Psychologists with an understanding of IT security is an asset to organizations in terms of helping craft corporate policies and profiling of where possible threats may emerge. However, there is a limit to what they bring to the table and how effective they can be in deterring or fighting against online risks.
Joseph Steinberg, CEO of security firm Green Armor Solutions, had suggestedwhen it comes to enhancing their cybersecurity posture. This is because many modern online attacks exploit human weaknesses, and these psychologists can help prevent these, he noted.
Psychologists understand how the human mind works and what types of information is easily retained, so they will be able to help design anti-phishing technologies that will be more effective than technologies designed solely by engineers, Steinberg explained.
He also drew the distinction for this group of psychologists, saying they are not ones who help people deal with their personal issues. Rather, they are also tech and security experts who understand the roles, weaknesses and limitations posed by people in relation to cybersecurity. They would help people recognize when a site is legitimate or not, for instance, the executive said.
Steinberg said these professionals can help formulate security policies or aid in the development of IT security technologies, too.
Jonathan Andresen, Asia-Pacific marketing vice president at Blue Coat, agreed with Steinberg's view. He said cybersecurity is ultimately about people, and areas such as criminal profiling, which are things that the psychologists can contribute to.
Taking Blue Coat as an example, Andresen said there are many researchers in its laboratories who have a background in psychology and other humanities and such knowledge aids in their profiling of the Internet's "bad guys".
"Just as it is important to understand the bad guys in real life, it is critical to have insights--such as what their motivations are--to fight cybercrime," he added.
Another security industry watcher, Guillaume Lovet, pointed out the limitations of such professionals though. The senior manager of Fortinet's FortiGuard Labs Threat Response Team said deploying malware on a corporate network for espionage does not necessarily require social engineering and, with it, human interaction.
It can also be achieved by exploiting vulnerabilities within the targeted network servers, switches and Wi-Fi access points, Lovet pointed out.
So while humans tend to be the weakest link where IT security is concerned andto penetrate the network, the level of deception involved does not usually require the help of specialist professionals such as psychologists, he added.
He cited the Ghostnet case in 2009, when attackers planted Trojans in computers in the Dalai Lama's office to monitor his activities. This was done after office staff received e-mail messages that appear legitimate and originating from actual people rather than malware-generated messages, he noted.
These incidents do not rely on complex and perverse manipulation, but sound profiling of the target. In such cases, there is not much that psychologists can do to help, he said.
"Social engineering does not need to be complex to be effective, no matter how intelligent and aware the victim is. It just needs to be documented," Lovet said.