Cybersecurity - Human Factors in security Flashcards
Human Factors in Security and Privacy
This refers to how people’s behavior affects security. Even with strong security systems, humans can make mistakes that hackers exploit.
📌 Example: Someone clicks on a phishing email and gives away their password, even if the system itself is secure.
Privacy Paradox
People say they care about privacy, but they still use privacy-invasive tools like social media and choose weak passwords.
📌 Example: Someone shares everything on Facebook but also complains about online privacy.
Social Engineering
Tricking people into giving away confidential information by using manipulation instead of hacking computers.
📌 Example: A hacker pretends to be IT support and asks for an employee’s password over the phone.
Phishing
Sending fake emails or messages to trick people into giving away passwords or clicking harmful links.
📌 Example: An email saying “Your PayPal account is locked. Click here to fix it”, but the link leads to a fake website that steals login details.
Spear Phishing
A targeted phishing attack aimed at a specific person or company.
📌 Example: A hacker sends a fake email to an HR employee, pretending to be their boss, asking for employee tax records.
CEO Fraud (Business Email Compromise)
Hackers impersonate a company’s CEO to trick employees into sending money or confidential data.
📌 Example: An employee gets an email saying “Wire $10,000 to this account ASAP”, but it’s actually from a hacker.
USB Drop Attack
Hackers leave infected USB drives in public places, hoping someone will plug them in.
📌 Example: An employee finds a USB labeled “Employee Salaries”, plugs it in, and unknowingly installs malware.
Multi-Tasking in Security
Humans are bad at doing multiple tasks at once, which makes them more likely to fall for security threats.
📌 Example: A busy employee quickly clicks “Allow” on a pop-up without checking if it’s malware.
Nudges in Security
A gentle push to help people make the right security choices, like warnings or reminders.
📌 Example: Websites suggest strong passwords when a user creates an account.
Dark Patterns
Tricks in website design that manipulate users into making bad privacy decisions.
📌 Example: A website makes the “Accept all cookies” button big and easy to find, but the “Reject cookies” button is small and hidden.
Biases in Security
Cognitive biases make people misjudge risks, leading to bad security decisions.
📌 Example: A user thinks “I won’t get hacked because I’m not important”, so they reuse the same weak password everywhere.
Confirmation Bias
People only believe information that supports their existing opinions.
📌 Example: A person believes “My MacBook can’t get viruses”, so they ignore security warnings.
Action Bias
People feel the need to take action, even when doing nothing is better.
📌 Example: Someone gets a fake security alert and installs unnecessary software, which turns out to be malware.
Social Proof
People copy others’ behavior, assuming it’s correct.
📌 Example: If everyone logs into a fake Zoom link, an employee might also log in without checking if it’s legitimate.
Overconfidence Bias
People overestimate their security skills and take fewer precautions.
📌 Example: An IT expert thinks “I’m too smart to get hacked”, but still falls for a phishing scam.
Dunning-Kruger Effect
People with low knowledge about security think they know more than they do.
📌 Example: Someone says “I don’t need antivirus software”, even though they download unsafe files all the time.
Authority Manipulation in Security
Hackers pretend to be authority figures to make people comply.
📌 Example: A scammer pretends to be the police and demands payment for an unpaid fine.
Layered Security (Swiss Cheese Model)
Using multiple security layers so if one fails, others still protect you.
📌 Example: A bank uses passwords, 2FA, and fraud detection systems to protect accounts.
Security Fatigue
People get tired of constant security warnings, leading them to ignore real threats.
📌 Example: A person sees too many “Your password is weak” warnings, so they start ignoring them completely.
Usable Security and Privacy
Security systems should be easy to use, or people won’t follow them.
📌 Example: If password managers are complicated, employees won’t use them, making security worse.
Nielsen’s Usability Heuristics
Rules for making systems easy and safe to use, like clear error messages and simple security settings.
📌 Example: A website warns users when they enter a weak password.
Email Signature & Encryption Problems
Even experts struggle to use encrypted email properly.
📌 Example: A study found that many users accidentally shared private encryption keys.
Attack 1 – Invalid Signature
A fake email signature makes users think a message is safe.
📌 Example: A hacker copies a real company’s signature in a phishing email to look more trustworthy.
Attack 2 – UI Spoofing
Hackers fake security elements (like padlock icons) to trick users.
📌 Example: A fake banking website adds a padlock image to make users think it’s secure.