Applying Behavioral Science to the Challenges of Cybersecurity
October 2012
"Technology always in some way involves human beings," says Deanna Caputo. "So you can't tackle a technological challenge without taking into account human nature. And the experts in human nature are behavioral scientists."
Deanna Caputo is a behavioral scientist in MITRE's Social, Behavioral, and Linguistic Sciences Department. Behavioral scientists study individual and societal human behavior. Her specialty at MITRE is using behavioral science to improve cybersecurity. When asked how behavioral science applies to such a technical field as cybersecurity, she likes to quote computer security specialist Bruce Schneier: "Only amateurs attack machines; professionals target people."
Take, for example, the hacking technique known as "phishing." In a phishing attack, a hostile entity trying to gain access to a secure system targets the users of the system rather than the automated defenses of the system. The entity sends emails, faked to appear to come from a trusted source such as a bank or service provider, to the users. An unsuspecting person who clicks on a link in the email can inadvertently provide the entity access to the system.
In defending against attacks that target system users, behavioral scientists can help cybersecurity experts on two fronts. First, they can help security experts improve system defenses by educating them on how human nature may make users vulnerable to such attacks. Second, they can use their expertise in human nature to help design educational campaigns alerting users to cyber-attacks.
Caputo recently conducted a study on "spear phishing," phishing attacks that involve meticulously researching and targeting a single system user. (Experts call the technique "whaling" when it targets a highly ranked user like a CEO.) "Spear phishing is harder," she says. "But a more targeted attack is often more successful."
Her study was a research effort and educational campaign rolled into one, funded by the Institute for Information Infrastructure Protection. Caputo sought to gain information on spear phishing attacks by launching three of her own, targeted at 1400 employees at a Washington, D.C.-based corporation. Caputo designed the emails so that they directed employees who responded to the phishing emails to an online training program on recognizing and responding to phishing attacks. The goal was to determine if ongoing employee training could reduce spear phishing click rates and increase employee reporting.
The Perfect Fit
Caputo currently conducts research on detecting and deterring insider threats, the security breaches that employees instigate from within an organization. "We help organizations recognize the factors, such as employee disgruntlement or perceptions of unfair treatment, that increase the likelihood they will have insider threat issues. Obviously not every disgruntled employee poses an insider threat. But organizations can put programs in place that provide another path for employees to express their frustrations."
Caputo hasn't faced many frustrations on her career path, but she has come to a few forks. She graduated with a doctorate in social and personality psychology from Cornell University. Her dissertation examined the psychological biases involved in eyewitness accounts and police line-up identifications.
This led to a job as a jury consultant. "I tried that world out for a year," she says. "But it's a chaotic lifestyle with crazy hours."
Looking for a new direction, she attended a behavioral science conference where she met a recruiter from the intelligence community. "An intelligence agency hired me to profile potentially hostile foreign leaders, researching their belief systems and their information environments."
But after a few years, it was time to move on again. "Completing a profile could take six months. I'm too much of an extrovert to sit quietly at a computer compiling data for that long." Caputo went looking for a position where she could collaborate with a team, gather data, and then put it to use. MITRE proved a perfect fit.
While she was at a job fair investigating a new direction for her career, she stopped by MITRE's booth. She was surprised to discover that a systems engineering company employed behavioral scientists.
There she learned MITRE is a leader in applying behavioral science to engineering solutions. Intrigued by the opportunities to both pursue behavioral science research and apply it to pressing national concerns, Caputo came aboard.
Leading the Leaders
"By bringing together the fields of behavioral science and cybersecurity, MITRE offers me so many opportunities," says Caputo. "For one sponsor I had the opportunity to organize and lead a working group of behavioral scientists from across the intelligence community. We wrote a concept of operations for how behavioral scientists can integrate with insider threat detection programs." In the last couple of years, she has had the opportunity to support six other intelligence community sponsors conducting human factors and cybersecurity tasks and research.
MITRE recently hosted an insider threat conference Caputo helped organize for a sponsor. "There are many scientists doing fascinating things in the field. We brought them together to share best practices, new research, and training opportunities. It was a phenomenal opportunity to lead the leaders, and I was proud to be a part of it."
—by Christopher Lockheardt