There’s a saying “fight fire with fire.” This, in a unique way, applies to cybersecurity. I’m not suggesting you find the person who is attacking your network and retaliate, as that usually leads to more of the same.
What I am thinking of is more in tune with what those brave men and women are doing when they battle wildfires. Sometimes they use backfires to remove the combustible material in front of the fire, causing the wildfire to either go out or weaken to a point where the firefighters can control it. They literally fight fires with fire.
Fighting digital wildfires
Right now, in the world of cybersecurity, there is a wildfire headed our way, and we are the combustible material being used by cybercriminals to get what they want. Here’s a story that might help explain: A data center spent a lot of money putting in secured access. There was no way anyone not authorized could get in. That really did not bother the thieves who noticed employees would leave a door in the back of the building propped open, giving the thieves access to the server floor.
Another and more insidious method cybercriminals are learning to use is psychology–in particular cognitive biases. In simple terms, cybercriminals frame information so it influences their target user’s judgement and decision making. It is not all that different than the old-fashioned con game.
SEE: Mastermind con man behind Catch Me If You Can talks cybersecurity (free PDF) (TechRepublic)
What can we do to make sure the back door isn’t propped open? We can use what cognitive scientists and psychologists have learned, to remove the biases–in a sense, fight fire with fire.
It’s not going to be easy though. We have all sorts of biases that have been hardwired into us over the years–biases we may not even be aware of.
How cognitive science pertains to cybersecurity
Cognitive science is complex and involves several disciplines. Thagard, Paul, “Cognitive Science”, The Stanford Encyclopedia of Philosophy (Winter 2020 Edition), Edward N. Zalta (ed.) states, “Cognitive science is the interdisciplinary study of mind and intelligence, embracing psychology, philosophy, linguistics, anthropology, and neuroscience.”
Now, let’s examine the connection between cognitive science and cybersecurity.
Margaret Cunningham, PhD, psychologist and principal research scientist for human behavior at Forcepoint X-Labs, in her article, Beyond buzzwords – what cognitive science means to cybersecurity, looks at the various disciplines and explains what they have to do with securing cyberspace.
“Historically, the relationship between computing and cognition emerged as early as the 1950s during the cognitive revolution when behavioral-based psychological science embraced the mind and its processes,” writes Cunningham. “Today, cognitive science is an expanding interdisciplinary domain that overlaps with nearly every aspect of cybersecurity.”
Put simply, cognitive science is thinking about how humans think. Some questions one might ask are:
What does it take to think or to learn?
Does thinking simply depend on a biological process that each person experiences in isolation?
Is thinking dependent on language, relationships, experiences, or personality?
To answer the above questions, Cunningham stresses, cognitive scientists must merge and balance insights from multiple disciplines. Cunningham also points out effective cybersecurity requires multiple sources and types of information to build an understanding of digital systems and their vulnerabilities. She adds, “When challenged with a task of protecting and understanding a large and increasingly distributed system, a single indicator from a single discipline is not adequate.”
The next step is to define the various disciplines and how each impacts both cognitive science and cybersecurity.
Psychology: The discipline of psychology addresses internal and external human experiences both as individuals and in groups. Tested principles of psychology allow the experts to understand why people are susceptible to threats.
“Cybersecurity’s emerging focus on behavioral analytics and biometrics also depend on psychology, which is heavily rooted in measuring and making sense of human behavior,” writes Cunningham. “Understanding human psychology is critical for forensic investigations, constructing insider threat profiles, and to establish when to generate alerts to help with user education.”
Philosophy: This discipline explores reality and information that humans use to form belief systems about existence, learning, social systems, and ethics. Cunningham adds, “How we perceive the world–and what we believe about the world–profoundly impacts our thought processes, our ability to learn, and our behaviors.”
Interestingly, understanding cybersecurity threats, use of data and surveillance, and even the existence and locations of adversaries can be considered philosophical problems.
Linguistics: The study of language, in particular, cognitive linguistics, gives insight into how language shapes thought and understanding.
Cybersecurity is very dependent upon language. How documentation is classified and supported is completely language based, and user-generated text can identify risk factors or regulatory violations.
Anthropology: This discipline explores how humans handle shared knowledge and interpret environments–both important concepts on how people relate to the world.
An obvious example would be online social interactions. “As recent news cycles suggest, our opinions, behaviors, and understanding of global events are heavily shaped by our interactions with technology,” explains Cunningham. “Cybersecurity professionals, particularly in social media domains, can better understand the behavior of trolls and bots through cultural and cognitive anthropology.”
Neuroscience: Cognitive neuroscience looks at the biology behind thinking and cognition. It helps scientists understand neural circuits and parts of the brain used for decision making.
Every facet of the digital environment, including cybersecurity, has been impacted by neuroscience, and will continue to inspire innovations in artificial knowledge representation and reasoning (AI).
This article offers some insight into what is required to develop tools users can implement to combat cybercriminals’ psychological attacks. In a future column, we’ll look at the tools.