, rather than examining the facts. If you received an email from your CEO who has an “urgent task for you”, your fear of getting fired may supersede analytical thinking. In this instance, a cyber criminal has framed this scam in such a way that you may not properly question it.

Narrative Fallacy – Similar to framing bias, narrative fallacy is a mainstay in a cyber criminal’s arsenal. Narrative fallacy bias occurs when we find it easier to understand a story, even if the outcome will be less desirable. This is a bias that is commonly used on the phone. Social engineering experts know exactly how to frame a story to pressure you to make predetermined choices. This can include playing the sound of a crying baby in the background to guilt individuals to conform to their wishes.

Original article