Reading Time: ~ 4 min.

Have you ever met a person who
thinks they know it all? Or maybe you’ve occasionally been that person in your
own life? No shame and no shade intended – it’s great (and important) to be
confident about your skills. And in cases where you know your stuff, we
encourage you to keep using your knowledge to help enhance the lives and
experiences of the people around you.

But there’s a big difference between being reasonably confident and having false confidence, as we saw in our recent global survey. Featured in the report COVID-19 Clicks: How Phishing Capitalized on a Global Crisis, the survey data shows that, all over the world, people are pretty confident about their ability to keep themselves and their data safe online. Unfortunately, people are also still getting phished and social engineering tactics aimed at employees are still a major way that cybercriminals successfully breach businesses. These data points strongly suggest that we aren’t all being quite as cyber-safe as we think.

Overconfidence by the Numbers

3 in 5 people (59%) worldwide think they know enough to stay safe online.

You may think 59% doesn’t sound
high enough to earn the label of “false confidence”. But there were two
outliers in our survey who dragged the average down significantly (France and
Japan, with only 44% and 26% confidence, respectively). If you only take the
average of the five other countries surveyed (the US, UK, Australia/New
Zealand, Germany and Italy), it’s a full ten percentage points higher at 69%. UK
respondents had the highest level of confidence out of all seven regions
surveyed with 75%.

8 in 10 people say they take steps to determine if an
email message is malicious.

Yet 3 in 4 open emails and click links from unknown

When so many of us claim to know what to do to stay safe online (and even say we take steps to determine the potential sketchiness of our emails), why are we still getting phished? We asked Dr. Prashanth Rajivan, assistant professor at the University of Washington and expert in human behavior and technology, for his take on the matter. He had two important points to make.


According to Dr. Rajivan, it’s important to note that
Japan had the lowest level of confidence about their cybersecurity know-how
(only 26%), but the survey showed they also had the lowest rate of falling
victim to phishing (16%). He pointed out that countries with more individualistic
seem to align with countries who ranked themselves highly on their
ability to keep themselves and their data safe.

“When people adopt a less individualistic mindset and, instead, perceive themselves to have a greater responsibility to others, their average level of willingness to take risks decreases. This is especially important to note for businesses that want to have a cyber-aware culture.”

– Prashanth Rajivan, Ph.D.

The Dunning-Kruger Effect

Another factor Dr. Rajivan says may contribute to overconfidence in one’s ability to spot phishing attacks might be a psychological phenomenon called the “Dunning-Kruger Effect”. The Dunning-Kruger Effect refers to a cognitive bias in which people who are less skilled at a given task tend to be overconfident in their ability, i.e. we tend to overestimate our capabilities in areas where we are actually less capable.

How These Numbers Affect Businesses

Only 14% of workers feel that a company’s cyber
resilience is a responsibility all employees share.

correlations between overconfidence and individualism may also translate into a
mentality that workers are not responsible for their own cybersecurity during
work hours. While 63% of workers surveyed agree that a cyber resilience
strategy that includes both security tools and employee education should be a
top priority for any business, only 14% felt that cyber resilience was a shared
responsibility for all employees.

How to Create a Cyber Aware Culture

The short answer: a strong combination of employee training and tools.

The long answer: when asked what
would help them feel better prepared to avoid phishing and prevent
cyberattacks, workers worldwide agreed that their employers need to invest more
heavily in training and education, in addition to strong cybersecurity tools.
Dr. Rajivan also agrees, stating that, if employers want to build cybersecurity
awareness into their business culture, then they need to invest heavily in
their people.

“By creating a feeling of personal investment in the individuals who make up a company, you encourage the employees to return that feeling of investment toward their workplace. That’s a huge part of ensuring that cybersecurity is part of the culture. Additionally, if we want to enable employees to assess risk properly, we need to cut down on uncertainty and blurring of context lines. That means both educating employees and ensuring we take steps to minimize the ways in which work and personal life get intertwined.”

– Prashanth Rajivan, Ph.D.

Additionally, he tells us, “Human
behavior is shaped by past experiences, consequences and reinforcement. To see
a real change in human behavior related to phishing and online risk-taking habits
in general, people need frequent and varied experiences PLUS appropriate
feedback that incentivizes good behavior.”

Ultimately, the importance of
training can’t be emphasized enough. According to real-world data from
customers using Webroot® Security Awareness Training, which provides both
training courses and easy-to-run, customizable phishing simulations, consistent
training can reduce click rates on phishing scams by up to 86.5%.

It’s clear a little training can go a long way. If you want to increase cyber
resilience, you have to minimize dangerous false confidence. And to do that, you
need to empower your workforce with the tools and training they need to
confidently (and correctly) make strong, secure decisions about what they do
and don’t click online.

Learn more
about Security Awareness Training programs.

The post False Confidence is the Opposite of Cyber Resilience appeared first on Webroot Blog.