Cybersecurity success has always depended upon more than technology alone.
It requires techniques, tactics, and procedures, which in turn rely on imagination, problem-solving, and perseverance. Such mental acuities can be trained, and they can be exploited. And sometimes, the day-to-day psychological struggles of the job take their toll.
The mental aspects of cybersecurity often fail to receive the industry attention they deserve, so it was heartening that they were the focus of several fascinating sessions at Black Hat USA 2020.
Improving security awareness training with SafeMind
In a talk on evaluating and augmenting user resilience to social engineering attacks, Ben Gurion University researcher Ron Bitton highlighted how adversaries have ramped up their efforts. He noted that their techniques range well beyond phishing, and their target platforms often include mobile devices and social media networks.
With users facing an increasingly wide variety of cybersecurity threats, Bitton asserted that security awareness training often fails to prepare users for the full breadth of the threat spectrum. While a user may know how to sidestep one type of attack, according to Bitton, it is common for that user to lack the skills needed to mitigate other types of attacks.
To address the problem, Bitton discussed SafeMind, an emerging methodology and accompanying automated, scalable and objective framework for continuously evaluating the resilience of users to specific types of social engineering attacks.
Bitton asserted that SafeMind improves security awareness training, namely through an ongoing effort to analyze new social engineering case studies, identify the human-factor vulnerabilities that were exploited, and teach users more effectively using a broad set of criteria covering more than 30 techniques.
Users aren't always thrilled about security awareness training. Attempting to instruct them on dozens of different techniques can cause them to feel overwhelmed and become disinterested. However, an approach that encourages users to understand and consider risk in all contexts when making cybersecurity-related decisions is perhaps a more realistic approach.
Solving cybersecurity, one puzzle at a time
In his session at Black Hat USA 2020, PwC UK researcher Matt Wixey shared his passion for puzzles and riddles, and how what seem like fun and games can actually train the mind to take on the problems of cybersecurity.
Wixey, who has spent more than two years creating puzzles and riddles designed specifically for cybersecurity professionals, said successful high-level cognition boils down to problem-solving skills, such as understanding the scope of a problem and determining how to reach a solution through searching or calculation.
Information security problem solving is particularly challenging, Wixey noted, because of its knowledge-rich problems, meaning they often require acquisition of knowledge from sources outside of the problem itself.
Wixey advocates the use of a wide variety of puzzles and riddles to train the mind to better solve cybersecurity problems with a variety of techniques and strategies, including how to identify various types of problem schemas, and how to weigh individual biases such as experience bias and confirmation bias.
Effective problem-solvers often share a number of common attributes, such as open-mindedness, thinking "outside the box" or taking creative approaches, willingness to assimilate new information, curiosity, and stubbornness.
Exercising the mind is arguably just as important as exercising the body, and Wixey's gamification of problem-solving skills is a positive approach. Organizations should consider whether offering various types of puzzles and riddles can augment training, especially as a group exercise that can also build camaraderie among a team that must work together effectively to achieve successful outcomes.
A different kind of front-line worker
Despite the many positive and rewarding aspects of a career in cybersecurity, it can also take its toll.
In his Black Hat USA 2020 session, Securosis CEO and analyst Rich Mogull shared how lessons from his 20-plus-year career as a paramedic and emergency first responder have helped him learn how to overcome the mental and emotional challenges cybersecurity professionals face.
Cybersecurity and emergency medicine actually have quite a bit in common, Mogull said, such as highly technical requirements, rigorous training, high-pressure decision making, and the need for ongoing education.
Not surprisingly, Mogull added, workers in both fields face huge problems related to mental health, and specifically burnout. He said that in cybersecurity, like emergency medicine, the job is never done. Over time, facing the same challenges repeatedly makes workers feel like they are pushing a heavy boulder uphill, but can never reach the top.
Mogull said it is common for new cybersecurity practitioners to be highly enthusiastic in the first few years of their careers, excited by the challenge and eager to learn new skills, and then to feel burned out a few years later.
For those earlier in their careers, Mogull advised identifying good role models with a positive mindset, and avoiding poor "Han Solo" types who have rigid thinking, a lack of empathy, and a survival mindset due to burnout.
He also recommended internalizing key processes and procedures by relying on checklists to avoid mistakes, embracing the positive side of challenges through the opportunity to learn continuously, and fighting against biases such as blaming the user who unknowingly clicks on that phishing URL.
Mogull also strongly advocated for the importance of mindfulness and process as the foundation of good mental health. That includes exercise, a good diet, and getting enough sleep; building a peer-support system that can help in tough times; and contributing to a positive workplace culture where fun is OK, vacations are encouraged, and toxic attitudes are addressed and avoided.
Indeed, cybersecurity's mental challenges aren't going away. And in a time when the combination of economic, health, and other societal stressors often seems overwhelming, the cybersecurity industry must continue to emphasize the importance of mental health. Talking about it openly and regularly will reduce the stigma associated with it, and reinforce the importance of good mental health practices, as well as getting help when needed.
Kudos to Black Hat USA 2020 and its presenters for all of these sessions. They are a good start. Let's keep it going.