The case for applying psychology in cybersecurity training

Continuous training is important to advancing a cybersecurity career and keeping up with emerging technologies and attacker techniques. Regardless of how much experience they have in the industry, many cybersecurity practitioners pursue certifications designed to demonstrate such knowledge.

But underpinning all the technical expertise is a more fundamental skill that is difficult to certify: cognitive readiness. The term refers to a state of mental preparedness that enables effective response to changing situations. This critical cybersecurity soft skill incorporates problem-solving, decision-making and situational awareness.

"Traditional cybersecurity training courses don't necessarily work with soft skills or psychological skill development," said Rebecca McKeown, an independent chartered psychologist and advisor to Immersive Labs.

In her 15 years of research, McKeown has studied how workforce training is conducted at the U.K. Ministry of Defense and in other verticals, including the aviation and nuclear industries. Now researching psychology in cybersecurity, she observed how incident response could be improved by teaching teams how to think versus what to do.

Here, McKeown explains how applying psychology in cybersecurity helps organizations build more agile, confident and effective incident response teams.

Editor's note: This transcript has been edited for length and clarity.

What is cognitive readiness, and why is it important in cybersecurity?

Rebecca McKeown

Rebecca McKeown: Learning starts with a load of knowledge and involves constantly adding new skills, information and experience to that foundation. When new things are learned, they are matched up with the existing knowledge bank to revise the mental model. This is an unconscious process. As the learning process happens, proficiency improves. Patterns of thinking develop and become automatic, which can be fabulous in terms of efficiency.

However, in a crisis situation, this can introduce bias and constrain thinking. To bypass bias, you need to think differently. This requires you to consciously learn about yourself and how you understand things so you can recognize when automatic thinking patterns kick in. This is cognitive readiness.

Why should organizations focus on cognitive readiness instead of on what steps to take in hypothetical situation A or situation B?

McKeown: Because situation A and situation B might occur several times but also situation X, Y and Z. The nature of cybersecurity is so fast-paced and changing constantly, so it's not always possible to train for every scenario. With cognitive readiness, you're able to learn to adapt in any scenario. This makes you much more agile and effective at dealing with challenges as they occur during incident response.

What are the limitations of traditional tabletop exercises in building incident response teams?

McKeown: Multidisciplinary tabletop exercises are useful. However, research into how people acquire skills -- and how they lose them, known as skill fade -- tells us that procedural and decision-making skills degrade quickly. In an ideal world, you need to be practicing these skills at least once every two months to prevent skill fade. Running a tabletop exercise this often is a massive undertaking, not to mention costly. For these reasons, tabletop exercises can be ineffective in the long term.

It's also important to build an organizational culture of constant learning and development. It's about creating psychological safe spaces.

How can organizations incorporate your research on psychology in cybersecurity into their training?

McKeown: The biggest problem for me is how people view learning and development and training -- that you take a course, pass with the certification and return to work. It is important to embed learning and development into everyday processes where it is constantly worked on because repetition is what helps develop cognitive readiness.

One way for the research to be incorporated into security programs is through reflection, or metacognition, which the U.K. military does frequently in after-action reviews. For example, during the review phase of incident response, reflect by answering the following questions: What happened? What were we supposed to do? What did we do? What did we not do well? How can we learn from it and improve next time?

It's also important to build an organizational culture of constant learning and development. It's about creating psychological safe spaces. In order to learn, you have to be able to make mistakes and discuss them. This cannot happen if people feel there will be negative consequences at work for doing so.

There's a high turnover rate among cybersecurity leaders, and many report experiencing burnout. Is there a relationship between mental health and cognitive readiness?

McKeown: I think it's about frustrations. CISOs and security leaders have to deal with a lot. For example, they may need to communicate with groups of people who do not understand the importance of security. Or they may be denied funding for extra staff because someone in charge doesn't see it as a priority. The right cybersecurity soft skills and training can enable people to overcome corporate biases and make them more adaptable. Pairing that with the psychological safe space can help reduce stress and burnout, as well as overall mental well-being.

Has the industry's historic focus on technical skills and certification resulted in a systemic lack of soft skills in cybersecurity teams?

McKeown: Yes, to a certain extent. I don't want to say that the training done is completely wrong because it's not. It's just the first step. Start with the awareness training, and continue to competency training. This covers attribution reasoning, which is about examining why we do the things we do.

Social learning is another important soft skill in cybersecurity. This focuses on what impact an incident had and how other people are dealing with it. There are the security people who understand the technical side, people on the board who see the strategic goals and people on the business side involved as well. Security leaders need to understand the differences between those groups and how to communicate across them in order to be more effective.

Is there a way to test for or certify cognitive readiness? Is it necessary to evaluate?

McKeown: There's this view that, if you can't measure something, then it's not worth anything. When it comes to developing psychological skills, this view can be very limiting. People find it difficult to understand that there's not always an obvious link between learning and behavior change.

As a psychologist, one of the biggest challenges is when people ask, 'How can you prove it to me?' There aren't any figures. You can't compare your cognitive readiness with others'. Everybody has different thinking patterns and different attitudes. With so much variety, producing a method to measure cognitive readiness is difficult.

Do you anticipate an increased appetite for your research now that ransomware attacks and supply chain attacks have drawn further attention to incident response?

McKeown: Potentially. In general, cybersecurity is very technology-focused. There is a significant amount of research on cognitive skills, but it is not mainstream in cybersecurity yet. My hope is that the human factors might become more popular because you can't solve everything with technology. Human beings are part of the process. Understanding the way we think -- and the way attackers think -- can only help.

What has interested you the most while researching the psychology of cybersecurity training?

McKeown: I'm excited by the potential for psychology to support learning and development in cybersecurity. We need to help people understand why people are just as important as the technology. Let's move away from learning on a training course. Making learning a part of daily, weekly or monthly routines is where the excitement comes in for me.