The long view of security strategies for your network.
Reader (and Norwich University MSIA graduate) Paul O'Neil disagrees with my suggestions in the recent two-part article "Hiring Hackers" published in this column. He has written a thoughtful and constructive rebuttal which has made me think critically about my position even though I disagree with him; I hope his two-part analysis will stimulate further discussion. Everything that follows is O'Neil's work with minor edits.
* * *
Computer security researchers have published articles such as Chapter 12 of Bosworth, Kabay & Whyne's Computer Security Handbook, Fifth Edition ("The Psychology of Computer Criminals" by Dr. Q. Campbell and David M. Kennedy) and Chapter 13 ("The Dangerous Information Technology Insider: Psychological Characteristics and Career Patterns" by Dr. Jerrold M. Post). These researchers correctly describe the nature of specific personality disorders, but their utility is doubtful in the context of computer criminals and computer crime.
It is still unclear how the science of psychology should be applied to the field of information security, especially when that science is incorrectly applied.
M. E. Kabay suggests in his second article on "Hiring Hackers" that it would be useful to compose a questionnaire to use during the hiring process to filter for potentially dangerous hackers. He suggests, "It is useful to test these questions on a couple of willing volunteers of known probity and long, loyal service among your technically-gifted employees to establish a baseline of responses from honest people and also for practice in asking the questions."
"A couple of volunteers" to establish a baseline? That's an awful baseline as the basis for inferring a Narcissistic Personality Disorder (NPD) in a potential new hire! And in general, pushing IA practitioners to apply psychological concepts to information security is risky: IA practitioners normally have neither the training nor the academic foundation in the field of psychology that would justify putting superficially-grasped concepts into practice. Applied psychology typically requires years of training to master.
I find it incredible to find NPD used in discussing possible personality disorders in criminal hackers (a term which warrants extensive discussion and definition in itself); NPD affects less than 1% of the general population. And to satisfy a clinical diagnosis of NPD, the Diagnostic and Statistical Manual of the American Psychiatric Association requires at least five of the known criteria. In contrast, the computer researchers enumerate and repeat only two or three of the characteristics and ignore any differential diagnosis for other possible characterization.
Are the researchers implying that organizations should profile applicants to identify persons with narcissistic tendencies or other personality traits that could indicate a vulnerability to stress? Post states in Chapter 13 of the CSH5, "The fact that individuals have many or even all of these personality traits does not mean that they will commit computer crimes. Rather they are particularly vulnerable."
M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services and teaching. He is Chief Technical Officer of Adaptive Cyber Security Instruments, Inc. and Associate Professor of Information Assurance in the School of Business and Management at Norwich University. Visit his Web site for white papers and course materials.