CYBER crime costs the UK economy billions of pounds a year, with businesses bearing the brunt. Now, researchers at the University of Huddersfield, backed by funding from the government, have teamed up with Bob’s Business, a leading cyber security training organisation, and are using the science of psychology to develop new ways of thwarting phishing attacks.

When the project is completed, Bob’s Business will have the capacity to use behavioural analytics to develop and inform bespoke training packages tailored to their clients. The training will cut the risk of employees opening and acting on fake emails that could cost their company thousands of pounds. 

“We are developing the first evidence-based, psychologically-informed cyber security training program in the UK,” said Dr Chris Street, a Senior Lecturer in Psychology at the University of Huddersfield. He has a speciality in trust and lie detection. 

He is the academic supervisor for a Knowledge Transfer Partnership (KTP) – part funded by the official government body Innovate UK – that has been formed in collaboration with the Barnsley-based company Bob’s Business.

Based at the company during the project is KTP Associate Sathpal Panesar, who has Bachelor’s and Master’s degrees in psychology from the University of Huddersfield. 

“My role is to develop a psychological understanding of when and why computer-users engage with phishing emails, and to test and implement an evidence-based intervention using behavioural analytics to help reduce the risk of cyber security attacks,” he explained. 

One of the services offered by Bob’s Business, ‘Think Before You Click’ ®, is simulated phishing training that brings common cyber threat scenarios to life, helping firms and their staff to identify and reduce the risks. The company has developed a large range of multi-complex templates that closely imitate real-life phishing attacks. These are sent to employees to assess when and why they click on harmful web hyperlinks in phishing emails.

The results of these simulations have provided Sathpal with a database of over 70,000 real-life case studies that he can use to explore the psychological causes of risky cyber security behaviour.

Bob’s Business currently has a unique approach to cyber security awareness training and phishing simulations with its engaging training modules which are used to influence user behaviour. The KTP will assist in enhancing this innovative approach through the use of psychology, and building on the combination of education and communication methods. 

“We are creating a behavioural-analytical program that will identify the features of phishing emails that make employees click. Bob’s Business will then be able to recommend targeted training around the findings, tailored to the identified factors that are driving risky behaviour,” he said. 

The two-year KTP is still some time from completion, but Sathpal has made preliminary observations. A key finding is that people are more likely to click on emails that purport to come from an internal rather than external source. 

KTP supervisor Dr Street has developed the Adaptive Lie Detector theory, and the KTP serves as a real-world test of his ideas, which help explain why people tend to believe that messages are typically trustworthy and genuine. 

“We can use Chris’s theories to improve security behaviours, and they will play a part in designing new email templates that Bob’s Business can develop for new clients,” said Sathpal.