Why the human element of cybercrime gets overlooked

Andrew Bycroft, Security Consultant (andrew.bycroft@fortian.com.au) | Feb 25, 2022

It is clear that cyber criminals tend to target the weakest link in any organisation and, more often than not, this is the people rather than the technology. This is evidenced by the fact that phishing is one of the most common ways to propagate ransomware, and by scams that prey on people who are too trusting, or who are so burdened with other concerns that they fail to think the request through and simply let their guard down.

In fact, every cyber-crime has human impacts. In the simplest form it could be operational impacts that require re-entry of data or cause technology downtime, amounting to lost productivity. It could be more serious impacts, such as those on reputation, as was the case with the cyber-attacks on Ashley Madison, Target and Equifax, after which each CEO had to rethink their career and seek employment elsewhere. In the most dire of outcomes, cybercrime could cost human lives, given that pacemakers, cars and nuclear reactors are all based on computing technology nowadays. Let’s also not overlook cyber bullying, which in the most extreme cases has led to suicide.

Why is it though given that people have always been the ones to suffer from cyber-crime that fighting cyber-crime falls within the domain of technology and not psychology?

One of the biggest problems is that understanding the complexity and unpredictability of people and their motives is far more challenging than understanding technology which, although complex to the average person, is based on logic and behaves in predictable patterns. As a result, treating cyber-crime as a technology problem has always been far simpler than addressing the human side of the problem. Also consider that technology has always been regarded as “superhuman”: it can be millions of times faster than humans, it never sleeps and, so the perception goes, it doesn’t make mistakes.

There is always a need for humans to play a role. Technology excels at making decisions where there is a clear distinction between right and wrong; however, when the situation falls into the grey area in between, it takes a human to consider the emotional impacts and to bring morals into the equation to make a final decision. This is precisely why anti-phishing technologies excel at identifying and blocking messages which are clearly spam, while those that are more subtle and look legitimate pass through without further scrutiny.
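To make the grey-area problem concrete, here is an added example (not code from the original article or from the author) of a deliberately simple rule-based mail filter run over four constructed messages. The keyword and blocklist rules block the obvious spam but score a lookalike-brand phish as clean, exactly the gap described above; a second check for a mismatch between the claimed brand and the sending domain does not block the message either, but routes it to a human reviewer instead of delivering it. The sender domains, brand list and messages are all hypothetical.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass
class Message:
    display_name: str  # what the mail client shows as the "From" name
    sender: str        # the actual From address
    subject: str
    body: str

# Hypothetical filter rules: obvious-spam vocabulary, urgency cues and a sender blocklist.
SPAM_KEYWORDS = {"viagra", "lottery", "prince", "winner"}
URGENCY_CUES = {"urgent", "immediately", "suspended", "within 24 hours"}
BLOCKLIST = {"spam-casino.example"}

# Hypothetical brand-to-domain table used by the mismatch check.
TRUSTED_BRANDS = {"microsoft": "microsoft.com", "paypal": "paypal.com"}


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def naive_score(msg: Message) -> int:
    """Keyword/blocklist scoring: catches what is clearly spam, nothing subtler."""
    text = f"{msg.subject} {msg.body}".lower()
    score = 10 if domain_of(msg.sender) in BLOCKLIST else 0
    score += 5 * sum(k in text for k in SPAM_KEYWORDS)
    score += 2 * sum(k in text for k in URGENCY_CUES)
    return score


def naive_verdict(msg: Message) -> str:
    """Binary block/deliver, the only two outcomes a pure rule filter offers."""
    return "block" if naive_score(msg) >= 5 else "deliver"


def brand_mismatch(msg: Message) -> Optional[str]:
    """Return the brand name if the display name claims a brand the sender domain does not belong to."""
    sender_domain = domain_of(msg.sender)
    for brand, domain in TRUSTED_BRANDS.items():
        if brand in msg.display_name.lower():
            if sender_domain != domain and not sender_domain.endswith("." + domain):
                return brand
    return None


def triage(msg: Message) -> str:
    """Three-way outcome: block the obvious, deliver the clean, hand the grey area to a person."""
    if naive_verdict(msg) == "block":
        return "block"
    if brand_mismatch(msg) or naive_score(msg) >= 2:
        return "review"
    return "deliver"


# Constructed sample messages (not real mail).
SAMPLES: Dict[str, Message] = {
    "obvious_spam": Message("Lottery Board", "win@spam-casino.example",
                            "You are a WINNER", "Claim your lottery prize now."),
    "lookalike_phish": Message("Microsoft Account Team", "security@account-microsoft-verify.example",
                               "Review sign-in activity",
                               "We noticed a new sign-in to your Microsoft account. "
                               "If this wasn't you, review your recent activity."),
    "legit_vendor": Message("Microsoft", "noreply@microsoft.com",
                            "Your statement", "Your monthly billing statement is ready."),
    "legit_but_urgent": Message("Alice Chen", "alice.chen@corp.example",
                                "Urgent: approve purchase order",
                                "Please approve this immediately so the supplier is paid today."),
}


def run_samples() -> Dict[str, Tuple[str, str]]:
    """Map each sample name to (naive verdict, triage outcome) for comparison."""
    return {name: (naive_verdict(m), triage(m)) for name, m in SAMPLES.items()}


if __name__ == "__main__":
    for name, (naive, outcome) in run_samples().items():
        print(f"{name:18} naive={naive:8} triage={outcome}")
```

The lookalike phish scores zero under the keyword rules and would be delivered; only the brand/domain mismatch moves it to "review". The urgent internal request is also sent to review, which is the point: the filter cannot tell a genuine rushed colleague from a pretext, so it should escalate rather than guess.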

Consider also that those behind cyber-crime are extremely creative and somewhat gifted in their ability to turn each technology advance to their own gain. There is an argument that “it takes a thief to catch a thief”. Could it also be that it takes a gifted human to ultimately catch another gifted human?

It is very likely that in the future the perfect cybercrime fighting team will include both technologists and psychologists working together to use technology as the first line of defence and psychology to identify and block anything that technology misses.