
A Psychological Approach to Cyber Security

Hey, everyone! Here is my blog on approaching Cyber Security from a psychological perspective. I consider this intersection to be the marriage of a non-technical field to a technical field. I hope you enjoy the blog and be sure to check out my Twitter page @hackrmanblog and my site hakrman.wordpress.com for more of my blogs!

-Rocky, @hackrmanblog 

It’s no secret that I’m passionate about Cyber Security. So naturally, I do what any other person obsessed would do: listen to podcasts whenever I get the chance. This past Monday, I was walking from my campus to the train station while listening to an interview on Recorded Future with Myke Cole. Little background on Myke Cole: he’s a famous author and has experience working in Government Intelligence. The part of the interview that stuck out to me was when Cole discussed the understanding, goals and motivations of cyber-terrorists. This was the catalyst for my blog.

I did my undergrad study in psychology before I started my Master’s degree in Cyber Security. The psych background has given me some strong analytical and interpersonal skills, and those abilities have come in handy in my cyber security studies. I call this my non-technical approach to a technical field. Now, if I claimed to know how cyber-criminals think, that would be an overestimation of my ability, but I’d say that my psychology background helps me have a better understanding of their motivations.

To be honest, I kind of love to show off my psych skills every now and then, especially at my favorite place, the Hookah Lounge. So, when I talk to someone new, I might bring up how passwords can be easily cracked just by analyzing a person’s interests, or by using information and pictures from a person’s social media. An illustration of this is my friend “Stacey” and her Facebook profile. She has a picture of herself with Chicago Cubs fans. We can assume that her love for the Cubs or something to do with the team (i.e., players, numbers, and important dates in Cubs history) could be a potential password selection. Stacey also likes to watch superhero movies, so maybe her password might correspond to her favorite hero or villain. The process becomes a lot easier with password policies that require special characters, because passwords become more predictable under these rules. By combining these with her interests, voilà, we can have an idea of what password she uses. She told me I was close and that her password had to do with a hobby of hers that she did with her Dad when she was younger.

Now, this doesn’t make me or anyone the Criss Angel of password cracking, but it does provide a good idea of how to improve company password policies. I want to expand this to also encompass cyber-crime, cyber-terrorism, threat analysis, etc. We begin to understand that stopping this from a cyber security perspective becomes a lot easier when we become empathic and aware of the factors that can help us understand a group’s motives and what really drives its members to commit malicious acts. Various factors, such as social media behavior patterns, socio-economic status, and past criminal background, can provide us with clues. However, even with enough data, we are still unsure of when and where cyber-attacks will originate. As Batman says, “It’s never easy dealing with the Joker.” Understanding where, what, and why our Joker attacks their target will greatly change how we protect our assets and infrastructure within the cyber-security landscape. This helps us Cyber Security professionals to stay a few steps ahead of the adversary and sometimes even be able to checkmate them before any damage occurs.

Conclusion

The main point is that by using a psychology-based approach to Cyber Security, we can develop a better understanding of behavioral patterns. I used my friend and her Facebook to illustrate that her behavior and interests provided me clues to deduce her password. Taking that a step further and applying it to our Cyber-Adversaries, the concept still holds. To understand why the cyber attack has occurred, we must understand the motives of the attacker. The psychology of the attacker and being empathetic will help us anticipate them and ultimately defend against them. I believe that being mindful of this approach will help us to protect critical infrastructure against our adversaries.
