Curiouser and Curiouser: Cultivating Curiosity in Security Careers

BSides Cincinnati · 2017 · 54:43 · 157 views · Published 2017-05
Category: Career
Difficulty: Intro
Style: Keynote
About this talk
Chris Sanders explores curiosity as a foundational trait for security professionals, drawing on psychology and information-gap theory to explain how curiosity drives learning and career growth. The talk examines the relationship between curiosity and experience, practical ways to recognize curiosity in others and yourself, and strategies for developing deeper curiosity in the security field.
Transcript [en]

alright y'all I would like to introduce our keynote speaker yeah uh-huh uh-huh uh so we got Mr. Chris Sanders he's an author he's a trainer he's a researcher he's a business owner he founded Applied Network Defense which is focused on delivering high quality accessible information security content and he's also worked for the Department of Defense for InGuardians for Mandiant and is also the founder and director of the Rural Technology Fund which is the charity we were supporting this year with all of your ticket sales so thank you guys very much for buying tickets because every cent of it goes to the Rural Technology Fund which is a nonprofit that donates sponsorships and equipment to public

schools to really kind of further you know technical education and especially in rural areas and impoverished areas that wouldn't be able to get to it otherwise so you know we're very excited to be able to support them this year Chris has authored yeah give it up so if you're counting this 2,000 bucks from 200 ticket sales so yeah so Chris has authored tons of books and articles and training courses including Practical Packet Analysis which is a fantastic read if you know you've ever opened Wireshark in your life if you ever looked at the pcap you absolutely need to read this book it is phenomenal so again we're very excited to have another keynote Chris Sanders thank you well

thanks for the the great introduction I want to take a moment and thank the organizers of the conference as a matter of fact we have another round of applause for all the organizers and all the great work they've done it's a I never knew just how hard to create one of these conferences and make them successful it was until I haven't done it myself but until I have been good friends with folks who have done it seen the stress and the worry and all the work that goes into it so big thanks to those guys now before we get started I'm actually going to give away this copy of Practical Packet Analysis it is signed it is signed in hexadecimal so

you have to decode it but that's half the fun so I have a trivia question it's a sports trivia question so basically the first hand I see I know where the computer conversant I'm asking the sports questions so that's kind of tricky the answer is not University of Kentucky but go Wildcats so and so the coach of University of Cincinnati basketball team is and it's not the question but is somebody yellow bit Cronin I believe well name the school where Mick Cronin really kind of got well-known for taking a team of terms it deserve to go there so you right there Murray State University my alma mater so you went on down

we kind of wish we could have kept him but y'all got him alright I'm going to move over here now all right so does anybody know what movie this is from Alice in Wonderland have you you've seen the cartoon version this is much older version I think it's around well before I was alive most of you have kids your kids have probably seen it and if you haven't seen it rather the premise is pretty simple it's this girl Alice sees a bunny hopping around the bunny heads down this rabbit hole she peers down into the rabbit hole decides hey this could be fun and hops down the rabbit hole and then has this really fantastical adventure where she meets

the Mad Hatter and the Cheshire Cat and all kinds of hilarious and interesting things happen and I want to focus on this scene right here because I think this scene is particularly interesting where Alice is peering down the rabbit hole because there's this is really the critical point in the story and it happens really really early on she's peering down the rabbit hole and she has to make a decision do I go down the rabbit hole right and what made her make that decision what was the one kind of trait that was in her that made her decide this is something I should do and you might say stupidity if this is real life and you're going down a real

gigantic rabbit hole that could hold any number of evil things but for our purposes I think the answer is curiosity so I'm going to talk a little bit about curiosity today and I think I see we have a pretty wide range of ages here so I assume we have a lot of people who are maybe very new to the field people who are maybe interested in getting into security and they're not in security quite yet so we have I think a lot of diversity so this is not a technical talk I'm not going to talk bits and bytes I'm going to talk about traits and skills and a little bit of psychology and how that you can utilize that to

better better yourself in this field and essentially learn better our field is all about learning learning to get into it learning while you're in it even investigations are the sense of learning what happened what our sense of events that occurred so we're going to talk about about those things and I took the title from the I believe it's in the movie is definitely the book is curiouser and curiouser so we're going to talk about curiosity why it matters a little bit about how it's made up how it's comprised breaking into some different component parts and we will talk about strategies for being more curious whether that's yourself because I think that's the really the x-factor that

makes someone good at what they do in security or if you manage a team helping make them more curious and facilitating an environment of curiosity I got a really great introduction from Justin I'm not going to spend too much time talking about myself I'm from a little town in Western Kentucky called Mayfield that's actually the town there that's that's the whole thing there's not much there's there's that you can't see there's like a we got our Walmart back there and there's a few traffic lights and there's a McDonald's and and all those things you'd expect to see in the far western in Kentucky I do run a company called Applied Network Defense but I just want to talk more about the

Rural Technology Fund I'm just going to spend a couple minutes on this because that's what this conference is supporting I'm from an incredibly rural area where there wasn't much for me a kid growing up who was interested in technology and wanted to pursue those jobs I was very fortunate to be able to have some success at that thanks to some teachers who really cared about me but not everybody has that so I founded the Rural Technology Fund in 2008 to provide educational resources that really get kids interested in computer science and engineering related careers and for those who are already interested kind of helped foster that and give them an advantage when they go into into college

or into their career really talking about the opportunity that technology jobs presents it's life-changing it can end generational poverty it did for me and my family and I think it can do that for a lot of other folks so we donate things all from all spectrums from kindergarten up through a high school level Arduino Raspberry Pis we'll build entire makerspaces on occasion Ozobot little toy robots that you build and code kids don't realize they're coding they think they're playing a game they're actually learning about logic and if then else statements and things like that so it's really cool they're learning about that stuff without even realizing it so we donate a lot of those things do

some scholarships and book donations and some general advocacy as well last year I'm really proud of this number we were able to put technology education resources into the hands of 10,000 kids in 30 states which is super awesome this year we're headed to 25,000 that's our goal we're already halfway there we're about halfway there we're 12,000 and so we're with the contribution of this conference that's really going to help and one of the cool things we figured out is for two dollars that is donated to the Rural Technology Fund that puts technology education resources into the hands of another kid and we're able to be very efficient with our money because we donate not just to individual students

but to entire classrooms so we build these resources that are accessible to entire classroom so for every two dollars donated that's another kid so just by virtue of being at this conference purchasing a ticket I think there were 200 tickets sold at 100 bucks a piece of $2,000 I promise there won't be any more math in this thing two thousand dollars two dollars a piece a thousand kids are going to benefit from this concert so that's pretty awesome right yeah so thank you and I always like to show a couple pictures because it's not something to talk about this when I can show this these are some of the kids who have received our equipment

from across the country I think we have we have Ohio Kentucky Tennessee and I think Texas represented in this picture so a lot of stuff going on so I like to show those pictures on a camp okay to the actual meat of the presentation I'm going to start by talking about why I think this presentation matters and I want to talk about cognitive crisis and it's kind of a little bit about our field in general and things I've observed from it in from my perspective and through the jobs I've had working building government public private sectors and so on the benefit of a keynote it's a little less technical it's kind of more of a broad overarching

view of things at least in this case as I see them and I think several others may as well so cognitive crisis what does that mean well crisis is obviously bad it's not a good thing there was a study done by some Kansas State researchers it's been a few years ago now there were anthropologists right and so they did what they call an ethnographic study and ethnography is really the study of culture so he took some anthropologists in Kansas State and they put them in a functional Security Operations Center god help their souls these non-computer people had to hang out in the SOC for a while and if you ever been in a SOC for a long time

that can be a very interesting experience if you're not used to it so he went and they spent a lot of time in this SOC and they learned about the culture they listened to people they talk to people they saw how people did their jobs and they wrote a really great report about it I'll have the report link here in a second but they had some really interesting findings I think some of the best findings about culture often come from people outside that culture and so I want to share a couple of those with you here one of them says that an end this job is highly dynamic and requires dealing with constantly evolving threats

so far so good doing the job is more art than science ad-hoc on-the-job training for new analysts is the norm okay that's that's about right for my experience but listen to this one the profession of security is so nascent that the how to's have not been fully realized even by the people who have the knowledge the process required to connect the dots is unclear even to the analyst so what does that say well it says sure we're maybe very good at what we do but we're not good at telling other people why we're good at what we do and that's a big problem can you imagine going to talk to your doctor and you have to have surgery

and you ask him how are you going to do the surgery and he's like I'm just going to open you up and find the bad stuff and take it out I'll figure it out when I get in there not a great strategy so granted generally life isn't on the line with some of the things we're doing in some cases maybe so it's maybe not not a perfect comparison but we have this sense where in security most of the knowledge is tacit it's not written down even the people and we all know them rather people are really really good at this stuff they can't really elaborate it or explain that we have a few folks who are maybe really good at teaching

those things but even the things that we're really good teaching like intrusion analysis the concept of connecting the dots starting with some type of input investigating it and determining did something bad happen or not the processes we do that in is very poorly documented and very few even really good really high level SOCs are good at explaining that I've worked with and around a lot of SOCs and most practitioners just cannot simply explain how they do what they do and that's a problem and that's entirely limiting to us because especially if you're new to this field and you want to learn and someone says the only way for you to learn is to do on-the-job-training so

sit and watch me do it that doesn't work right again going back to a medical reference we're gonna make a lot of medical references in this talk if you want to be a surgeon you don't start right off the bat just hopping into surgeries right or watching other people do surgeries you do some of that right that's important but you have a whole lot of training that occurs before you're ever cutting into somebody so same type of thing here now one of the ways this plays out of interest to us is in career progression so in terms of how we progress if you want to get into security how do you do that now in other fields it's a lot more

clear-cut if I ask you do you want how do you want to get into how do you get into accounting right pretty straightforward you go to college you probably do some type of apprenticeship you get your CPA license perhaps and then you go into practice very straightforward most people can identify that path if you want to be a lawyer a little more complex but still pretty straightforward you go to college you get into law school you go to law school you graduate you go into some sort of apprenticeship you pass the bar and then you are a lawyer and you can practice and do what lawyers do even medicine again more complicated but college to medical school then you go

into some type of residency with your specialty sometimes you go into a more specialized residency so you may go from a general surgery residency to a cardiac residency of some sort and then you're in practice so all those career progressions are pretty straightforward now I spent a lot of time thinking okay what's the standard career progression look like for someone who wants to get into security and I think I diagrammed it pretty well so that's that's what we're at right and I host the podcast it's called Source Code and what I do in that podcast is I talk to people in this field who I think are generally pretty darn successful and I basically have them tell me their life story there's

their source code their origin story how did you get into technology how did you get into computers what led you into security and so on now that the thing I've learned from that basically is that there's no one path everybody takes dramatically different paths for some people that's college for some people it's not for some people it's College but not in computers it's been something completely different right one of my best friends in the world he has a physics degree but he's an excellent security practitioner all the way that was not his plan from the start he just ended up there so the paths are very very different now I want to loop that back into this concept of cognitive

crisis and I looked and we're not really the only field that's experienced some form of cognitive crisis right there are others and medicine is one of those I want to talk about that in a minute but I want to talk about ours first and there are three really factors that I've identified that I think are the things you see their symptoms of the underlying affliction that is cognitive crisis one of those is that the demand for expertise greatly outweighs supply if we have anybody in here who's responsible for hiring people you probably know it's very hard to find people really at all ends of the spectrum maybe a little less at the entry level now but the fact

that it's hard to get a job as an entry-level person is mostly because we're not good at identifying and finding people with the intermediate and advanced levels so that creates this kind of tidal wave effect that hurts people trying to get in a job at an entry level most of the information in the field cannot be trusted or validated we don't have peer-reviewed journals in our industry and the ones we do have are 10 years out of date by the time they're published so most of the information we rely on where does it exist blogs Twitter those things are great but anybody can publish to them and there's no way to perfectly vet that information

and even information that's good now may not be good a couple years from now and whose there's no information police out there kind of personal information or sighting that it is not out of data no longer relevant or the theories in it have been debunked and so on so most of the information out there cannot simply cannot be trusted or validated and finally we have an inability to mobilize and tackle big systemic issues ransomware right that's the big one right now many of you may have had to deal with WannaCry recently we still haven't solved patching we still haven't solved SMB urs we still haven't solved ransomware and these are big things that are affecting

everybody ransom represents a good opportunity for our industry to mobilize and figure some things out and formalize some things but we're not quite there yet now again these are examples of information security and cognitive crisis but there are examples of other fields to do this and I once again want to go back to medicine and let's think about medicine not as it is now but as it was a hundred and twenty years ago we think of medicine now it's really robust we have a lot of problems with medicine but they're not really about the study of medicine itself it's more about insurance and politics and things that are kind of on the side but as far as

medicine goes it's really not science now we have this concept of evidence-based medicine where we actually and this is crazy we actually have to observe things that have science to prove things before we make decisions about healthcare and so on we didn't always have that and think about these three things here think about demand for expertise well 100 years ago most towns didn't have doctors right Mayfield Kentucky didn't have a doctor you had to travel 20 30 miles down the road and hope you weren't too sick to to not be able to make it there not only that the doctors we did have also happen to be your vets and your dentist and your morticians and all that

most the information cannot be trusted or validated until I think it was maybe 30 years ago we believed that if you had a stomach ulcer you should drink milk well we now know you don't do that that's the exact wrong thing to do is drink milk we have a stomach ulcer makes it worse what is the average temperature of the human body does anybody know that 98.6 did you all know that's based on a study that's something like 60 or 70 years old and it used technology that was extremely out-of-date and that's not actually the standard temperature for a human body most people they know that so my wife is actually a physician she's a family

medicine physician was where I get a lot of these medical references she didn't know that they don't teach that but that study was done by a guy who was using a thermometer it was really hard to read it wasn't that long he did it under the armpit and as opposed to in the mouth which is where we know you do it generally now or regularly but so the average human vison which is actually a few tenths of a degree lower and not only that it's also a range and it can fluctuate by as much as a degree at any given point during the day so evidence-based medicine we know that's not necessarily true now that's not

quite yet permeated society yet and of course inability to mobilize and tackle big systemic issues pick your plague of choice we don't we have a much better ability to handle things like Ebola now whereas if we had Ebola as little as 100 years ago it probably would've been much more disastrous thing when it got into this country so medicine went through a lot of the problems we had in terms of cognitive crisis now medicine was able to get through them very slowly but very efficiently because obviously lives were on the line and while lives aren't always on the line with what we're doing sometimes they certainly are now that we have things like critical

infrastructure connected to networks so how do you get out of a cognitive crisis and I say you do that via cognitive revolution so I look back and I looked at other fields I looked at medicine and biology and physics and law and how they kind of got out of their cognitive crises and it's really a three-step process kind of at a high level it's much more complex than this but if I had to boil it down to three kind of things it would be these so one is to understand the process used in your craft to practice your crafts that you used to draw conclusions that's what we're all in the business drawing conclusions whether that's a

medical diagnosis a legal case a scientific research discovery and so on developing repeatable techniques and method and then essentially building training that makes those more teachable where we're actually teaching people fundamental facts and concepts that they can use to better learn new information as opposed to just built teaching people specific tools and how to do very specific use case things so it's underlying fundamental knowledge so I think that's how we get out of that and I think that's why understanding how we think about things is very important so that's kind of the basis for the rest of the talk we're going to talk about curiosity because I think it's one of those very important things now

curiosity has a lot of definitions I know we think in information security we have too many definitions for the one thing I could probably start a really fierce debate in here right now if I said what's the definition of threat hunting we're not going to do that but that's not unique to our field as well and psychology things you would think are very well defined like intelligence or curiosity have dozens of definitions right so I don't want to spend time too much time delving into various different definitions but definition I want you to think of for our purposes today is the desire to know so it's all curiosity is for all intents and purposes and as

we're going to define it and approach it here is the desire to know something and that can be something at a larger scale like I want to know how to be a programmer or something at a very specific scale I have this IDS alert and I want to know whether it's connected to a bad guy right so simply the desire to know now curiosity comes from a couple different places where we've really been able to gain a deeper understanding of it the first is developmental psychology and if you think many of you probably have kids and when you think of a small child a baby you think about them kind of exploring their world right they

discover at some point they have hands and then they they want to just look at their hands and touch their fingers and stick their hands in their mouths and and do other gross things that babies do I guess but they are exploring their world and that's how they learn and really learning in a broader sense as adults is really not much more complicated at a fundamental level we're constantly exploring our world we're taking in new information and where we have some type of drive that drives us to continue to do that exploration and that's generally curiosity so curiosity is very important from a developmental perspective now the other perspective which is interesting is the evolutionary

perspective and I have the Gator on the screen here because there's a very prolific psychologist by the name of William James in the early 20th century and he wrote a lot of great stuff did a lot of very important things but in terms of curiosity one of the kind of epiphany he had he was standing on a riverbank standing just like I'm standing now and he saw a gator so I mean kind of at an angle towards him it was coming from a distance that he could tell it was a gator Gators don't have good eyesight so a gator if I can't tell that he was there that he was a human maybe it never seen a human who knows

but it was swimming towards him and William James for whatever reason didn't run but he was just standing there and this gator swim towards him he's standing looking at it and he kind of shifts his weight over and when he shifts his weight over that gator sees him and it darts off the other way right it realizes the thing that's standing there is actually alive and I don't know what it is and I'm scared of it so you have this concept of fear and that's where we really get our understanding of curiosity versus fear that they're two sides of the same evolutionary coin curiosity is what propels us to explore our world and fear is what is really the

check and balance on that right it limits our ability to explore such that there are certain things that we maybe don't need to explore right so the gator is a simplified kind of animal world example with there are plenty of those in the human world as well so for our purposes curiosity is simply the desire to know and so we're going to talk about how to break that down into sub sub components and some things like that but I want to talk about curiosity first as it relates to experience because I think most people if you ask them about experience will say well how do you measure experience well okay I have five years experience 10 years experience

that is years really the best way to measure experience and let's take this example let's say we have Jack and Diane two American kids live in the Heartland for having security analyst they fresh out of college fresh University of Cincinnati graduates they get hired into the exact same job they have the exact same experience in the field so they get hired in to be security analysts and then you leave them alone and come back five years later and you find out well Diane has far surpassed Jack in ability all of our superiors say she's just a much better analyst she's intensely better at her job but they both have five years experience so what's the difference well I would

posit it's curiosity and that Diane is probably all things being equal more curious than Jack and that allowed her to gain experience at a more favorable rate of course at this point we're not measuring experience simply by years we're measuring it by the amount of practical knowledge gained for use in the field and that's a much better way to understand curiosity as it relates to experience now the thing about curiosity is it's it changes right it goes up and down and up and down but it really affects the rate at which we gain experience and have a couple charts here and you can see we have a time in the job on the bottom there and we have the

amount of experience measured at the way I discussed a moment ago on the vertical axis so at the top we have someone who I would say has very sustained high curiosity and this is their corporate career progression they learn at a really fast rate and they keep doing that on the bottom we kind of have the flip side it's someone's very sustained low curiosity they're not very curious they're not taking in a lot of new information they're not exploring the world within their domain and so they're not really gaining a lot of useful knowledge and they just don't end up it's a high level of experience that the other person so you would say perhaps

that Diane is at the top here and Jack is at the bottom and you can see those career arcs as such now these aren't entirely realistic arcs in terms of how clear out the effects are experiences these are probably little bit more realistic and the top and we have someone who is just getting into their career and they are very very curious and gain a lot of experience really quick but then it kind of levels off we've all known folks like this life happens you're very career-focused and then maybe you become more family focus you're you get in you take a new job and it's not a great job and it kills your curiosity for a little while or you just

kind of phoned it in we've known folks like that too so this is a waning curiosity on the bottom we have kind of the opposite of that where folks start out with very low curiosity maybe they're not in the right field they're not in the right specialty maybe they're on the blue team side and they decide they figure out that the red team is the place for them to be and then they get on that side and then curiosity really ramps up and they start gaining experience at a whole new level this is also pretty consistent what we see with folks who choose technology as a second career when they get really interested in that and the curiosity is absolutely

there now in truth this is also probably not super realistic it's maybe realistic at about a macro scale but if you look in and maybe were to zoom into a year this curiosity doesn't look like this or it doesn't look like this probably looks like this right because again life happens we often want to think that our personal life and our professional life are very separate things but that couldn't be further from the truth everything we do in our personal life psychologically affects our professional life and vice versa so there's a lot of things that go into that and how curious you are we're going to talk about a couple of those here in a

second now practically speaking I see curiosity and experience and the combinations thereof manifest as such now Green is obviously good red is obviously bad and you'll see the common denominator here is experience doesn't matter in a lot of ways and if you look in the top right we have the excels area these are the people who your ideal employees they have a ton of experience and also very curious and not only do they have the experience they're continuing to gain it at a really high rate that's you have the old place to be but not everybody starts with experience and that's okay too so we have that on the top left notice that people are

really curious and they have little experience the good thing is because they're so curious they will gain experience at a much higher rate than others and these folks are generally jumpy that's the word I would use if you're in a SOC environment they're the folks who everything they see looks malicious and they want to file a ticket on everything and that's fine it's not fine if they're working by themselves because they can't figure out you know they don't have someone telling them what's good and what's not you need strong mentorship and that's the case and if you are that mentor it can get really frustrating but that's okay that's why you gotta have a strong

will to be able to do that stuff so those folks are jumpy and jumpy is a good thing jumpy can be channelled jumpy to be used now what can't be are people with low curiosity and low experience those are your folks who are generally ineffective because not only do they have no experience they don't know what looks what is bad and what isn't they're also not propelled to actually gain that experience at a very quick rate so those are folks are generally ineffective unless you can do something about that curiosity level and then of course on the other side you have folks who have a ton of experience but their curiosity has fallen off the

map for some reason again the folks who maybe have just kind of phoned at home or have other things going on and they generally tend to be pretty apathetic about the job that's the best word I would use to describe folks like that so you know you want you want to be in that top section you want to be hiring people who are in that top section at an entry level you want to be hiring people on the top left in my experience and again from the perspective of someone who's spent a long time hiring people in a SOC environment curiosity is the number one thing I look for when I'm hiring new folks right out of the field now a lot

of people like to talk about passion you want to hire passionate folks but generally speaking I don't expect someone who's never had a job in this field to be passionate about it I don't think that's entirely realistic how can you be passionate about a job that maybe you don't fully understand the full scope of as a manager I generally believe it's my job to make them passionate about it and if they're curious I'm much more able better able to do that so let's talk about curiosity and a couple of these sub components of it and kind of define it a little bit there are a lot of theories about curiosity obviously psychology is a

field where there are a lot of things we don't know the mind is generally the most studied thing in human history but the least understood we're getting better at that thanks to medical science and MRI devices and things like that but one of the more predominant theories about how curiosity works and I think the most subscribed to one is something called information gap theory now with information gap theory you really have two components you have what you know which we call your knowledge point and you have what you don't know which is your reference point and it's your awareness of what you don't know that presents opportunity for curiosity that's where this gap comes in so I know

what I know and I know what I don't know and there's a gap between those two things and that creates essentially deprivation right mental deprivation it creates a little bit of strife and that I really want to be able to close that gap or maybe I do or maybe I don't what you're doing is essentially a subconscious gamble you know what knowledge exists out there and you think okay here's the effort required to gain that knowledge and here's the value I get out of it and you make a gamble and if those two things combined mean it's worth it you're probably going to pursue that knowledge if they don't maybe there's no reward for learning that

there's no career benefit there's no personal benefit or maybe it's just simply too much work to learn it then you're probably not going to pursue it right and that and this isn't just information security specific it's really all walks of life from an investigation standpoint it means you see a weird packet come across the wire and you think how much how long is it going to take me to research what's the benefit of doing it and it's always good you're going to do it chances are if that's your job you're probably going to do that more often if something breaks on your car your alternator breaks and you don't know anything about alternators well you could

probably figure it out and probably figure out how to fix it but is it worth it to you to spend that effort and go through the pain of gaining that knowledge and is there a great benefit to it how often do you guys replace an alternator maybe not often maybe it's not worth it so you have this concept of reward and disappointment and reward and disappointment are kind of moving targets a lot of things have very clear rewards like for our career a lot of us started out playing video games video games are great to have a very clear reward system you get achievements along the way there's a final boss you beat that you get the pride of doing what

you've done but there's also the concept of disappointment we often do things that from a curiosity perspective where we're satiating our curiosity that we almost never get rewards and I think of one that applies to me is I work from home so my office is at home so one of the bright shining moments in my day when I get a little bit of sunlight is when I go out to check the mail some of you probably work from home and you probably notice I see a lot of heads shaking on the front row so I get really excited when the mail comes my window looks out front I see the mail truck and I just

scamper out there and it was very funny when I first got married my wife came home one day from work and she brought in the mail and I was like what are you doing why would you take my joy away so she doesn't get the mail anymore but nonetheless that's the thing is I get really excited about the mail because there's curiosity you know I know the things I know I don't know what's in that mailbox and there's a gap there and I go out and check it every day very excited now unfortunately nine times out of 10 or more there's nothing exciting in the mailbox it's bills it's junk it's what have you I don't get a lot of mail

I guess you can all write me letters I guess that'd be great but I don't get a lot of mail so that's one of those things where I'm constantly disappointed virtually every day but I'm still satiating my curiosity it's probably cuz the effort's really low right and there's benefits of I get through guts I get some fresh air take the dog with me sometimes etc so it is again is a it's a two factor thing it's the reward that comes with it as well as the amount of effort and it's the kind of the interplay between those things so that's how information gap theory essentially works now there's also an interesting concept of knowing what you don't know

and what we kind of see over the course of the career especially in fields like ours where if you've been in it for a while you know that the amount of knowledge out there is vast and more than you'll ever be able to consume a lot of people come into this field saying I want to know everything there is to know about security and as most of us know that's virtually impossible because it's such a diversified field so many different specialties within it so you kind of get that knowledge as you go along and this picture kind of represents that where and when you start in this field as a novice your knowledge point which is

what you know and your reference point which is the point at which you know exists it's pretty close you think ok I can get there but then as you go along those two things diverge pretty quickly and they don't always diverge in a perfectly straight line it's not a linear thing it's often like this like you learn you learn ok I don't know anything about SQL injection and then you kind of learn a little bit about it then you realize there's about a billion different ways to do SQL injection and so your reference point for that goes way up right you realize there's a massive amount of things you don't know about that and it's a lot of those little

instances and those topical things when combined that produce an arc kind of like this where when you get to an expert really often times what expert means is being aware of the things that you don't know and also being aware of who does know those things so you can point people to them I used to I used to feel like to pick on someone in the crowd I feel like I know a lot about sensors network sensors and now I realize there's so much more I don't know but if there's something I don't know I point them to Mike Reeves sitting in the front row because he knows more about sensors than anyone so that's a

lot of what being an expert is although I don't think they teach that in school as much expert is often not about knowing things it's about knowing what you don't know and then pointing to people who do know those things so we have this concept again of the knowledge point and the reference point now I'm going to get back to that but I want to talk about motivation there's obviously a motivational component to curiosity it's the desire to know and desire means there's a motivational aspect to that now there's two sides of this there's generating curiosity in the first place and maintaining it now generating it in the first place is tricky and that relates to interest and interest is kind of

another field I'm not going to get into that too much but how do you generate interest in a specific topic some people are kind of innately interested in information security some people will never be interested in it I think one of the problems with our field with computing in general is there's a general perception you have to be a genius to work on computers for a living and I am living proof that that is not true so by setting that it's almost like an excuse people use you set the barrier to entry so high then theirs then I can use that as an excuse for not getting in a specific field that you need to be a

genius to do these things and there are very few fields where you truly have to be a genius to do them in order certainly one of those so curiosity generally begins with interest how do people get interested in things that's a long and complicated thing that we don't honestly know a ton about so I'm not going to focus on that what I will say is we're really good at getting people interested in this industry at hacking breaking in coding and really bad at getting people interested in detecting defending and writing which are ironically the things I do more of so what goes into that well there's a lot I think I think generally speaking when

you talk about a red team versus blue team type thing on a red team side there's generally a bigger sense of mystery reward and measurable success right as a red teamer you have a very clear perspective of generally here's my objective and here's my mission and you know when you accomplish it whereas on the blue team's side you may spend your entire life preparing for an attack that never comes and you also have this sense of am I being attacked right now and I never know it so it's very hard to measure success it's very hard to identify rewards for things you're doing and that it's very quickly picked up off on by people and as a result it's hard

to get people interested in those things so I think that's where we really have a lot of work to do collectively as an industry because those are things that are I'm not going to say more important but those are things we need more people who are skilled and able to do now next I want to talk about maintaining curiosity I want to spend a little more time on this because I think this is important I think we can do things about this and we all know this phrase that a journey of a thousand miles begins with a single step and that's great but here's what they don't tell you is that the first step is also often the easiest

right it's it's the first step out your door and then you get to the mile 124 mm you've got to climb that big ol mountain over there so maintaining motivation is much harder than starting it in the first place and you know go look at a gym on the on January 2nd right everybody sets the new year's resolutions and they want to go to the gym and then you know three weeks later it's a ghost town again so now where this comes into play is with that gap we talked about that gap between what you know and what you don't know and that gap's very important temporally speaking in terms of your awareness of it if the gap is all about

awareness that's where curiosity lives but there's something kind of negative that happens when you feel like you really know something then very quickly you realize there's a lot you don't know when that happens really fast it can be very detrimental to motivation and that's something I call rapid gap awareness and this kind of picture shows that to some degree wherein when your awareness which is the red line goes up really really fast your motivation goes down equally as fast and unfortunately the only remedy for getting your motivation back up all the times is closing the gap and once you figure out that gap is very large closing that gap is something that takes a little bit of

time you don't jump out of it you generally crawl out of it so this kind of illustrates how curiosity is easy to start but hard to maintain you get really curious about something and then you realize you don't know a ton about it there's so much to learn you get really demotivated fast the area where I think this applies to a lot of people in our field is coding most people in information security don't start out as programmers and but they realize eventually that yes as a security practitioner it is helpful to be able to write out some Python scripts or something like that so you say I'm going to learn Python and then you write your

first little hello world you start if then else statements some loops and then everything's good then all of a sudden you learn about object-oriented programming and functions and inheritance and all these third-party libraries come into play and you feel like you're doing something right and someone says no you're an idiot you should've been using this other third-party library and there's really no right answer and that's when that's when that knowledge gap you realize is much bigger and that's when you get demotivated and that's when most people quit right I saw a lot of heads shaking when I said programming so I think a lot of people can relate to I know I can I didn't start out as a programmer and

when I wanted to learn specific languages or specific things very demotivating once you realize how much there is you don't know so that's this concept of rapid gap awareness or RGA now the good thing about RGA is I think you can do some things about it I want to talk about those but first I want to talk about when is RGA most likely to hit so there are certain events and certain things that occur in our daily lives where you're more likely to have these instances where you're rapidly aware of the gap that exists between your knowledge and the knowledge that exists out there one of those very straightforward is when you get a new

job you get a new job and especially if it's a new role you've not done before very easy to say that once you get in there you're going to realize there's a lot you don't know new projects as well especially if they're projects outside your normal comfort zone training does this I see a lot of people who come to my training courses or other ones who they feel like let's say they are going to a malware analysis course they feel like you know they've used some sandboxes they feel pretty confident they know a little bit about malware analysis and then they start the course and somebody starts talking about assembly code and their eyes glaze over and then

the RGA occurs and motivation is not where it should be meetings you see this happen a lot new hires specifically when you hire someone who has a knowledge set that you don't have and they come in and they show that very early this can create a lot of contention but it's an RGA inducing event usually and of course that also can lead to some type of competition between people not just competition between people in the workplace but also actual competitions I see there's a lot of people in CTF like the one going on here they go into the competition and they feel really good about it and then they struggle a little bit and realize man there's a lot I

don't know about this and their motivation goes down into the toilet it's an RGA event so what topics do I see RGA hit with the most and I mentioned a couple of these general skills programming regular expressions I teach a lot of packet analysis and I see a lot of people once they realize how much they don't know about packet analysis their eyes kind of glaze over as well and it drops their motivation into the floor from a defensive perspective reverse engineering signature development Windows log analysis are things that are very big topics that last one is one that sneaks up on people you feel like I'm going to learn everything there is about Windows logs

and then you realize that the people who wrote the Windows logging system well we're live streaming they may be watching this great people over there but it's it's very diverse and it changes dramatically between operating systems and it makes me want to fall over so and on the offensive skill side exploit development web app pen testing so you may look at a lot of these things and say I've really just identified things that are hard in our field and that's maybe true with some of these things but they're often as well a lot harder we make them out to be just because we get very demotivated once you realize how little there is or how much there is

to know that we don't know so we can do things about that and that's why I'll get into the the final portion of the the presentation the talk was called curiouser and curiouser so I want to talk about how you can become curiouser which is a real word so the first thing with being curious if you want to become better at it the first logical question is well can you measure it in the first place right that's logical and there's really two types of curiosity and I've kind of lumped them together we have this concept of curiosity as a trait so are you born with a certain degree of curiosity more than other people and can

you measure that that's called trait curiosity and there are a bunch of tests out there that measure that they're also kind of psychometrically valid they're good tests but whether they correlate directly to curiosity how it manifests is a bit of a point of contention amongst the psychological community as I interpret it so we can do that but it's not the best thing what most psychologists have said though is that we have this concept of state curiosity which is curiosity as it's applied to a particular field or particular field of study and we can become better at measuring curiosity and those things and apply it to specific domain you just have to have folks willing to do that

research and learn more about it and that's part of the reason I'm here is trying to figure out how we can better in our field measure curiosity so I've actually had folks take a few of these tests and I'm currently doing that data analysis and that's part of my PhD thesis so we'll come on that but I think we can measure certain aspects of it but we are not there yet so we have the ability where it's not there yet that said we I don't think we can measure it effectively right now but I do think we can recognize it and that's important if you're able to look at someone and look at how they perform their job and

recognize whether they are highly curious or not that's a good thing so there's a couple things I've noticed in my time that and from the literature I've read where you can notice in people whether they're highly curious individuals or not so here a couple things that curious people tend to do one of those is ask questions right I'm really big on question asking really as a form of learning anything you want to be able to ask good questions and being able to ask good questions is a very specific skill that not quite everybody has so curious people generally ask a lot of questions because they're motivated to close the information gaps curious folks often have wandering minds we've all known

folks like this who begin talking about certain thing or looking into a certain facet of their job and all of a sudden they wander here and there they also pivot rapidly especially in conversations and we all know people like this and we may think they're annoying because you're talking to them about one thing they latch on to like a tangential thing you said and take it take it and run with it so that can be annoying if you're not used to that but that's generally a sign of just rapid curiosity and an inability to kind of regulate attention between those things curious people often either get up too much or don't get up enough right so they don't get up enough

because they're intensely focused on what they're doing and they're doing all this pivoting and they're staying really engaged but on the flip side they often get up a lot because they see something that's really interesting and I just want to think about it they want to process it they're kind of thinking out loud or not thinking aloud but kind of walking as they think and and doing active thinking so it's really the extreme of of either in not getting up enough getting up too much curious people also tend to engage in very random discussions we don't know anybody does that I'm sure I think that's you know one thing I will say about our field is

I think our field generally attracts people who are more curious about things so the baseline of curiosity is probably much higher in our field and I see a lot of this with a lot of people in our field but also on the flip side those people often don't engage in any discussions it's that whole getting up versus not getting up thing they're generally the folks who oftentimes are very quiet and they're reserved because their mind is just going in a lot of directions and the ability to regulate that it's a little difficult so again both ends of the spectrum so these are these are a few of the ways that I see that you can recognize curiosity amongst

people and obviously a lot of these are kind of two ends of the spectrum so getting up not getting up enough example what is the normal amount of getting up I don't know like that's not been studied but that's something that if you if you look at someone say man I should get up a lot and move around a lot and like they're walking around thinking or whatever else it may be so they're insanely curious and that's a good thing so the last part is really creating a sustained curiosity so how can you create more of it how can you sustain it better so I'm going to have a few tips here really quickly on what I've

observed that are effective number one is understand rapid the rapid onset of those knowledge gaps we talked about it today so all of you already better equipped to understand it both in yourself and when you see it in others so by understanding it knowing it's there knowing that your lack of motivation isn't because you're not good enough that you're not have enough skill that you're not smart enough that's not the case you're just rapidly demotivated because you realize there's a lot to learn and again the journey of a thousand miles begins with a single step the first one is the easiest but by taking those first few hundred steps you are a little better equipped when you come to to come to

over those those mountains like we talked about number two and I hit on this earlier is building fundamental domain knowledge one of the things I was talking with someone about this example the other day I have a lot of analysts who have come to me and they'll say they have investigation experience and they used a single tool so they used ArcSight right and so they'll say I am an analyst I use ArcSight and know how to do investigations but then they come to an environment doesn't have ArcSight and they don't actually know how to do investigations they actually just know how to use ArcSight so less learning of specific tools more learning underlying fundamental domain

knowledge how to ask good questions how to use evidence how to pivot between that evidence learning how to actually do investigations as opposed to just learning the tools that facilitate them and that will help diminish those RGA level events and help you better process information next thing is looking for aha moments one of the best ways to get out of these gaps created by rapid gap awareness is to be able to make quick leaps in your knowledge and there's not a lot of those there's not a lot of aha moments to be found what I found with packet analysis which I teach a lot is the concept of encapsulation of protocols you teach that very early on

and people are much more likely to get less confused as they get further into the course when you're looking at packet captures that all have you know SMB and TCP and IP and Ethernet all in one packet view and they want to understand that well if you understand encapsulation better that really helps a lot so looking for those fundamental nuggets of knowledge that really help people get over the hump we're not very good at that right now but we need to become better at it and those things I believe exist in every area for in some sense there are several of them in programming I'm sure a lot of the college professors if there are any in the

room have seen the aha look on students' faces when they really get one concept that enables the learning of other concepts so we're looking for those aha moments mentorship is very important both seeking a mentor and being one the thing about about humans is we're naturally not inclined to be able to see and detect our own biases by definition we don't know we're biased most of the time and really rapid gap awareness and this is really a bias towards being less motivated and so we need others to help us realize we're kind of in that rut in that cycle and others are a lot better at recognizing that so you want someone who you can be around who can recognize

that in you who's not afraid to tell you hey don't worry you're not it's not that you're not good enough to do this it's just you have this rapid gap awareness and you just need to pick the curiosity back up and kind of work through it and let's do it together so seeking a mentor if you're newer in this field or if you're you know I think there's a myth that you can be a someone with 20 years experience in information security and can't have a mentor I think that's false everyone needs a mentor everyone needs to mentor from my perspective creating interest is important the phrase from the literature is that they use specifically is that it primes the

pump of curiosity so we don't know a lot about creating interest right now but I do know that by gamifying things that's a really great way to do it one of the great ways people get interested in red teaming is via CTFs like the one going on in here you're gamifying the work so they get really interested in it and then that primes the pump of curiosity it's a lot easier to sustain curiosity once that initial interest is created so creating that interest is an interesting thing we're always looking for ways to do that next keep in mind that attention is limited I've not talked about attention a lot but you know you can only pay

attention to one or two things at once so for people who are insanely curious they really tend to wander right I've talked about they want to pivot from different things so for people who are curious you want to satiate that by having multiple work streams available to them I know I work better this way I can't have this one single job I do I need four or five things so I can spend a couple hours a day doing each one and I think generally speaking people who have a higher degree of curiosity need more of those multiple work streams so they can pivot so they don't get bored and they maintain their high level curiosity

and finally just learn to recognize underserved curiosity again the things I talked about earlier people getting up all the time asking a lot of questions those things can come off as annoying at first for new people and it's very easy to dismiss those people but I think that's where we lose a lot of our best people so being patient with people recognizing curiosity serving it helping people satiate that curiosity close those information gaps I think that goes a dramatically long way towards keeping and developing good people in our field so last slide I just want to close talk a little bit about art versus science I mentioned that earlier that was a quote from the Kansas

State study is that our field is really more art than science and this is something I see people ask a lot well is what we do more art or science and I think that's the wrong question because I think what we do is neither art nor science if you get enough people in the room you can answer any question there is that answer about an information security problem there's not really any phenomena so to speak I think what we do is engineering and maybe that's a little deglamorizing for our field but I don't think it necessarily should be I think what we do in our field is more akin to a craftsmanship as it would be

with an engineer it's not art but there can be an art to it it's not science but we can use science to better understand it right we can use science to collect data form hypotheses seek out answers just like some of the science I've applied here with psychology and how we think about thinking this concept of metacognition which is just a fancy word that means thinking about thinking so it is not art or science I think the right question is not is what we do art or science it is how do I use science to better understand security so it is less art and more craft so that's really my challenge to everyone here is just that

is learning how we can better use science to make this less of an art more direct explicit knowledge less tacit knowledge and making this more a better place to learn and a better place that attracts more initial talent and doesn't lose talent when that initial curiosity gap occurs so that's all I've got I think I got some time for a couple questions maybe yeah any questions Oh

sure so I think it's a great question the question was if you didn't hear it was was like how do you focus curiosity when you were generally curious about a lot of things and I think that a lot of us can probably relate to that we probably all have a lot of hobbies and I think it's really I don't have a lot of super-great prattle about I do think it really is contingent upon being aware of it's being aware of the fact that you obviously obviously have limited attention and you have you're making this subconscious gamble all the time right the one where you have this information gap and it's what do I get out of doing it and what is the effort

required and I think if you frame it that way and you start approaching things that way and realize that time and attention are a limited commodity you know you don't just pick what seems interesting the time when you when you're going to do a hobby say what am I going to get out of this and it doesn't have to be financial doesn't have to be work alight it could just be you get joy out I like to cook barbecue and I get delicious meat out of that but also I just enjoy the process so it's being aware of that subconscious gamble and then having awareness of it is really half the battle and then once you're

aware of it you can kind of apply your time accordingly but yes you do have to recognize that yeah time and time's the only thing in life you can't get more of and attention is also fairly limited good

well sure yeah that's definitely part of it maybe it's an oversimplification as I presented here but that is definitely a facet of it of rapid gap awareness for those that didn't hear it's basically there is a factor of not only being aware that that knowledge gap exists but not knowing where to go those kind of go hand in hand a lot of the time especially especially in our field like the programming example I use it most of us have a problem we're going to try to google it but there's so much information out there and there's so much bad information out there it becomes really easy to get frustrated and and it creates this effect of not

only do you not know the things you don't know you don't know where to go to get them and that actually only just makes it a larger gap quite honestly because that's knowledge it's the knowledge you don't know and the knowledge of not knowing where to go or just there's still knowledge but it's increasing that gap so absolutely ok I think that's it thank you for the time [Applause]