Writings from the intersection of law enforcement and the Internet

Curiosity: A killer of networks and cats.

In 2016, Dr. Zinaida Benenson of Friedrich-Alexander University (Erlangen-Nuremberg, Bavaria, Germany) conducted a study to measure the rate at which students would click links in messages received from unknown senders. Of course, they clicked links. There is little value in that finding alone. The true value of the study is the reason why they clicked the links.

Dr. Benenson’s study involved 1700 university students. They were interviewed to learn their self-assessed security awareness and understanding of phishing attacks. 78% of the students expressed an understanding of the dangers of clicking a link received from an unknown sender.

The students were later sent emails and Facebook messages from sender names they could not have known, since the accounts were fictitious. The messages referenced a New Year's Eve party, and the link allegedly led to an online album of photos taken during the party.

The students had previously told researchers they understood the dangers of clicking links in messages. They understood that links could lead them to malicious websites and unleash dangerous viruses on their computers. Yet 56% of the test subjects who received emails clicked on the links, and 40% of the Facebook message recipients clicked on the links. Why?

Probably the same reason why you would. The same reason why we open an unmarked envelope we find in the street, or a nondescript box we find in grandma's attic, or why we read our sister's diary: curiosity. During the follow-up interviews, most of the study participants admitted they clicked on the link only because they were curious to see the photos of the party.

How do security practitioners overcome the human instinct of curiosity? What hardware or software tool can overcome that desire? How do we train employees to resist that temptation?

The bad guys are masters of psychological manipulation and of preying on human emotions. Your million-dollar security software is worthless if the attacker can get to the human. Security needs to refocus on the human.

#phishing #infosec #cybersecurity