I am thrilled to be keynoting this year’s BSidesLV this week in Las Vegas with a talk on what I believe is the future of defense in cybersecurity: a better design of social and economic systems that incorporates modeling for the human factor and a renewed focus on human outcomes.
Big data, behavioral analytics, machine learning, AI – these are all technologies that we’ve been grappling with and leveraging in information security for the past few decades. Now we get to fuse all of this data science with the more human-focused *social* sciences: psychology, sociology, user-experience research and – my favorite – economics.
What is this new discipline… this combination of risk science, system theory and social system dynamics? Come to my talk (Tuesday, July 25 at 10:00 AM in the Tuscany’s Florentine Ballroom) to hear a bit more about these influences, new ideas in this space, and the toolkits we need to build as we approach architecting and operating ever more elaborate social and economic systems and the people in them.
Today, we need defenses that accommodate both scale and complexity: this means using data and automation with all the smarts we can muster (human-grown or AI-based). At the same time, our strategies must include the economic angle: how to balance the needs of users with the capabilities of incentivized bad actors. This means considering not just the technology in place but also the real preferences and incentives driving behavior.
In this talk, we’ll explore what tools we can adopt from other learning systems, critical concepts like decision science, feedback loops, and ground truth, as well as where they intersect with helpful concepts from economics like costs, framing, asymmetries, payoffs and risk.
Adding the human factor to the cybersecurity mix makes things more complicated, for sure, but it also makes things interesting. And it means more opportunities for more types of people with a broader variety of skills to help us make the world – and the cyber – work better.
Even as complexity looms ever larger over cybersecurity, what’s inspiring to me about this industry is that I’m still just as excited to look to the decades ahead as I was when I started my career decades ago (way back when I still had to explain browsers and the web to my friends). As far as we’ve come, there is still so far we can go: we are still at the forefront of technology, we are still helping shape the fabric of society and civil liberties, and we are still standing up and stepping in to protect customers, neighbors and citizens of the world.
As a new practitioner, I started this journey at what felt like a great time of chaos. The internet boom. E-commerce and credit cards online. Websites popping up like daisies. Network monitoring choking on the volume of packets.
What I was good at then: sifting through data, through traffic, finding patterns. Understanding how technology was changing, spotting risks, and redesigning systems halfway-built. Clarifying what needed to be done. Making things better.
As a professional and manager, I started a new journey at what felt like a great time of chaos. The internet boom take two. Everything was faster; everything was real-time. Waves of spam and phish floating up on every beach. Millions of users, networks of bots. So much telemetry, we installed walls of dashboards.
What I was good at then: modeling with data, understanding behaviors, finding patterns. Understanding how the business was changing, spotting risks, and redesigning infrastructure halfway-forgotten. Clarifying what needed to be done. Making things better.
Now, as a leader and advisor, I’m still journeying at what feels like a great time of chaos. We don’t just browse the web; we have nets of apps and Internets of Things. Everything is faster, faster than real-time thanks to predictive technology. Even the underground has a network of supply chains. So much data, we have dashboards of dashboards on an internet of dashboards.
Interconnected technology has spilled out of the net, back into the real world and onto our streets.
What I need to be good at now: Forecasting with data, understanding what drives behaviors, designing better patterns. Understanding how the world is changing, spotting the risks in interdependencies, and pre-designing tomorrow’s infrastructure. Clarifying what needs to be done. Making things better.
It’s still interesting! To live in interesting times is both a blessing and a curse, of course. But if I knew at the beginning of my career what I know now, I still couldn’t have predicted the path I took; I still wouldn’t have expected what valuable learnings I’d gain from the mistakes I made along the way, and I still wouldn’t have believed how much fun I’d still be having.
And I wouldn’t change a thing. I’d take every side path. Every career detour. Every weird project. Every interesting class. Every risk. And hope then, as I hope now, that we in the industry and we in our careers keep aiming for the stars, and falling and failing forward.
As ever, we stand on the precipice between the predictable past and the chaos of change. The future is as ambiguous as ever, but it’s also so bright that we have to wear shades. Of course we’d do that anyway. Hackers, you know.
About the Author: Allison Miller has been working in the intersection of cybersecurity, human behavior, and predictive analytics for almost two decades. A proven innovator in the security industry, she has pioneered the use of data-driven detection technologies within security, anti-fraud/anti-abuse, and payments/commerce systems around the world. In addition, Allison is active in the security community as an advisor and leader, and continues to conduct and share research on topics in risk, cybersecurity, and economics — both locally in the SF Bay and internationally. You can find her online.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.