AN INTERVIEW WITH A DOCTORATE IN CYBERPSYCHOLOGY
By Laura Baker, Cyber Wyoming
Despite constant technological security innovations like firewalls, email protection software and antivirus software, phishing and social engineering have continued to increase. Dr. Erik J Huffman is part of a small group of PhDs studying cyberpsychology, which can be summed up as the human side of cybersecurity.
“We spent years trying to patch the human with technology,” Huffman stated. “It didn’t work.”
This is why cyberpsychology became an emerging field.
Huffman, the founder and CEO of Handshake Leadership in Colorado Springs, received his Doctorate in Management and conducted post-doctoral research in cyberpsychology. He is also a Lead Technical Instructor at SecureSet Cybersecurity Academy. In 2018 he was awarded the Colorado Springs Mayor’s Young Leader Award and the Pikes Peak SBDC Young Entrepreneur of the Year Award.
In 2017, Huffman’s team surveyed 250 hackers at the Defcon conference, and 73% of them found traditional perimeter security hardware and software to be irrelevant. Employees were the weakest link and, therefore, are primary targets.
But why are employees the weakest link in business? This is where Huffman’s research explains the situation.
When speaking to a stranger in person, one may get a gut feeling that they are untrustworthy and thus pull away. That’s the limbic system kicking in with the stranger danger and fight-or-flight response. But when reading an email, if the person isn’t known, the reader substitutes his or her own voice. Me, myself and I are the most trustworthy person known to me, myself and I. Thus, the limbic system is completely bypassed.
In the case of spoofing, the email will look like it was sent by someone known to the reader, like their mother or their boss, for instance. In this case, they read the email in the supposed sender’s voice and it also becomes more trustworthy.
Thus the reader is at a biological disadvantage when reading the email. His or her limbic system isn’t activated.
This biological disadvantage is complicated by the “unfortunate environment that tech people have created,” according to Huffman. The feeling of “you’re dumb” and of “shame” leads to many employees not reporting cyber crimes for fear of being fired. These feelings are perceived to come from the cybersecurity professionals.
Huffman’s research has identified different personality traits that make humans more likely to succumb to phishing and social engineering scams. The number one risky trait is impulsiveness. However, the more extroverted you are, the more likely you are to be phished.
When asked how to combat personality traits to gain higher levels of security in businesses or our personal lives, Huffman responded, “self-understanding and reflection.” Huffman continued, “When you see an urgent email from your mom, you care! This is how we are built.”
While Huffman cautioned that the field is really new and future research may change today’s findings, applications of the research are beginning and are still in the idea stage.