Social science research and social science principals are incredibly important for any career in cybersecurity. Professionals require these to help them navigate the intricacies of their daily routines. Tasked with choosing a cybersecurity career to prove this, I chose the role of a Vulnerability Analyst/Pen Tester. I learned in Mod 1 that this career is one of the top cybersecurity careers in VA, which is one of the reasons I feel this career would be perfect to speak to in regards to its connection with social science principles and research.
In mod 2 we discussed both empiricism and ethical neutrality and both of these are pivotal in the daily lives of a Vulnerability Analyst/Pen Tester. Vulnerability Analyst/Pen Testers use empiricism to dig into real data and evidence to analyze systems to find weaknesses. They basically build their assessments using concrete information and data from past incidents. Vulnerability Analyst/Pen Testers also must show ethical Neutrality regularly to show that their assessments are unbiased and fair. Supported by the Hacker Manifesto, it touches on the ethics of a hacker and the subcultural rules of what they do and why they do it. This aligns well with the Vulnerability Analyst/Pen Testers career as they utilize these values to ethically hack into companies systems to identify security risks.
Vulnerability Analysts/Pen Testers also need to actively recognize the more human aspects of cybersecurity incidents. In later chapters we reviewed a study showing 90% of all security incidents are not technological errors, but human errors. Due to this Vulnerability Analyst/Pen Testers need to apply principles from victimology to understand and address the behaviors that contribute to these vulnerabilities. On this same token, Vulnerability Analyst/Pen Testers also utilize different psychological theories applicable to cyber offending, including psychodynamic theories, cognitive theories, behavioral theories, and personality theories to better understand how and where humans might behave in instances that could result in a gap of security and how nefarious people might exploit that.
Vulnerability Analysts/Pen Testers need to keep an eye out for all types of security gaps. One of the most common risks are phishing attempts at an organization. In Mod 10 we talked about phishing techniques and social engineering, and both of these two directly influence the day-to-day activities of Vulnerability Analysts/Pen Testers. You see, understanding the psychology aspects behind phishing attempts is essential for creating an effective and robust security framework. People who work in these careers use these insights from psychology to anticipate and react to human errors. This only further backs up concern of impact that human factors have in security incidents.
As you can see there are a tremendous amount of ways that security gaps are created, it’s important to discuss how they are tested. There are many ways Vulnerability Analysts/Pen Testers test the effectiveness of cybersecurity measures, using quasi-experimental methods are not uncommon in these evaluations. In Mod 6 we learned about The Risk Triangle, Vulnerability Analyst/Pen Testers use this as a guideline for their assessments of an organization’s three main pillars of cybersecurity, to more holistically understand their overall approach to risk management.
On to the impact of paradigms! In Module 8 I learned about the three main sociological paradigms: Structural Functionalism, Conflict Theory, and Symbolic Interactionism. From my research, It’s apparent that Vulnerability Analysts/Pen Testers engage with these paradigms to understand the social structures that impact cybersecurity. With Structural Functionalism, Vulnerability Analysts/Pen Testers look at how things function in each of its parts (people, hardware, and software) and they use this to help them navigate how each part functions together and impacts security to identify potential weak spots. With Conflict Theory, Vulnerability Analysts/Pen Testers assess potential conflicts between users to better understand which might lead to security issues. And with Symbolic Interactionism, Vulnerability Analysts/Pen Testers are constantly paying attention to how people interact with security measures. They might look at how users create passwords and manage them. Through understanding the symbolic meaning of actions Vulnerability Analysts/Pen Testers can anticipate potential vulnerabilities.
Additionally, there’s something to be said on cybersecurity culture as discussed in Mod 9. As discussed above, a strong ethical background is a cornerstone value for Vulnerability Analysts/Pen Testers. Every day, they have to deal with the ethical side of their job while finding weaknesses in systems. This means regularly using ideas from sociology and psychology to understand how cybersecurity rules affect the culture of an organization. All in all, that means they are making sure that the security enhancements they identify fit in with what’s normal in society while simultaneously following the law.
We talked a great deal about the NIST framework and later the NIST Risk Management Guide for IT Services and as well as the overall economic impacts of cybersecurity, a crucial aspect for Vulnerability Analysts/Pen Testers. Since their careers revolve around risk mitigation, they actively contribute to minimizing economic risks associated with potential cyber threats. This aligns with economic theories discussed in class. Take the Classical Economic Theory for example, it suggests that if everyone does what they are best at the economy will work well. So Vulnerability Analysts/Pen Testers regularly focus on letting each part of a system or organization do what it’s best at to improve overall cybersecurity. Additionally we could loop in the connection to the Keynesian Economic Theory as well which basically supports that the government needs to step in to keep the economy stable. Vulnerability Analysts/Pen Testers might support interventions or regulations when it comes to cybersecurity, especially if they see potential risks that organizations might not handle well on their own. Take for instance a Vulnerability Analysts/Pen Tester sees an organization is not SOC 1 or SOC 2 compliant, they might push for these regulations for an organization after identify the security gaps.
We learned that there are many reasons for cybercrime, breaches of cyber and criminal law, and the motives for hacking in Mod 12 and I think these are all on target for the daily life of Vulnerability Analysts/Pen Testers. Their role isn’t just about running technical assessments its also about understanding the intentions fueling potential hackers. Examples like recreation, fame, revenge, and money, Vulnerability Analysts/Pen Testers merge their technical knowledge with a thorough understanding of criminal behavior.
To sum it up, because Vulnerability Analyst/Pen Tester careers merge the already thin line of tech knowledge and social science, which goes to say you cannot have one without the other. Their daily career revolves around defending information systems, through the ethical, economic, and human caused security concerns. This only proves how crucial social science research and principles are in cybersecurity.
Leave a Reply