An email subject line catches a user’s interest. The user clicks through and gets compromised. This is a classic phishing attack; it remains one of the biggest threats we face. Billions of spam emails are sent every day and email accounts for 94% of malware with a known source.
Why does anyone still click on phishing emails? The same reason anyone clicks on any email. It looks important or interesting, at least for long enough to click. Emails about vacation giveaways are now, giveaways themselves. Phishing has improved in its deception tactics. Early in the pandemic, a whole wave of phishing attacks pretended to be news about COVID.
Different claims compel different audiences. Young adults fell for attacks based on scarcity (“you can save money if you fill this out!”). In contrast, older people fell for attacks based on reciprocity (“we’ve already given you a gift, click here to collect it!”), according to a 2017 study presented at the Conference on Human Factors in Computing Systems (CHI). Phishing is a lot like advertising. Different attacks are tailored to different targets.
However, there is much confusion about determining the most vulnerable populations. The CHI study also found that older women fell for phishing most. Other studies find that young people fall for phishing more, or that men get more mobile device viruses than women. Some academics found more experienced users were less vulnerable, while a Symantec study found that software devs were more vulnerable than the general public.
How do you reconcile such seemingly contradictory findings? You don’t. There’s little reason to think any demographic is universally more vulnerable to phishing. Different hooks will catch different audiences. But there is a proven strategy to address these various phishing attacks.
Reflect Who You Protect
Your cybersecurity team needs to understand your users’ perspectives to protect them. The more diverse your cybersecurity team, the wider the resources they can draw on to detect phishing scams.
Approximately 90% of data breaches are caused by human error. Your cybersecurity team has to anticipate the kinds of mistakes your users will make. Phishing vectors that seem obviously sketchy to one audience can hook another. Consider the different tools and platforms your users use and think about what attacks to take most seriously on each.
Slack phishing might catch young workers who think Slack is safe from outsiders. Older workers might not use that channel at all. Caller ID spoofing is often targeted at older adults, who may trust their phone more than their computer or not know that caller IDs can now be spoofed.
There is some gender difference in scam tactics. A scam that tries to panic the user into thinking they accidentally sent $500 to gun company Springfield Armory is more likely to work on men. A scam that offers free gift cards on Pinterest is more likely to work on women.
But the cure for gender-diverse scams is to have gender-diverse cybersecurity teams. Multiple studies have shown that gender-diverse teams make better business decisions than homogenous teams, as much as 73% of the time.
Yet only 24% of cybersecurity professionals are women, according to a widely cited 2019 report by (ISC) 2. More recent studies hover around there, e.g. 21.9% per Zippia Careers and 25% per Cybersecurity Ventures. But the good news is this number is on the rise from around 11% in 2013, per (ISC)2.
Women in Cybersecurity Today
Women in cybersecurity trend younger and better-educated, but less experienced and lower-paid. Interestingly, women in cybersecurity are disproportionately likely to fill leadership roles like CTO or Vice President of IT, compared to men in cybersecurity. For example, Alissa Abdullah, Chief Information Security Officer at Xerox, Ann Barron-DiCamillo the Head of Cyber Operations at Citibank, or Marnie Wilking, the Global Head of Security, Privacy, and Technology Risk Management for Wayfair. In academia, Jennifer Granick served as the Director of Civil Liberties for the Stanford Law School Center for Internet and Society. The pay gap does persist in managerial roles but is smaller for younger workers than older workers.
Why do fewer women enter the field of cybersecurity? Since cybersecurity jobs often stem from STEM itself, the gender imbalance in STEM fields affects cybersecurity. STEM subject areas start out with rough gender parity in elementary school, but the proportion of women drops precipitously until women make up only 8% of STEM majors graduating from college. Evidence suggests that young girls and teens form preconceptions about professional industries and are heavily influenced by parental and societal influences. Furthermore, a lot of the terminology in cybersecurity sounds militaristic, another field with a large gender disproportion.
There’s the issue of fewer women entering the workforce but then there’s the issue of women staying in the field. The last year has heightened existing strains on women in the workplace. Many women in tech are considering leaving for the same old reasons why half of the young women who start in tech leave. More than 2.3 million women in the U.S. stopped working between February 2020 and February 2021. That tilted the proportion of women in the overall (not cyber-specific) workforce back to 1980s levels.
Women have a lot of pulls on our schedules that few men think about. Familial obligations are just some of many examples. One of the biggest is unpaid care work. Do you know how we just had a pandemic? Where a lot of people needed more care? Over 10% of women were caring for an ailing family member before the pandemic, and 10% took on new caregiving responsibilities as a result of the pandemic.
Like other areas of tech, cybersecurity has a “leaky pipeline” – the proportion of women who enter the industry has increased faster than the proportion who stay. Companies with many early-career cybersecurity professionals should think about how to retain them. Flexible work arrangements are a common ask for women – and inflexibility is a common reason they leave.
Your cybersecurity team should look similar to your userbase and workforce. Give your female employees flexibility, and attract experts who understand the perspectives of the people they’re there to protect.