Welcome to the 76 new cyber warriors who joined us last week. 🥳 Each week, we'll be sharing insights from the Black Hat MEA community. Read exclusive interviews with industry experts and key findings from the #BHMEA23 keynote stage.
Keep up with our weekly newsletters on LinkedIn. Subscribe here.
The massive importance of diverse skill sets in cybersecurity.
Because we interviewed Chris Wysopal (Founder and CTO at Veracode), and he said:
“Cybersecurity is a wide tent. It needs people who are breakers, like me, but it also needs builders and investigators. It needs these disparate groups of people with different mindsets and skill sets to come together to solve the problem of building a secure digital world.”
It’s such an important point. Gradually, the cybersecurity industry is opening up conversations around gender diversity and racial diversity in its workforce – and we also need to talk about skills diversity.
Technical skills (whether you’re a breaker or a builder) are only one part of the picture. Because cybersecurity isn’t just a technical field – it’s a social, legal, and political one too.
But when such a diverse range of skills is needed to strengthen cybersecurity across organisations, countries, and around the world, how can we possibly hope to fill in all the gaps?
Back in 2015, anthropologists Susan Squires and Molly Shade wrote a paper asking whether ethnography (the research-based books that anthropologists write) can help cybersecurity experts understand people better – and as a result, make security work better.
The paper, published in the peer-reviewed journal of the American Anthropological Society, found that communication is increasingly breaking down between user communities and information security departments – “because of mismatched understandings of the other.”
“Each of the groups studied maintain myths and misconceptions and cyber-security,” the authors went on, “that must be addressed and dispelled within their respective communities to secure the link between people and their technology.”
But this paper was only looking at the relationship between security professionals and technology users.
If, as Wysopal said, cybersecurity as a whole needs to encompass a much wider range of ideas and skills from different disciplines, then the potential for misunderstanding becomes even bigger.
As anthropologist Margaret Mead said,
“Anthropology demands the open-mindedness with which one must look and listen, record in astonishment, and wonder at that which one would not have been able to guess.”
And to bring together the experiences and viewpoints of a wide range of people, cybersecurity needs that kind of open-mindedness.
Security needs a method to generate understanding, to translate the different professional languages and viewpoints that can create a more holistic view of security, and to develop ways for diverse skills to be integrated into security principles and operations.
At Warwick University in the UK, researchers at the Centre for Interdisciplinary Methodologies have been working on a project that uses anthropological techniques including interviews, ethnographic fieldwork, and participatory workshops to look closely at the social processes that are involved in negotiating knowledge and trust in information security.
They’re asking questions like:
Several peer-reviewed papers have already been produced through this project (with new papers currently under review).
One of those papers, Characterising Assurance: Scepticism and Mistrust in Cyber Security, published in the Journal of Cultural Economy in 2022, draws attention to “the limitations of the palette of characters” in cybersecurity discourse.
When the field of cybersecurity underestimates the diversity of characters that it needs in order to have a bigger positive impact, the industry gets overwhelmed with concerns about skills shortages. But if we could open up the tent of cybersecurity to more skill sets, more fields of expertise, and more human experiences – then skills gaps might be filled with new knowledge.
His testimony brought attention to the vulnerability of the internet. So we asked him this question:
If right now, in 2023, you could put together an ideal audience (including all the people and organisations, from anywhere in the world, that you think could be most influential in shaping the future of cybersecurity), who would be in that audience?
And he said:
“I would like to bring together a diverse community of thinkers, even an interdisciplinary community. I love it when I talk to software engineers or lawyers, who have a deep understanding of their craft, yet want to help solve our collective cybersecurity problem. So I would want to bring people from multiple walks of life and experiences together and work on the challenges we all face in the cybersecurity realm.”
As a community, let’s keep working towards that.
Read our full interview with Chris Wysopal.
Do you have an idea for a topic you'd like us to cover? We're eager to hear it! Drop us a message and share your thoughts. Our next newsletter is scheduled for 16 August 2023.
Catch you next week,
Steve Durning
Exhibition Director
P.S. - Mark your calendars for the return of Black Hat MEA from 📅 14 - 16 November 2023. Want to be a part of the action?