YoVDO

Building a Better Security Analyst Using Cognitive Psychology

Offered By: YouTube


Course Description

Overview

Explore cognitive psychology principles to enhance security analysis skills in this conference talk from BSides Augusta 2015. Delve into the relationship between metacognitive awareness and cognitive performance, examining two key components: knowledge of cognition and investigations as attempts to determine ground truth. Learn about the cognitive challenges inherent in security investigations, including the impact of mindsets on perception and decision-making. Discover strategies for improving investigative processes, such as providing relevant information upfront, formalizing triage functions, and managing attention effectively. Examine the tacit nature of investigative knowledge and the challenges of knowledge transfer between experienced and junior analysts. Understand the role of the visuo-spatial sketchpad in working memory and its connection to intuition in security analysis. Gain insights into overcoming cognitive limitations through metacognition to become a more effective security analyst.

Syllabus

Intro
Thinking about thinking • Research shows a relationship between metacognitive awareness and cognitive performance. • Two Components: - Knowledge of cognition understand
Investigations are an attempt to determine the ground truth of what really happened. - Is there a bad guy? - What did they do? • Investigations introduce cognitive challenges
Mindsets frame how we see the world • Quick to form and resistant to change • The initial picture we
Provide relevant information up front • Realistic time alerting • Formalization of triage function - Put your expertise here - Gather info, make recommendations, pass on - Smaller orgs can we partner analysis
Attention - Focusing on something - Overt or covert - Attention is a limited resource
Experienced analysts are usually less susceptible • Mastery of your environment - Mise en place • Controlling attention - Limit extraneous info - Direct focus - Gaze tracking
Investigative knowledge is tacit - Senior analysts can't explain their success - Junior analysts can't effectively learn • Knowledge transfer is limited - Watch and learn
A primary component of working memory • Allows for visual manipulation of objects • Studies show that intuition is directly tied to use of VSSP (via the precuneus)
The biggest hurdle to overcome when investigating security incidents is our own cognitive limitations • Metacognition can diminish these limitations

