How to improve human performance in the cyber security domain?
Authors: Stefan Sütterlin, Østfold University College/TalTech, Ricardo Lugo, Inland Norway University of Applied Sciences and Benjamin J. Knox, Norwegian Cyber Defence, Cyber Warfare Center/Norwegian University of Science and Technology
Cyberattacks are considered a major corporate and national threat. After the events of 2007, Estonia has very particular experience with the establishment and further development of cyber defence capabilities. Consequently, its cyberinfrastructure is characterized by ambition and resilience in the indefinite race for technological dominance over one’s adversaries. While technological progress continues to produce more sophisticated threats that need to be matched by equally rapid developments in technical cyber defence capabilities, the humans in charge of defensive cyberspace operations face ever faster changing demands on their own cognitive skills to successfully master both their own and adversarial technological capabilities.
One fundamental element in developing and maintaining good governance of cyberpower in a cyber defence context is the education of future cyber operators. Cyber operators are computer science specialists at the frontline of cyber defence and embedded in a variety of civilian, military, private or public entities to ensure the integrity of sensitive networks. Amongst other tasks, cyber operators collect and process data from computer networks in order to exploit, locate, or track targets of interest. These experts navigate in networks, perform tactical forensic analyses, and are able to execute on-net operations with the purpose of securing their cyber terrain.
It is a widespread, but nevertheless fundamental, misunderstanding to consider cyber operators as computer nerds solely requiring technical skills and knowledge that allow them to perform, for example, malware analysis, penetration tests, or the discovery of irregularities in data traffic. Research on the “human factor” in cyber defence acknowledges that technology does not exist in isolation, but that interpretations, conclusions and decisions are made by individuals or groups of humans. As such, recent research conducted by TalTech’s Centre for Digital Forensics and Cyber Security and other research groups such as PACE-CybORG investigates psychological tools that are involved in setting the conditions for successful defensive cyberspace operations.
Amongst the numerous ways psychological effects influence the outcome of cyber defence related decisions, the information exchange about recognized cyber threats is a particularly relevant one and prone to errors and inefficiencies. In areas such as aviation, acute medical care, and traditional warfare, the devastating effects of miscommunications are well documented and acknowledged. The Australian Ministry of Transportation revealed in an analysis that 70% of fatal aviation incidents result from human failure. While the relevance of human failure, and more generally the human factor, as a predictor of performance is widely acknowledged in these safety- and security-critical sectors, our knowledge about the human factor in cyber defence is still rather limited. This may be due to the fact that “human factor” appears as a rather abstract term, despite its very concrete manifestations.
As an example, a lack of procedural compliance (users of technology not adhering to existing security protocols) can entail very serious security-related consequences and can be the result of guidelines and procedures that are formulated in a highly technical, complex, and difficult to understand way. Other examples of situations promoting human failure are organizational cultures of hierarchy with low tolerance of criticism, which can lead to younger or lower ranking experts withholding critical knowledge and observations; or interdisciplinary teams that were set up without prior knowledge of each other's domains, with resulting communicative difficulties when it comes to explaining a complex situation under time pressure. Identifying these human-related sources of errors requires a systematic investigation of the circumstances that make people perform well or fail, and the development of teaching and training methods and material to reduce these risks.
Psychological research on human factors in cyber defence, however, has just begun. Frequent anecdotal evidence shows how young and highly qualified cyber operators with excellent technical skills are challenged by the need to communicate a significantly technical situation through the hierarchical chain for further decision-making by non-technical personnel. Particular technical characteristics that indicate an existing or potential cyber threat to a computer network (often displayed and presented as a “recognized cyber picture”) are typically situations of high ambiguity. The lack of reliable information, vast amounts of available and potentially irrelevant or conflicting data, combined with a lack of immediately accessible knowledge or criteria for understanding how to distinguish one from the other, evokes individual differences in perceptions, subjective interpretations, and a partially intuitive sensemaking that gets passed upwards along the command chain in the organizational hierarchy.
At the receiving end, decision-makers with less technically specific qualifications have the responsibility for the strategic implications of the decisions made. As a result, both the perception and subsequent experience-based interpretation of a given technical status, and the cyber operator’s skills in communicating with a third person, have a profound impact on the situational awareness of strategic decision-makers. It is not the technical situational status per se, but the result of its perception, interpretation, and communication by the cyber operator that shapes the decision-makers’ experienced reality. The decision-maker on the receiving end depends upon their understanding of what is, most likely, a simplified explanation communicated by the cyber operator. Simplification always requires selection, weighting, and interpretation.
Successful communication between a cyber operator and a technically less specialized decision-maker therefore requires skills on both ends. To provide meaningful information in a concise, precise, and unambiguous way, cyber operators of a lower rank need to be aware of the commander’s needs, skills, and momentary ability to process this information and draw conclusions from it. The decision-maker needs to clearly instruct the operator about their own needs and requirements and communicate with clarity and humility when something is not understood. Both communication partners need some basic knowledge about each other's “domain” and an awareness of different terms, languages and definitions, routines and, more generally, cognitive styles. These skills are not self-evident, and practising these communication skills in situations framed by high uncertainty, high risk, time pressure, and complexity poses considerable cognitive and social demands. As such, the requirement for training becomes self-evident.
The described challenges are pronounced within teams along the axis of hierarchy, between individuals and teams of different disciplines and levels of affinity towards technology, between institutions within the same societal sector (e.g., defence intelligence services and police intelligence agencies), between private entities, and between sectors (e.g., private economy and military cyber defence). The research network of PACE-CybORG has developed educational training methods in order to maximize training effects for improved communication of a recognized cyber picture, and unbiased situational awareness as a prerequisite of successful decision making. The outcome is the improved praxis of conducting defensive cyberspace operations. PACE-CybORG stands for “Performance and Cognitive Engineering - Cyber Operations Research Group” and describes an international research network including cyber defence educators, performance psychologists and cognitive scientists associated with academic, research and defence institutions. The aim is to improve human performance in defence cyberspace operations by analyzing the predictors of cyber operators’ performance and recommending teaching and training models, admission criteria and performance monitoring tools. The group is also linked to TalTech's Centre for Digital Forensics and Cyber Security.
In recent years, existing knowledge on security-relevant psychological skills related to performance under pressure in complex environments, team functioning, educational methods, design of exercises and other applications has been transferred to cyber defence education, and cybersecurity in a wider sense, and continues to play an increasingly important role in developing approaches to them.
The article was published in Edasi.org.