Eric Parizo
Black Hat USA 2020 Shines Spotlight on the Mental Challenges of Cybersecurity

Infosec practitioners face a variety of mental struggles in areas such as awareness training, problem solving, or general mental health. Several sessions at Black Hat USA 2020 highlighted these challenges and how to overcome them.

Cybersecurity success has always depended upon more than technology alone.

It requires techniques, tactics, and procedures, which in turn rely on imagination, problem-solving, and perseverance. Such mental acuities can be trained, and they can be exploited. And sometimes, the day-to-day psychological struggles of the job take their toll.

The mental aspects of cybersecurity often fail to receive the industry attention they deserve, so it was heartening that they were the focus of several fascinating sessions at Black Hat USA 2020.

Improving security awareness training with SafeMind

In a talk on evaluating and augmenting user resilience to social engineering attacks, Ben-Gurion University researcher Ron Bitton highlighted how adversaries have ramped up their efforts. He noted that their techniques range well beyond phishing, and that their target platforms often include mobile devices and social media networks.

With users facing an increasingly wide variety of cybersecurity threats, Bitton asserted that security awareness training often fails to prepare them for the full breadth of the threat spectrum. While a user may know how to sidestep one type of attack, according to Bitton, it is common for that same user to lack the skills to mitigate other types of attacks.

To address the problem, Bitton discussed SafeMind, an emerging methodology and accompanying automated, scalable, and objective framework for continuously evaluating the resilience of users to specific types of social engineering attacks.

Bitton asserted that SafeMind improves security awareness training, namely through an ongoing effort to analyze new social engineering case studies, identify the human-factor vulnerabilities that were exploited, and teach users more effectively using a broad set of criteria covering more than 30 techniques.

Users aren't always thrilled about security awareness training. Attempting to instruct them on dozens of different techniques can leave them feeling overwhelmed and disinterested. An approach that instead encourages users to understand and weigh risk in every context when making security-related decisions is perhaps more realistic.

Solving cybersecurity, one puzzle at a time

In his session at Black Hat USA 2020, PwC UK researcher Matt Wixey shared his passion for puzzles and riddles, and how what seem like fun and games can actually train the mind to take on the problems of cybersecurity.

Wixey, who has spent more than two years creating puzzles and riddles designed specifically for cybersecurity professionals, said successful high-level cognition boils down to problem-solving skills, such as understanding the scope of a problem and determining how to reach a solution through search or calculation.

Information security problem solving is particularly challenging, Wixey noted, because its problems are knowledge-rich: they often require acquiring knowledge from sources outside the problem itself.

Wixey advocates the use of a wide variety of puzzles and riddles to train the mind to better solve cybersecurity problems with a range of techniques and strategies, including how to recognize different types of problem schemas and how to account for individual biases such as experience bias and confirmation bias.

Effective problem-solvers often share a number of common attributes: open-mindedness, "outside the box" or creative thinking, a willingness to assimilate new information, curiosity, and stubbornness.

Exercising the mind is arguably just as important as exercising the body, and Wixey's gamification of problem-solving skills is a positive approach. Organizations should consider whether offering various types of puzzles and riddles can augment training, especially as a group exercise that also builds camaraderie within a team that must work together to achieve successful outcomes.

A different kind of front-line worker

Despite the many positive and rewarding aspects of a career in cybersecurity, it can also take its toll.

In his Black Hat USA 2020 session, Securosis CEO and analyst Rich Mogull shared how lessons from his 20-plus-year career as a paramedic and emergency first responder have helped him learn how to overcome the mental and emotional challenges cybersecurity professionals face.

Cybersecurity and emergency medicine actually have quite a bit in common, Mogull said, such as highly technical requirements, rigorous training, high-pressure decision making, and the need for ongoing education.

Not surprisingly, Mogull added, workers in both fields face serious mental health problems, and specifically burnout. In cybersecurity, as in emergency medicine, the job is never done. Over time, facing the same challenges repeatedly makes workers feel as though they are pushing a heavy boulder uphill and can never reach the top.

Mogull said it is common for new cybersecurity practitioners to be highly enthusiastic in the first few years of their careers, excited by the challenge and eager to learn new skills, only to feel burned out a few years later.

For those earlier in their careers, Mogull advised identifying good role models with a positive mindset and avoiding the "Han Solo" types who exhibit rigid thinking, a lack of empathy, and a survival mindset brought on by burnout.

He also recommended internalizing key processes and procedures by relying on checklists to avoid mistakes, embracing the positive side of challenges as an opportunity to learn continuously, and fighting biases such as blaming the user who unknowingly clicks on that phishing URL.

Mogull also strongly advocated mindfulness and process as the foundation of good mental health. That includes exercise, a good diet, and enough sleep; building a peer-support system that can help in tough times; and contributing to a positive workplace culture where fun is OK, vacations are encouraged, and toxic attitudes are addressed rather than tolerated.

Indeed, cybersecurity's mental challenges aren't going away. At a time when the combination of economic, health, and other societal stressors often seems overwhelming, the cybersecurity industry must continue to emphasize the importance of mental health. Talking about it openly and regularly will reduce the stigma associated with it and reinforce the importance of good mental health practices, including getting help when needed.

Kudos to Black Hat USA 2020 and its presenters for all of these sessions. They are a good start. Let's keep it going.

Eric Parizo supports Omdia's Cybersecurity Accelerator, its research practice supporting vendor, service provider, and enterprise clients in the area of enterprise cybersecurity. Eric covers global cybersecurity trends and top-tier vendors in North America. He has been ...
