Why psychology could be the answer to cyber-attacks


Psychology plays a role in understanding cyber-attacks. Image: REUTERS/Kacper Pempel/Files

John Blyth
Research associate, UCL
Cameron Lefevre
Research associate, UCL

Two scientists were recently able to take over the lights of an office building using a drone and some clever computer hacking. They demonstrated how “smart” lightbulbs connected to the internet were vulnerable to a virus that could spread from one infected light to any bulb in range. The researchers flew a drone up to the building, transmitted a signal that hacked into one light and then took control of the whole floor. In theory, such an attack could be used to take out the lights of an entire city, if smartbulbs were to become commonplace.

These bulbs are just one example of devices that can be connected to the Internet of Things (IoT). The IoT refers to any everyday object with the ability to collect and exchange data over the internet. The technology can allow you to remotely and automatically control the heating, lighting, sound-system and other devices in your home, based on your normal routine.

 Global number of security incidents
Image: Financial Times

But these devices are also vulnerable to cyber attacks. The lightbulb example may have been a research experiment, but in a major attack recently, hundreds of thousands of IoT devices were captured by hackers and used to bring down many popular websites. So we need to make these objects more secure. One way to do this is to use psychology to understand users’ capabilities and motivations and try to change people’s behaviour.

Changing behaviour

Behaviour change when it comes to technology is an under-researched area. But recent work has started to take more of the theory into account, for example by focusing on “nudging” users towards better security and privacy. Nudge theory focuses on presenting choices to people in ways that steer them towards better decisions.

For example, one study explored Facebook privacy nudges by getting users to consider the content of what they are posting – and who will see the post. The researchers found that showing users pictures of their friends when posting a status prevented them from unintentionally disclosing things they would regret (such as a colleague seeing a nasty comment about their boss).

But we also need to think about longer-term behavioural change that focuses on people’s capabilities and what motivates their behaviour when it comes to security. One route to doing this is by asking whether people don’t know how to be secure or are just too lazy to do anything about it.

To answer this question, we need to understand behaviour in context using theory. For example, one model of behaviour, known as the “COM-B” model, says that to behave in a certain way, people need to have the capability and opportunity to do so – and be more motivated to do so than behave in any other way. They have to want to perform the behaviour and feel that they should.

By understanding what drives people’s behaviour in this way, we can come up with ideas for how to change it. For example, the reason a person does not use a password on their device may be that they do not know the risk they are taking. In this case, we need to improve the user’s capability through teaching them about security risks.

By contrast, the reason could be that the device is hard to interact with and it takes up a lot of time to set up a password. Then we need to increase users’ motivation perhaps by providing inbuilt incentives to having a password, such as offering additional services and features to users.

But looking at IoT security in this way also brings home how important it still is for manufacturers to change their devices. Ultimately, most people don’t have the ability to remember lots of complex passwords and may not even have the opportunity to create a password for their device. So we need to make sure security features are built into IoT devices and that they are simple and convenient enough for anyone to use, even if they have little or no technological skill. Only then can we start to make significant advancements towards making the IoT secure.


License and Republishing

World Economic Forum articles may be republished in accordance with the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License, and in accordance with our Terms of Use.

The views expressed in this article are those of the author alone and not the World Economic Forum.
