The Place of Mindfulness in Cybersecurity

By Anna Collard, SVP of Content Strategy and Evangelist for KnowBe4.

  • 1 year ago Posted in

Deep breath in. Hold for 3 seconds. And let it all out. Now, identify three things you can hear, two things you can smell and one thing you can taste wherever you might be sitting. Let’s get you back to the present moment; let’s talk about cyber mindfulness.

According to research, 47% of people who have fallen for a phishing attack attribute this to being distracted. It’s not that they weren’t trained or didn’t know any better, but because they were multitasking in an attempt to keep up with the demands of modern life. We might be at home, simultaneously trying to console a screaming child, keep the pasta water from boiling over, while responding to an urgent work email that has just come through. Or, in the office, half-listening during the weekly team meeting and opening an email attachment for a client project with a deadline of “EOD today”.

Whatever the case, there is no shortage of distractions, and we are mistaken in believing that our brains can manage more than one task concurrently. Unfortunately, in the same way that technologies might have software vulnerabilities, our brains too have certain ‘vulnerabilities’ that could put us at risk in this digital world. The multitasking myth is just one of them.

The Multitasking Myth

Have you ever received a text while working, saw your screen light up and felt an urge to check? In this moment, you get a dopamine hit, coaxing you to look at the message. You think, “maybe it’s important”. Studies have shown that information is viewed as a reward by our brains and plays into the same dopamine-producing reward system as it would for food or money. In other words, when we look at a message, when we respond, when we leave a like on a social media post, all of these actions give us a hit of dopamine – our built-in rewards system that makes us feel good. This eventually creates a feedback loop which encourages us to continue to search for more dopamine hits.

Multitasking is one way we can achieve this. We may start a task then seek a new task to keep the flow of feel-good chemicals going. It is an addictive cycle and while it might feel good in the moment, or seem productive at the time, we look back and realise that not much had been accomplished. In reality, our brains are switching from one task to the other, exerting energy each time. We confuse activity with productivity and physically burn up the glucose in our brains, making us tired and in the worst-case scenario, giving rise to anxiety and depression.

What’s more, every time we put ourselves in a situation where a decision needs to be made (i.e whether to respond to the message or not), we are also using up energy. It doesn’t matter how small the decision, the energy used is the same as that of a big one. During the day, we only have a limited capacity for decision-making, the more we waste this on unnecessary choices, the less clarity and self-control we have down the line.

This isn’t the only weakness our brains have, though. Another vulnerability we have is our tendency to fall into what Daniel Kahneman refers to as “System 1 thinking”.

The Downfall of System 1 Thinking

In his book, ‘Thinking Fast and Slow’, Kahneman coins the term ‘System 1 thinking’. He explains that our brains make heuristic assumptions, or mental shortcuts, to make faster

decisions. As mentioned earlier, every decision we make takes up energy, but our brains are designed to be efficient and energy-conserving; this is aided by using mental shortcuts. From an evolutionary perspective, the shortcuts can also come in handy when a quick decision needs to be made in the face of danger. For instance, if you see a car coming and need to get out of its way.

The heuristic assumptions are meant to protect us but sometimes they can lead us to make bad judgements, especially when operating online. Our brain might finish information for us, automatically fixing a mistake it sees when a URL or word is misspelled. Therefore, correcting the red flags that might have revealed that the email, website, document etc. in question, harboured malware.

Now, add to this a mammalian instinct to react to emotional triggers, and we’ve become perfectly susceptible to social engineers.

The Amygdala Trigger

We all have two walnut-sized centres at the back of our brains, called the amygdala, that are triggered when we experience both negative and positive emotions. When we feel fear, stress, excitement etc., the amygdala activates our adrenal glands to secrete cortisol and other stress hormones throughout the body. This sends us into flight or fight mode, hijacking our executive functioning so that we no longer think critically.

Together, these three vulnerabilities in our brains demonstrate why security awareness alone is not enough to prevent even the best among us from falling for a phishing scam. Regardless of awareness or good intentions, one might simply be too frazzled, emotionally triggered or caught in System 1 thinking to do the right thing. Alongside regular security awareness training and building a strong security culture, we need to turn our attention to cultivating mindfulness.

The Place of Mindfulness in Cybersecurity

Mindfulness is about drawing oneself back to the present moment, recognising what one is doing, the environment they are in, and responding to external prompts with intention. Scientific evidence increasingly indicates that mindfulness can help to reduce human error and boost focus. Michigan State University, for example, showed that just twenty minutes of meditation, a powerful mindfulness tool, can increase error recognition.

So, how do we go about practicing this?

It could be as simple as deliberately focusing on one thing at a time: starting a task and following through on it, before moving on to the next thing. Moreover, it is recommended that one takes a minute to reflect on a decision. When you open an email, consider who it came from, what it is asking of you, and listen to your body.

Our bodies often exhibit warning signals before we can consciously understand it ourselves. Our heart rate might go up or we might begin sweating; whatever the reaction, our bodies can give us a heads up when an emotion might have been triggered by a social engineer looking to manipulate us.

The best way to slow down and allow space for reflection is to do some breathwork. The exercise we worked on at the very start is a form of this. Likewise, one could incorporate

energising movements to foster greater concentration. This could be in the form of yoga or even a quick walk down the corridor and back. While working on a task, it also helps listening to binaural beats that can help us tap into a state of deep, or distraction-free, work.

When we have mastered the art of mindfulness, we put ourselves in a better position to defend against cyber threats and produce our best work

By Alasdair Anderson, VP of EMEA at Protegrity.
By Eric Herzog, Chief Marketing Officer, Infinidat.
By Shaun Farrow, Security Practice Lead at Bistech.
By Andre Schindler, GM EMEA and SVP Global Sales at NinjaOne.
By Darren Thomson, Field CTO EMEAI, Commvault.