The social psychology of cybersecurity

Online interactions are often based on trust, the sharing of information and a degree of interdependence, as found with many offline relationships. The recent events at companies such as TalkTalk and Ashley Madison are the latest in a series of high profile cybersecurity incidents that demonstrate what happens when this trust relationship is breached. Despite the common media depiction, incidents of this type may not be the result of the archetypal hacker using technological means to hack into a system. Instead cybersecurity attacks are increasingly based primarily on social engineering techniques, which refers to the use of psychological manipulation to trick people into disclosing sensitive information or inappropriately granting access to a secure system (Tetri & Vuorinen, 2013). One of the more well-known examples of social engineering that many of us will have encountered would be phishing emails, which attempt to fool the recipient into opening a link or attachment that will install malicious software onto their computer. These phishing emails draw upon many of principles of social psychology, consumer psychology and behaviour change by, for example, using a fear appeal or invoking a sense of scarcity or urgency if the recipient does not act quickly. These phishing emails may only be successful a fraction of the time, but with the ability to send out tens of thousands of emails at once, at no or zero cost to the sender, this can still be a productive means of gaining access to individuals’ computers. Yet despite the intrinsically psychological nature of many cybersecurity attacks, research into the role of psychology in cybersecurity is still limited. Indeed, even research into social engineering is often conducted from the discipline of computing rather than social psychology.