Cyber Warrior: Who is Behind the Cyber Shield?
Global digitalization has shifted services for modern society into cyberspace. This advancement has created a high need for cyber specialists who develop security strategies, handle cyber incidents, ensure compliance with legal frameworks, design architecture solutions, patch critical systems, and do all other cybersecurity-related work as defined in various known cybersecurity role frameworks, such as ECSF by ENISA.
We are Hiring!
Various reports announce that 3.5 million cybersecurity positions will remain unfilled in the near future. The industry and public sector are recruiting personnel with transferable skills that help them fit cybersecurity-related positions. But at the same time, a high number of professionals leave their roles due to burnout caused by various stress factors, for example:
- staff shortage
- long working hours
- budget constraints.
Paradoxically, at the same time job satisfaction for cybersecurity practitioners is rather high and they are passionate about their mission. Nevertheless, employees feel that staff shortage puts their organisations at moderate or extreme risk of a cyber attack. Thus, it is important to develop strategies and apply suitable methods that demonstrate the diversity of cybersecurity positions to the general public.
To recruit new people, one could for example:
- try out new recruitment schemes
- invest into diversity and inclusion initiatives
- hire based on the soft skills applicants possess
- allow applicants to re-qualify for cybersecurity.
It is, however, easier to recommend recruitment schemes for people with soft skills than to actually create accessible career paths into cybersecurity.
- What is the golden recipe to identify the person who does not know about their destiny to be a perfect cyber warrior?
- Which personality traits could build a shield of resilience against cyber attacks and job-related stressors?
Reality and Close-to-reality Gamification
The general public imagines a cybersecurity specialist as a good person fighting bad persons by applying mainly technical skills. Thus, most cyber defence exercises, for example, Red against Blue team, focus on simulating computer network infrastructure and its defence by hardening the system and analysing threat intelligence information to detect and prevent attacks.
In these exercises, scoring balances between hard (availability, defence, etc.) and soft (reporting) parts. Of course, success depends on good team leadership, cooperation with other teams, and individual efforts. But the last factor usually still stays unevaluated and unmapped to the soft skill set. Individual capture-the-flag activities demonstrate individual results, but evaluators can only infer the impact of personal traits from the primary result as such.
Without a doubt the achiever demonstrates knowledge and persistence during the activity. But will persistence and successful problem-solving be demonstrated if adversaries find and exploit human weakness (addiction, impulsive decision-making) to execute the attack? It is a fun activity to hunt intruders and, for example, find the installed beacons in the simulated systems of a gamified event. Yet, under real circumstances, tracing an adversary that is one or more steps ahead can be a real pain and lead to a local catastrophe.
In the cyber kill chain, the human can be a tool or a target. Many incidents occur because of a human mistake: opening phishing links, executing malicious files, forgetting temporarily moved unprotected backups, or configuring a firewall with an accidental mistake in a rule. No doubt the fast life of a modern society impacts digital behaviour, and humans are at the centre in cyberspace!
A human is not a cyborg.
Humans have emotions and natural reactions to the environment, and these can awaken unsafe behaviour patterns even for highly self-controlled people that have good digital habits.
- Do we pay enough attention to behavioural patterns and personality traits when planning training or educational modules?
- Can we help specialists recognize personal weaknesses to strengthen them as professionals that have to work under stressful conditions?
Measuring the human or soft skill part is a challenge in an educational or professional training environment. Cybersecurity exercises aim to improve skills or test procedures, and recent research about cyber defence exercises focuses on learning aspects. However, most competence, role, professional, and organisation frameworks lack behavioural aspects such as psychological safety.
In exercise feedback, we notice that participants appreciate a cosy atmosphere, timely information, coffee breaks, and a possibility to network. These factors demonstrate the importance of psychological safety, which leads to higher engagement, proactive decision-making, and other factors that in turn promote successful team performance, largely because individuals feel safe.
And… Human Genomics
Human genomics contributes to individual behaviour and personality development even if the environment the person lives in makes a very strong impact. Research demonstrates correlations between some gene variants and behavioural characteristics such as addiction or impulsivity.
People develop behaviour characteristics and build habits, but under stressful circumstances we are who we are. Thus, multidisciplinary solutions could help an individual understand and identify personal traits and develop training paths to minimise the negative impact and employ the potential of a given personality trait.
What are the Needs of the Cyber Warrior?
If the individual and organisational resilience also depends on the soft skill set including behavioural characteristics, it looks as if the strategy is clear: define the skill set and use it in training or education.
However, the first part is not so easy to achieve. First, we will have to investigate whether there are any characteristics common to the professionals in order to build a model of a cyber warrior.
The ADVANCES project aims to investigate cybersecurity workforce development and personal improvement from the perspective of information technologies, psychology, and human genomics. The research was approved by the Bioethics committee to gather and analyse data, including genetic data. The complex results of the control group and cybersecurity specialists are being analysed.
Let us leave result analysis and discussion for a later post.
This write-up is based on the aims, activities, and results of the international project ADVANCES. Advancing Human Performance in Cybersecurity is funded by a grant of almost €1 million from the Baltic Research Programme under the Financial Mechanism of the European Economic Area (Iceland, Liechtenstein and Norway).