Cybersecurity Consultant and the Social Science Principles
Student: Tristan Karl
Instructor: Diwakar Yalpi
Class: CYSE 201S
I’ve often thought of pursuing a career in cybersecurity, and one of the professions that interested me the most is the cybersecurity analyst and consultant. Essentially, this role involves working with industry leaders as a security analyst to determine any weak points in their systems or where processes can be improved. This profession seems very interesting and a great chance to expand network contacts. One of the most important aspects of this job is understanding behavioral science, or social science. This is incredibly important for this profession for the following reasons:
- Human Behavior Understanding and Experimental Research
- Risk Perception and Communication and Empirical Data/Parsimony
- Cybersecurity Training
- Social Engineering Defense
- Human Centered Security Design and parsimony
- Behavioral Analytics
- Psychological theories and determinism
To get started, human behavior understanding means understanding how people interact with technology in various settings and determining whether users engage in risky behaviors, by studying factors such as social dynamics, biases, and decision-making processes. Experimental research into human behavior can show how social groups tend to form similar habits, resulting in either healthy or poor cybersecurity habits. Consultants can use this information to determine whether users are adequately following security protocols, whether users are likely to be susceptible to phishing and social engineering attempts, and even whether there is potential for insider threats.
Risk perception and communication uses the social science principles of empirical data and parsimony to learn how individuals and groups perceive and respond to cybersecurity incidents. Fewer technical errors made by the team when investigating and responding to cybersecurity incidents mean data is kept safe rather than stolen, corrupted, or abused. By understanding this, consultants can devise efficient means of communicating cybersecurity violations and develop training that improves compliance with security policies and regulations.
The development and delivery of security awareness training relies on social science principles to determine the most effective means of relaying information and the barriers to behavior change. By understanding how human motivations and social dynamics affect cybersecurity habits, consultants can create more impactful training that minimizes cyber risk. One of the best ways to minimize the cyber risk an organization is exposed to is to ensure that users are fully trained on cybersecurity policies and on the various methods cybercriminals use to achieve their dastardly goals.
There are many forms of social engineering tactics; a few of them are phishing, spear phishing, pretexting, baiting, and impersonation. These are not attacks on equipment or technology but on people. Defending against them requires an adept understanding of human psychology and of the ways criminals exploit its “weaknesses.” To defend effectively against all of these forms of attack, a consultant must ensure an organization has, or help it develop, a thorough and robust training program that raises the security awareness of all users and encourages safe and healthy cybersecurity habits. This sort of defense is known as social engineering defense. Consultants can also advise organizations to adopt multifactor authentication (MFA) so that intrusions are prevented even if confidential login information is obtained by unauthorized parties.
The key to a good cybersecurity system is to ensure that it is easy to use and to minimize the friction between risk mitigation and work productivity. By stepping into the metaphorical shoes of users, cybersecurity analysts and consultants can develop security systems that mesh seamlessly into everyday work. If the solution to a problem is complicated, it is less likely to be used, which increases the cyber risk an organization is exposed to. This applies the principle of parsimony. By examining and understanding human factors, cybersecurity consultants can create a user-centered cybersecurity system and associated protocols. One way to increase effectiveness and usability is to solicit feedback from users through surveys and incorporate that feedback into the system design. This is a form of research that we discussed in module 3.
Determining and establishing a norm for each individual user, for the network as a whole, and even for device and application behavior on the network allows consultants to find cyber threats in real time. To do this, consultants must use behavioral analytics techniques and technology, including machine learning, AI, and threat hunting. By utilizing machine learning and AI, an organization’s cybersecurity system can analyze large volumes of data, identify patterns, monitor suspicious network traffic indicative of data exfiltration, and allow for improvement of the system to increase effectiveness and minimize false positives.
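As an added example (not part of the original essay), the following Python sketch shows the per-user baselining described above: it builds a mean and standard deviation of outbound bytes for each user from constructed history, refuses to score users with too little history, and requires both a high z-score and an absolute volume floor before flagging a session as anomalous, which is one simple way to hold down false positives. The user names, record layout, and thresholds are all assumptions made for the example.

```python
"""Per-user outbound-volume baseline with deviation alerting.

Added example for the behavioral-analytics discussion. All records below are
constructed; the (user, destination, bytes_out) layout and the thresholds are
assumptions, not taken from any product or from the essay.
"""
import statistics
from collections import defaultdict

# Constructed history: (user, destination, bytes sent in one session).
BASELINE_RECORDS = [
    ("alice", "files.example.internal", 12_000),
    ("alice", "mail.example.internal", 9_500),
    ("alice", "files.example.internal", 11_000),
    ("alice", "wiki.example.internal", 10_500),
    ("alice", "mail.example.internal", 9_800),
    ("alice", "files.example.internal", 10_200),
    ("bob", "files.example.internal", 4_000),      # bob: only 3 sessions
    ("bob", "mail.example.internal", 5_000),
    ("bob", "files.example.internal", 4_500),
    ("carol", "backup.example.internal", 200_000),  # carol: large but steady
    ("carol", "backup.example.internal", 210_000),
    ("carol", "backup.example.internal", 190_000),
    ("carol", "backup.example.internal", 205_000),
    ("carol", "backup.example.internal", 195_000),
]

# Constructed sessions to review against the baselines.
NEW_SESSIONS = [
    ("alice", "files.example.internal", 11_500),
    ("alice", "paste.example-external.net", 2_500_000),
    ("bob", "cloud.example-external.net", 5_000_000),
    ("carol", "backup.example.internal", 240_000),
    ("carol", "share.example-external.net", 1_200_000),
]


def build_baselines(records, min_samples=5):
    """Return {user: (mean, population stdev)} for users with enough history.

    Users with fewer than min_samples sessions get no baseline at all: scoring
    against one or two data points is a classic source of false positives.
    """
    per_user = defaultdict(list)
    for user, _dst, nbytes in records:
        per_user[user].append(nbytes)
    baselines = {}
    for user, sizes in per_user.items():
        if len(sizes) >= min_samples:
            baselines[user] = (statistics.mean(sizes), statistics.pstdev(sizes))
    return baselines


def score_session(baselines, user, nbytes, z_threshold=3.0, min_bytes=1_000_000):
    """Classify one session as 'no_baseline', 'normal', or 'anomalous'.

    Both tests must pass to alert: the session must be far above the user's
    norm (z-score) AND above an absolute floor, so a user whose sessions are
    normally small is not flagged for a merely modest increase.
    """
    if user not in baselines:
        return "no_baseline"
    mean, stdev = baselines[user]
    if stdev == 0:
        z = float("inf") if nbytes > mean else 0.0
    else:
        z = (nbytes - mean) / stdev
    if z > z_threshold and nbytes >= min_bytes:
        return "anomalous"
    return "normal"


def review(baselines, sessions):
    """Score every session; returns (user, destination, bytes, verdict) tuples."""
    return [(u, d, n, score_session(baselines, u, n)) for u, d, n in sessions]


if __name__ == "__main__":
    base = build_baselines(BASELINE_RECORDS)
    for user, dst, nbytes, verdict in review(base, NEW_SESSIONS):
        print(f"{user:6} {nbytes:>10,d} bytes -> {dst:30} {verdict}")
```

Carol's 240,000-byte session sits well over three standard deviations above her norm but stays under the volume floor, so it is reported as normal; her 1.2 MB session to an external host trips both conditions. Bob has too little history and is reported as having no baseline rather than being guessed at.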
A thorough understanding of psychology will be a consultant’s best friend when it comes to profiling potential hackers and cyber attackers. By understanding psychological, cognitive, behavioral, and other theories of motive, a consultant can get a better picture of who would attempt a cyber-attack against an organization and why. Using the principle of determinism, it is also important to understand how a cybersecurity event could relate to a previous cyber-attack or foreshadow a future one. In one of the previous modules, we discussed how both large and small organizations are susceptible to cyber-attacks; however, the motives were different. Smaller businesses were prone to beginner criminals trying to make a name for themselves and establish some respect, while larger businesses were more susceptible to criminals acting out for a cause.
In conclusion, for all of the reasons listed, a cybersecurity consultant must rely heavily on a thorough knowledge of the social science principles to adequately serve clientele. The social science principles will continue to adapt as technology progresses, so it is a cybersecurity consultant’s job to stay up to date with technology and the way the general population uses it, as well as with recent events, to help flesh out the profiling of those who would commit cybersecurity crimes.
Sources
- What Is a Cybersecurity Consultant? (And How to Become One) | Coursera
- Cyber Security Consultant Jobs Description, Certification, Salary & More (fieldengineer.com)
- Kathleen M. Carley, Social cybersecurity: an emerging science | Computational and Mathematical Organization Theory (springer.com)