
Cybersecurity training for employees: How to teach behaviorally-informed counter strategies

85% of hacks exploit our fundamental behaviors

While most people think of hacks as attacking a line of code or correctly guessing a password, the reality is that an estimated 85% of cyber attacks across the world occur because hackers understand our core behaviors - such as trust and curiosity - and exploit them through carefully crafted scams [1]. This psychological manipulation, which has the end goal of getting victims to share information or carry out an action, is called social engineering [2]. Understanding why it works is key to preventing its success.

A closer look at persuasion strategies

Hackers, aware of our behavioral propensities, exploit our hardwiring to gain information. Even employees with the most cybersecurity experience and education can fall victim if they are unaware of how their reflexes and habits can be used against them.

The most widely accepted definition of persuasion strategies includes a wide array of core behaviors that bad actors use to manipulate our nature as social creatures [3]. According to this definition, there are six components: reciprocity, conformity/social proof, liking, scarcity, commitment, and authority [3].

Six persuasion strategies hackers use

  1. Hackers exploit Reciprocity, our tendency to give something in return when we feel indebted to someone.
  2. We also tend to seek Conformity by imitating others' behavior.
  3. Similarly, cyber criminals try to make their persona resemble the victim, because we tend to Like people who are similar to us.
  4. When items are Scarce, people view the product or service as more valuable and desirable than others.
  5. Individuals generally Commit to promises, so when hackers coerce a target into making a promise, they can usually trust that the target will follow through.
  6. Lastly, people tend to obey requests from those who have Authority over them.

References

  1. Verizon 2021 Data Breach Investigations Report. (2021). Verizon. verizon.com/dbir
  2. Mitnick, K. D., & Simon, W. L. (2011). The Art of Deception: Controlling the Human Element of Security. John Wiley & Sons.
  3. Cialdini, R. (2009). Influence: The Psychology of Persuasion. Harper Collins.
  4. Gobet, F., Richman, H., Staszewski, J., & Simon, H. A. (1997). Goals, Representations, and Strategies in a Concept Attainment Task: The EPAM Model. In D. L. Medin (Ed.), Psychology of Learning and Motivation (Vol. 37, pp. 265–290). Academic Press. https://doi.org/10.1016/S0079-7421(08)60504-6
  5. Social Theory at HBS: McGinnis’ Two FOs. (2004, May 10). The Harbus. https://harbus.org/2004/social-theory-at-hbs-2749/
  6. Buglass, S. L., Binder, J. F., Betts, L. R., & Underwood, J. D. M. (2017). Motivators of online vulnerability: The impact of social network site use and FOMO. Computers in Human Behavior, 66, 248–255. https://doi.org/10.1016/j.chb.2016.09.055
  7. Hadlington, L., Binder, J., & Stanulewicz, N. (2020). Fear of Missing Out Predicts Employee Information Security Awareness Above Personality Traits, Age, and Gender. Cyberpsychology, Behavior, and Social Networking, 23(7), 459–464. https://doi.org/10.1089/cyber.2019.0703
  8. Gundu, T. (2019, May 13). Acknowledging and Reducing the Knowing and Doing Gap in Employee Cybersecurity Compliance. International Conference on Cyber Warfare and Security, Stellenbosch, South Africa.
  9. Schaab, P., Beckers, K., & Pape, S. (2017). Social engineering defence mechanisms and counteracting training strategies. Information & Computer Security, 25(2), 206–222. https://doi.org/10.1108/ICS-04-2017-0022
  10. Bullée, J.-W. H., Montoya, L., Pieters, W., Junger, M., & Hartel, P. H. (2015). The persuasion and security awareness experiment: Reducing the success of social engineering attacks. Journal of Experimental Criminology, 11(1), 97–115. https://doi.org/10.1007/s11292-014-9222-7
  11. Briñol, P., Rucker, D. D., & Petty, R. E. (2015). Naïve theories about persuasion: Implications for information processing and consumer attitude change. International Journal of Advertising, 34(1), 85–106. https://doi.org/10.1080/02650487.2014.997080
  12. Alutaybi, A., Al-Thani, D., McAlaney, J., & Ali, R. (2020). Combating Fear of Missing Out (FoMO) on Social Media: The FoMO-R Method. International Journal of Environmental Research and Public Health, 17(17), 6128. https://doi.org/10.3390/ijerph17176128
  13. Caldwell, T. (2016). Making security awareness training work. Computer Fraud & Security, 8–14. https://doi.org/10.1016/S1361-3723(15)30046-4
  14. Blau, A., Alhadeff, A., Stern, M., Stinson, S., & Wright, J. (2017). Deep Thought: A Cybersecurity Story. ideas42. https://www.ideas42.org/wp-content/uploads/2016/08/Deep-Thought-A-Cybersecurity-Story.pdf

About the Authors


Lindsey Turk

Lindsey Turk is a Summer Content Associate at The Decision Lab. She holds a Master of Professional Studies in Applied Economics and Management from Cornell University and a Bachelor of Arts in Psychology from Boston University. Over the last few years, she’s gained experience in customer service, consulting, research, and communications in various industries. Before The Decision Lab, Lindsey served as a consultant to the US Department of State, working with its international HIV initiative, PEPFAR. Through Cornell, she also worked with a health food company in Kenya to improve access to clean foods and cites this opportunity as what cemented her interest in using behavioral science for good.


Dr. Brooke Struck

Dr. Brooke Struck is the Research Director at The Decision Lab. He is an internationally recognized voice in applied behavioural science, representing TDL’s work in outlets such as Forbes, Vox, Huffington Post and Bloomberg, as well as Canadian venues such as the Globe & Mail, CBC and Global Media. Dr. Struck hosts TDL’s podcast “The Decision Corner” and speaks regularly to practicing professionals in industries from finance to health & wellbeing to tech & AI.


Dan Pilat

Dan is a Co-Founder and Managing Director at The Decision Lab. He is a bestselling author of Intention - a book he wrote with Wiley on the mindful application of behavioral science in organizations. Dan has a background in organizational decision making, with a BComm in Decision & Information Systems from McGill University. He has worked on enterprise-level behavioral architecture at TD Securities and BMO Capital Markets, where he advised management on the implementation of systems processing billions of dollars per week. Driven by an appetite for the latest in technology, Dan created a course on business intelligence and lectured at McGill University, and has applied behavioral science to topics such as augmented and virtual reality.
