Understanding Misinformation and Disinformation  

Similar words, but different meanings:

Misinformation refers to false information shared without specific harmful intent – like sharing posts without checking sources or passing on information as fact when you are not fully informed.

Disinformation differs in that it is false information deliberately spread to deceive and cause harm.  

While you may have heard these used interchangeably, the intent behind disinformation is much more sinister, and the implications in cyber security are significant.

Exploiting the human factor

It may not seem that disinformation is a serious threat to cyber security – as traditional cyber attacks are done digitally and commonly attack network vulnerabilities – however, misinformation and disinformation can exploit the human factor, using fake information to leverage cognitive biases and fallacies. These tactics can manipulate perceptions and create false narratives, leading to real-world consequences. For instance, disinformation campaigns can trigger public unrest or manipulate stock prices, demonstrating their potential for significant damage, whereas misinformation can lead to an undereducation (or perceived education) on subjects that are important.

The intersection with cyber security

How does one use misinformation and disinformation in an attack? In the cyber security landscape, they're often tools used in phishing and social engineering attacks.  

Disinformation can overwhelm the public with a barrage of false data, reminiscent of a Distributed Denial of Service (DDoS) attack but aimed at people. This (dis)information can spread exponentially in near real time thanks to social media and influencer participation. When used in conjunction with the government and other authoritative offices, rumours and outright falsehoods can shape public opinion, making this issue a shared battle with cyber threats. The disinformation can then be used as fact in angler phishing – a type of phishing that targets social media users – or as rapport building in phishing emails.

Misinformation can also harm and shape opinions through the anchoring/heuristic bias: when wrong information is shared with people who have that bias, they will compare all further data to that original source and discard anything in opposition, like an echo chamber.

Strategies for mitigation

Lessons from journalism can be applied to cyber security when combating misinformation and disinformation. When breaking a story to the world, there is generally a best practice of fact or story verification used by the news agency to vet the information being distributed. Not every system is perfect, just as the human factor in social engineering can never be completely solved; however, a process for verification must be in place.

Techniques such as S.I.F.T (Stop, Investigate, Find, Trace), where multiple layers of controls are applied to fact check and trace the claims of the information, can be used to manage and combat these information threats. If your process does reveal that the information isn't what it seems, it's a good idea to report it to the site administrators and not interact with the content at all (such as liking or sharing).

As cyber threats evolve to include de-centralised attacks such as those spreading disinformation, so must our educational strategies to counter them. Combatting cognitive bias, understanding the psychological reasons we believe distributed information, and learning how to spot 'fake news' are the first steps.

For a demo of our new Misinformation and Disinformation course, or a peek at our platform and phishing simulations, contact us today.