{"id":7529,"date":"2019-09-03T03:00:30","date_gmt":"2019-09-02T19:00:30","guid":{"rendered":"https:\/\/www.curtin.edu.au\/news\/re-humanising-cyber-security\/"},"modified":"2022-12-07T13:09:23","modified_gmt":"2022-12-07T05:09:23","slug":"re-humanising-cyber-security","status":"publish","type":"post","link":"https:\/\/www.curtin.edu.au\/news\/re-humanising-cyber-security\/","title":{"rendered":"Re-humanising cyber security"},"content":{"rendered":"<p>The objectives of hackers and cybercriminals haven\u2019t changed over the years: they still work to steal, exploit or disrupt. Their methods, however, have changed \u2013 because the weakest link is no longer in the machine, it\u2019s in the user.<\/p>\n<p>Cyber security is a top global concern. Only extreme weather events and natural disasters were deemed greater risks by the World Economic Forum in its 2018 Global Risks Report.<\/p>\n<p>Although cyber security is an ever-increasing problem for Australian organisations across all sectors, according to computer scientist Dr Nik Thompson, the failure of their counter-measures lies in disregarding the impact of human behaviours.<\/p>\n<p>\u201cThrowing technology at the problem isn\u2019t working because many cyber incidents are caused by the actions of users,\u201d Thompson explains.<\/p>\n<p>\u201cPhishing remains the most common attack \u2013 in fact, many of the largest data breaches in 2018 resulted from employees falling for phishing scams.<\/p>\n<p>\u201cAnother concern is that employees are increasingly using smartphones to access and store organisational information. 
As the use of smartphones as a mainstream computing platform grows, so will the extent and severity of malware and attacks.\u201d<\/p>\n<p>Thompson also has a background in cognitive science, and he combines his two areas of expertise to study the links between human behaviour and cybersecurity.<\/p>\n<p>He says that successful cyber criminals are manipulating people through social engineering \u2013 a method made famous by notorious US hacker Kevin Mitnick, who obtained access to more computer systems by tricking users than by cracking into accounts.<\/p>\n<p>\u201cAttackers adapt their methods to [target] the human elements in the security chain. For example, email or phone scammers will exploit people by creating time pressure. They might stress that action is required to avoid imminent adverse consequences.<\/p>\n<h2>\u201cOur decision-making processes change when we\u2019re under time pressure.\u201d<\/h2>\n<p>\u201cOur decision-making processes change when we\u2019re under time pressure. Rather than complete the process of reasoning, we adopt a heuristic model and rely on a gut feeling.\u201d<\/p>\n<p>\u201cPlus, many users struggle constantly with conflicting goals. They have time pressures, heavy workloads and situations where they\u2019re splitting their attention. Processes like security can be drowned out.\u201d<\/p>\n<p>He points out that such circumstances can be a collective phenomenon for particular professions and environments, such as in hospitals and law firms, where workplace culture and the nature of the work can create risk.<\/p>\n<p>These can also link with basic social norms. Sharing passwords, for example, remains a common behaviour in many workplaces. These practices exist partly because we want to avoid offending colleagues, or even complete strangers, by implying they\u2019re not trustworthy.<\/p>\n<p>\u201cAnother example is tailgating in building or room access. 
If we swipe through a doorway when there\u2019s someone directly behind us, we don\u2019t close the door in their face, or tell them to stop and swipe their own card.<\/p>\n<p>\u201cThere\u2019s a strong behavioural influence exerted by the social environment. We need to consider social norms, or organisational and national culture, as part of deeper research into cyber security.\u201d<\/p>\n<h2>The malfunctions in our mental models<\/h2>\n<p>It seems that our typically human mental models \u2013 which combine our general knowledge with our perception of a situation \u2013 are our downfall. Add to this some basic forms of \u2018cognitive bias\u2019, and you can see why typical human behaviours can undermine the most stringent security tech.<\/p>\n<p>\u201cMany users believe they won\u2019t be targeted because they\u2019re not important enough, that they don\u2019t have useful information,\u201d Thompson says.<\/p>\n<p>\u201cAnd there\u2019s an interesting paradox in that tech-savvy users take more risks.\u201d<\/p>\n<p>He also points out the need for research into how other demographic differences influence information security behaviour. An example could be whether users of a particular generation are more vulnerable.<\/p>\n<p>\u201cScammers exploit our perceptions of authority, and some groups could have a greater tendency to not question communications from apparent authorities \u2013 such as the tax office.<\/p>\n<p>\u201cInstead of relying solely on technical counter-measures like filters and blocking, it will be more effective to apply our understanding of human behaviours.\u201d<\/p>\n<p>By drawing on the evidence about human behaviours, he says, organisations will better understand their staff \u2013 how they assess cyber risks and make decisions. 
This will enable the design of better workplace practices and systems.<\/p>\n<p>So, we can boost cybersecurity right now without touching a single bit of tech?<\/p>\n<p>\u201cYes, I absolutely agree with that,\u201d Thompson says.<\/p>\n<p>\u201cOrganisations can immediately boost their security through education and training that supports IT users. But it has to be an interactive process that is actionable and provides feedback.<\/p>\n<p>\u201cThat\u2019s not to say technical protections aren\u2019t part of the solution, but security is mostly about behaviour change.\u201d<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Why do we presume that our workplace information is worthless to cybercriminals?  Dr Nik Thompson explains our downfalls in data breaches.<\/p>\n","protected":false},"author":618,"featured_media":7530,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_oasis_is_in_workflow":0,"_oasis_original":0,"_oasis_task_priority":"","_relevanssi_hide_post":"","_relevanssi_hide_content":"","_relevanssi_pin_for_all":"","_relevanssi_pin_keywords":"","_relevanssi_unpin_keywords":"","_relevanssi_related_keywords":"","_relevanssi_related_include_ids":"","_relevanssi_related_exclude_ids":"","_relevanssi_related_no_append":"","_relevanssi_related_not_related":"","_relevanssi_related_posts":"","_relevanssi_noindex_reason":"","wds_primary_category":0,"wds_primary_research-areas":0,"footnotes":""},"categories":[49,3],"tags":[],"research-areas":[],"class_list":["post-7529","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-business-innovation-and-law","category-campus-and-global-community"],"acf":{"post_options":{"":null,"additional_content":{"title":"Research on the right side of the law","content":"<p>At Curtin\u2019s School of Management, Dr Nik Thompson is collaborating with law societies around Australia to investigate the cybersecurity 
practices of lawyers.<\/p>\n<p>The research is a first in Australia. The results will reveal the extent to which the behaviour or beliefs of staff in legal practices are placing digital information at risk of theft, loss or misuse.<\/p>\n<p>The outcomes will inform recommendations for counter-measures.<\/p>\n<p>A recent US survey of more than 200 law firms found they\u2019d all had cyber incidents targeting confidential client data. Thompson isn\u2019t surprised, given that much of the information a law firm deals with is highly sensitive.<\/p>\n<p>Data collection is underway in South Australia and the Northern Territory, with other regions scheduled for later this year.<\/p>\n","image":false},"related_courses":false,"credits":{"author":"","photographer":"","media":false},"display_author":true,"banner":{"image":false}}},"featured_image":"https:\/\/www.curtin.edu.au\/news\/wp-content\/uploads\/2022\/07\/cybersecurity-hacking-1588x840-1-1000x500.jpg","author_meta":{"first_name":"Karen","last_name":"Green","display_name":"Karen Green"},"publishpress_future_action":{"enabled":false,"date":"2026-04-22 
02:53:36","action":"change-status","newStatus":"draft","terms":[],"taxonomy":"category","extraData":[]},"publishpress_future_workflow_manual_trigger":{"enabledWorkflows":[]},"_links":{"self":[{"href":"https:\/\/www.curtin.edu.au\/news\/wp-json\/wp\/v2\/posts\/7529","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.curtin.edu.au\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.curtin.edu.au\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.curtin.edu.au\/news\/wp-json\/wp\/v2\/users\/618"}],"replies":[{"embeddable":true,"href":"https:\/\/www.curtin.edu.au\/news\/wp-json\/wp\/v2\/comments?post=7529"}],"version-history":[{"count":0,"href":"https:\/\/www.curtin.edu.au\/news\/wp-json\/wp\/v2\/posts\/7529\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.curtin.edu.au\/news\/wp-json\/wp\/v2\/media\/7530"}],"wp:attachment":[{"href":"https:\/\/www.curtin.edu.au\/news\/wp-json\/wp\/v2\/media?parent=7529"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.curtin.edu.au\/news\/wp-json\/wp\/v2\/categories?post=7529"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.curtin.edu.au\/news\/wp-json\/wp\/v2\/tags?post=7529"},{"taxonomy":"research-areas","embeddable":true,"href":"https:\/\/www.curtin.edu.au\/news\/wp-json\/wp\/v2\/research-areas?post=7529"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}