Let’s face it, we live in a world where technology reigns. And, in this world, senior leaders face increasingly sophisticated scams targeting both their personal and organisational assets. Understanding the mindset of the “bad players” behind these deceptions
is your first line of defense.
Cybercriminals don’t only target your technology. They know that your weakest line of defense is human nature. With this knowledge, they focus on exploiting certain vulnerabilities that we, as humans, have.
Their efforts map neatly onto what psychologists call the “3N model”: needs, narratives, and networks.
The 3N Model: A Strategic Framework for Understanding Scams
The 3N model was originally developed to explain the drivers behind radicalisation. Applied to system and data security, though, it is a useful way to understand how scammers gain access to corporate assets without defeating a single technical control: they persuade an authorised person to use that access on their behalf, which sidesteps even the tightest of security efforts.
Here’s how it works:
- Needs. Scammers identify and exploit fundamental human needs—security, understanding, control, status, and validation. For executives, these often take the form of time pressures, fear of missing opportunities,
or concerns about reputation damage.
- Narratives. These are the compelling stories crafted to bypass your critical thinking. Stories are often designed to compel us to act based on appeals to authority, urgency, or exclusivity. For instance, “You’re among a chosen few selected
for this opportunity.”
- Networks. Our networks are made up of the people around us: people we trust, and people from whom we’re likely to take directives. Scammers know this and borrow that trust to add credibility to their appeals, whether by spoofing a sender’s address, using a compromised mailbox, or cloning a familiar voice. When a message appears to come from a trusted colleague, board member, friend, or relative, we lower our guard and are more likely to follow its direction.
The Executive’s Vulnerability: When System 1 Hijacks Critical Thinking
Leaders are generally very good at analytical thinking. That’s why they’re leaders. But scammers take advantage of “System 1” thinking—a concept popularised
by Daniel Kahneman.
System 1 is simply automatic, reflexive thinking. It is our default mode when faced with information or decisions, and especially when competing demands and time pressure push us toward the path of least resistance. We make snap judgments or respond automatically based on past experience or on assumptions we may not even realise we hold.
For example, a CFO receives an urgent voicemail from the CEO asking for an immediate wire transfer to help seal an important acquisition. The CFO is under deadline pressure to submit a report to the board. The voicemail unmistakably sounds like the CEO. Who wouldn’t respond?
Today, deepfake attacks mean that virtually any voice, including your CEO’s, can be convincingly cloned from a few seconds of recorded speech. Listening studies show that people can no longer reliably tell a real voice from an AI-generated one, so a familiar voice on a call or in a voicemail should never be treated as proof of who is speaking. We need to rethink our defenses for this new era of attacks.
Beyond Traditional Security Measures
Technology protections are certainly an important piece of any security effort. But technology measures alone aren’t enough. In practice, many successful intrusions begin not with a technical flaw but with a person being persuaded to act, and the controls you have bought do nothing against a request that an authorised user carries out willingly.
Here are strategies to help address the risk of 3N efforts to exploit these vulnerabilities:
- Create Decision-Friction Points
Friction points put virtual roadblocks in the way of 3N attack efforts. For instance, implement a mandatory “pause protocol” for high-risk activities such as wire transfers, changes to beneficiary details, or emailing confidential information: a minimum hold before the action completes, plus sign-off from a second person. These pauses are designed to move us into System 2 thinking, the slower, more logical and effortful mode. The friction must be built into the process itself; a pause that depends on an individual remembering to stop is exactly the one an urgent, authoritative request will erase.
- Develop Narrative Awareness
Train everyone from senior executives to the front lines of your organisation to understand and recognise the types of emotionally coercive tactics that cybercriminals employ. When confronted with an urgent request or an effort to wear down their defenses,
users will be more apt to pause and take a moment to consider before acting.
- Require Verification for Sensitive Requests
When staff members receive sensitive requests, whether relating to financial resources, access to customer or employee data, or access to proprietary systems, they should insist on verification. That voicemail request from the CEO, for instance, should prompt a second check through a different channel, initiated by the recipient: call the CEO back on the number in the corporate directory, not the number left in the voicemail, and never “verify” by replying to the same email thread or chat that carried the request, since an attacker who controls that channel can simply confirm their own request.
- Practice Mindful Leadership
Busy executives need mindfulness training more than anyone. Being mindful helps us recognise when we’re operating in System 1 mode. That recognition can help us create the mental space needed to engage in critical thinking. Even a 30-second pause to assess
your emotional state can dramatically improve the quality of decision-making when under pressure.
- Do Your Own Security Threat Modeling
Everyone, including the CEO, should be trained to identify and respond appropriately to 3N-type threats. Carefully consider the types of threats your company faces and the individuals who are most at risk of falling for 3N attacks: those who can move money, grant access, or release data. Develop scenarios that can be used to test these defenses, much as you would run phishing exercises, but cover voice calls, voicemail, and chat as well as email, since that is where deepfake-assisted attacks now arrive. Incorporate the scenarios into training efforts, and debrief by discussing the scenarios, the responses, lessons learned, and the process improvements that would deliver a better result next time.
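The pause protocol and the verification rule above are easiest to get right when they are enforced by a system rather than by memory. The following is an added example, not code from the article, of a small approval gate for high-risk requests that encodes both: a mandatory hold, and out-of-band verification that must use contact details from an internal directory rather than anything supplied in the request. The thresholds, hold length, channel names and the directory entry are assumptions for illustration; the CFO walk-through reuses the article’s voicemail scenario with a constructed attacker callback number.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple

# Assumed policy parameters (illustrative, not from the article).
HOLD = timedelta(hours=4)       # minimum "pause" before a high-risk request may complete
WIRE_THRESHOLD = 10_000         # wires at or above this amount are high-risk

# Constructed internal directory. Verification must use contact details from
# here, never details supplied in the request itself.
DIRECTORY = {
    "ceo": {"phone": "+1-555-0100", "email": "ceo@example.com"},
}


@dataclass
class Request:
    requester: str                  # claimed identity of the sender, e.g. "ceo"
    channel: str                    # channel the request arrived on: "voicemail", "email", ...
    kind: str                       # "wire", "data_export" or "system_access"
    received_at: datetime
    amount: int = 0
    new_beneficiary: bool = False
    callback_number: Optional[str] = None  # number the message asks us to call back


@dataclass
class Verification:
    channel: str                    # channel the verifier actually used (outbound, initiated by us)
    contact_used: str               # phone number or address actually dialled
    requester_confirmed: bool       # did the real requester confirm the request?


def is_high_risk(req: Request) -> bool:
    """Classify requests that must go through the pause-and-verify path."""
    if req.kind == "wire":
        return req.amount >= WIRE_THRESHOLD or req.new_beneficiary
    return req.kind in ("data_export", "system_access")


def evaluate(req: Request, ver: Optional[Verification], now: datetime) -> Tuple[str, str]:
    """Return (decision, reason); decision is "approve", "hold" or "reject"."""
    if not is_high_risk(req):
        return "approve", "low risk: normal approval path"
    if ver is None:
        return "hold", "high risk: out-of-band verification required"
    if ver.channel == req.channel:
        return "hold", "verification must use a channel other than the one the request came on"
    known = DIRECTORY.get(req.requester, {})
    if ver.contact_used not in known.values():
        return "reject", "contact details not from the directory (possibly attacker-supplied)"
    if not ver.requester_confirmed:
        return "reject", "requester denies making the request"
    if now - req.received_at < HOLD:
        return "hold", "mandatory hold has not elapsed"
    return "approve", "verified out of band after mandatory hold"


def cfo_scenario() -> dict:
    """The article's CFO voicemail, as a constructed walk-through of each decision."""
    t0 = datetime(2024, 1, 15, 9, 0)
    req = Request("ceo", "voicemail", "wire", t0, amount=250_000,
                  new_beneficiary=True, callback_number="+1-555-0199")  # attacker's number
    steps = {}
    steps["no_verification"] = evaluate(req, None, t0)[0]
    # Trap 1: calling back the number left in the voicemail.
    steps["attacker_number"] = evaluate(
        req, Verification("callback", req.callback_number, True), t0)[0]
    # Trap 2: "verifying" by replying on the same channel the request used.
    steps["same_channel"] = evaluate(
        req, Verification("voicemail", DIRECTORY["ceo"]["phone"], True), t0)[0]
    # Correct: directory number, different channel, but the hold has not elapsed.
    good = Verification("callback", DIRECTORY["ceo"]["phone"], True)
    steps["directory_before_hold"] = evaluate(req, good, t0 + timedelta(hours=1))[0]
    steps["directory_after_hold"] = evaluate(req, good, t0 + HOLD)[0]
    # The real CEO, reached on the directory number, says they never asked for it.
    steps["ceo_denies"] = evaluate(
        req, Verification("callback", DIRECTORY["ceo"]["phone"], False), t0 + HOLD)[0]
    return steps


if __name__ == "__main__":
    for step, decision in cfo_scenario().items():
        print(f"{step:24s} -> {decision}")
```

The ordering of the checks is deliberate: the directory check runs before the hold, so a callback to an attacker-supplied number is rejected outright rather than merely delayed, and a denial from the real requester ends the request instead of leaving it parked in a queue where someone might later release it.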
Final Thoughts
While your security measures and tech controls may be advanced and sophisticated, the risk of human manipulation still exists. Familiarising yourself with the 3N model and recognising how cybercriminals exploit it can enhance your security initiatives and
reduce the impact of such threats. Your most important security asset isn’t your technology. It’s your people.