Right this very minute, a hacker could be trying to get into your computer. According to a University of Maryland study, such attacks happen every 39 seconds. They can happen at any time and hit anyone.
Victims of cyberattacks can range from individuals and families to corporations and governments, with impacts including financial loss, job loss, data leaks and even service disruptions that can cost lives.
In short, says Dr. Marc Dupuis, there’s a lot to fear when it comes to cybersecurity. Whether fear is useful or ethical as a tool for combatting digital threats is a topic that holds great interest for him.
“It’s safe to say we all want to improve our cybersecurity from a personal, organizational and national security perspective,” said Dupuis, an associate professor in the University of Washington Bothell’s School of STEM. “However, is the use of fear and other negative emotions the most effective and ethical way to accomplish this goal?”
Dupuis will be speaking on the topic: “Cybersecurity: Is Fear Counterproductive?” in an upcoming History Pub talk at McMenamins Anderson School in Bothell, Washington, on March 25 at 7 p.m. Beyond considering the utility of fear, he’ll also be providing advice on how to stay safe in the digital landscape.
The human element
While technologies to protect against cyberattacks are constantly evolving alongside those that enable them, human error remains the greatest threat to cybersecurity. According to the Cybersecurity and Infrastructure Security Agency, more than 90% of successful cyberattacks begin with a phishing email.
This social and human element of cybersecurity is what first attracted Dupuis to the field, he said. “I was always curious how these perfectly smart, intelligent, reasonable people could have this happen to them. What causes people to fall victim to these social engineering tactics?”
Now an expert on the topic, he understands the seeming impossibility of navigating the minefield of the internet — and has even experienced it firsthand.
In a cybersecurity camp held for seventh to 12th graders over the past several years, Dupuis does an exercise where he asks the students to “spear phish” him, sending phishing emails that directly target him.
“I know it’s coming, and I’m an expert,” he said. “And while they are still newly trained, they are still so good that there were some emails I really didn’t know if they were legit or not.
“So, when you think about the average, everyday person with all their work and all these distractions and everything else, and they get an email that appears very reasonable, of course they’re going to click on it here and there.”
Many faces of fear
Apart from the fear induced by the inherent risk of cyberattacks, fear is also a tool weaponized by hackers to instill a sense of urgency and a need to click on an email, despite uncertainty about its source. To the untrained eye, email subject lines that threaten negative consequences for an unpaid parking ticket or a bank notification alerting you to a possible fraud attempt can be hard to ignore.
Fear and other negative emotions are also often used by organizations to garner compliance from their workers to prevent cyberattacks, threatening possible punishments and even job loss for failure to comply.
It remains a topic of debate whether this tactic is worthwhile, Dupuis said. “A lot of times we intuitively think that scaring people is going to be effective, and there’s some research out there to support that. But more recently, and in subsequent studies, we’re actually finding that the opposite may be true.”
In analyzing other fear-based programs — such as Scared Straight, a program aimed at keeping juveniles out of prison, and similar programs targeting teen pregnancy — he found that early studies indicated some short-term success.
When the more long-term impacts of these programs were studied, however, researchers found that the participants actually had an increased likelihood of becoming incarcerated or experiencing teen pregnancy.
Fear at bay
One of the biggest downsides to fear as a prevention measure, Dupuis noted, is that it can stifle a tool that truly can make a difference: open communication.
“Fear doesn’t really create an environment where people feel comfortable coming forward if they have made a mistake or if they’re uncertain about something,” he said. “Instead, it creates animosity and can create a power dynamic that isn’t really healthy. It doesn’t work long term, and it doesn’t make people want to work to support the organization.”
The same is true for families, he added. When parents foster a supportive environment where their children feel comfortable approaching them with problems, they’re able to better prevent and overcome those issues.
“Communicating openly is one of the most powerful things you can do,” he said. “Whether it’s a family setting or an organization, the more you create a culture and an environment in which people feel comfortable coming to you with questions, the better off you’ll be.
“Cyberattacks can happen to any of us, no matter how sophisticated our malware protection or our cybersecurity training is,” he said. “So I think it’s important that we have more grace with people and be reasonable about what the everyday person can do in these scenarios.”
Armed with knowledge
Of course, knowledge is also paramount to personal and organizational cybersecurity, Dupuis said.
If people don’t know what they’re looking for, they won’t know how to prevent it. Rather than just telling people what not to do, he noted, giving them actionable steps they can take is even more effective.
“Often the biggest predictor of behavior is self-efficacy,” he said. “If someone believes they can take action, they’re much more likely to do it. It’s about being proactive, not waiting in fear for something bad to happen but also not waiting until something bad happens to try and protect yourself.”
Here are Dupuis’ top four tips to incorporate at home:
- Back up your important and sentimental files — ideally in multiple locations.
- Keep your anti-malware software up to date.
- Use a password manager.
- Use a virtual private network, especially when using public WiFi networks.
For more information and to get tickets to Dupuis’ talk, visit the McMenamins website. For additional tips and training and other resources, visit CISA.