
Career Paper: Cybersecurity as a Social Science in Security Research and Reverse Engineering

Introduction 

Security researchers and reverse engineers do a lot more than write code or investigate malware. Their work depends just as much on understanding people as it does on understanding machines. Social science plays a huge role in their day-to-day, whether it’s figuring out how users interact with software, how attackers manipulate people, or how information spreads across networks. This career paper connects what we’ve learned in class to the work that security researchers and reverse engineers do. It also looks at how their work affects society and marginalized communities, and the ethical decisions they must make.

Human Behavior 

Security researchers regularly think about how people behave when using technology. Human-centered cybersecurity, covered in class, focuses on designing tools and systems that work with human behavior instead of against it. For example, a researcher might build a tool that alerts people to risky behavior, but if the alert is too confusing or annoying, users will just ignore it. So, researchers study usability and habits to make sure their tools actually help. 

Understanding social engineering is just as important. Adversaries often go after people or employees, not just systems, utilizing social engineering tactics like phishing, pretexting, and fake links. Researchers analyze these techniques to figure out what psychological tricks are being used. That way, they can train others and build defenses that make people less likely to fall for them. It’s not just about knowing the attack but about understanding why it works on humans. 

Risk Perception 

Risk perception is another major concept. Not everyone sees cybersecurity risks the same way. A company executive might not care about a “low” threat even if it’s technically serious. Meanwhile, a user might panic over something harmless. Security researchers have to explain risks in a way people understand. That means adjusting their language and approach based on who they’re talking to. 

Attacker Motives 

Knowing why attackers do what they do helps security teams fight back. Some are in it for money, others for politics or revenge. Social science helps researchers spot patterns and predict attacker behavior. Understanding how threats spread, like through social media or email, involves looking at social networks and online behavior, not just code. 

Impact on Society 

Security work affects everyone, but not everyone gets the same level of protection. Marginalized communities, like seniors and others who don’t have access to technology, often face greater risks and fewer resources. Research shows they’re more likely to be targeted and less likely to be protected. A good amount of cybersecurity research doesn’t include these groups, which is a problem. Security researchers who keep this in mind can make more inclusive tools and training.

Ethics in Reverse Engineering 

Reverse engineering comes with big ethical responsibilities. Researchers have to make sure they’re not breaking laws or violating people’s privacy when analyzing malware or software. Even if the goal is good, they need to think about who might be harmed by their actions. That includes deciding when to share findings and how much detail to release. Often, it can be beneficial to hold off on releasing information on a vulnerability until a patch is already built for it. It’s a constant balance between helping the public and not giving attackers more tools. 

Conclusion 

Security researchers and reverse engineers work in a field that’s just as social as it is technical. From understanding human error and attacker behavior to designing better tools and thinking about ethics, their work connects closely with what we’ve studied in this course. Social science helps them make better decisions, communicate clearly, and create more secure systems that protect everyone—not just the most privileged users. As threats grow and tech evolves, it’ll be even more important for cybersecurity pros to think like both engineers and social scientists. 
