The role of emotions and learning in cybersecurity: an interview with Dr. Abbie Maroño


Humans, by nature, are complex creatures resistant to change and education. 

Dr. Abbie Maroño explains that the struggle lies not only in our cognitive limitations but also in our emotional makeup. Overcoming these barriers requires motivation, passion, and consistency—qualities that are not always easy to foster.

In a fascinating dive into the intricacies of human behavior and social engineering, Dr. Abbie Maroño shares her journey into psychology, sparked by a youthful curiosity and an early commitment to research. Her path from academia to applying her expertise in the private sector demonstrates her strong commitment to understanding human dynamics, particularly their intersection with cybersecurity.

In the context of social engineering, this article highlights the powerful influence of group dynamics and the principle of social proof. 

The interview’s highlights

  • Educating humans is challenging. Success in educating humans hinges on motivation due to our natural resistance to change and limitations in memory and cognitive capacity.

  • Embracing shame for personal growth. Dr. Maroño’s work suggests that acknowledging and understanding shame can catalyze deep personal development, challenging the notion that shame should be entirely dismissed.

  • Group dynamics' role in social engineering. Cybercriminals exploit social proof and our propensity to follow the crowd. Awareness and resistance are key to safeguarding against these tactics.

  • Real-world cybersecurity training is crucial. Dr. Maroño advocates for simulation-based training over traditional methods, particularly in sectors like healthcare, to make learning more relevant and effective.

  • The power of self-relevance in learning. Effective education requires making cybersecurity personally relevant, using real-world simulations to improve engagement and practical application.

  • "Trust but verify" enhances cybersecurity. Emotional intelligence and critical thinking are vital in defending against manipulation, emphasizing a balanced approach to trust.

Key insight #1: motivation and engagement are crucial for effective learning.

NordLayer: Abbie, you’ve been studying human behavior for a while now. What’s your conclusion? Are humans easy to train and educate by nature?

Dr. Abbie Maroño: No, human beings are not easy to educate. The memory system is very prone to errors, and we have a limited cognitive capacity. No doubt, we have the ability to be educated, but it really depends on a ton of different factors. 

Educating someone against their will, especially in areas like security practices, is ineffective. For learning to be effective and for information to transition into long-term memory, the learner must be engaged and attentive. 

Without motivation, information will likely enter one ear and exit the other. This is supported by research indicating that mere exposure to information is insufficient for learning—attention to the material is essential.

However, learning becomes much more attainable if there is motivation, passion, and dedication. The concept of 'cramming' before an exam illustrates this well. It's a widespread belief that we can quickly absorb information, but the reality is that both the brain's short-term and long-term memory functions require time and consistency to learn truly.

Key insight #2: group motivation and social proof influence individual decision-making in social engineering contexts.

NordLayer: Speaking of motivation, can personal or collective motives bring better learning experiences and results?

Dr. Abbie Maroño: While individual self-interest can drive motivation, the presence of group motivations can significantly amplify it. 

Being part of a team with shared goals fosters a sense of responsibility and accountability, much like the dynamic observed in programs like Weight Watchers. Despite criticisms of Weight Watchers for its food quality and the psychological implications of its "sins" concept, the program's success is attributed to the strong social support and collective mindset it promotes. 

This group cohesion encourages individuals to stay committed to their goals, as the sense of being observed and held accountable by peers increases their motivation to maintain progress.

NordLayer: How do peers (a group) influence an individual's decision-making in the event of social engineering?

Dr. Abbie Maroño: Social proof influences our decisions by making us more likely to trust or choose something endorsed by others. This tactic is frequently utilized by social engineers, who manipulate appearances to blend in or create false endorsements, leveraging our tendency to trust familiar figures or the majority. 

For instance, mentioning a known colleague like Sally from accounting in a story can foster trust by association. This principle is also why celebrity endorsements and the phenomenon of joining a queue at a busy restaurant work effectively. 

Key insight #3: embracing and understanding shame, rather than eradicating it for the narrative of mental health and empowerment, is essential for genuine personal growth.

NordLayer: As a published author, your latest book explores personal improvement through shame. Can you tell us more about the premise of this approach?

Dr. Abbie Maroño: My first book will officially be released in July, though I've already been sharing it with select individuals and doing book signings. My second book is set to come out in December. 

I started writing this self-help book, "Work in Progress," because I noticed a significant need for a deeper understanding of our emotions. Many self-help books and popular media, though well-intentioned, lack a scientific approach and often suggest that we must rid ourselves of shame to achieve good mental health and empowerment. 

However, this doesn't align with the complex nature of the human brain or how we actually process emotions. Our brain, which is a significant energy consumer despite its small size, doesn't generate emotions without reason. Emotions are signals, meant not always to be acted upon but to inform us. Dismissing shame overlooks a crucial aspect of our emotional well-being and self-awareness.

My aim was to create a book that's honest, raw, and relatable, challenging the overly optimistic narrative that "everything will be fine" with a more grounded, realistic approach to personal development. 

Key insight #4: cybercriminals manipulate nonverbal cues to exploit first impressions.

NordLayer: In your Forbes article, you said that certain social skills can help people elicit the information they want. What are these skills, and how do cybercriminals use them?

Dr. Abbie Maroño: Cybercriminals exploit nonverbal communication to manipulate perceptions, leveraging our instinctual habit of making rapid judgments about people's personalities based on their appearance and behavior, a process known as "thin slicing." 

This evolutionary trait, which helped our ancestors quickly assess threats, today leads us to assign traits like friendliness or competence based on superficial cues like smiles or confident demeanor, often without any supporting evidence. 

Cybercriminals use this knowledge to their advantage, presenting themselves as authoritative and trustworthy to bypass our defenses. 

Our reluctance to revise first impressions makes us vulnerable to such manipulation, as we seek to validate our initial judgments rather than question them. Thus, understanding and being aware of these cognitive biases can help us better defend against the tactics of social engineers.

Key insight #5: emotional awareness is critical in resisting manipulation by social engineers and making more informed decisions.

NordLayer: Can you share what personality traits and psychological defenses should be nurtured to resist social engineering attempts?

Dr. Abbie Maroño: General emotional awareness in cybersecurity, explaining how social engineers exploit emotions to manipulate their targets, is important. 

Recognizing when emotions like fear or anger influence decisions is crucial, as these emotions can cloud judgment and lead to quick, unthoughtful actions. 

For example, taking a moment to breathe and assess one's feelings before reacting to a potentially malicious email can allow the brain's logical centers, like the prefrontal cortex, to engage and evaluate the situation more critically. This approach is vital because, despite the sophistication of attacks, the final decision to engage (e.g., clicking a link) rests with the human user.

Beyond technical measures, fostering a security mindset that includes emotional regulation and awareness is key. This helps individuals not only resist manipulation but also adapt to evolving threats, emphasizing the role of human judgment in cybersecurity defenses.

Key insight #6: effective cybersecurity training requires real-world simulations and engagement.

NordLayer: Let’s explore dynamic and sensitive environments like healthcare where cybersecurity awareness is crucial, but there’s no time to train and educate specialists. What human behavior traits and social engineering tactics could be exploited to achieve positive learning results?

Dr. Abbie Maroño: Learning is most effective when information directly relates to the individual. 

Traditional security training, like online videos, often fails to engage healthcare professionals because it lacks this personal relevance and fails to bridge the gap between theoretical knowledge and practical application. 

This approach not only identifies vulnerabilities but also personalizes the learning process, making it more impactful. By engaging employees in scenarios like simulated phishing (vishing and smishing) attacks, they learn to recognize and react to threats more effectively. 

Positive behaviors are reinforced, while areas for improvement are identified and addressed. It is important to invest in comprehensive security training to protect sensitive information proactively, warning that the costs of inadequate training far outweigh the investment in robust, interactive learning experiences.

Key insight #7: "trust but verify" ensures safety in cybersecurity by combining trust with critical verification of requests.

NordLayer: What benefits should be amplified, and what behaviorist tactics should be used to help people become more aware of cyber threats? What should be included in the cybersecurity training, in your opinion?

Dr. Abbie Maroño: Tactics like "trust but verify" emphasize the balance between maintaining trustful relationships and being cautious. 

This method allows for cooperative relationships to flourish while safeguarding against manipulation. Verification becomes a critical step in this process, ensuring that one does not blindly fulfill requests without appropriate scrutiny. 

Such an approach relies heavily on emotional responses and critical thinking to discern the legitimacy of requests, advocating for a balanced stance of trust with a readiness to verify, avoiding the pitfalls of unwarranted suspicion.

Thank you.

Dr. Abbie Maroño’s passion for understanding human behavior ignited at 17, leading her from early research endeavors in university to a fulfilling career in academia and, ultimately, into the private sector. 

Dr. Maroño’s work reveals the intricate dance between human psychology and cybersecurity, highlighting the need for an empathetic, informed approach to educating and protecting against cyber threats. Her emphasis on emotional awareness, group influences, and innovative training methods offers a fresh perspective on building resilient cybersecurity defenses rooted in understanding human nature.

How NordLayer can help

NordLayer can significantly enhance an organization's cybersecurity posture by fostering a culture of "trust but verify" within the workplace.

NordLayer empowers employees with the tools and knowledge necessary to scrutinize and validate requests, thus minimizing the risk of social engineering attacks. Its advanced security solutions, designed to address the nuanced challenges discussed, such as the need for emotional awareness and critical thinking, provide a robust framework for organizations to protect their sensitive data. 
