There are 1,757 data breaches each minute. By the time you finish reading this article, thousands of data breaches will have occurred. Most are directed by a person, organization, or government. Local governments struggle to keep up with new technologies, accepting the risk of a cyber attack in exchange for better service (Hossain et al., 2024). Private citizens aren’t always sure what to do when their data is leaked and sold on the so-called “dark web.” What motivates people, organizations, or governments to participate in dubious cyber activity? Why do people behave the way that they do? That’s the million-dollar question. As it happens, it is also the definition of social psychology.
Social psychology, a discipline that employs the scientific method to study human behavior, is instrumental in understanding the motivations behind cyber activities. It delves into topics such as aggression, conformity, compliance, and human factors engineering, shedding light on why people behave in specific ways. For instance, a recent study on Iraq’s digital workplace determinants utilized this approach to define part of their research (Mutambik et al., 2024).
What is Cybersecurity?
Many understand cybersecurity as protecting people, organizations, nations, and society from cyber risks. Many organizations have attempted to define the realm of “cybersecurity,” including the International Organization for Standardization (ISO). If one were to do a Google search for “define cybersecurity,” there would be thousands of results! The truth is that cybersecurity is likely a blend of most of those, depending on its use and application. On the other hand, we have psychological elements that influence the people and machines (AI) that operate in cybersecurity.
What is Social Psychology?
There are dozens of specializations within the field of psychology. A cousin to cognitive psychology is social psychology. Saul Kassin, a pillar of modern social psychological science and textbook author, has defined it as the scientific study of how people think, feel, and behave in a social context (Kassin et al., 2016). It’s the study of why people behave the way they do. Now, if we apply this to a cybersecurity aspect, we can see the literature is full of studies that touch on social psychology combined with cybersecurity issues (see Bognár et al., 2024; Hossain et al., 2024; Kim et al., 2023; Mizrak, 2024; Mutambik et al., 2024; Nazem et al., 2023; Nobles et al., 2023; Pienta et al., 2024; Pirta-Dreimane et al., 2024; Rishkan et al., 2024; Tahani et al., 2023; Young et al., 2023).
The field of social psychology was born in the late 1880s. William McDougall (1908), Edward Ross (1908), and Floyd Allport (1924) published the first three textbooks about social psychology (Kassin, 2016), which shaped modern-day social psychology. The Psychological Society for the Study of Social Issues was formed in 1936. From the 1930s to the 1950s, social psychology went through a period when there was a call for more research into social issues. In World War II, the government used social psychologists to protect soldiers from the enemy’s propaganda, generate public support, and develop assessments to decide which officers had the aptitude for promotion. World War II was also the period when the first formal studies of aggression, conformity, and prejudice were born.
From the mid-1960s through the 1970s, the field experienced a crisis period. Milgram’s experiments on conformity with human subjects drew the ire of several ethicists. This period was also a time of fierce debate. From the 1970s through the millennium, there was a normalization within the field and in how research was conducted.
Today, social psychology is blooming. It studies how and why people interact with those that surround them. The advent of computers, the Internet, and artificial intelligence has spawned new topics to explore. All of those intersect with cybersecurity.
Where Do They Intersect?
You may be surprised to learn how cybersecurity matters and psychology are intertwined. For example, consider trying to understand the motive for a bad actor (the hacking kind) to launch a cyberattack. What about a hacker who behaves differently around women than men? What about students who feel betrayed when duped by their school in a phishing exercise, as shown in Pienta et al., 2023? Betrayal is one of the most hurtful and profound human emotions. So, psychology and cybersecurity are separate but dependent on each other. This is why cybersecurity students must understand social psychology. EC-Council University has PSY360, which is Introduction to Social Psychology. In that course, students learn about social psychology from stem to stern and apply that knowledge in their respective fields. One of the most popular discussions is the miracle and mystery of artificial intelligence.
Artificial Intelligence and Psychology
The hottest word on everyone’s lips is “artificial intelligence,” or AI. AI uses psychology in three main ways: therapy and accessibility, research insights, and human-centered design.
Therapy and Accessibility
AI chatbots improve therapy accessibility by providing cost-effective options. They can also assist in interventions, automate administrative tasks, and support training for new clinicians. While some argue this is mental health, not cybersecurity, an AI chatbot definitely falls within the realm of cybersecurity. Good mental health benefits people, businesses, and even governments.
Research Insights
In 2023, the American Psychological Association (APA) noted that synthetic intelligence offers unique ways to understand human intelligence, while machine learning allows researchers to extract insights from vast data sets. Finally, the third way AI and psychology interact is human-centered design.
Human-Centered Design
Psychologists contribute by ensuring AI minimizes biases and adopts a human-centered perspective in its development and use. This is critical because social psychology teaches us that all people have biases, even if they are unconscious; some would argue that they are even genetically transferred (Kassin, 2016).
Other Ways Psychology and Cybersecurity Interact Together
Psychology and cybersecurity interact in three main ways, and this intersection is crucial for building adequate defenses. The three areas where these fields cross are human behavior, phishing and social engineering, and insider threats.
Human Behavior
Understanding cognitive biases and addressing psychological weaknesses are critical. Individuals’ actions often contribute to breaches, whether through human error, misuse of privileges, or social engineering.
Phishing and Social Engineering
Understanding social psychology and how the human brain works can help fight social engineering tactics like phishing. Organizations can create a more robust defense against cyber threats by combining technological solutions with psychological insights.
Insider Threats
Human psychological factors play a part in both intentional and unintentional insider threats. Behaviors influencing cybersecurity include mental well-being, trust, and group dynamics. Each of these factors has its own behaviors and thought processes. Understanding how to recognize these behaviors and why they occur helps cybersecurity professionals build a more robust defense against threats.
Final Thoughts
The fields of psychology and cybersecurity intersect at many points. As the 21st century presses on with new technologies, so come new threats. Ever-churning innovation will be needed to create effective defenses. One of the ways to build the strongest defense is to understand social psychology. Only once we understand something can we defeat it. Understanding the human mind and how it works is a mixed blessing because it unveils humankind’s good, bad, and ugly. We know that, in the past, both fields have been used for nefarious purposes, yet we look brightly forward to today, tomorrow, and forever. As cybersecurity professionals, we look ahead of the curve and intercept threats before they can do damage. To do that, we must understand the mind.
This piece is dedicated to all cybersecurity and psychology professionals whose names will never be known, who work in silence worldwide to improve the world.
About the Author
Christopher Barnhart is a professor of psychology, research, and writing in the Department of Cybersecurity at EC-Council University. He has a B.S. in Business Administration and earned his master’s degree in business administration. His Ph.D. studies were in Industrial and Organizational Psychology. He is the founder, former president, and chairman of Florida Industrial and Organizational Psychology in the United States. He is a member of the American Psychological Association and the Society for Industrial and Organizational Psychology. Chris enjoys teaching both in the U.S. and abroad.