You've successfully subscribed to INFIMA Security
Great! Next, complete checkout for full access to INFIMA Security
Welcome back! You've successfully signed in.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info is updated.
Billing info update failed.

Clicking, Fast and Slow

We're stealing from Behavioral Science to prevent Phishing attacks.

Have you ever clicked on a phishing email?

Ok, so it wasn't you, but certainly that squirrelly guy three desks down from you. He's the one who clicks on this stuff.

Let's be honest, though - tons of smart, capable people stumble for phishing emails. Every. Single. Day. We can blame our brains for it. Phishing emails are designed to exploit our System 1 Thinking - the part of our brain that automatically responds to stimuli without any conscious thought. System 1 Thinking is fast, intuitive, and often emotional. It's the part of our brain that allows us to make the thousands of nearly subconscious, rapid decisions required for daily life. It's also the part of humans exploited most by social engineers and phishers.

On the other hand, System 2 Thinking is slower, more deliberate, and logical. This is the part of our brain we use when we're trying to solve a difficult problem or make a tough decision. System 2 Thinking is what allows us to see through phishing attempts and resist clicking on suspicious links.

Hold on! What is this System 1 and System 2 stuff?

This novel framework for decision making came from the remarkable brains of Daniel Kahneman and Amos Tversky. In fact, Kahneman won a Nobel Prize in Economics for this work. Their research is the foundation for much of what we now understand of behavioral economics. (Since Tversky passed away prior to the award, he is not named in the prize. We deeply appreciate his work.)

Let's explain this decision-making framework a bit more.

System 1 thinking is fast, automatic, and often unconscious. It is based on intuition and emotions, and it is very efficient. System 1 thinking is great for making the many quick decisions required for daily life. We need System 1 in order to live a normal life, but it can also lead to mistakes.

For example, you don't have to consciously think about your route to work. You're certainly making decisions along the way, but these are quick and effortless along the way.

On the other hand, System 2 Thinking is the slower, more deliberative thinking process that is activated when a person is confronted with a difficult problem or decision. This type of thinking is analytical and logical, and it relies on past experiences and accumulated knowledge in order to come to a conclusion. System 2 Thinking is also responsible for monitoring and controlling the impulses and emotions that are generated by System 1 Thinking.

To use our example from above, you engage your System 2 Thinking when you see a traffic jam ahead and decide to re-route. At this point, you slow down and actively consider different options to avoid this traffic and still get to work on time.

So, how does this relate to Phishing attacks?

Your attacker is actively trying to exploit your System 1 Thinking. He (or she) is hoping you won't slow down and think before clicking on that link.

For example, you get an urgent email from PayPal, saying your account is about to be debited if you don't click this link to verify your login and password. It looks real. It seems urgent. And you're about to lose a lot of money. Unless you slow down and think, System 1 takes over. That's when we react exactly how the cybercriminal wants. This is how hacks begin.

What do we do about this?

Now for the good news - INFIMA trains your team on the safe behaviors designed to keep your organization and your people safe. By instilling better behaviors, we can make our System 1 Thinking safer and more readily engage System 2 when needed.

Rooted in Behavioral Science, INFIMA focuses on removing unsafe behaviors in your team and replacing them with consistent, safe practices. Through regular phishing simulations, your employees experience varying tests across multiple emotional states.

And the best part - we make it easy with our fully automated Security Awareness Training platform, built for the MSP community.

If you're an MSP and want to learn more, go check out how we work with Partners here. If you like what you see, book a time to chat!

For those curious, we highly encourage diving into Kahneman's Thinking, Fast and Slow.

Photo by Juan Rumimpunu on Unsplash

Joel Cahill

Cybersecurity enthusiast. Entrepreneur.