Cybersecurity and the Social Sciences


When we hear “Cybersecurity,” most of us have a preconceived notion of what that entails: cryptography, firewalls, port security, password complexity, employee training, etc. When we hear “Social Sciences,” a rather large swathe of disciplines comes to mind. When combining Cybersecurity and the Social Sciences, some new possibilities come to light.

One would be forgiven for thinking cybersecurity is a very new discipline when measured against the rest of humanity’s collective experiences. However, some of the foundational disciplines have been around for quite some time. One prime example is the principle that information is very powerful, and concealing it from your enemies gives you an advantage.

“All warfare is based on deception.”

Sun Tzu, The Art of War
My personal copy. The dog got to it as a puppy, so it has some wear.

The Social Aspect

Criminal Justice is an easy tie-in to Cybersecurity, and arguably the most easily identifiable accompanying discipline, which is why I want to focus on psychology instead. Psychology is defined as the scientific study of the human mind and its functions, especially those affecting behavior in a given context. Understanding how humans react to stimuli, or why behavior is affected one way or another, is a useful tool when preparing suites of software for cybersecurity purposes. We must also not forget the social aspect of cybersecurity, and our counters to it, such as man-traps, identification requirements, and employee training.


Hardhats and Ladders

A few years back I was working for a local Low-Voltage Installation company. We were doing work on one of the towers in Downtown Norfolk, on an upper floor, installing networking cables, standing up new server racks, and upgrading their infrastructure. We were supposed to check in with the security desk before going up the elevators, because these suites were full of businesses. It occurred to me while doing my work that I had never been asked for an ID. It was simply assumed, since I was wearing the appropriate attire, that I was allowed to be here.

Were I a bad actor trying to gain access to this facility, it would seemingly have been very easy to do so. The building was rather unsecured for what I could only guess were important businesses. This would have been a method of social hacking using the psychology of the security team at the front desk, and any other employees, against them. Nobody wants to hassle someone who is trying to do their work or cause a fuss, and if someone looks like they belong, then surely they do.