Social cybersecurity is an emerging branch of cybersecurity that deals with the understanding of human behavior. Studies in social cybersecurity cut across different and seemingly unrelated fields such as (communication) technology, machine learning, psychology, sociology, and forensics, among others.
To differentiate it from traditional cybersecurity, the Military Review of the US Army explains: "Traditional cybersecurity involves humans using technology to 'hack' technology. The target is information systems. Social cybersecurity involves humans using technology to 'hack' other humans. The targets are humans and the society that binds them."
In his paper, Sauvik Das, of the Georgia Institute of Technology, asserts that "social influences strongly affect cybersecurity behaviors, and it is possible to encourage better cybersecurity behaviors by designing security systems that are more social."
Social cybersecurity looks to investigate how people handle attacks and threats, and also to influence them to make better security decisions through social proof techniques. For instance, research has proven over time that people are more receptive to new and better security systems if they know that more people (especially those they know) already use them.
Most efforts in social cybersecurity are still restricted to university and college research centres, as researchers continue to determine how best to manipulate the psychology of humans to make them and their devices more secure.
The Social Proof Principle
In recent years, there has been a massive increase in the rate of cybersecurity attacks; there has likewise been a corresponding improvement in security infrastructure, systems, and features. So much so that the big problem of cybersecurity today is not a lack of technology to mitigate threats; rather, it is the challenge of getting people to embrace these innovations.
Robert Cialdini, in his book Influence: Science and Practice, highlights six principles of influence in cybersecurity, one of which is the social proof theory. The social proof principle says, “people tend to have more trust in things that are endorsed by people that they trust.” For instance, an online shopper is more likely to go for a product with more positive reviews.
Bringing this to cybersecurity, by making it appear as though the best cybersecurity practices were the norm, tech companies can help achieve a more secure internet for everyone.
Many people still adopt poor security strategies, sometimes because of plain ignorance, but also because they do not care. For instance, it is ridiculous that no fewer than six million accounts have their password as either ‘12345’, ‘123456’, or ‘12345678’.
One way social proof can drive positive cybersecurity behaviors is by highlighting the right things that others are doing. For instance, letting a person know that a certain number of their friends use a certain security feature (for instance, multi-factor authentication) can encourage that person to adopt the feature. But efforts to achieve this sometimes hit a wall.
The Challenge of Optimism Bias
This has to do with the fact that human beings are more optimistic than reality warrants. In cybersecurity, most people still adopt poor security strategies (such as choosing weak passwords or using the same password for multiple accounts) because they do not consider themselves potential victims.
Even small businesses take the same approach, believing that only the big companies, like FAMGA and others, are susceptible to attacks. In fact, according to Accenture, only 14 percent of small businesses have strong defenses against cyber attacks, yet SMEs are the targets of 43 percent of all cyber attacks.
The worst thing is that all the news about the unprecedented increase in cyber attacks does not seem to produce any positive effect. Many people understand that cyber threats are real and deadly to a company; they just refuse to believe that their kind of company can be affected.
This is still somewhat tied to the social principle. Sometimes, people consider others who upgrade their security systems as being unnecessarily paranoid, which is certainly not so. There is paranoia, and then there is having a strong sense of security. In this age, information has become the most valuable resource, so much so that many big cyber-attacks are not meant to rob the victim of money directly, but first to extract useful data that can be manipulated later.
Cybersecurity in the Workplace
In most businesses, employees pose the greatest threat to cybersecurity, sometimes intentionally and, more often, inadvertently. Enterprises can remedy this not only by providing adequate security systems and infrastructure but also by giving their employees regular training on the best and the latest security practices. Performing regular audits on the activities of employees helps as well to keep threats at bay.
This is not limited to onshore workers but extends to remote workers as well. For instance, Ashkan Rajaee, the CEO of the software company TopDevz, said in an interview: "many companies look for an offshore developer to significantly save on costs." But as an employer of labor, you should factor in your enterprise's security when considering offshore labor.
Conclusion
Bruce Schneier has long explained that security comprises people, process and technology, and not just the last. Therefore, any system that is not built around people is destined to fail. These social cybersecurity techniques have to be adopted in ways that do not make the security systems of other people vulnerable to attack. Or would they backfire? Perhaps the exposure