ABSTRACT

Cybersecurity is driven by human behaviour, and humans are complex. Cyber-attacks that utilise social engineering demonstrate how challenging it can be to prevent targets from being psychologically manipulated into actions that breach socio-technical systems. More broadly, there is a need for greater psychological understanding of the behaviours and cognitions of all of those who have a stake in cybersecurity – not just those who are the victims of cybercrime, but also the attackers and the professionals who seek to protect systems. As part of this, there is a need to move away from the view of humans as being the weak link in cybersecurity. This is a counterproductive attitude that reinforces the view that humans are flawed because they are unable to safely use systems that have not been designed to accommodate human behavioural and cognitive characteristics in the first place. We recommend the use of behaviour change and prevention strategies that work with human nature, not against it, to empower the targets of cybercrime and to promote resilience. Further, we recommend that work be done to engage with people who have an interest in computing systems, hacking, and social engineering to steer them towards legitimate careers in this area.