Al Fattaah Muhammad Syah Fisabilillah, MBA, QRMA
Aldi Ardilo Alijoyo, MBA, QRMP, CGP




People nowadays use technology more and more frequently, but only a few of them are aware of the risks they face. When you use technology for a purpose such as shopping, you may not realise that you are actually putting your personal information into a platform – and into a database. This personal information could come in various forms, e.g., your full name, your birth date, ID card number, credit card number, etc. This situation could definitely harm you if you are not aware of the cyber risk. Even when you shop at a trusted marketplace where the security of your personal information is guaranteed, there is no one-hundred-percent guarantee that nobody will breach its security system – this is called a hacking activity.

Hacking activities could come in a simple form, such as a malicious attempt to disrupt the normal traffic of a targeted server, service, or network by overwhelming the target or its surrounding infrastructure with a flood of internet traffic. They could also come in a more complicated form – malicious software installed on someone else's device without their knowledge to gain access to personal information or to damage the device, usually for financial gain.



Generally speaking, someone who carries out hacking activities is called a hacker – and there are several types of hackers that we should know of, i.e., the black hat hacker (evil doer), the white hat hacker (saviour), and the grey hat hacker (opportunist).

Firstly, the black hat hacker, often called the bad guy, is a type of hacker who uses their skills with malicious intent: to steal someone's personal information for money, knock a computer system offline, or even destroy it. Moreover, this type of hacker loves to see their work and name published in the news, and they often leave traces after their hacking activities.

Secondly, the white hat hacker is one who does ethical hacking. They usually use their skills to defend an organisation's or company's security system. In fact, many of them are also paid by governments to secure their country's classified information, or even to dig out classified information from another country – and companies very often hire them as cyber security staff to defend their infrastructure against hacking activities.

Thirdly, the grey hat hacker is someone who could be called either a security specialist or a cybercriminal. These hackers use their skills based on the opportunities they get – they could be a nice guy and a bad one at the same time. So, if somebody is willing to pay them for a lousy cybercrime, they would do it.



In the post-digitalisation era, many companies struggled with IT infrastructure that had a minimal level of security. Nowadays, having learnt the hard lesson, many of them have built strong and cyber-resilient infrastructure. Notwithstanding this strength and the defence systems, bad hackers will still look for a weak spot through which to penetrate the system. The most common weakness in a well-built system is the human itself.

We humans are very aware that we can read the emotions of others, since we are emotional and social beings. Knowing that, bad hackers usually "trick" the victim by leveraging the emotional side of a human and our very own judgement biases – usually emphasising fear, greed, curiosity, helpfulness, and urgency. It ranges from phishing attacks, in which victims are tricked into providing confidential information; to vishing attacks, where an urgent and official-sounding voicemail or phone call convinces victims to act quickly and ignore some security procedures; to physical tailgating attacks that rely on trust to gain physical access to a certain building or room.
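The emotional levers listed above (fear, greed, curiosity, helpfulness, urgency) are also what a defender can look for in a suspicious message. The following Python scorer is an added example, not code from the article or its authors: it counts which levers a message leans on, weights an outright request for credentials or identity data more heavily, and adds the two structural tells that usually accompany a phishing lure – a Reply-To address on a different domain than the sender, and link text that looks like one address while pointing at another. The message format (a dict with `from_addr`, `reply_to`, `subject`, `body`, `links`), the lure vocabulary, the weights and the threshold are all assumptions chosen for this example, and the two sample messages are constructed, not real captures.

```python
"""Heuristic social-engineering cue scorer (added example, not the article's code).

Flags e-mail text that leans on the emotional levers the article names
(fear, greed, curiosity, helpfulness, urgency) together with the structural
tells that commonly accompany them. All patterns, weights and samples below
are constructed assumptions for illustration.
"""
import re
from urllib.parse import urlparse

# Constructed lure vocabulary, one list per emotional lever named in the text.
LURE_PATTERNS = {
    "urgency": [r"\burgent(ly)?\b", r"\bimmediately\b", r"\bwithin \d+ hours?\b",
                r"\bact now\b", r"\bexpires?\b"],
    "fear": [r"\bsuspended\b", r"\bunauthori[sz]ed\b", r"\blocked\b",
             r"\blegal action\b", r"\bterminated\b"],
    "greed": [r"\bprize\b", r"\bwinner\b", r"\brefund\b", r"\bbonus\b", r"\bfree\b"],
    "curiosity": [r"\bconfidential\b", r"\bsee (the )?attached\b", r"\byou won'?t believe\b"],
    "helpfulness": [r"\bcan you help\b", r"\bplease assist\b", r"\bquick favou?r\b"],
}

# Direct asks for the personal data the article says ends up in databases.
CREDENTIAL_PATTERNS = [r"\bpassword\b", r"\bverify your (account|identity)\b",
                       r"\bcredit card( number)?\b", r"\bid card( number)?\b",
                       r"\bconfirm your details\b"]

# Anchor text that itself looks like a web address.
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


def _host(url):
    """Return the lower-cased host part of a URL, or '' if it has none."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def _domain(addr):
    """Return the domain part of an e-mail address, lower-cased."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def score_message(msg):
    """Score one message dict and return (score, reasons).

    msg keys (constructed for this example): from_addr, reply_to, subject,
    body, links (list of (anchor_text, href) tuples).
    """
    text = f"{msg.get('subject', '')}\n{msg.get('body', '')}".lower()
    score, reasons = 0, []

    # 1. Each emotional lever present adds one point.
    for lever, patterns in LURE_PATTERNS.items():
        if any(re.search(p, text) for p in patterns):
            score += 1
            reasons.append(f"lever:{lever}")

    # 2. Asking outright for credentials or identity data weighs more.
    if any(re.search(p, text) for p in CREDENTIAL_PATTERNS):
        score += 2
        reasons.append("credential_request")

    # 3. Reply-To on a different domain than From is a classic tell.
    from_dom, reply_dom = _domain(msg.get("from_addr", "")), _domain(msg.get("reply_to", ""))
    if reply_dom and reply_dom != from_dom:
        score += 1
        reasons.append("reply_to_domain_mismatch")

    # 4. Anchor text that looks like a URL but the href goes somewhere else.
    for anchor, href in msg.get("links", []):
        if URL_LIKE.match(anchor.strip()) and _host(anchor) != _host(href):
            score += 2
            reasons.append(f"link_mismatch:{_host(anchor)}->{_host(href)}")

    return score, reasons


def verdict(msg, threshold=4):
    """Classify a message; the threshold is a tuning choice, not a standard."""
    score, reasons = score_message(msg)
    label = "likely social engineering" if score >= threshold else "no strong cues"
    return label, score, reasons


# Constructed samples: one urgency/fear lure with a disguised link, one benign note.
PHISH = {
    "from_addr": "security@examplebank.com",
    "reply_to": "helpdesk@mail-verify.example",
    "subject": "URGENT: your account has been locked",
    "body": "Unauthorised access was detected. Verify your account within 24 hours "
            "or it will be suspended. Click https://examplebank.com/verify",
    "links": [("https://examplebank.com/verify",
               "https://examplebank.com.mail-verify.example/login")],
}
BENIGN = {
    "from_addr": "alice@example.org",
    "reply_to": "alice@example.org",
    "subject": "Lunch on Thursday?",
    "body": "Do you have time for lunch on Thursday? Same place as last time.",
    "links": [],
}

if __name__ == "__main__":
    for name, m in (("phish", PHISH), ("benign", BENIGN)):
        print(name, verdict(m))
```

The constructed phishing sample scores on two levers (urgency and fear), a credential request, the Reply-To mismatch and the disguised link, well above the threshold, while the benign note scores nothing. A keyword scorer like this is deliberately simple: it is the kind of rule that belongs in an awareness exercise or as one signal in a mail filter, and its false positives (a genuine "free lunch" would trip the greed list) are exactly why the article argues that trained people, not rules alone, decide the outcome.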

It may look a bit silly to be fooled by that, but victims are plentiful. The real attack may not be as obvious as the Nigerian prince scams. Those scams are usually deliberately built that way, to lessen our awareness of the real scam. Most people do not really know when they have been hacked by social engineering; they only find out when the consequences come up.



Joanna Huisman said in 2019 that people affect security outcomes more than technology, policies or processes. The market for security awareness is driven by the recognition that, without perfect cybersecurity protection systems, people play a critical role in an organisation's overall security and risk posture. Furthermore, protecting against social engineering attacks requires a focus on changing behaviour.

The critical role Huisman pointed out can be defined by the inherent strengths and weaknesses of people's ability to learn and their vulnerability to error, exploitation and manipulation. One small human-error cyber risk can lead all the way to the core database of the company. A hacker needs only one small opening in the company's security system to enter and gain access to sensitive and confidential information.

One of the most fundamental things you can do to change people's behaviour is to change their mindset – and specifically in regard to cyber security, it is crucial for people in the organisation to recognise the power of ego. Each of us wants to believe that we would never be tricked or scammed by a social engineering attack. However, it is human emotion and nature to be subtly deceived and tricked by hackers into acting. Therefore, a cyber security training and awareness programme is far more important and urgent than solely focusing on building a sophisticated security system.

Cyber security is not only about your company's IT security system; it should also be implemented with a people-centric approach.