How businesses can use psychology to safeguard against cyber criminals

The world of business is increasingly aware of the need to protect operations from cyber criminals. Now psychological profiling could offer an innovative new way to do just that

Over the past few years, we have seen some of the most prolific and damaging cyber attacks of our time. WannaCry brought down organisations across the globe, including the National Health Service (NHS) and has since caused serious damage to these organisations in terms of both money and reputation. A month later, cyber criminals, NotPetya, also graced our headlines after devastating Ukrainian accounting software.

Many infamous hacking groups, particularly in Russia, China, Ukraine and Korea, have been linked to these attacks, but we need to acknowledge that not all attacks are state sponsored. Some hacks come from closer to home, with cyber crime now accounting for £26m of losses to business and individuals in London per month, and we often skirt around the motivations that drive these people to turn to a life of cyber crime.

It’s easy to attribute these attacks simply to a group with a quirky name or a nation state with a dark agenda, but it is also important to look at the individual and break down their behaviour. There are very real people behind these attacks – and the crimes that they are committing are very much real too and, some might say, a natural consequence of the evolving digital era.

There are very real people behind these attacks – and the crimes that they are committing are very much real too

Although most of the business community knows that they are at risk from a potential cyber attack, there is often confusion about the appropriate security measures to take. As such, it is more important than ever to understand the mentality behind cyber crime and the personality traits of cyber criminals that may be hiding in plain sight. This can also enable businesses to be more vigilant and aware of both potential internal and external threats.

The identity of hackers can come as a surprise, with a report released last year by the National Crime Agency (NCA) revealing that individuals as young as 17 are being arrested for dipping their toes into the muddy waters of cyber crime, but with hacking tools more readily available than ever on forums and the dark web, it should come as no surprise that some young people are swayed this way.

There are four factors that determine what drives a person to commit cyber crime; psychological, socio-environmental, genetic and neurological. Using this four-fold-lens approach can help us to break down the factors that contribute towards cyber violence and behaviour.

Profiling cyber criminals

By retrospectively applying psychological research to people’s behaviour and looking at the pre-determined factors that can cause digressional behaviour we can get a better idea of the tendencies and traits that can lead an individual to commit a cyber crime. For many cyber criminals, there may be an inherent social disposition or asocial personality disorder that leads them to behave in unpredictable and aggressive ways. According to a study from Buckels in 2014, online trolls exhibit personality traits such as sadism and psychopathy, exhibiting enjoyment for the harm they are causing online.

Many of these traits are often found in another form of cyber criminal: the social engineer, who will manipulate and exploit others, often through targeted emails with the aim of extracting or gaining access to sensitive information. They then use this information to exploit the individual or the organisation they work for. The social engineer will often exhibit traits of disinhibition and a disregard for social conventions, that leads them towards this criminal behaviour. Like online trolls, these cyber criminals tend not to care about the consequences and repercussions of their behaviour – both for themselves or for their victims.

The social engineer will often exhibit traits of disinhibition and a disregard for social conventions, that leads them towards this criminal behaviour

This indifference to the consequences of their actions, along with the comfort of sitting behind a computer screen, can lead these types of cyber criminals to act in ways that they would never do in their offline life. By the time they have committed a security breach or caused the breakdown of a national infrastructure, it’s far too late for them to turn back. Social engineering is already a very common technique used by cyber criminals, and as the real world becomes ever more connected to the online one, we can only expect this to get worse, with more people who exhibit these personality traits throwing their hat in the ring to earn some “easy” money.

Cyber crime in the workplace

Businesses need to recognise that employees, both internally and externally, that exhibit any of these tendencies may have the capability of committing cyber crime, and take appropriate action to mitigate this threat, including stepping up security measures. This is even more crucial in situations where socio-environmental factors, such as being fired from a job, may lead an employee to revenge. A recent report shows that a man went as far as to hack his ex-employer’s computer system after being fired from the company, causing disruption by changing system passwords, erasing documents and deleting emails from several accounts. Understanding and anticipating the possibility for these attacks is key to preventing insider threats.

Once business begin to safeguard themselves from the different types of threats that can drive an individual, or even an employee, to turn to cyber crime, they will then be able to prepare the security defences necessary to prevent insider or external threats. Common prevention techniques include restricting admin privileges, implementing robust firewalls or even reaching out by communicating with individuals that they have any concerns about. Remaining vigilant and understanding the make-up of a cyber criminal can help us to strengthen our defences in order to thwart their attacks.