
Moderator: Hello, welcome everyone. I have a few brief announcements to make before we start the talk. We'd like to urge everyone to stop by the sponsors area, which can be found in the expo channel of this platform. If you visit a sponsor page, they will have resources and people available to chat about job opportunities. Also, there's an open invite to the happy hour with the BSides NoVA ticket at Punchbowl in Arlington tonight between six and nine pm; the address is 4238 Wilson Boulevard, Suite 1180. And I'm excited to announce the next talk, "Integrating the Psychological Concepts of Perception and Cognition into Cyber Practices," by Nikki Robinson. You can use the chat window to the right of the screen to ask any questions throughout the talk, and we'll take the last three to five minutes for a question and answer session where I'll read a few of the questions. So now I'd like to hand it over to Nikki. Thanks.

Nikki Robinson: Great, thank you so much. Thank you everybody for coming. I wanted to start by just saying a huge thank you to BSides NoVA for having me back again. As mentioned, I'm going to be talking about perception and cognition, specifically as they relate to cyber security.

So hello, I'm Nikki. I am currently a security architect with IBM. I'm also an adjunct professor at Capitol Technology University, so I teach everything from incident response to quantitative methods, all that good stuff. I hold a Doctorate of Science in cyber security, and I'm also working on a PhD in human factors, which is kind of how I got into the subject anyway; that should be done December this year. I have some industry certs and stuff, but the really important note here is just that I started doing this human factors research, which I'm going to get into a little bit. As a security practitioner, I started seeing some of the connections, started connecting some of those dots between psychology and human factors, which is traditionally based in UX and design. And so I started putting some of those dots together, and that's what really got my interest in doing this research and doing this presentation.

Quick disclaimer: all thoughts, feelings and views expressed in this presentation are my own; they do not reflect anybody else. And with that, I am also not a licensed therapist or psychologist. I'm not classically trained in psychology. I have a background in IT and security. I actually almost went into psychology but ended up going into IT instead, and so I've always had this real interest in psychology, and now that I'm a security practitioner I'm trying to blend those two together.

So what we're going to cover here: I'm specifically going to be covering cognition and perception as they relate to blue teamers, so specifically our network defenders. I want to talk a little bit about that before I get into cognition and perception, and then we're also going to discuss cognitive limitations. And then I'm not going to leave you empty-handed: we're going to talk about, well, what can I do about it? What can I take away back to my organization, or what can I do with this information?

All right. So if you've been in security for a while, you're probably well aware of the differences between blue teams and purple teams and red teams, but I wanted to lay the groundwork here for how I'm going to relate cognition and perception to what we do on the network defense side. So blue teamers: we're talking about our network defenders, anybody who might do incident response. You might be a SOC analyst; you might do threat hunting; you probably are doing some sort of continuous monitoring, whether that's log analysis and correlation, or you're looking at vulnerability scans. You might be looking at vulnerability reports and turning some of this information over to maybe IT operations. Maybe you're working with management, both on the IT side and the security side. Maybe you're working with engineers and developers.

So that sort of leads me to this: as network defenders, we have so much information that we're constantly taking in, right? Everything from new vulnerabilities to new types of threats, new exploitations, how people are actually exploiting the software, different IT projects. As new technology is coming in, maybe you're helping with some of the security assessments or analysis. Maybe from the security tooling side, maybe you're managing those security tools. There's a lot that blue teamers can do and possibly do, especially if you have a smaller team; you might be filling a number of these different roles within your security team. So that's why I wanted to talk a little bit about everything that blue teamers do.

So you're doing all of these things while you're probably managing alerts. You might be managing SOC alerts; you might be looking at whether someone's scanning your network; you might be reviewing all this information. So you're constantly taking in all this information, all while working with lots of different teams. As I mentioned, you might be working with IT operations, engineers, developers, management, executive management. You may have your own chain of management that's working with IT management. So there's all this layered complexity, where you need to have this technical comprehension, this technical understanding of tools and software, but you also have to have what's sort of called soft skills, emotional intelligence. You have to be able to communicate effectively. You probably need to understand how to write reports. So there's a lot that goes into being a blue teamer besides just understanding the technical components of the job.

So when I started to break all this down, and I started looking at all of this complexity and all of these things that are constantly changing (we're constantly learning), I started to think about, well, how do these psychological components affect us as network defenders?

So I'm going to start out by talking about cognition. And again, I'm not a trained psychologist, but I love research, and so I've done a lot of research on these topics, and this is sort of what I've taken away from what I've been seeing as far as research goes. With cognition, specifically, we're talking about conscious reasoning. So I love the chess example because I'm a chess player; I've been playing chess since I was, I think, six or seven, and it's a really great way to help describe what cognition means. How do I determine what the best move is? If I'm moving my pawn, if I move my pawn forward, am I moving it into a danger zone? Am I moving it into a place where it could potentially be taken? If I move it into that place where it could potentially be taken, would that actually give me an advantage? Maybe it would give me an opening to take their queen, for example. So this is all of that decision making process that we do. And for chess specifically, you're not just thinking "I've got to think several moves ahead"; maybe you need to think 10 or 15 moves ahead, but you also have to consider how your opponent is going to move. If I move here, what will my opponent do? If I move to this spot, will they be able to take my piece? So it's all of this really complex decision making that you have to do. So that's a nice way of understanding what cognition really means.

With cognition we're also talking about sensory input, and we're going to get a little bit into that as we get into perception as well, but we're talking about managing physical actions as well as empathy. So it's a really layered, complex concept in psychology, which is why I wanted to break it down.

So underneath that decision making we have fast thinking and slow thinking. Fast thinking you can think of as intuition, and especially from the cyber security side, when I think about intuition as someone who's a network defender, as a SOC analyst, I need to use my intuition to understand the alerts that I'm seeing. So for example, if I'm seeing a bunch of alerts come in at one time, maybe from the same IP, and they're just scanning a bunch of our servers, just trying to see what's out there, I can look at that, especially if I've been in the environment for a while, and see, yeah, this is kind of expected behavior; all right, I might ignore that for now unless I see something that sticks out to me. But if I start to look through these alerts and I start to see something that's an anomaly, something that looks kind of strange to me, that would also be intuition based, where I'm saying, wait a second, this one looks a little funny to me. Are they trying to drop something? Is this a precursor to potentially dropping malware, or trying to gain control of my system? So that's your fast thinking, your intuition, and how you would use that as a network defender.

Slow thinking is something I think we probably do more if we are responding to an incident. We need to use some of that intuition, but we also need to use this methodical approach. We need to consider how someone got into our system, and then maybe how far they got into the system. How many systems did they compromise? Did they compromise user accounts? How far did they get into the network? Did they elevate privileges? Did they drop malware or ransomware? So that's where you start to get into that slow thinking, that real decision making, where you're using your expertise, your knowledge, everything that you know, to help you with this methodical process. So that's more of that slow thinking, where you're taking in all of your experiences to help you make those decisions. So we're talking about blending learning and memory: we're learning new things as we're using our memory, and maybe things that have happened to us before, situations we've been in, may affect how we think about a situation. So those all play into that.

To take that down a step further, we get into metacognition. Metacognition is really interesting to me. You hear people saying, "oh, that's meta," or we're talking about metadata, things like that. It's sort of like that: it's thinking about thinking. So using metacognition is what we can do to help bring critical awareness, bring that critical component to thinking about ourselves. How do we think about our own thinking? Which is really layered, but that's where we get into becoming a better decision maker. So if we took that incident that we responded to and we want to break that down and go into that thinking (well, how did I handle this? Could I have handled it better? Et cetera), that's where you get into metacognition.

So to break this down into cyber security specifically: human factors, as I mentioned, was that UX design. How are we creating tools for our users? Specifically here, how are we creating these security tools? Are we creating them in a way that makes sense for our network defenders? The malware analysis tools, the vulnerability scanning and reporting tools: are we using them really effectively? Are we using them in a way that makes sense to our network defenders? So if I'm using a tool, let's say I'm getting a vulnerability report and it's something that I need to send to IT operations for action. Well, I can't send them a 300 page report, because as a security analyst I might understand, well, yes, you might want to sort this way or look at it this way or create a pivot table, or however you might look at that report, but from the IT operations side they might not have that depth of understanding from the security side. And so it's, how can I, as a security analyst or a network defender, think about how IT operations might use this report, to maybe make a better report? So it's taking that step back and thinking about how the user, or someone who's going to consume this document, might use it, and then how could I better create this: maybe making it smaller, maybe creating a pivot table for them so that they don't have to do it, something like that.

And then taking it from the security analyst perspective: when I'm using these security tools, am I able to use them effectively? Do I have time to configure them properly? It's one of those things that I know I've seen in my past, where you get access to these big beefy tools and we're only using like 20 percent of them as far as how much we could configure and use, because we just don't have time. We're busy; we're looking at alerts, we're writing reports, we're handling projects, we're bringing in new software, we're doing security assessments, maybe we're doing web application pen testing as well, depending on the size of your security team. So are the security tools that we're using really effective for us? Are they really getting the job done?

And then prioritizing risk management. This is something where I think cognition, and that metacognition, really comes into play. Risk management: it's the same way we talk about maturing your vulnerability management program; you can mature your risk management program or your risk management activities. And so, are we prioritizing risk properly? Are we considering the business? Are the right teams involved when we prioritize risk? Are we considering all of our assets? How are we really doing this? And I think that's what's really important, when you take that step back and say, am I thinking about this properly? Am I considering all of the problems and all the things I need to consider for a risk management program? And so I think understanding the concept of metacognition can really help improve risk management and how we think about risk management across our environments.

Employee turnover, so this is a big one. This one could possibly lead to malicious insiders, who, maybe they're getting burnt out because they have to take in all this information and they're still not able to maybe do their job effectively, because they're so burnt out and they're so tired and they've been working 12-hour days for years, and maybe they turn into, not a malicious outsider, but a malicious insider. So it's something I started considering when I was looking into cognition. It was like, oh, if we start to really understand how our network defenders are handling all of this information, all this input and all this output, maybe we can start to create a better environment for them. Maybe we can start to understand the challenges a little bit better and maybe prioritize some other things to help make their jobs easier.

So, perception. I wanted to bring this up just because, I'm not a psychologist, but there's some debate on whether cognition and perception are the same thing. I just wanted to bring that up because there is some research out there that's a little bit conflicting. But in the research I found, perception is really based on our sensory information, how we organize and interpret it. So for example, if I go to the beach and I pick up a rock on the beach and it's smooth, it's a smooth rock, that is my touch sensory telling my brain that yes, this rock is smooth; yes, that is what I am feeling on my hand. So it's all of those sensory things, like touch, sight, hearing, taste, smell; all of those things tie into perception. And that can lead us to memories of similar situations that might influence us, especially in our decision making. So it's that step down into how we actually perceive situations, what our perception means based on the situation.

Again, to take a step down, under perception there's bottom-up processing and there's top-down processing. Bottom-up processing is what's really happening in the moment: right now I am seeing something, I'm reacting to it, I'm having feelings right at this moment. So that could be, if I'm a SOC analyst, when I'm regularly looking at alerts I'm constantly digesting information all the time, and that's that bottom-up processing: I am in the moment, looking at things and handling them as I see them. Top-down processing is more about experience and relying on experience. So that's top-down perception versus bottom-up processing. To give an example of bottom-up processing, it's like if you stub your toe. Well, your toe is hitting that door, and it is sending a signal to your brain that says, oh my gosh, that hurt, my toe hurts. Whereas for top-down perception there was a really nice example with handwriting: if you're reading someone's handwriting and maybe it's a little bit sloppy or it's kind of difficult to read, if you have a full sentence from someone it's a lot easier to digest than if you just had one word. It might be harder to perceive what that word is, whereas if you have a lot more context, maybe you could make a better decision about what that person is trying to tell you. So that's the difference between bottom-up processing and top-down processing, and that again is that step down into perception and what that means.

So when I started looking more into perception in cyber security, I think there's a lot of work that needs to be done here, and I think it's worth being aware that our past experiences influence our decision making. So for example, take into account that report that we've given to IT operations. We've said, you've got to fix these 20, 30, 40 vulnerabilities, whatever it might be, on this system. Well, maybe the IT person says, you know what, I'm not doing this, because maybe I don't have time in my maintenance window, or I've pushed patches before and they've broken my system, and I'm just not doing it. So instead of taking that as a frustrating experience, it's almost like, well, how did they perceive that interaction? Have they had really bad experiences in the past with maybe someone who was in security, or maybe being told they had to apply patches and it negatively affected their systems? Maybe it took their whole system down when they applied patches; that happens all the time. Maybe they got written up because that system went down, not even necessarily their fault; they were just trying to apply these patches. So it is possible that our past experiences and our interactions, either with people or with technology, could really influence how we handle a situation.

Another great example that I think probably a lot of us can relate to is Java. Let's say I'm a developer and I'm told I have to upgrade Java because it's end of life, or it's going end of life, gotta upgrade it. And me as a developer, I'm like, no, I'm not doing that; that might take down my application. Maybe I'm going to have problems if I do that; maybe it's going to affect my customer; I'm not going to do that. And so you start to get into this: maybe they have this perception because something like this happened in the past, that their application broke or they weren't able to use the tools that they were used to using. So this perception can really play into how people make decisions, both from the security side and from the IT side.

And taking it from the security analyst perspective, maybe they had that same really bad experience with IT, where IT came back and said, no, we're not doing this, we're not doing this, we're not doing this. And so the security person has to change the way they do things, and they're just like, no, you know what, we're enforcing this now, you have to do this. And so that's when you start to have maybe some friction, or maybe the teams aren't working as well, because of this perception that maybe security is trying to push something on them and it's not being helpful, or whatever the case may be. But that perception really plays into this inefficiency in how we're potentially getting things done.

And then attention, that's another thing that plays into perception: how long can we pay attention? There's a lot of studies out there on how long we can pay attention, and if we're getting interrupted a lot (our attention span anyway might be short), and then if we're getting interrupted constantly for alerts, or for an email, or for a meeting, or for this or that, how effective are we really being? Are we able to really digest this information? So if I'm looking at log analysis, that's just another example here; it might be really tough for me to really sit down and digest this information I'm seeing in these logs, to potentially see these alerts. Maybe something malicious was coming through, but I kept getting interrupted by emails or by alerts and everything. And so it's, okay, I need to take time to understand what's going on here and how perception might affect what's going on with my log analysis.

And then the last point I wanted to make on this slide was just how we hire and train cyber security professionals. How do we perceive that person that's coming in for this job? If they don't have a certification, is our perception changed? Should it be? Things like that. So it's just something to be aware of, that maybe our perception affects us when we're hiring, or when we're maybe training people too.

Okay, so one more big note before I get into our lessons learned here: cognitive limitations. This is again a really important concept, because, just as I mentioned at the beginning, our blue teamers, our network defenders, and a lot of people in security in general, we're taking in so much information all the time. There's attacks every day, there's alerts, there's vulnerabilities, there's threats, there's APTs, there's all this information that we have to digest and put into our security programs, not to mention federal regulations and laws and guidelines and all these. So cognitive limitations are really the limits on our memory and attention, and specifically here I'm talking about technology, how it affects us in technology and cyber security. We're limited in the amount that we can visually and perceptually understand and handle, and this is just what we've got going on at work, right? Not to mention all the personal stuff and everything else that's going on in your life; this is just your job and all the things that you have to consider in cyber security. So I bring up cognitive limitations because I think it's an important concept to understand and something that can really play into what we do in cyber security, and maybe just taking that empathy and that understanding of, hey, people are processing all this information all the time; I know I can't know everything. So it's sort of just that awareness of this concept and how it might actually be playing into your cyber security program.

All right, so what can I do about it? I've got this information; now I understand what cognition and perception and cognitive limitations are. What can I do? So I'm a big fan and a big proponent of including cyber security education as part of each field, so part of everything: there should be some component of cyber security education, right? Whether you're in HR or finance, or you're going in to be an executive, you're getting an MBA, there should be some cyber security training in there somewhere. And then awareness: just knowing that psychology plays a part in our cyber security programs. I'm specifically talking about blue teams here; there are plenty of implications across other teams in cyber security too, I just wanted to hone in on that here. Consider hiring someone with a background in psychology; there's a lot of great benefits to that too. And then understanding how perceptive and cognitive limitations might affect your own teams; maybe it affects people that you work with. IT teams have this onslaught of new information, new technology all the time too. Maybe by being aware of that we can try to help increase that collaboration and communication between teams. And then think about how human factors and design can play into this; that is also super important. And again, it's just that awareness. I didn't see it until I started researching, but now I see the benefits of understanding human factors and design. So just that awareness, and go out and do some research, of course, if you're interested.

And so I think we left about four or five minutes for questions. Here's my LinkedIn information; please reach out to me if you have questions. I'm happy to talk about any of this. I think it's super interesting, and again I'd be happy to take any questions, and hopefully my moderator can help me out if there are any questions.

Moderator: Yeah, absolutely. Thank you, Nikki, that was great. We have four questions. Our first one's from Ken Connell. He asks whether you think it's a good idea for companies to use personality assessments like Myers-Briggs to inform the hiring process.

Nikki Robinson: Okay, yeah, that's a tough one, because Myers-Briggs, I think there's another test out there too, similar to the Myers-Briggs. So I don't know, because there are plenty of people that, when they take tests like that, may not be as honest; maybe not trying to not be honest, but they may not be as honest, maybe because the questions are a little intimidating. Those are really big tests for people to take. So I think it would be a little tough to base hiring someone on those tests, but that's just my first intuition on that one.

Moderator: Okay, great. Next question is: what are some good ways to practice fast/slow thinking in a cyber context?

Nikki Robinson: Oh, that's a great question, I love that. So yes, scenarios: go through tabletop exercises. That is absolutely the best way to test those things, and you can do tabletop exercises in two ways, right? You could do it in that quick, fast thinking mode, where you're trying to see if someone's intuition can find, if they're seeing a bunch of alerts really quickly, whether they can spot the anomalous one; that would be a really great fast thinking one. And then for slow thinking, doing those tabletop exercises in an incident response scenario, so that people can really understand that methodological approach to handling an incident like that, and that helps them figure out, like, oh, we could try this or try that, or I should talk to this person. So I think that might help there.

Moderator: Next one is: do you have any ideas on how to make security awareness universally available outside of organizations and local communities?

Nikki Robinson: Yes, I mean, there's a lot of free training out there. I'm kind of a big believer in, it's like if you don't know, you don't know, which is why I love doing talks like this, to try to help bring awareness. So I think it's really just trying to go out there and dive into anything that's open source.

Moderator: Okay, and finally, we may have time for this one or get booted, but are there any resources you'd recommend for anyone who'd like to learn more about this topic?

Nikki Robinson: Yes, I mean, anything from the APA, the American Psychological Association. There's a ton of great universities that have free research too, hopefully. So I would say yes, just go out there, do some research; Google Scholar is your friend.

Moderator: All right, and that's it for the questions, so thank you, Nikki, that was excellent. Appreciate it.

Nikki Robinson: Great, thank you.