Tech-savvy psychologists a boon for security

Summary: These professionals help organizations identify human vulnerabilities in their network systems and fine-tune security development, but effectiveness depends on their level of technical expertise.


Psychologists with an understanding of IT security are an asset to organizations in terms of helping craft corporate policies and profiling where possible threats may emerge. However, there is a limit to what they bring to the table and how effective they can be in deterring or fighting against online risks.

Joseph Steinberg, CEO of security firm Green Armor Solutions, had suggested enterprises leverage the expertise of psychologists when it comes to enhancing their cybersecurity posture. This is because many modern online attacks exploit human weaknesses, and these psychologists can help prevent these, he noted.

Psychologists understand how the human mind works and what types of information are easily retained, so they will be able to help design anti-phishing technologies that will be more effective than technologies designed solely by engineers, Steinberg explained.

He also drew a distinction for this group of psychologists, saying they are not the ones who help people deal with their personal issues. Rather, they are also tech and security experts who understand the roles, weaknesses and limitations posed by people in relation to cybersecurity. They would help people recognize when a site is legitimate or not, for instance, the executive said.

Steinberg said these professionals can help formulate security policies or aid in the development of IT security technologies, too.

Jonathan Andresen, Asia-Pacific marketing vice president at Blue Coat, agreed with Steinberg's view. He said cybersecurity is ultimately about people, and areas such as criminal profiling are ones that psychologists can contribute to.

Taking Blue Coat as an example, Andresen said there are many researchers in its laboratories who have a background in psychology and other humanities, and such knowledge aids in their profiling of the Internet's "bad guys".

"Just as it is important to understand the bad guys in real life, it is critical to have insights--such as what their motivations are--to fight cybercrime," he added.

Limitations exist
Another security industry watcher, Guillaume Lovet, pointed out the limitations of such professionals though. The senior manager of Fortinet's FortiGuard Labs Threat Response Team said deploying malware on a corporate network for espionage does not necessarily require social engineering and, with it, human interaction.

It can also be achieved by exploiting vulnerabilities within the targeted network servers, switches and Wi-Fi access points, Lovet pointed out.

So while humans tend to be the weakest link where IT security is concerned and attackers favor social engineering to penetrate the network, the level of deception involved does not usually require the help of specialist professionals such as psychologists, he added.

He cited the Ghostnet case in 2009, when attackers planted Trojans in computers in the Dalai Lama's office to monitor his activities. This was done after office staff received e-mail messages that appeared legitimate and to originate from actual people rather than malware-generated messages, he noted.

These incidents do not rely on complex and perverse manipulation, but on sound profiling of the target. In such cases, there is not much that psychologists can do to help, he said.

"Social engineering does not need to be complex to be effective, no matter how intelligent and aware the victim is. It just needs to be documented," Lovet said.

Topics: Security, IT Employment

Ellyne Phneah

About Ellyne Phneah

Elly grew up on the adrenaline of crime fiction and it spurred her interest in cybercrime, privacy and the terror on the dark side of IT. At ZDNet Asia, she has made it her mission to warn readers of upcoming security threats, while also covering other tech issues.

  • Fantastic article!

    Ellyne, you make some great points, and I think that human vulnerabilities in your network systems are a great risk. Also, I would like to add that in my opinion, QA professionals represent a unique opportunity to integrate security into software. Actually, here’s an interesting article on this matter: I really hope you find it useful! Keep up the good work!
  • Thank you

    Hi securityi, thank you, I really appreciate the feedback and the heads up on the article