Recently, we shared the results of a new survey on phishing knowledge and click habits of 7,000 workers in the U.S., U.K., Australia/New Zealand, Germany, France, Italy and Japan. In it, we focused a fair bit on COVID-19 and its effects on people and their online habits with the increase in WFH, as well as on cybercriminal tactics themselves. We then worked with Dr. Prashanth Rajivan, assistant professor at the University of Washington and expert in human behavior and technology, to get his take on the survey results.
Below are snippets from our interview with Dr. Rajivan, where we asked him about some of the nitty-gritty in the report and what he thinks the numbers mean.
Thanks for taking the time to share additional information with our Community. I’d like to dive right in by examining some the numbers around the mass shift to working from home. In the survey, 54% of workers worldwide said they had increased the amount of time they spend working from home due to the COVID-19 pandemic. In your expert opinion, what are some of the psychological implications here?
Wow, that is quite a loaded question. I really believe working from home could have very different effects on individuals, depending on their unique situations and personalities. But I think people who traditionally worked in offices before the pandemic are likely to face higher levels of distraction, higher uncertainty and anxiety, and lower motivation due to the lack of social support they usually receive in an office environment. The higher uncertainty and anxiety could definitely have an effect on their ability to make strong cybersecurity decisions. However, humans are also highly resilient, and reports worldwide have shown increases in productivity since the shift. So it’s clear that people are continuing to adapt to their respective “new normal”.
Interesting. Do you think that adaptiveness is why 31% of people said they feel more prepared to spot a phishing attack now than they did before switching to WFH due to the pandemic?
I think, in general, people are more on-guard in the current situation. Many people are following the news more closely, receiving more content from internet and social media sources, having more conversations about health and safety, etc. And people are taking increased physical safety measures in the pandemic, including mask wearing, social distancing, more frequent hand-washing, etc. I think this heightened level of precaution and awareness could cause people to slightly overestimate their overall safety, including their safety regarding online threats.
Overall, there appears to be a false sense of security, where most people in our survey said they know enough to keep their data safe, yet a significant number still fall prey to scams. What do you think leads to this false sense of security?
Well, as a continuation of my previous answer, I think there could be some false confidence that is specifically rooted in the current pandemic scenario. If we all feel hyper-aware of health and safety risks in general, it could translate into a perception that we are aware of other dangers, like cyber threats. But I also think there may be some cultural factors at play.
That’s interesting. I did notice that Japanese workers were the least confident about their ability to stay safe from attacks. But they also got phished the least. It seemed like workers in countries that expressed higher confidence got phished more. Any theories about that?
Yes. In particular, I see higher rate of confidence was mentioned among people in the US, UK, and Italy. If you look at the popular Hofstede’s cultural differences scores, you can start to evaluate the differences among these countries. For example, cultures that have higher individualism generally have lower risk avoidance, i.e. greater risk-taking behavior. But cultures that have less of an emphasis on individualism, such as Japan, have a much higher score for risk avoidance, i.e. lower risk-taking behavior. The countries that ranked high on individualism also generally self-assessed as knowing enough to stay safe from cyberattacks, even if their answers to other questions would suggest their confidence is a little … (pause)
A little “inflated”, maybe?
(Laughs) Well… yes! You said it, not me! But seriously, it does make some scientific sense. I focus on individualism because research has found correlations between individualistic cultures and higher self-confidence and risk-taking. Taking risks absolutely has its place in business – just ask any startup CEO – but it’s probably not the kind of behavior you want to see in your employees’ cybersecurity habits. Ultimately, when people adopt a less individualistic mindset and, instead, perceive themselves to have a greater responsibility to others, their average level of willingness to take risks decreases. This is a very important consideration for businesses that want to have a cyber-aware culture.
Beyond the consideration of cultural factors, do you think there are other things contributing to the general false confidence people seem to have regarding their phishing and cyber-safety know-how?
I absolutely think it’s due to a combination of factors. For example, the survey showed that only 14% of people worldwide believe a company’s cyber resilience is a responsibility that all employees share. So many people may be overconfident because they assume their IT personnel have taken appropriate steps to protect workers and work devices. Additionally, there’s also the Dunning-Kruger effect, which is a cognitive bias where people who are less skilled at a given task tend to be overconfident in their ability. It states that we tend to overestimate our capabilities in areas where we are actually less capable. Basically, for many, the less you actually know, the more you think you know.
What other trends have you seen – physiological, behavioral, etc. – now that more people are WFH due to the pandemic?
Well, there’s the matter of attentiveness. Like with distracted driving, working while doing other household chores or even watching TV seems easy enough when doing mundane tasks, such as email processing. But this type of distraction can also make people vulnerable. People might be less likely to properly notice and weigh the risks of a potential phishing message. That doesn’t mean they need to physically be in the office to be productive, but it does mean that the lines between work and home need to be front and center.
I know it’s a lot of data, but what would you say was the most surprising finding from the survey?
I was actually shocked by the percentage of people who said they click on links from unknown senders. Ranging from occasionally or under certain circumstances to “all the time”, wasn’t it something high like 70% of people who regularly click emails from unknown senders?
Yes, the number of people who open emails from unknown senders was 76%. And yet 81% say they take steps to determine if an email message is malicious. Why the discrepancy?
There are huge differences between knowing what to do and actually operationalizing that knowledge in appropriate scenarios. I suspect many people don’t really take the actions they reported, at least not on a regular basis, when they receive suspicious emails. Knowing how to determine if an email is malicious is good, but the really necessary thing is to develop a healthy dose of suspicion while processing email. Humans, by nature, have a propensity towards truth. We generally assume the communications we receive from other people are honest. By developing a healthy dose of suspicion with regard to emails, it’ll help us be more alert, and actually put our phishing knowledge into practice.
You’re definitely right about the difference between “knowing better” and “doing better”. Along those same lines, how extreme do you think a phishing-related attack and its consequences would have to be to get a person to change their behavior?
I don’t think it’s necessarily a matter of an extreme or devastating event vs. a more manageable one. I think it’s more about having opportunities to put your knowledge into practice.
I am a strong believer in reinforcement learning. Human behavior is shaped by past experiences, consequences and reinforcement. To see a real change in human behavior related to phishing and online risk-taking habits in general, people need frequent and varied experiences PLUS appropriate feedback that incentivizes good behavior and disincentivizes poor behavior.
This feedback and incentive structure needs to be carefully calibrated. Too much could lead to heightened anxiety and false alarms, but too little could lead to underweighted risk, i.e. people knowing the correct actions, but not taking them.
That makes a lot of sense. As we wrap things up, is there any advice you’d give businesses and workers with regard to phishing during the pandemic and beyond?
Develop that healthy dose of suspicion! You shouldn’t feel like you’re on high alert all the time. That’s much too stressful and, frankly, unnecessary. But you also shouldn’t click on everything you see and imagine it will be OK.
To help get us all in the right mindset, I recommend that businesses up their cybersecurity training and also run phishing training simulations. That will help show employees you are invested in enabling them to be successful and will also give them ways to operationalize their knowledge and get the kind of feedback they need to make lasting behavior changes.
And for the workers themselves, I recommend subscribing to cybersecurity content online. Follow security companies on LinkedIn or research some good podcasts. If you keep security top-of-mind, you’ll be better able to put your knowledge into practice to stay safe.