Paper presented to: Federal Information Systems Educator's Association (FISSEA) Conference, February 15-16, 1995. Gaithersburg, MD.
Psychological Aspects of Sensitive Training Course Development
Dr. Bruce C. Gabrielson
Kaman Sciences Corporation
2560 Huntington Ave
Alexandria, VA 22303-1410
in association with:
Naval Research Laboratory
4555 Overlook Avenue, SW
Washington D.C. 20375-5320
Introduction
The tool will be neither simple to use, nor will it be highly protected by internal program safeguards. Using the tool will require a higher than average level of network related expertise, plus those with access to the tool must be absolutely trusted to protect against its unauthorized release. A part of the needed user technical expertise involves learning a technology that in some orientations could become dangerous.
With network and system attacks continuing to rise, system administrators have grown increasingly weary of their continuous security problems. They simply cannot keep up with all the new approaches their adversaries continue to develop. In addition, numerous legal, political, technical, and ethical difficulties exist for computer security personnel trying to catch a system attacker. The result of all these control issues is new thinking on ways to protect network resources. This new direction utilizes an approach termed proactive network testing.
Reactive computer security is often an application set up to monitor traffic and connections, keep audit trails, and generally help 'react' to cracking attempts. The goal of reactive security is to give the system administrator enough auditing or real-time information to clean up after a system attack, or to prevent the attack altogether. Examples of reactive security services include network sniffers, C2 audit trails, and network daemon [4] connection loggers.
Proactive security deals with the conditions and environment the computer system is operating in. A proactive approach to local system security would check the default setup of system files, possibly try to crack encrypted user passwords, check the setup of user accounts, etc. It also could involve an evaluation of remote system security. To check remote systems, the proactive software attacks the computer system from the outside (as a system cracker would) in order to discover if the system is free of known security holes.
In our case, the application to be developed is simply a tool. It has few internal program safeguards, and it also needs a certain level of expertise to be used properly. Faced with pressure to develop and release such a tool as soon as possible, certain issues need to be resolved relative to both the training and the psychology of the individual users.
A major problem exists with the availability of individuals with the pre-existing declarative knowledge necessary to use the tool. Individuals are available within targeted organizations, but their skill level and background can vary greatly. In addition, there is no acceptable way to pre-screen those individuals who would be provided for the initial student population.
Another problem relates to the sensitivity and interpersonal skills of those available. A proactive tester would get little cooperation from the system administrator if a test was performed without prior notification, and the tester simply provided a list of fixes to correct identified vulnerabilities. Or even worse, the tester notified the system administrator with: "We tested your network and found the following holes. And by the way, we also gained root and had access to all your personal files when we broke in."
The ideal situation for a tester would be to contact the network administrator first with something like: "Your site security group is planning to test your network next week for vulnerabilities. Our goal is to help you strengthen your current profile. Let us know if you would like to be involved during testing." Dealing with people under the conditions described is a skill that must be incorporated into the training process.
The test tool is to be an advanced applications program intended for use with networks using TCP/IP protocol. Declarative and procedural training at both the awareness and Learning level (or higher) as shown in Table I is indicated. We need to understand the body of knowledge the user requires to apply the program successfully, and also how to decrease the turn-around time that might be needed to train users with various experience levels.
Table I - Suggested Specific Knowledge Breakdown
If the tester is already familiar with 'hacker' techniques and how to set up firewalls, then the test results and vulnerability reduction efforts would be most effective.
There also needs to be a human factors/technical skills training tradeoff to establish the level of conditioning necessary for each student before allowing them to test actual systems. We wouldn't want to train and unleash an army of hackers, and we also wouldn't want to have the tool so simple to use and easy to understand that anyone with a copy could immediately go into the hacking business. In contrast, we want to make a tool so simple to operate that a large number of 'pre-conditioned' testers would be interested in using it. This is the ultimate dilemma of any applications developer.
The question involves who can be trusted to maintain strict distribution control while working on the job or after leaving for another job, and also who will resist the temptation to 'look' once access is gained. What is needed is a psychological profile of those individuals selected as students who have the potential for releasing the program. Since this is not possible, the next best approach is to incorporate affective conditioning of attitudes and values into the training program.
Having established that a pre-screening process for student selection is impossible, the alternative investigated is to provide conditioning using the non-direct technique of describing the potential 'enemy' in terms of personality and motivations. Motivation conditioning is discussed further in the section on Sensitivity/Human Relations Training. Positioning this unit of instruction at the beginning of the course, followed immediately by a discussion of the legal issues involved with testing, helps to 'set the stage' for the following technical material. In addition, a delivery model that allows this format could potentially be used for further conditioning efforts. Such a model will also be discussed later in this paper.
"Stereotypically, hackers are an unusual bunch. They have been characterized as highly intelligent, egotistical, logical, quiet, withdrawn, inventive, creative, humorous, elitist, quirky, arrogant, talented, messy, control oriented, etc, etc ... with an image like that, it's no wonder - Hackers often feel like outsiders, or in an organization among themselves. People of a hacker nature are most often 'cliquey' in that they socialize together in groups, and get along well with one another. Some have also described the hacker as 'incompletely socialized'."
"..., the hacker has been classified as typically being 'afflicted' with psychological tendencies toward compulsive and obsessive behavior. This personality type can often fall deep into single-minded episodes of heightened awareness and narrow focus, wherein the individual may dwell for days at a time without any knowledge whatsoever of the goings-on around him or her. This deep 'trance like' state is often called a 'hacker high', 'trance', 'zone', or other highly descriptive words by hackers."
Commercial organizations, while falling under various state laws, have similar information authorization and protection requirements as does Government, especially if they wish to stay in business very long. Trade secrets and market edge information are essential if a business is to remain competitive. However, each individual organization is different, and the legal basis or penalties for unauthorized activity may vary greatly. Training to cover the commercial environment would by necessity be both generalized and organization/site specific.
Another protection driver related to unauthorized access and information cost control is data protection. Down time to get an organization's network back on-line, or simply to recover data after a virus attack, can run to millions of dollars. Costs can also be high if certain types of data are manipulated to show other than actual information. For training, some coverage of the personal legal responsibility for organizational financial loss is most desirable.
Providing the legal information background for the student to evaluate his own test activities is one means of accomplishing affective conditioning. Another way of accomplishing this objective is through role-playing (also discussed in the next section). Provide the student with a situation and ask him or her to select one of several possible solutions, each with its respective legal basis and potential consequences. Tailor the possible answers initially such that the correct answer is obviously the one with a "safe for me" outcome. After several such role-playing situations, the student will have a good understanding of what he or she can and can't do, and the exercise will also help place the burden of responsibility directly on the student's shoulders should a potential legal issue develop later during an actual test. Making the student an active part of the responsibility process has long been used by other classified security type training programs to meet their affective conditioning goals.
Role-playing was designed specifically to help students study their social values and reflect on them (values, behavior, empathy, interpersonal problems). In role-playing, situations and roles are selected to provide a learning experience for the participants. Participants "act out" designated roles which are believed to offer useful (and good) learning experiences. Case study also involves learning from an analysis of roles, but the role is defined in text by means of a problem situation presented from the point of view of one of the individuals involved. While role-playing provides an emotional experience through face-to-face contact, case study is normally more concerned with thinking a problem through by using cognitive skills to analyze problems and related communication issues.
Using case study type techniques, affective learning can be influenced by presenting problems relevant to what is perceived as good/bad situations [11]. Therefore, one potentially effective means of influencing behavior in this course might be to accurately place the student in the good guy/bad guy role (as in role-playing) and then provide direction towards the desired results. In other words, put the student in the shoes of the system administrator who is being tested, the site director who is responsible for the network, etc., and then ask which type of non-aggressive approaches to initial contact and result reporting would be most sensitive to their needs.
Understanding another person's perspective (how does he view his problem) is not an easy task. The student must be placed in the situation where the internal frame of reference is the person being helped. In this way not only can the tester be conditioned to have some sensitivity in dealing with people (we're here to help), but other responsibilities such as question answering skills, dealing with a site administrative structure, and methods of prior notification to those being tested can also be addressed.
Learning psychology describes a student's declarative to procedural knowledge transfer in the Transfer of Training Principle. The principle states that training in a similar Task A will help learning in Task B. There must be similar aspects in each task. However, the task must not consist of rote memorization. Generalization, which can occur in operant conditioning as well as classical conditioning, is an integral part of the transfer. We move the similarities from Task A to Task B by a process of transfer. The generalization occurs because the student sees similarities between the declarative knowledge and the procedures to be followed during testing (network administration/network security). This theory is useful for application to both the primary course material and the work-through example to be presented.
Sensitivity, laws, and hacker conditioning require a complex learning arrangement called clustering (or categorizing). Clustering is a form of discrimination in that we detect differences between two or more things or actions by understanding their unique characteristics. Basically, clustering means organizing the background by either/or descriptions like "good/bad" to describe activities like hacking versus testing. Examples of good and bad ways of approaching a system administrator and a discussion of laws and penalties will help condition a student when using this learning mechanism. As with generalization, for this learning to be effective, the information requires a unifying theme. In this case, the theme will be that tests are needed to protect ourselves, and here is how and why we do it.
Since the sensitivity/laws and hacker units are to be presented as self-study units, another learning theory can also be applied for reinforcement. Consolidation theory states that the storage system needs time to consolidate after learning. Therefore, a period of rest after a period of learning is helpful for enhanced learning. Keeping self-paced modules to a reasonable length maximizes learning when using the consolidation theory of learning as the mechanism.
According to Dejoy [12], self-directed learning refers to the self-motivated and self-managed planning process adults use to "learn, change, and improve" themselves. For the process to be effective, the student must maintain 'some' degree of control over the learning goals, the materials they must use, and the kind of evaluation they are subjected to. Of interest to us is that self-directed learning attempts to solve some of the problems identified with traditional learning techniques: those of providing an individualized match between student information needs and learning content, and the development of intrinsic student motivation to meet their learning goals. Table II from Dejoy [13] identifies several recommendations for implementing a self-directed learning program.
Table II
Notice that the selected learning techniques for the training tend to mesh with the above assumptions, which can be used to tailor individual training blocks. Certainly assumptions 1 and 4 fit with self-study units and with the immediate need of the individual to learn how to use a new test tool. Assumption 3 somewhat fits with the increasing responsibilities the tester will be given by the organization once the information is learned, plus the tool orientation (hacking) is an exciting and exotic enough technology to affect an individual's social role. Assumption 2 can be addressed by selecting a delivery model that both allows training flexibility and stresses the individual's accumulated experience.
In this model, the objectives of each unit are first stated, and then existing student skills are pre-assessed. By doing so, a determination is made if the student already has the requisite background to begin the unit of study, or to establish if the student has already mastered the unit's training objective. Following the unit of study, a post-assessment is also provided.
The pre-assessment/post-assessment scenario also allows learning reinforcement to take place by using the recitation theory and programmed learning. The recitation theory is repeating to yourself what you have just learned. In our case, the immediate final test following a block of instruction helps to reinforce the learned unit. Programmed learning is presentation of material in an organized sequence that follows an overall program (model). It is essentially self-instructional. An example would be sentence/paragraph structure with fill-in-the-blanks as you proceed through the training unit. Similarly, by structuring the pre-assessment and post-assessment tests with fill-in-the-blank questions, reinforcement will take place.
In our case we want two additional outcomes from the pre-assessment. We want to tailor our pre-assessment test questions in the first unit, Hacker Motivations and Traits, to set the stage for the rest of the course. In addition, by looking at responses to the questions in this unit, potential problem areas with students can be identified and addressed immediately.
The traditional Mastery Model supports three learning tracks: the main line, the self-pacing enrichment, and the alternative (correctional) track. This approach also has the appeal of being multi-sensory in nature and provides instructional designers the vehicle to meet a variety of multi-modality [15] learning styles, particularly Individually Prescribed Instruction (IPI) [16] techniques. Individualization is promoted within two of the three tracks. In the suggested adult training course model for the test tool, it is the student who decides, based on the pre-assessment, which training track should be chosen. Especially for self-study learning units, this technique allows for self-paced training and the use of additional learning materials if necessary.
The format for delivery of the first two instruction units can also be evaluated in terms of human factors supporting self-study or traditional classroom format. In a book by Barefoot [17], it is suggested that face-to-face discussions of dishonesty and its full ramifications are more difficult than less direct approaches such as posters, flyers, etc. With this in mind, providing the first two instruction units, Hacker Motivations and Traits and Legality and Human Relations, in a self-study format provides a workable solution still within the Mastery Model.
bruceg@hightop.nrl.navy.mil
References
[2] Reactive Security: Reactive computer security deals with who-did-what-when issues as related to local and remote system activity.
[3] Proactive Security: Proactive computer security addresses the need to check the current setup of a system in order to verify that system is secure. A proactive package would look at default conditions as they currently exist on the system and identify problem areas.
[4] Daemon: A program running in the background (or activated by interrupt) which provides a network based service to remote users.
[5] Maconachy, W. V., Computer Security Education, Training, and Awareness: Turning a Philosophical Orientation into Practical Reality, Proceedings, 12th National Computer Security Conference, pp. 557A-I, October 1989.
[6] McMahon, Frank, Psychology, The Hybrid Science, Prentice-Hall, New Jersey, 1974.
[7] Humphrey, Jeff, Phreakers, Trashers, and Hackers ... oh my ..., in INFOSEC, An Advanced Technical Course by Bruce C. Gabrielson, PhD, AFCEA Educational Foundation, 1993.
[8] Bloom, Benjamin, Taxonomy of Educational Objectives, David McKay Co., NY; Yearbook 57, Pt. 2, National Society of Education, Chicago University Press, 1956.
[9] Foster, Robert, and Danielian, Jack, An Analysis of Human Relations Training and Its Implications for Overseas Performance, Report prepared for Office, Chief of Research and Development, Dept. of the Army, DA 44-188-ARO-2, August 1966.
[10] Stimac, Michele, From Empathy to Kenepathy, Presented at the Annual Convention of the National Association of Women Deans, Washington D.C., April 4-7, 1979.
[11] Casto, Glen, Human Relationships Skill Training: Trends, Issues, Programs, Exceptional Child Center, Utah State University.
[12] Dejoy, J. K. and D. M., Self-Directed Learning: The Time is Now, Training and Developmental Journal, Vol. 41, pp. 64-66, September 1987.
[13] ibid.
[14] Beta Analytics, Inc., 9600 Pennsylvania Avenue, Upper Marlboro, MD 20772.
[15] Multi-mode: various methods of teaching groups or individuals.
[16] Individually Prescribed Instruction, Learning Research and Development Center of the University of Pittsburgh, 1966.
[17] Barefoot, J. Kirk, Employee Theft Investigation, Butterworth Publishers, Boston, 1979.