Nick Nelson, senior lecturer at Massey University’s Centre for Defence and Security Studies, argues that maintaining cybersecurity includes both technological and human factors – this means that recruiting and retaining the ‘right’ people can make all the difference.
Cyber incidents have been increasing in frequency, impact and complexity in recent years and although there is considerable variability in the estimated impacts of these, a 2018 report by the RAND Corporation estimates that cyber-crime costs up to USD 6.6 trillion globally per annum. This equates to 32 percent of global GDP.
In addition to the financial costs, cyber incidents can also have profound effects on customer trust, further impacting the bottom line and even sustainability of an organisation. The 2014 Sony hacks, which resulted in a loss of more than USD 200 million, and the 2017 Equifax hack that revealed the personal information of more than 145 million Americans, are just two of numerous recent examples.
Within the security sector, as well as impacting the bottom line and sustainability of an organisation, cyber incidents can also threaten national security. The 2015 cyber-attack on the US Office of Personnel Management compromised the data of more than 18 million federal employees, including those within the intelligence community, and provided a treasure trove of information that will, according to former CIA Director Michael Hayden, threaten national security for decades to come.
In the public sector, hackers have also accessed designs for more than 24 major US weapons systems including the F35 and F22 stealth fighters, advanced communications technologies, the RC 135 spy plane and the Aegis antimissile system. The loss of this data will, similarly, have a profound impact on national security for a long time to come.
There have been spectacular gains in the enhancement of cybersecurity via the development of technically secure protocols. While these go some considerable way to overcoming the threats posed in the cyber environment, all of these technical measures can be undone at the click of a mouse, through some savvy social engineering, or as a consequence of a variety of other human activities by any of the more than four billion people that have access to the internet today.
Indeed, all of the incidents mentioned in the preceding paragraphs occurred, at least in part, as a consequence of human factors. For this reason, it is important to recognise that maintaining cybersecurity includes both technological and human factors, with the human aspect as important as the technological.
Recognising that a secure network is the result of a larger system that includes technological and human factors, finding the ‘right’ people to work in the cybersecurity environment must be afforded a high priority. However, in the current environment, finding the ‘right’ people is a key problem, and one which applies to both the public and private sector.
This problem is highlighted by the comments of former NSA Director of Information Assurance, and now NSA ‘talent scout’ Richard George, who stated that when it comes to getting the right talent “it’s a very, very small pool and there are a lot of people hiring from it”.
A report by the Joint Task Force on Cybersecurity Education reinforces George’s comment, stating that current global cybersecurity workforce demand is acute, immediate, and growing. By 2020, it projects that more than 1.5 million cybersecurity-related positions will be unable to be filled. Meeting this challenge, however, is not merely a matter of raw numbers; it is also about talent.
While the cybersecurity industry has yet to adopt a commonly accepted lexicon through which to describe cybersecurity jobs, the 2012 National Initiative for Cybersecurity Education (NICE) framework goes some way towards achieving this and, in doing so, allows effective talent identification and management to occur.
Within the NICE framework, types of cyber work are grouped into various categories and specialty areas, each of which has a list of requisite knowledge, skills, abilities and other attributes (KSAO). The NICE framework synthesises these various KSAO to produce a set of unique overarching workload and workforce requirements for cybersecurity personnel.
These have been further synthesised to develop a multistage model that provides guidance on the attributes on which organisations should focus their selection and/or training efforts to ensure the effective performance of cybersecurity personnel.
This model takes into account a variety of individual differences and places them along a distal-proximal continuum. The distal attributes represent stable, trait-like individual differences that, in turn, influence the development of proximal, malleable characteristics.
Combined, these distal and proximal attributes influence on-the-job behaviour and, thus, job performance. While a comprehensive discussion of each of the components of this model is beyond the scope of this article, a brief overview is provided.
Given the significant complexity and abstract nature of the KSAO required to be an expert in cybersecurity, cognitive ability – that is the ability to reason, plan, and solve problems – is considered vital. Further, the ability to do this in an environment that is dynamic and characterised by emerging and novel information means that fluid intelligence and cognitive flexibility are essential attributes.
From a cognitive perspective, the complex and interrelated structure of a cybersecurity system suggests that those who work in that environment would also benefit from an ability to understand how elements within a system work, how they change over time, and how they impact on other parts of the system. In this sense, systems thinking is an important cognitive attribute for cybersecurity personnel.
Although the cognitive domain plays an important role in the success of cybersecurity personnel, so too does personality. Using the well-known ‘Big Five’ personality dimensions, conscientiousness and openness have been shown to be the most relevant to effective cybersecurity performance. Individuals high in conscientiousness are generally well-organised and efficient, with excellent attention to detail which, with a few exceptions, has been shown to be important in effective cyber work.
Given that cyber work involves developing knowledge to make sense of what is often a rapidly changing environment, openness has also been shown to be invaluable. Openness includes a variety of components, the most important of which for the cyber environment is intellectual curiosity, and it has been linked to both a desire to continue to acquire knowledge and the creativity to ‘think outside of the box’ when solving problems.
Unsurprisingly, individual motivations, specifically the need for achievement (i.e. the drive to achieve goals) and the need for cognition (the extent to which individuals seek out challenging cognitive activities), have both been found to impact on the success of cybersecurity personnel.
In addition to the stable, trait-like individual differences described above, there are a number of proximal attributes, i.e. more malleable skills and knowledge, which provide the critical link between the distal attributes and performance.
The first of these, technical knowledge, specifically expertise in a number of technical areas (variable by position) is important but hardly surprising. Of note, however, is that the acquisition of technical expertise is largely driven by a combination of both distal attributes and contextual factors.
While cognitive ability is important, so too are a variety of higher order problem solving skills, which must be taught. Without these, it would be highly unlikely that an individual could successfully work their way through the complexities of a cybersecurity system and develop actions to overcome problems.
Social skills, particularly those of communication and situational awareness, have also been found to be important predictors of effective cybersecurity performance. While at a superficial level this may come as a surprise, these skills matter because a significant amount of cybersecurity work requires social interaction both within and between often interdisciplinary teams.
The distal and proximal attributes discussed in this article are, of course, driven by the performance requirements as well as the tasks necessary for successful performance in a specific position within the cybersecurity environment. They also provide a useful model on which to base selection and training programmes.
Given that the distal attributes are inherent within an individual, and as such are unable to be easily trained, these attributes are most appropriate for use in selection procedures. Similarly, as the proximal attributes are the more malleable knowledge and skills required for effective performance, these are most effectively used for developing training interventions although they do have utility in the selection processes as well.
The current global labour market, where the demand for cybersecurity talent far exceeds the supply, necessitates an emphasis on finding and developing the ‘right’ people, and this model is an important component in achieving that. To further enhance this, consideration also needs to be given to the range of attributes required beyond the individual level given that cybersecurity work is frequently undertaken in a multi-level and multi-team environment.
In addition, given the often heavy cognitive, emotional and social demands of even routine cybersecurity work, as well as the often unconventional individuals that excel in this field, consideration needs to be given to ensuring the ‘right’ people – once they have been found – are retained. This is a particularly challenging task and one that contemporary organisations are still coming to grips with.