Webinar: The Psychology of Cybersecurity--Now Available on Demand

Psychology of Cybersecurity webinar August 3, 2022


Free Webinar: The Psychology of Cybersecurity
Date: Wednesday, August 3rd 12:00 noon to 1:00 PM Pacific Time
Presenter: Dr. Erik J. Huffman
Cybersecurity Researcher, Cyberpsychologist, TEDx Speaker, Award Winning Entrepreneur



KELLY PALETTA: Good afternoon, everyone. I'm Kelly Paletta, Director of Sales and Marketing at EXP Technical and welcome to our webinar.

Our topic today is The Psychology of Cybersecurity and joining me is Dr. Erik Huffman.

I'll be... Hey Erik!

I will be introducing Dr. Erik Huffman in just a minute here.

I have a few administrative announcements to run through very quickly and then we'll get into the, you know, the “meat” of our presentation here very quickly.

So, let's dive into some of these.

Our presentation will take about… We have about 45 minutes of prepared material and it's all one contiguous chunk, but we should have a little bit of time at the end of our presentation for questions and answers. And so, we ask that you submit your questions via the chat feature, or the Q&A feature in the Zoom chat session… Or in the Zoom presentation session.

And you can see those are… I’ve copied an image of what that might look like on your display there.

And if you do that, those questions will go to me as the moderator, and we should have a few minutes at the end. I’ll pose those to our guest speaker at the end of the session.

One question that always comes up is, “Is this presentation being recorded?” It is! And I will make that available as soon as possible—hopefully before the end of this week—but it might not be until next week. So be patient with me. I’ll do what I can to get that to you quickly.

And then just a few acknowledgements before we get started here.

About EXP Technical

I’m here from EXP Technical. We provide IT support to hundreds of small and medium-sized businesses here in the Seattle area and across the Pacific Northwest.

We have folks on staff and we have clients that are all the way down into the south sound area from Tacoma, Bremerton all the way up to the north end in Bellingham. And on the east side in Spokane.

So, broadly, we cover Washington State, but most of our clients are here in the Puget Sound region.

EXP Technical is a Microsoft Gold Certified Partner.

I also include the Microsoft logo because they contributed some marketing dollars to make this event possible.

You see at the bottom of my display here [points the wrong way] oops like pointing through… over here at the bottom of the screen there I also included the Datto logo. Frankly this event would not be possible if it weren't for generous support from Datto. If you're not familiar with Datto, they make products that are focused on business continuity backup and disaster recovery services and they're a great resource for small and medium-sized businesses. They also do a great job of helping organizations like EXP present educational presentations like this one that you're seeing right now.

And then finally one other logo that you see here that you might not be familiar with, is the BombBomb logo.

Dr. Huffman here is director of IT from BombBomb and I’m an enthusiastic user of that product. BombBomb is a video messaging platform. It enables you to create a video message, kind of like what I’m doing right now, where you can communicate with people, and you can create these messages as easily as you create a voicemail message. And the advantage to that is that there is so much communication that is lost frankly in email and text messages. And there's so much emotional content or concern that you just can't convey in a text message, or an email. And video messaging is a great way to include all of that in your message. And frankly, in these times we're all working remotely. It's a great way to kind of rehumanize our work life too.

And with that, that's probably a good segue…

I hope I did a good pitch for BombBomb there.

But I’ll offer an introduction here.

Our guest speaker today is Dr. Erik Huffman. He is a pioneering researcher in the field of cyberpsychology. He is adjunct professor at Westcliff University.

Today he's going to be speaking to you on some of the research that he did as part of his doctoral studies and some of the continuing research that he does as head of his organization Handshake Leadership.

And with that, I’m going to mute myself and yield the stage to you, Erik.

The Psychology Behind Cybersecurity

DR. ERIK HUFFMAN: I thank you so much. I’d like to thank you for giving me the opportunity to be here and to be able to present some of my research, because as a research nerd this is kind of what I’m all about.

Hey Kelly, could you just let me know you can see the presentation okay, correct?


DR. ERIK HUFFMAN: Thank you so much. I just wanted to make sure, before I got too far.

So as a researcher what led me to cyberpsychology?

It’s the notion that every time we talk about security. Or every time we talk about a cyberattack, we always end up talking about the people.

We always end up talking about the impact of the people. We spend a little bit of time on the technology, but we spend a lot of time focused on the human element. And as we move forward through this presentation, I want to have this statement set in your mind that cybersecurity is closer related to psychology than computer science.

It is more of a human issue than it is a technology issue.

And the problem that we have… The problem that…  The cliche that we state is that humans are the weakest link of every digital network. That is the cliche and the cybersecurity community that we live with is that the technology’s not the problem; you are the problem. People are the weakest link to every digital network.

And to some point that is true because…  

Let me use the analogy of something we all could relate to like a face-to-face crime…a robbery. If someone wanted to break into your house or your apartment and you opened the door for them you should not blame the lock, because you opened the door for the intruder to come in and take things out.

In this aspect in a digital environment, we are doing the same thing.

The attacker is trying to make you the participant in your own attack. In the second you are a participant in your own attack there is nothing any technology can do to save you from it.

Furthermore, we have created this environment. We are not talking about a tree.  We are not talking about a forest. We are not talking about anything biologically that was created for us or something that has been here longer than us.

We have created this digital environment and to put it simply we just kind of suck working with it as people.

We are struggling through this learning process of how do we interact? How do we communicate within this digital environment?

Because face to face is one thing. Zoom makes it a little bit closer. Using a platform like BombBomb makes us a little bit closer, but it's not the same thing.

And the second you put it into text there's a slew of issues that come about.

We were moved from technology reliant to technology dependent

All right, before we really dive into it…

In 2020 we moved. We made a huge shift from being reliant on technology to being dependent on technology.

We went from relying on technology to get our day-to-day done and to make things more efficient. Now we found ourselves being more dependent that things would stop if the technology stops. So, the reliance in the dependency of this platform now is just absolutely magnified.

None of us are built for this

And to be… To put it simply: none of us, myself included, none of us are really built for this version of interaction.

I’m a proud millennial. Don't be too harsh on me, but I’m a proud millennial. This is something that I was born into.

Kind of sorta not really… That I grew into, but still we find ourselves in this paradigm where I would much prefer to communicate with you face to face, because I’ve seen and I’ve made errors trying to try to construe my messages towards someone digitally. And to put it simply: the platform that we have is not meant to hold the weight of your mind or your heart.

Before we get to the technical stuff, understand this: In this environment more people are now meeting themselves online. I’m sorry they're meeting their significant others online. They're meeting their husbands their wives online.

The first time they meet might be utilizing some app or utilizing some website service and just think if you could fall in love with someone that you've met online you could do anything.

Let's get to the… Let's get to the why.

So I’ve been in cybersecurity for my entire career, besides education. In my education, I teach cybersecurity. So I’ve been in cybersecurity my entire life.

And cyber is a unique field in that we have done absolutely poorly from the beginning, and we continue to do worse, and we get pay raises for…

So if you look back in 2001… If you're talking… If we're looking at the monetary damage caused by cybercrime, and if you look at the numbers all the way to 2020, it's just absolutely mind-blowing how bad the problem is getting!

Any sane person, any logical person will look at this data and say, “Well do something about it, because what you are currently doing does not align with the problem! What you are doing is not helping. Actually, what you are doing is probably hurting your situation, hurting your problem that you're having here.”

But if you look at technology and you think, “Hey we now have firewalls! We have intrusion detection systems! We have intrusion prevention systems! We have antivirus servers. You have antivirus on your computer! We have all these things that we have created and innovated in security!”

What led me down this path is because this problem does not align with the actual reality.

But what is the constant? The constant is us. The constant is people.

So I wanted to dive into it.

Current landscape: Hackers vs. IT Managers

I’ve spoke to a group of hackers and I spoke to a group of IT managers. To be more specific, I spoke to 263 IT managers—IT security professionals based on job title. And I spoke to 250 self-identified hackers.

I did not make them tell me if they're hacking illegally, they're black hat hackers. I did not make them tell me if they're white hat hackers, and they're kind of robin hood. And they're hacking for good. Whatever they wanted to do.

Self-identified hackers

What would happen…

What I was looking for is that I wanted to see if IT managers and the hackers aligned.

What the hackers are doing should align with the IT managers. That would be perfection! So me I’m rooting for IT managers. That’s kind of my job. That's… I’m rooting for us!

91% of cyber attacks start with people instead of technology

And 91% of attacks start with people instead of technology. 91%! It's kind of like that toothpaste commercial. 91% of hackers are targeting us versus targeting the IT managers.

And the IT managers? I can tell you exactly what we wish we had. We wish we had the newest firewall. We wish we had the newest IDS (intrusion detection system), newest IPS (intrusion prevention) systems.

But what is being targeted is actually the people!

Furthermore, after I spoke to the hackers I developed a profile like a criminology 101 profile for hackers.

A basic profile are individuals with low self-control, more risk taking, impulsive, short-sighted, insensitive to others, and seek immediate gratification.

It's kind of the same if you go to a law school. It's kind of the same for your everyday criminal.

And because they're short-sighted and because they want that immediate gratification—and I’m thinking about people—there seems to be some alignment there.

So I looked at notifiable data breaches scheme, and they stated that 67 percent of data breaches are caused by human error and upwards to some reports saying 95 percent of data breaches are caused by human error.

So I go back to the IT managers and I go back to the hackers.

In the hackers, it’s becoming clear there's some misalignment going on because one-third of the hackers—one-third of the respondents—said accessing privileged accounts was the number one easiest and fastest choice to get sensitive data, followed by 27% indicating that accessing email accounts was the easiest path to capturing critical data.

If you add that up, you're looking at about 59% and that's all human related!

This does not align with what we are doing!

Stop clicking on phishing emails!

In email… 97% of all malware comes through email. Just kind of in general, encompassing everyday crime to business-to-business to… I’m sorry criminal-to-business crime. About 97% of malware comes through email.

So my face looked like this. This was like year one. Like, my face began to look like this, like, “Could you stop clicking scam links? That would be great!”

Then where I am now kind of how I was when I was midway through the study it began to look like this: Like Chris Farley and I’m just like, “Oh my God! The problem is with us. The problem is being found in our email because that is the quickest, easiest way to get access to critical data. Can we please STOP!”

KELLY PALETTA:  You could have… Excuse me for interrupting. You could have reduced our entire security awareness training program down to one sentence there. Don't click! Be careful! But sorry to interrupt it go on…

DR. ERIK HUFFMAN: No, you are right. You're right on… Right on the money. Right on the money!

And so why is email the easiest way to access information?  Why is technology different than the face-to-face? That was my next frontier. That is what brings me to today.

Technology provides advantages

Why you (if you were a hacker) want to use technology and why you want to use digital social engineering is because you can be more persistent than humans online. For example, if I wanted to ask everybody at this webinar right now, if I go up to you face-to-face, “What is your social security number?” Every single person would tell me, “No.”

And if I keep asking, that persistence, eventually I’ma have a very, very, very bad day.

And also you get… You have a level of anonymity. You can spoof anything. You can fake anything. You can become whoever you want to become online, and it's going to be extremely hard to find out who's who.

There is something called “attribution.” Attribution is a proof that you did the crime or that person did the crime. A piece of attribution could be a fingerprint. (It) can be some hair follicles. It could be a blood sample…something along the lines of that. Some DNA offers that level of attribution there.

Online everything can be faked. Absolutely everything could be fake, to the point where even cyber forensic psychologists are talking about attribution being impossible.

So you can be anonymous. You can get access to a large amount of data. You can target millions of people in seconds. If you just really wanted to throw something out there, you can just like bcc a million people—a million different email addresses—and send it all out there. They all get it instantaneously.

And you can use the modalities of influence and we are going to stick there for a minute.

But also you can go where humans cannot go. You can go firstname.lastname@whatever.com. That's probably an email address. Firstname@whatever.com. If it's a startup, small company, it's probably just first name, or it could be first name last name no dots or anything, last name first name. You can really guess and reach whomever—reach anyone that you want without actually physically going there.

The doors may be locked but the port is open. The email inbox is open. Just because the door is locked does not mean the inbox is locked. The inbox is most likely open.

Insufficient information

And what is happening is that you're being presented with enough information to make a decision but not all of the information to make the correct decision.

For example, if you could see the Nigerian prince asking you for your bank account information so you could send them money you would obviously say, “No.”

Now that's a very generic…

Everyone knows the Nigerian prince email, but it's much more sophisticated than that.

Because if we just keep our bar thinking about, “Hey it's just these scam links…”  

No actually they're a lot more sophisticated than that.

Emotional Persuasion

But because they're presenting that--enough information to make a decision but not all of the information to make the correct decision—they can utilize what are emotional persuasions or one of our principles of influence here.

Because people—unlike your computer—people… we fall for P.R. We fall for propaganda.

And on top of that you look at the email name and you verify the person before you verify the content. That's something that we call “human factor authentication.”

You authenticate the sender before you authenticate the message.

So just because I see my mom, my dad, my brother…  They send me a message… Most likely I’m more likely to agree. Or are more likely to believe that message than if it came from anyone else, if it came from someone else.

And on top of that I shamefully, proudly… Burger King's awesome. And if you think about P.R. propaganda… If you walk outside and you go by Burger King that flame broil smell comes out of every single one. So you smell it. You think about it. You're like, “Man I kind of want a Whopper™ right now! I haven't had one in a long time. It's kind of good.”

We fall for that.

Your computer does not. The firewall does not.

It's a machine. It does not feel.

We feel.

Principles of Influence

And so what's these principles of influence we're talking about?

Reciprocity. I do something for you. You feel more like you feel responsible to do something for me.

In the 1930s there was a BYU professor. This BYU professor sent 500 Christmas cards to 500 people he did not know--just randomly sent them out there—handwritten, “Merry Christmas!”

And for about 10 to 15 years he received Christmas cards back. Like people felt responsible. “Hey, I’ma send a Christmas card back.”

If you want to make a friend feel very uncomfortable take them out to lunch. Then the next day take them out to lunch again. Next day take them out to lunch again… Eventually they're going to stop. They're not going to one because they can't pay you back.

And Commitment and Consistency. You stay with it. Most likely you're going to be able to influence behavior.

Social Proof. Show that you're a real person and you're not a robot.

Liking in my opinion is the most influential principle of influence that we have.

So in my opinion I love Will Smith. I know there's some beef going on, some controversy, but Will Smith is one of my favorite actors ever. Anytime I see him, I think “Fresh Prince of Bel-Air.” And so if I see Will Smith walking down the street, I most likely I’ll do the Carlton dance, smile, run, walk up to him, say, “Hey man! It’s amazing meeting you! You're doing fantastic work!” and walk out or just walk along my day.

If I see a random person, I’m not doing the same thing.

If you see someone that you like, the more likely they are to influence your behavior. It could be a loved one… It can be a mentor… It can be your supervisor… It can be someone that you work with… If you like that person, they're going to influence your behavior.

Authority. “Do this or else!”

Scarcity. The reason why on Amazon it says, “Hey! There's one left!” “There's two left!” “Order now!” because there's less there, and it's very scarce. You're more likely to want it and we do that.

The same principles of influence that we have as people… All those rules apply online.

The Limbic System

So we're really going to nerd out. I promise you we're going to nerd out. We're just going to go in the deep end for a little bit, and I promise I’m going to pull this right back out. We're going to be okay.

So this is your brain. This is your brain on cyber! No, this is just your brain.

This is your limbic system. Your limbic system is known for a biological function: just fight or flight. Fight or flight.

Just though that is not really your decision to make.

Your brain's just doing that for you. If someone runs into your room right now screaming all crazy, you're either gonna be tougher than you ever thought, or you're gonna run faster than you ever could imagine.

And your limbic system, this part of your brain, does not really function online.

So you don't really look at a message and just go into fight-or-flight unless you're watching a movie. If you're watching a movie and Jason Voorhees throws an axe at the screen, you dodge out the way. That's your limbic system. Like, “Hey we just gotta… Let's get away before we catch an axe to the face!” or something along the lines of that.

But this part of your brain… a couple pieces do work.

Your hypothalamus… Your hypothalamus works. It's kind of, “a + b = love” “b + c = anger”… things like that.

Those amino acids flow through your body, and you begin to feel those emotions. That's the reason why you see a name of your husband, your wife, your kids, and then you begin to feel emotion…unless the situation is different.

Me? I was not a good student in high school, and especially elementary. So my report card goes out to my parents, and then I see dad on my phone. I see the name. I feel the emotion. I’m like, “Oh gosh! This is going to be a very, very long night for me!”

And then your amygdala… Your amygdala is the part of your brain that just can lock and hijack and take over your brain and just fills you with emotion.

Amygdala Hijacking

And there is something called “amygdala hijacking.” Amygdala hijacking occurs when you are so emotional you stop thinking and you start acting.

OK. What does all of that have to do with cyber?

Because when you get an email the first thing you do you read the name. You read the name. You begin to feel something whether you want to or not.

If I see my mom's name, I begin to feel something. If I see my dad's name, I begin to feel something. A loved one's name, I begin to feel something. That is a biological function. We all have that. Every last one of us has that.

But if you think about the examples out there, there are plenty of case studies out there of elderly men and elderly women sending their entire life savings and so on, and then committing suicide. That is amygdala hijacking.

Those case studies studied over and over again prove that this happens digitally, and I will not sit here and pretend to know that I know exactly how that feels. That is a level of emotion I have not felt and I hope I never do, but that proves these biological functions still exist online. They just function differently because when you see a loved one's name you begin to read in that loved one's voice. You begin to read in their cadence, and if you've ever been in a situation—not through email but through a text message—where you just misconstrue a message because you thought someone was angry at you and they weren't angry at you, and you read it in the wrong tone… Those things exist.

In a realm of business… We'll take it from personal… In a realm of business this is the same reason why when you get Mr. Mrs. CEO's email you begin to panic. Your supervisor's email? You begin to panic.

And those are the methods that are being used against us in these cyberattacks. CEO says, “Layoffs!” There's going to be an email titled “layoffs.”

I recently did a phishing campaign and I titled the email, “Work from home policy adjustment,” and the click rate of that was 74% of the entire company. They read that. They’re like, “Oh my gosh! I need to see this! And I need to click and read this policy!”


[Slide shows Morgan Freeman. “You are now reading this in my voice.”]

Tell me that I’m wrong.

I’m just saying… I’ll let this sit. Tell me that I’m wrong.

KELLY PALETTA:  You're not wrong!

DR. ERIK HUFFMAN: Morgan Freeman has the greatest voice in the history of history.

And this is how your brain works: You see the picture. You internalize. You get to you see the person. You know the person, and then you read that, and you're like, “Oh my gosh! I’m actually reading that in Morgan Freeman's voice.” And if you don't know how Morgan Freeman actually sounds then YouTube and just go down a movie binge this weekend. You are going to have a fantastic time when you do that.

So now we know this is how our brain functions in a digital environment. Now we know.

Let's talk about what I do.

How does this happen?

Phases of Deployment

So, I work with different organizations in my company. We work with different organizations and what we do… We specialize in digital social engineering, phishing attacks, phishing campaigns.

We work with other organizations to see how far in secure facilities we can get into, and this is how we do it: We establish a comfort zone because the more comfortable you are, the more likely you are to be hackable. If you're on edge and you're not comfortable at all it's very hard for you to be hackable. So, we establish a comfort zone so that person becomes hackable.

Then we control the engagement.

We start our back and forth with the person.

And then we attack.

That attack could be sending a link. That attack could be sending them a virus through email.

How one of these attacks occur…

One of the most successful ones that we have… We work with another organization. I can't say these organizations names due to confidentiality.

We worked with the organization for about two weeks. It was a very, very, very large multinational organization. I was working with a salesperson and we went back and forth for a while.

Then I said, “You know what? This is not quite going to work because your competitor is developing something absolutely amazing! You should take a look at this,” and then that ‘you should take a look at this’ was part of that attack.

And then from that we want to confirm the attack.

We want to make sure that this happened, but at a high level. At a high level.

We have three tiers.

We have “we're cheating” meaning we know way too much about the organization and we're just absolutely doing everything we can to get in.

Two which is kind of what we typically stick with. Well, it's pretty good but if you're keeping your eyes open you might be able to catch it.

To tier three…

Tier three is, “Ain't nobody gonna click on this!” Nobody should click on this.

So how do some of these…

Threat Language

We just copied and pasted these. I copied and pasted these in there. I won't read the whole thing. I’ma just go through the highlights. You can read while I’m talking.

So: “I adjusted the virus on an adult website in which you have visited.”

So, if you're a technical person like, “I adjusted the virus?!” Like what do you mean?! “Adjusted the virus?” it doesn't really mean anything.

But what this does this causes panic.

This was not the exact memo, but this was like the email that I sent in a campaign through an organization.

In the organization I imagine no one would click on this. Nobody should click on this at all.

This may not even make it through the spam filter. And this person clicked.

And so, I go in little hacker mode, and I’m just playing along. I’m like, “Most likely this person's just messing with me.”

OK so… “If you want us to be able to get rid of this, send me three bitcoins,” which at that time was like 110 billion dollars “and it will all go away. You can fill out this form to send the money.”

The person clicked on a link, filled out the form, sent me the form.

At that point: Time out! You know where we're doing research. We're not actually hacking.

And I will never forget the conversation, the conversation that I had with them, because every phishing campaign we do we finish it off with a semi-structured interview. A semi-structured interview being we're to talk. And I want to understand why you clicked this. What about this made you click?

And so, he revealed to me that he was going through marital problems, in that his wife viewed his viewing of adult websites as a form of cheating. And he thought he was caught. And he wanted to do anything to make it go away.

So that amygdala hijacking, that level of vulnerability he was feeling caused him to think, “Hey no matter what, we need to make this go away.”

Things like that, technology does not patch.

There is no human patch for that--what that person's feeling.

So, you have to dig a little bit deeper and through this email it’s also a little bit of threat language. It says, “Moreover my program makes remote desktop supplied with a key logger.”

It's designed just to confuse people. What does a keylogger do? You don't need to know the technical, all you need to know is “keylogger.” Most likely it's just logging my keys! It's seeing what I typed.

And then you begin to panic.

Go through one or two more.

“One day after you read one day after opening my message…” If you read this, you've been screwed. Even though this is copy and pasted with the typos in it, we just throw some of these things out here. And [that’s] not to say all of these are successes.

This is the low-hanging fruit. We can show some of the more sophisticated ones in a moment.

Next: “Our spider detected five daily trojans in your mailbox today. If left unchecked…”

So, hey “We're going to hack you. Five other people already hacked you and you may lose your email. You may lose access to email…” This’s low hanging fruit. This is not trying.

So, there's more sophisticated attacks where we caught… All you have to do is right click save as the Amazon logo, attach a fake invoice, a well-written email—most people are going to click.

Amazon is one of the five largest spoofed websites on the planet.

Facebook is up there with it. A fake Facebook logo…? People will click. Not to say, “Hey these are just the emails people are getting,” no, there's a lot more sophisticated. They get a lot more sophisticated than this!

Follow-Up Study

So, we followed up with another study.

I wanted to understand a little bit more about what is going on with our community, with us. Because we (human targets) are the 90%-95% of attacks. The others that you hear, possibly on the news and things like that, those are the absolutely amazing hackers but this is not the everyday crime that we're seeing.

So, we wanted to do a follow-up study. I had about 1100 respondents. We did 27 semi-structured interviews out of it.

Research Findings

What we found: younger people were more likely to share passwords than older people.

Let's talk about that comfort zone. That comfort zone that you have, I’m more comfortable online. I’m more comfortable sending my social security number online because that's what I do. I’m more comfortable typing in my bank account information online because that's how I bank. That's how I’ve always banked.

You know if you ask a group of young individuals to balance a checkbook, it's going to be a fun time for you. It's going to be a hilarious time for you.

But this is where we're comfortable.

And one of the sub skills that we had that was significant that just weighed between both younger people and older people were perseverance.

The more perseverance we showed through our attacks, it just leveled everything out. It just really, really leveled everything out. Meaning: if we don't give up then we'll eventually… everything levels out.

Furthermore, those that are self-monitoring, those that hate micromanagement they were more likely to share their information with us.

I hate micromanagement. I’m confident that probably everyone in this webinar hates micromanagement. I’ve yet to meet someone who says hey I love micromanagement.

We collectively hate it, but this level of self-monitoring… the more self-monitoring you are, the more likely you are to share your password online.

[That’s] not to say that everyone fits into this, because some of you don't.

Hopefully I don't.

Hopefully Kelly doesn't.

But if you are self-monitoring, you're more likely to share your password.

And surprisingly

And more surprisingly, cybersecurity knowledge does not matter at all!

We did this with cybersecurity professionals, and we did this with everyday people that do not have any cyber background. They share their information as much as anyone else.

Actually, if you want to get down to it, the numbers, I got the numbers in front of me… It's 33% for the cyber professionals, 32% for everyone else. They actually shared the information one percent more, but it's a statistical tie.

Psychology of Cybersecurity in Action

All right and of all employees 29% revealed PII (personally identifiable information). Not just ‘click the link’ but revealed PII.

And this is us, not just sending the messages that I showed you, where we really start trying. When we start faking Amazon. When we start faking LinkedIn. We start faking Google. And if we said, “Hey your fake USPS package has been delayed. Click this link to see where your package is, to track where your package is.” You're like, “Hey I didn't order anything!” You click that link.

These are the types of attacks that were conducted.


Age, race, gender played no factor in a response rate—not through that test. Age, race, gender had no weight on that.

We can all be hacked.

It boils down to we all could be hacked. Every one of us, not just cyber professionals, not just managers, not just CEOs, CFOs. Every one of us! There's a way to get to every one of us.

Me? If you're a sports fan and you get a fake ESPN message like, “LeBron James traded for Kevin Durant,” you're like, “Oh my gosh! Hold up! What in the world's going on here?” People will click on that, but it may not work for everyone else. It may be something else, but everyone has some way to get through to them.

What’s your number?

So, we're gonna blast through the next part of my research. And I’ma go through this quickly, because it's not quite done yet.

This is just a little inside information for what's next.


We tied in digital social engineering attacks with people's enneagram numbers. I wanted to find out based on your enneagram number, “How could you be hacked?”

And we have some interesting findings here. So, if you're one and you're a perfectionist spear phishing is the way to go.

To the helper, you're more likely to hold doors open on a physical social engineering attempt. I was raised by a southern Baptist woman, and she drilled in me: “You hold the door open for people and especially if it's a woman!” If it's a female you hold the door open for that person, so in cyber world it's like “You don't hold that door open.” You let that door close.

It is very hard for me to watch that door close in front of someone rather than hold the door open.

If you're enneagram two, [you’re] more likely to hold the door open.

Three, the achiever, job offers, speaking engagements… things like that. “Hey, we have a job offer for you…” You send that out to the three, more likely they're going to get them. You're going to get them.

An award? More likely you're going to get them.

I get messages that align with the threes often: fake conferences and things like that.

Individualist: spear phishing.

Thinker: needs social validation.

If you're a six, (guardian) they're very security minded they are the hardest to hack. You're gonna have to spoof some things.

Optimist: pictures with language, link with the picture.

Challenger: needs social validations, and nine needs threat language. You gotta make sure you can have enough threat language in there to confuse them, so they can start to click.

Furthermore, we want to go a step deeper.

Myers Briggs

If you're a Myers Briggs kind of person, we're working on it. It's not done yet. I don't have the hardcore data for you yet, because I’m still going through a couple thousand people to where we can actually come up with some good conclusions.

Here’s what it boils down to: with enneagram if you are an e and I want to state…

Let me back up one second. I don't want to state that someone, some personality type, is worse than the others. That is not true.

Everyone can get hacked, dead serious.

But if you are an extrovert, the data is showing heavily that you're more likely to respond to a message.

So, throughout the Myers Briggs, kind of the top one is all the e's. Like if you're extrovert, more likely you are to respond because you're more likely to talk to someone that you haven't spoken to before. But we're still going through this data, we're still going through this. I wanted to highlight what's coming up next just so you can see where we're taking this.

Big 5 Model for Cyber Victims

There's five. There's a big five personality traits for cyber victims, all enneagram and Myers Briggs stuff aside: if you're an extrovert, if you're agreeable, if you're conscientious, if you're emotionally stable. This is kind of where sometimes the talk goes off the rails. I’m not saying emotional stability is a bad thing, it's actually a really good thing, but if you ever spoke to someone who's not emotionally stable and you're like… They're going through a breakup. You just say, “Hey let's go out for pizza.” They're like, “Oh my God! Sheila loved pizza!!!!!!!!!!!!!!!...”

Like oh my God, dude, just work with me here. I just need you to follow along with me and do what I’m asking you to do.

If you're not emotionally stable, you're just not in a hackable mindset. Emotional stability does weigh heavily into individuals that fall victim to cyberattacks. And if you're open to new experiences…

The riskiest personality trait

And we actually got this wrong: we had a big five, but now it's the big six, because the riskiest personality trait that is out there is impulsiveness.

If you're more likely to impulse buy, you're more likely to impulse click. Because I don't have to hack… I don't have to work with you for 30 minutes, 30 days, 40 days… something along the lines of that. If I could fool you for 20 minutes I might have you.

Cybersecurity is a decision-based science

Ultimately, in the end cybersecurity is a decision-based science. It's based on what you do and what you don't do. What are you going to respond to? Are you not going to respond to this?

It's nothing more nothing less. It's entirely a decision-based science, based on your personal preference, your personal experiences.

And occasionally you can do a lot of things right, but you can still be wrong, meaning you can do all the security training; you can do all the right set up of your firewall; you buy all the cool things; and still get hacked. You can do a lot of things right and still get it wrong.

What can you do?

So, what can you do?

Some takeaways: What can you do?

I would encourage you, if plausible, for at least the key stakeholders in your organization conduct a threat appraisal. Meaning: just get to know the person what makes them click.

How do you think they can get hacked? Not just to say, “Hey phishing's bad! Don't click links!” No, understand: why would they click that link?

That's where we're missing in our cyber profiles. Why? We don't understand. “Why do you click that link?” Not “Stop clicking links you dummy!” like it's not a ‘stupid user’ problem.

We need to stop saying ‘stupid user.’

We need to understand what makes this person click and what would make them click that link.

And then coping appraisal, being: if something was to happen will they do what aligns with policy or will they panic and freak?

So, if their coping appraisal… Well, if they do not align with policy then you have some other issues there.

One of the problems I have is that when you get hired onto an organization, we conduct a background check. We want to make sure that you're good. We want to make sure that you're the right employee at that right moment in time. Then we never check in again. We never check in again to see what will make that person click.

As we innovate, they innovate.

Lastly to leave us with: What's next and how is this happening?

As we innovated, they have innovated. Hackers have innovated.

Ransomware as a Service

Meaning: ransomware as a service is a thing. So, if you think that the coder and the person sipping Mountain Dew in their mom's basement is the one hacking you, you're probably wrong. You're probably wrong.

Because ransomware as a service is a thing.

Here's an example: all you have to do is click a couple check boxes and say how much you want your ransom to be.

Someone will code it for you. You can download it.

Then all you have to do is send it out and see how many people click. And then, you can see, you will get fifty percent of the decryption price.

So, they're splitting… The business model... They're splitting it 50/50 but displaying it 50/50 with 50 people so the person that's coding it on top of this pyramid scheme is making a ton of money.

RaaS Pricing

Secondly, you can buy what's called “a botnet.” No need for you to even know what that is. All you know is you don't have to develop these things. Someone's developed it for the criminal, and all they have to do is just deliver it, and just point it where they need to go and deliver it out there.

And if you look at the bottom, yes, my friends, ladies and gentlemen, that is 24/7 tech support…for the criminal! 24/7 tech support so they can make sure their attack is going as planned and they know how to execute that attack.

Reframing the Enemy

So, we need to reframe the enemy, rather than think it's going to be ultra-technical, because it doesn't have to be a technically minded person.

It can be someone that has worked in cybersecurity and said, “You know what? I’m tired of making seventy thousand dollars a year. I can make seventy thousand dollars a week on the other side!”

We are the Difference

So, this is the landscape that we're in now in the data. All data shows that humans are the ones being attacked, much more so than the technology. They want to use the human to get to the technology and ultimately, we are the difference.

When we say, “It's not a matter of if, but when,” we are lowering the bar. We're saying there's going to be an attack, you are going to be hacked, it's just going to happen. And when we lower the bar and we say things like that, if something was to happen, what keeps people from saying, “You know what? Well, why are you mad at me? We said we're going to get hacked anyway. It just happened to be me. It's ‘data breach Wednesday,’”?

We are better than that! I want to say we raise that bar. There is the Pygmalion effect. The Pygmalion effect is self-fulfilling prophecy.

And for years we have been saying that, and creating our own doom, our self-fulfilling prophecy.

And we have just totally lowered the bar. If you think about your cybersecurity awareness training… Do you think anyone would ever get fired for failing cybersecurity awareness training? Probably not. Because you could probably just retake it again and keep taking it over and over again until you pass it.

This is our self-fulfilling prophecy.

Stay Safe

And that's all I have for you all today. I’m ready for questions.

Thank you all so much. I appreciate it.

KELLY PALETTA: Thank you, Erik! Hey, if you don't mind me maybe summarizing and adding some of what I got from this… There was one thing that kind of one of the earlier points that you made that I hadn't heard elsewhere was this idea of “human factor authentication” and the way I hear it--you know I’ve seen your TED talk (and quite literally there's a TEDx talk). I would encourage people to go out and Google that… but one of the things that you pointed out was that your mom uses the same font that the criminals do. When you see mom's name you associate emotions and feelings. If when you see mom's name in the “from” line on an email and that makes you vulnerable, which leads to kind of this dichotomy in the message, and that is that smart people, educated cybersecurity professionals sometimes fall for these attacks. And I wonder too can you talk a little bit about that, about the conditions that might make that happen? Like you mentioned one: where somebody’s going through a divorce or a particularly stressful time in their life. I can think of others—of just a busy day, can be a time that takes away… I wonder if you have anything to share on that, if there are, you know, if your research has uncovered tendencies or when people are most vulnerable?

DR. ERIK HUFFMAN: Yes, it's actually on two sides of the paradigm--either where someone's extremely stressed or when someone's very comfortable. If someone's very comfortable they're more likely to be careless.

But if someone's stressed… If you think of the current environment that we're now in and people are being laid off. I promise you someone sends an email to your organization and it's titled “layoffs,” you have people's attention.

And so, and it depends on where it comes from and who it comes from that's that human factor authentication. Where you authenticate the messenger before you authenticate the message. And every person does that, even in face-to-face interaction.

The person who's talking to you means just as much if not more than what they are saying.

KELLY PALETTA: Right! And I’m going to give--for those who aren't familiar you might have seen it in the preview video--but I’m going to give a little plug for a product, but it's a completely free product. At EXP Technical, we've developed EXP Academy and that includes a free security awareness training course. It takes about an hour to complete and one thing that you do get for those that are in attendance is that it does give you a framework to evaluate incoming messages. And it's not unique to EXP, it's the S.L.A.M. framework. Which is you validate the Sender, the Links. You're very suspicious of Attachments and you look for suspicious components of the Message. And use that kind of framework to evaluate the message, but I think you're right.

This kind of leads to a question that came in here. Security awareness training that's like the baby step on this journey.

A question that came up as you were speaking was there was one that came in that was, “How can we establish a culture in our business that values cybersecurity?”

DR. ERIK HUFFMAN: Yeah, that is awesome! That's the million-dollar question. So, within your organization there's a few ways that I’ve seen work.

Where if you have a phishing platform… If you conduct phishing campaigns and you reward behavior. You reward good behavior.

I heard organizations holding contests, or even tying like an extra PTO day—things like that. People are looking for rewards for those things.

But ultimately, it’s about communication.

The more siloed off your organization is, the more siloed off, and you don't talk about it…

Where I work, in my organization that we have, we encourage people to share like, “Hey I received this phishing attack today and I denied it. Be on the lookout for it.” Because the more you talk about it, the more likely you are to look for it, the more likely you are to spot it when you see it.

But a lot of times with cyberattacks—especially digital social engineering—people don't even talk about it. And if you think of your organization and you think how often do you not talk about it? If it's just October during “cybersecurity awareness month” it's probably not enough.

Take a random Tuesday, random Wednesday, and you share. “Hey, I received this link.”

We had someone at our organization spoof our CEO and started sending text messages to employees. So “Hey, I received like…” and it came from Canada! Like “Hey our CEO moved to Canada!!! Check this out!” Screenshot it and we put it in our slack channel and other people started commenting on it.

But it was in everyone's mind then. It was definitely in everyone's mind, and it became conversation for that moment.

KELLY PALETTA: Mm-hmm. And then there was a question that came up about threat appraisals. Is there any sort of a framework? Or I guess how do people get started on that path? The question was: “How do we implement threat appraisals within our organization?”

DR. ERIK HUFFMAN: Fantastic! Thank you. Thank you for asking. So, a threat appraisal is a semi-structured interview focused on… focused around likes, hobbies, goal, like career goals, and particular stress level at that moment in time.

I’ve seen threat appraisals… A lot of organizations that I’ve worked with implement those with HR. Where to have a… Would have an annual, not like a harsh conversation with HR, but even with their manager.

And they just started having a conversation.

And you just take notes about what this person's into. Where this person fits and what ideas does this person have that could be used against them?

A lot—especially with current events going on—a lot of people's emotions are high. So, you can think of, “Hey that's an avenue to attack these persons.”

But it's a semi-structured interview.

I would say block off about an hour just for your key individuals and have a conversation based on career goals, likes, if there's anything stressful particularly going on in that person's life, without prying too much or prying too deep into their personal life. And then just start taking notes.

And if you can tie that to what's currently going on there in cyber-land, where people are being hacked, you can really tie those together.

KELLY PALETTA: OK, and we're running out of time for the questions that are coming in, but I had a few from my notes as well. You know one thing—this kind of goes to some of the commentary that I’ve seen you make—maybe it was in the Customer Experience Podcast or in your YouTube comments, but again getting back to this idea that there's a dichotomy. Because one thing you said that stuck with me—and in fact I even updated some of our marketing collateral because of this comment. You pointed out that, in sports, teams score points by running the ball directly at the weakest player on the field. But then the other part of it too and so we need to bring the level up of our weakest players… but the other part of the dichotomy that I think is really profound in your message is that it's also the most experienced, most cyber aware people that are still vulnerable because of these human traits. And I’m sorry I’m speaking for you, but do you have anything to add to that or I’m just repeating things that I’ve heard from your previous presentations?

DR. ERIK HUFFMAN: No, you're totally fine. It's... You're right. Especially like why would you continue to attack someone's patched firewall over and over again?! That thing probably has very little vulnerabilities. Why would I continue to do that when I can just attack a person?

And I start working with a person and that person not only allows me and that person assists me by providing me credentials to do whatever I need to do.

KELLY PALETTA: So, it's not just the weakest person, but it's the fact that people are weaker than the firewall and the antivirus and all the layers of security that an organization has built?

DR. ERIK HUFFMAN: Yeah, if you think of what you have implemented in your organization, you're like, “Man, technology! We are solid! We ain't got nothing to worry about!” they're probably not.

KELLY PALETTA: If you’re an EXP client, yeah!

DR. ERIK HUFFMAN: Yeah, they're probably like you know what I don't need like I’m not going to do that like why would I try to attack EXP Technical in their securities… their security technologies? They implement it over and over again. It's going to take me years! Like no I don't have years. I have a couple weeks and so let me contact someone via LinkedIn and act like I’m a customer and then start working with that person in spoof, because if you think of it's like: Well, if you think your organization… Like, “We don't have 10, 20, 30 million dollars.” That's fine. Do you have $10,000? Because that's a lot of money too! And $10,000 for a week of work is plenty! Plenty for most criminals.

KELLY PALETTA: Oh, I hear that all the time! (And we're in danger of running over so I’m gonna make this quick.)

But as a sales rep I talk to business leaders and they often say, “We don't have anything valuable. Nobody would want to hack our network.”

And it doesn't matter what your data is worth, it matters what it's worth to you!

What would you pay to get past that disruption? If someone could prevent you from having access to your sensitive data and your computing operations, what would you be willing to pay to get back to that?

I have two more… a comment to read, and then just wrap up with next steps.

So, there was a comment that came in that said, “I love the use of the enneagram for this topic. I feel the enneagram is much more about personal emotional response versus Myers Briggs. Your enneagram threat assessments are right on! I’m going to try to take this approach after I review phish campaign results.”

So that's great you're having a positive impact!

And then I do want to add before we wrap up here or as we wrap up a few next steps or things that would encourage people:

Well first of all I want to thank you so much for spending the hour with us!

I’ve gained a lot. Hopefully the people in attendance have as well. There's a couple of questions that we didn't have time to get to but hopefully we can perhaps answer those via email and then finally leading to…

A few next steps for people. There will be a follow-up email and that will include a survey. Feel free to comment about the presentation or things that we can include in upcoming surveys. This goes to EXP. It's not a comment on your presentation Dr. Huffman, or not uh recommendations for you per se.

For those that are interested, you can visit EXP Academy for free security awareness training.

Like our page on LinkedIn for more information.

You can connect with me directly: Kelly EXP Technical dot com, if you have questions, or if there's anything more that I can do for you.

And I think with that we're one minute over.

So, I think this is a good time to thank everyone for attending.

Thank you so much, Dr. Huffman.

I found it really interesting and entertaining, and it gives me a lot to consider in the conversations that I have with business leaders moving forward. So, thanks again. Any closing comment?

DR. ERIK HUFFMAN: Oh, thank you so much for having me. It's an honor and a privilege, thank you.

KELLY PALETTA: All right. Well, we appreciate it! And thanks everyone in attendance and we will see you at the next event.
