The past few years have exposed a staggering amount of personal and financial consumer information while damaging the reputations of major brands such as Sony, Yahoo, eBay, Equifax and Target.
The economic losses are significant. The average cost of a corporate breach was $11.7 million in 2017, up 23% from the previous year, according to a recent Accenture study .
Here’s the really bad news: 95% of all cybercrime results from human error, according to a 2014 IBM study. Despite the advanced security technologies available today—including nascent applications that can take matters out of human hands—most major hacks target vulnerabilities rooted in human behavior, not just those in systems and networks.
Most major hacks exploit vulnerabilities rooted in human behavior, not systems and networks. Here are some typical human behaviors that play into the hands of cybercriminals, with tech solutions that organizations can deploy to strengthen their defenses.
Research has shown that waves of security warnings and the constancy of threats actually makes employees less likely to respond to them. In psychology, this pattern is known as habituation. For decades, therapists have been using habituation to treat phobias, according to Andrew Blau, vice president at behavioral design firm ideas42.
In the wake of every high‑profile global attack, security pros generally rush to prevent the same thing from happening within their organizations—while often ignoring known threats such as critical patch upgrades. This is the result of availability bias: people tend to overemphasize the likelihood of something happening again, based on how easy it is to remember.
Most people never change the default security settings on their computers and don’t opt into extra security features such as simple encryption, even when they know it will protect their data from being stolen. This pattern has given IT departments headaches for decades.
Employees tend to model peer behavior. This phenomenon, called social proof, can significantly influence behavior, especially when trying to get users to embrace security hygiene practices that appear more abstract than real.
When employers train their employees, they may increase knowledge but rarely change behavior. Data security training programs may increase employee knowledge, but they rarely change behavior. However, the chances of success rise sharply when training becomes a constant feedback system for users. […]