Cognitive Hack - book review



Title: Cognitive Hack - The New Battleground in Cybersecurity... The Human Mind

Author: James Bone

Part of the Internal Audit and IT Audit series
edited by Dan Swanson


Publisher:
CRC Press/Auerbach (2017)

ISBN:
978-1-4987-4981-7

Price:
US$100 (hardback)
US$53 (paperback)


GH rating:
50%


Summary

The author's core thesis is that we are expecting IT users and managers to make rational, risk-averse decisions and take appropriate actions in response to complex threats. The 'cognitive load' is such that people are bound to make mistakes. Therefore we should be simplifying things (e.g. by automating cybersecurity controls), thereby reducing the number of choices and hence taxing decisions we're asking people to make.

I don't entirely accept the implication that business or security management is simply a set of rational decisions, or the premise that cognition is the prime or only concern. In practice, models, analyses, strategies, plans, frameworks, methods and approaches all involve emotional elements, plugging the gaps in information and extrapolating or projecting towards an uncertain (risky!) future. Not only is there a place for 'gut feel', it would be foolish to discount or ignore it completely. 


Pros

The first half of the book provides an extensive survey of media reports and articles, mostly on US cybersecurity breaches (incidents), mostly prompted by press releases and promotions by vendors or speeches quoted from conference presentations and interviews. Despite that, the author acknowledges the limitations of research into cyber incidents, creating a paradox. "Cyber threat data are more art than science," he admits on page 98.

With a few mentions of Artificial Intelligence and Machine Learning, the author was ahead of the field when the book was written in 2014/2015, and to be honest even today the use of AI/ML to automate security responses and decision-making is in its infancy.

The author's coverage of cyber risk governance, one of five pillars of the Cognitive Risk Framework for Cybersecurity introduced in the book, is insightful. For instance:

"Transformational change from an old to a new framework requires leadership from the board and senior management that goes beyond the sponsorship of a few new initiatives. The framework represents a fundamentally new vision for what is possible in risk and security to address cybersecurity or enterprise risk management. Change is challenging for most organizations; however, the transformation required to move to a new level of cognition may be the hardest, but most effective, any firm will ever undertake. This is exactly why the board and senior management must understand the framing of decision making and the psychology of choice."

Particularly if we expand the scope to cover the organisation's overall approach to information risk and security, compliance, safety, privacy, resilience and so forth (more than 'cyber'!), the challenge for management is to initiate, support, embed and exploit a cultural shift. I agree that a single or even a few 'initiatives' are not going to achieve the transformation of a traditional enterprise that treats 'cyber' as a technology issue for the IT department.


Cons

An extensive, eclectic assemblage of media reports and articles dominates the book. They are presented in a journalistic style, mostly as quotes with (in my opinion) relatively little commentary, analysis, criticism or insight from the author. The reader is largely left to consider and determine the value of the information without the original context, and often without citations or references to the source materials. Much of it is marketing or promotional content, clearly biased and of limited value.

No matter how many there are, dubious statistics remain - well - dubious, of low value, unreliable. 

The author uses several cyber terms (cyberspace, cyberattack, cyber threat, cyber risk, cybersecurity, cyber black market, cybercrime, cyber extortion, cyber paradox and probably others) without once defining 'cyber'. He appears to be referring in general to IT, hackers and criminals exploiting the Internet and the commercial world, as opposed to the high-end risks associated with digital espionage and warfare among nation states (cyberwar).

Likewise, cognitive terms (cognitive risk, security, load, computing ... and indeed the titular cognitive hacks) are unclear. At one point we are told that "Cognitive (decision) science is the scientific grounding for the development of machine learning and artificial intelligence in cybersecurity" - I'm not sure what to make of that. As to 'cognitive informatics security' (another of the five CRFC pillars), well that's anyone's guess. If 'cognitive' is simply about thinking, it seems analogous or functionally and syntactically equivalent to 'rational'.

With many twists and turns, I find it difficult to follow the author's train of thought. Many paragraphs cover distinct topics of dubious relevance without clear logical links between successive sentences - a symptom, perhaps, of a bright but scatterbrained author and weak editing. For example:

"Security has evolved in maturation around physical security, leaving huge gaps at the interface between human–machine interactions. Desktops, laptops, social media, and mobile devices represent the cognitive risk gaps in cybersecurity. Current cybersecurity posture implies that technology is the weak link when in reality the vulnerability lies much deeper in human decision making and the human–machine interaction as the root causes of gaps in security. To narrow the corridor of vulnerability, cognitive risk approaches should be used to limit exposure to attack."

The depth of coverage is inconsistent. Fundamental topics (such as the Bell-La Padula and Biba models) are covered briefly in just a paragraph or so, while others (such as a data theft and extortion case) are laid out blow-by-blow over a couple of pages. Perhaps readers are expected to know the fundamentals already?

Frankly, the author singularly fails to sell me the CRFC in chapter 6, the final chapter. For instance, "The first step in the transition to a CRFC is to develop an organizational cognitive map of strategic risks": eh? Sorry, you've lost me right there. 


Value

Marginal. With about 200 pages and 50,000 words, quick readers can dash through in a few hours ... but I'm not convinced it's worth the effort - at least, not for me. Maybe you will be able to extract some value from the CRFC concept, or adapt and make use of the 'cognitive cybersecurity' approach? Good luck! 
