6. The Skill of Cybersecurity: Adversarial Thinking “[Detectives] consider only their own ideas of ingenuity; and, in searching for anything hidden, [think only about how] they would have hidden it…but when the cunning of the individual felon is diverse in character from their own, the felon foils them.” - The Purloined Letter by Edgar Allan Poe Cybersecurity is made up of really only two things: computers and adversaries.1 Take away the adversaries, and we have a world with computers, and those computers need programmed, installed, and maintained. Problems will occur due to programming mistakes (i.e., bugs) and hardware failures. Floods, fires, and storms will happen. Users will accidentally delete important files. Power outages will occur. This world will require plenty of IT support, and backups and other safeguards will be necessary. However, this world would not need cybersecurity. On the other hand, take away computers, and we have a world with adversaries in it. (This was the actual world until the latter part of the 20th century!) Attackers will steal, kill, and destroy. They will take advantage of others, violate their rights, and harm them. This world will need security guards, police forces, militaries, and a criminal justice system with laws and regulations. However, this world would not need cybersecurity. Only in a world with both computers and adversaries do we need cybersecurity (see Figure 6.1). This is the world we live in. IT support is still needed in our world and can be efficiently managed based on probabilities. How often does equipment fail on average? 1 This chapter draws on material from two of the author’s journal articles: S. Hamman, K. Hopkinson, R. Markham, A. Chaplik, and G. Metzler, “Teaching game theory to improve strategic reasoning in cybersecurity students,” IEEE Transactions on Education, vol. 60, no. 3, pp. 205-211, 2017. S. Hamman and K. Hopkinson, “Teaching adversarial thinking for cybersecurity,” Journal of The Colloquium for Information System Security Education, vol. 4, no. 1, pp. 93-110, 2016. Chapter 6
RkJQdWJsaXNoZXIy MTM4ODY=