I have previously cited arguments for why information security is in a state of cognitive crisis, and the situation is getting worse. Despite the abundance of freely available information, we are not good at identifying and teaching practical skills in information security, across the whole variety of available specialties. Most new specialists are largely self-taught, and universities are not producing graduates who are ready for work.
The situation is not unique to our profession. Medicine, law, accounting and other fields have faced similar problems before. Using their example, one can identify several signs of a cognitive crisis:
Demand for specialists far exceeds supply. Experienced professionals have a huge number of vacancies to choose from. Because organizations need experienced people now, they are unable to invest properly in training their own employees. The shortage greatly inflates the salaries of practitioners with current skills, and hyperspecialization sets in.
Most of the information is unreliable and unverifiable. There are few reputable sources of knowledge about essential components and procedures. Practitioners rely heavily on personal experience and observation, which is neither verified nor objectively confirmed. This makes it difficult to learn new information reliably, and even more difficult to develop best practices and measure success.
Major industry problems remain that cannot be solved systemically. The industry is unable to organize itself or deal effectively with the biggest problems it faces. In medicine these are epidemics and crises; in accounting, large-scale uncontrolled theft through reporting fraud. And on computer networks the worms of the 2000s are still rampant: there are hundreds of thousands of hosts on the Internet with exposed, vulnerable SMB ports, and there are no signs that the ransomware epidemic is subsiding. Many of the main problems we faced twenty years ago are still present or have gotten worse.

As other fields emerged from their cognitive crises more formalized and more effective, information security has hope. We can learn from them and make our own cognitive revolution. Three things should happen:
- We must thoroughly understand the processes on the basis of which conclusions are drawn.
- Experts should develop robust, repeatable training methods and techniques.
- Teachers should build and promote practical thinking.
At the center of all three pillars of the cognitive revolution is the concept of a mental model.
Mental models
A mental model is just a way of looking at the world. We are surrounded by complex systems, so the brain creates models to simplify them.
You use mental models all the time. Here are some examples:
Distribution and the bell curve. In normally distributed data, most points are grouped around the middle. Thus most people have average intelligence, and only a few are extremely low or high.
Operant conditioning. In many cases behaviour is shaped not by a preceding stimulus but by its consequences. If a mouse gets food whenever it presses a lever, it is more likely to press the lever again. If you get sick every time you eat pineapple, you are unlikely to keep eating it often.
Scientific method. A scientific discovery usually follows a standard process: ask a question, form a hypothesis, conduct an experiment to test that hypothesis and report the results. We use this not only in our own research but also to evaluate the research of others, by assessing how well the key questions, hypotheses, experimental procedures and conclusions fit together.
Each of these models simplifies something complex in a way that is useful to both practitioners and teachers. This kind of thinking is focused on interpreting problems and making decisions. Put another way, models are tools. The more tools you have, the better prepared you are to solve a wide range of problems.
Applied models
Mental models are specialized tools of a particular profession. Over the past hundred years medicine has gone through its own cognitive revolution, creating advanced mental models. Even with 60,000 possible diagnoses and 4,000 procedures, physicians effectively apply these simple models:
13 organ systems. The body has many components, but they can be treated as separate, mostly autonomous systems. Specialists usually focus on in-depth study of one of these systems. This makes learning more manageable.
Four vital signs. The entropy of the human body is huge. There are four main vital signs for detecting significant changes: temperature, respiratory rate, blood pressure and pulse. Health workers at every level are able to collect this information continuously as a standing means of preliminary diagnostic assessment.
Ten-point pain scale. Pain is an important diagnostic dimension because it indicates the effectiveness of a treatment or therapy. But pain is difficult to measure objectively. A simple graphic pain scale helps doctors communicate effectively with patients and notice changes in pain relative to a baseline.
In the computer industry there are also mental models on which we rely heavily, although we usually do not call them mental models. For example:
Defense in depth (DID). An approach to security architecture in which additional categories of control (detection, prevention, response, etc.) are layered to provide a comprehensive security posture.
OSI model. A hierarchical classification of network communication functions, used to design and analyze communication protocols and their interaction. OS and application developers use the OSI model to design functionality and set boundaries. Administrators and analysts use it to troubleshoot and investigate network problems and incidents.
The investigation process. Investigating security threats usually follows this process: start from a suspicious input, ask questions, form a hypothesis, search for answers, and repeat the procedure until it reaches a conclusion. Security analysts use this process to build a timeline of events and decide which evidence to analyze.
You constantly use all sorts of mental models, but they do not exist in a vacuum. Each of us perceives the world through the prism of our own unique perception, shaped by life experience. Although the prism is constantly changing, these models are not applied one at a time. Instead, perception consists of the layering of many models.
Sometimes these are auxiliary models borrowed from other fields. For example, the Occam's Razor model suggests that the simplest explanation is usually the correct one. A physician can use this principle together with mental models for deductive reasoning and mental state assessment. For example, rapid weight loss may be due not to pancreatic cancer or hundreds of other diseases, but simply to a person not eating enough, possibly because of depression. It sounds simple, but reaching such a conclusion requires considerable thought and awareness.
In other cases we weigh competing mental models that contradict each other: for example, religion and state citizenship. Christianity dictates "do not kill," but a democratic state calls on its citizens to go to war in order to preserve their freedoms. These conflicts give rise to internal divisions, which are often resolved by compromise.
When we encounter a new, suitable mental model, we add it to our personal kit. Everything we think about and every action we take passes through the filter of these mental models, which push us toward actions or contradict each other.
Models of despair
Information security practitioners are desperate for new models, which further underlines the cognitive crisis. In fact, we often take good models and abuse them, or stretch them beyond their practical purpose. The MITRE ATT&CK knowledge base is a list of common techniques for describing network attacks. It is a great model that is useful in many ways, and, to be honest, at the time something of the kind was badly needed.
But because there are so few models, some organizations have begun abandoning other security principles and successful initiatives, limiting themselves to checking boxes against the MITRE ATT&CK list. In the same way, I have seen new security organizations base their entire detection and prevention strategy on ATT&CK alone, without first formulating a threat model, without understanding their valuable assets and without assessing the risks. This is a path to nowhere. It is not MITRE's fault: the framework's developers actively explain when ATT&CK should and should not be used, emphasizing its limitations.
The problem is that we lack models, so we immediately use and abuse any reasonable model as soon as it appears. Ultimately, you need good models. A reliable set of tools is required. But a hammer cannot be used everywhere, and we do not need fourteen circular saws.
What determines a good model?
I have already mentioned several models that help simplify education and practice in IT, but there are still not enough useful and generally accepted models. What makes a good model?
A good model is simple. Models help us deal with the complexity of problems. If they are themselves more complicated than the problems, the benefit shrinks. Concise wording matters. A 20-page description of a model's purpose and application is useful, but a simple graphic that conveys the essence greatly simplifies understanding and use. A model can be presented as a diagram, a table or even a simple list.
A good model is useful. A model should be broad enough to apply to enough people and situations, but specific enough to give a practical understanding of concrete scenarios. Think of it as a highway on-ramp. The entrance is clearly visible and easy to approach at low speed. Once on it, the road should let you accelerate to a comfortable pace. Excellent models give people a path from existing knowledge to complex concepts.
A good model is not perfect. Most models are generalizations created by inductive reasoning. There are always borderline situations, and these exceptions matter because they provide a mechanism for refuting the model. The key to understanding a theory or system is knowing when it does not work. Because models are imperfect, they cannot be applied to every situation. A model must have clear criteria for use so that it is not applied in inappropriate situations.
Creating models
Most models are created by inductive reasoning. Inductive reasoning is the process of forming generalizations from life experience, observations or collected data. If you come across several malicious obfuscated PowerShell scripts, you might generalize that obfuscation is a sign of a malicious script. This is not a model but a heuristic (a rule of thumb), potentially useful in an investigation. Combined with several others, it forms a model for investigation, evidence handling or something else.
The power of inductive reasoning depends on the number and variety of observations on which the conclusions are based. I once worked with an analyst who had seen a couple of times how attackers used the Nginx web server in their infrastructure. At the same time, he had never seen Nginx used for legitimate purposes, so he drew the inductive conclusion that this web server is usually used by attackers. Of course, Nginx is used by everyone, and this inductive heuristic was not based on an appropriate sample, which led to poor conclusions and lost time.
When creating a model, the evidentiary bar is even higher. A model should be based on a large number of observations across a wide range of dimensions.
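The Nginx heuristic above can be checked the way any inductive rule should be: by scoring it against a labelled sample and asking how representative that sample is. The following is an added illustration, not code from the original article; the event records are constructed, and `heuristic_nginx_is_malicious` is the analyst's flawed rule as described in the text.

```python
"""Why a heuristic built from a biased sample looks better than it is."""


def heuristic_nginx_is_malicious(event):
    """The analyst's inductive rule: any Nginx server belongs to an attacker."""
    return event["server"] == "nginx"


def evaluate(rule, events):
    """Return (precision, recall) of a rule over labelled events.

    precision: of the events the rule flags, how many are really malicious.
    recall:    of the really malicious events, how many the rule flags.
    """
    tp = sum(1 for e in events if rule(e) and e["malicious"])
    fp = sum(1 for e in events if rule(e) and not e["malicious"])
    fn = sum(1 for e in events if not rule(e) and e["malicious"])
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return precision, recall


def variety(events):
    """Distinct server types seen per label; low variety is a warning sign."""
    seen = {}
    for e in events:
        seen.setdefault(e["malicious"], set()).add(e["server"])
    return {label: sorted(servers) for label, servers in seen.items()}


# Constructed: what the analyst actually observed (incident data only).
ANALYST_SAMPLE = [
    {"server": "nginx", "malicious": True},
    {"server": "nginx", "malicious": True},
    {"server": "apache", "malicious": False},
]

# Constructed: a representative sample of the same network, including the
# many legitimate Nginx hosts the analyst never looked at.
REPRESENTATIVE_SAMPLE = (
    ANALYST_SAMPLE
    + [{"server": "nginx", "malicious": False} for _ in range(40)]
    + [{"server": "apache", "malicious": False} for _ in range(30)]
    + [{"server": "iis", "malicious": True}]
)

if __name__ == "__main__":
    for name, sample in (("analyst", ANALYST_SAMPLE), ("representative", REPRESENTATIVE_SAMPLE)):
        p, r = evaluate(heuristic_nginx_is_malicious, sample)
        print(f"{name}: precision={p:.2f} recall={r:.2f} variety={variety(sample)}")
```

On the analyst's own observations the rule scores a perfect 1.0 precision; on the representative sample its precision collapses to about 0.05, which is the lost investigation time the text describes.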
I believe that most models start with the right question. For example: is a hot dog a sandwich?
This is the wrong question. But it leads you to the right one. Whatever your opinion, even a brief discussion eventually brings you to the correct question: "What is the definition of a sandwich?"
This is the right question. To answer it, you list the properties of a sandwich and the relationships between those properties.
A sandwich has several layers, the outer layer is usually carbohydrate-based, and so on. You refine these properties by highlighting clear examples of sandwiches and non-sandwiches, and by discussing the borderline cases.
An Italian hero is clearly a sandwich. A pizza obviously is not. What is the difference? How does it apply to a hot dog? The discussion should be rich and varied so that it yields a unique perspective. It reveals a host of borderline cases and cultural differences you had not thought of.
What about tacos? That is one culture's version of a sandwich. How does it fit into the model? The discussion creates value. Asking the right questions and answering them is most of the work of arriving at a useful model. By the way, the cube rule is one way to decide whether a hot dog is a sandwich. No need to swear at it; it is just one option.
Conclusion
Mental models let you make better decisions and learn faster. They are tools that simplify complexity and are crucial in any profession. For information security to overcome its cognitive crisis, we must become more adept at developing, using and teaching good models. If you want to learn more about specific information security models, some of them are listed below.
Links
Various information security models