Cybersecurity: only 3% of employees detect all suspicious emails

by time news

Although 88% of employees believe that they are vigilant about the emails they receive and 67% consider it easy to detect fraudulent emails, only 3% of respondents managed to identify all those sent to them during the study conducted by OpinionWay to assess their cybersecurity skills. And 11% of the thousand employees questioned from March 16 to 21, 2022 in companies of all sizes did not identify any of these messages, which are dangerous for computer security!

The gap between the level of vigilance displayed and the actual skills illustrates “the lack of understanding and awareness of the issues”, according to Cassie Leroux of Mailinblack, a Marseilles company with 70 employees, created in 2003, which trains companies on cyber risks.

“The overestimation of oneself is flagrant,” says Bruno Teboul, researcher in cognitive sciences and behavioral economics. “This study will be a milestone: the subject of cybersecurity is not only technological, managerial or organizational. The diagnosis is also based on understanding the psychological mechanisms.”

Beware of “tunneling”… and curiosity

The results show that, faced with the cyber threat, there is no difference in behavior between the sexes, and little according to the activity or the size of the company, even if the employees of SMEs feel more exposed. On the other hand, the gaps widen between generations. Employees aged 35 and over are more vigilant (more than 90%) and have confidence in their abilities (89%). 18-24 year olds have less time to complete their tasks (77%) than their elders (51% of those over 50), say they are more stressed (71%, versus 48%) and are more likely to click on a link without checking (59% of young people against 26% of all generations)!

“You can be a young super graduate, but if you are under high stress, it will lower your level of vigilance,” explains Bruno Teboul. The other vulnerability factor is the “tunneling” of attention, that is, focusing on the content of the message while ignoring the other elements (sender, spelling, etc.) that could encourage caution. Added to this is the increased expertise of hackers. “There are cognitive biases known to hackers, such as empathy, curiosity,” he notes, making some employees prime targets.

“Cyber training too often remains a CIO problem (computer systems department),” notes Cassie Leroux, whose company relies on training adapted to the profile of companies and their employees, based on these cognitive factors.
