There are two parts of every great performance: the outer game and the inner game. Most books on coaching focus on the outer game. The outer game is what happens on the field. What sport are you playing? What plays are happening? What techniques are you using to hold or hit the ball? How do you drill to prepare for each match? But to make all of this happen, there is an inner game that happens inside the minds of the players on the field, no matter the sport. Coach Tim Gallwey in his book, The Inner Game of Tennis, writes that the inner Game is like a conversation between two people having an argument inside your head. One person is steering the body and the other person is backseat driving. A player has to be able to overcome the distractions of the backseat driver and trust their inner selves ability to achieve truly great performance. His description is what many athletes and coaches refer to as “being in the zoneâ€.
Just like in sports, there is an outer and inner game to cybersecurity. Just like in coaching, almost all of the books on cybersecurity out there focus on the outer game and the inner game. To help better define the inner game of cybersecurity, there needs to be a framework to help individuals understand their own behaviors and help protect themselves online.
I started my career as a network engineer, so I was introduced to the OSI 7 layer model around 20 years ago. As a conceptual model, this made understanding how computers communicate with one another possible. Imagine trying to understand how a port or protocol works without knowing that that step is necessary before a packet is written to the wire?
The NIST framework is great start when it comes to security, but it is centered around the question of how we prepare for a breach. This is an incredibly important question for companies to ask themselves, hopefully before they’ve been breached. This framework, however, isn’t a good model for security awareness because it focuses on the outer game. You can break the NIST framework down into what happens before, during, and after an incident. Those activities are all really important for organizations to get right. But for security awareness on a personal level, there needs to be centered around an individual.
A better model is Lockheed Martin’s Cyber Kill Chain. The kill chain is a military concept that goes back decades and refers to a defender’s ability to disrupt an attack at all of its various stages. The stages of the Kill chain are reconnaissance, Weaponization, delivery, exploit, installation, command and control, and actions.
The kill chain excludes two important considerations from its stages which are important to consider as a part of the analysis, however. The first is an attackers capabilities. There are multiple categories of hackers: nation states, organized crime, and political activists are examples that all come with both their own abilities as well as motivations for carrying out malicious activities. Some attackers motives are financial in nature, either direct through being paid to start or stop an attack or indirect, by selling exfiltrated data to others. Other motives could also include sending a political message, stealing or exposing secret information, or just showing off to prove a hacker’s abilities. The model assumes that they have the competence or capacity to carry out any attack, but in reality, developing those abilities takes time and investment, developing hacking abilities internally or recruiting them externally. Which brings us to the next missing part of the chain: economics. The black market is a relevant aspect of the kill chain both because it provides the ability to enhance an attacker’s capabilities, but it also provides an avenue for them to make money from their ill-gotten gains. Consider how closely that law enforcement works with pawnshops to help retrieve stolen goods and you’ll see how disrupting a black market might decrease attacks.
We’ve been trying to teach people about cybersecurity without an OSI model for understanding how each of their inner behaviors work and interact. I’ve written before about finding the security habits that control people’s responses to hacking, but just like the 7 layers of the OSI stack, these habits all build on rely on one another in a very specific way. These habits I’ve proposed are literacy, skepticism, vigilance, secrecy, hygiene, diligence, federation, mirroring, and deception.
This framework is appealing because together these behaviors work together very much like a shield. Some medieval shields have were made with layers of oxhide, wood with iron reinforcements, over bronze. Modern bullet proof vests have layers of Kevlar over plastic, ceramic, and sometimes steel plates. Even tanks have layers of armor designed to deflect different types of projectiles.
Each of the nine cybersecurity habits builds upon the last, forming a layer of the shield that you use to protect yourself, your organization, or your community. To be able to protect yourself, you need to be security literate; you need to understand your environment and know how to protect yourself online. The Internet is always evolving, so to stay literate you have to continually relearn your environment. Staying literate requires skepticism because you shouldn’t always believe what you read. Skepticism requires vigilance because you have to be able to recognize when something is suspicious. Vigilance requires secrecy because you have to know what to protect and how to protect it. Secrecy requires hygiene because protecting things means following a regular pattern of protective behaviors. Hygiene requires diligence because you need to have a plan to coordinate all those protective behaviors. Diligence requires federation because you won’t be able to protect yourself alone. Federation requires mirroring because once you start working with other people you need to understand what and how you share information with them. Mirroring requires deception since there will be limits on how much you trust an outsider and you need to know how to conceal private information.
When a company experiences a breach due to a failure of the “human elementâ€, it’s because one or more of these habits was weak or missing and their shield failed to protect them. For example, an employee knew they clicked on a phishing link (vigilance, skepticism), but didn’t report it (federation, diligence) and didn’t change their password afterwards (hygiene).
It’s not just important to have a shield, but it’s important to have the right shield at the right time. There are thousands of different kinds of shields throughout history. The common factor among all of them were that they were all designed to prevent against a specific threat. Unlike Captain America’s fictional shield made of “vibrainium†which was the perfect shield for any occasion, in the real world shields were adapted for a specific purpose. A shield carried by a knight on horseback is different from the one carried by a gladiator in an arena. So too must our cybershields be adapted for the environments we find ourselves in. A work shield might be different from a personal shield. Our shield for calls on a landline at our office might be different from our shield for smartphones. Our cybershields should be flexible and adaptable.
