Q&A
How to Conduct a Vulnerability Assessment
Roger Johnston talks about how aliens, Elvis impersonators and your worst security users can help you find and fix security problems.
By Sarah D. Scalet
CSO: You've brought a couple of industrial-organizational psychologists onto your team. Why?
ROGER JOHNSTON OF THE LOS ALAMOS NATIONAL LABORATORY'S VULNERABILITY ASSESSMENT TEAM: Industrial-organizational psychology has been applied across a wide range of fields, but for some weird reason, not security. When we first got these psychologists to work with us, they just couldn't believe that no one had applied all these powerful tools in industrial psychology towards security problems. Increasingly, we're using them to understand the human factors associated with security. In the end, security is really about how people interact with technology, how people use and think about technology, and how the technology was designed to enhance what people are already doing.
CSO: What kinds of things have the industrial-organizational psychologists found?
JOHNSTON: The main one early on was the recognition that the security guard turnover problem is a huge problem. The numbers typically run between 40 percent and 400 percent per year. McDonald's has a turnover rate of about 35 to 40 percent, so McDonald's does a better job than security of finding the right people and hanging on to them. There are plenty of organizations that do very fine with turnover rates that don't pay people very well and don't necessarily represent fabulous careers. There are ways that IO psychologists have developed over the last couple of decades that help these companies, but the tools never have been applied to security. The first thing that our guys did was publish some papers basically saying, "Hey, wake up, we don't need to do any new R&D, there are all these tools already proven out there." They involve things like understanding who you hire and creating a realistic picture in their mind of what the job is like. If you simply do that, the turnover rate plummets.
We're just beginning to look more specifically at how IO psychology applies to vulnerability assessments. It's a totally open field. One problem we want to look at is the tamper-indicating seals that are used for cargo security. We know from experience that some people are really good at finding seals that have been tampered with, and some people aren't. But we don't know why. One of the things we want to do is study the people who are good at it and try to understand what it is that they're doing or what characteristics they have that make them good. One of the studies we want to do, and we haven't found anybody to fund it, is an eye-tracking study. We want to look at what seal inspectors are looking at. You give them this little eyeglass thing, and it tells what their eyes are looking at. It's used all the time to judge advertisements for TV; advertisers stick audiences in front of the proposed commercial to see if they're really looking at the product or they're looking at the pretty girl in the background. We want to apply this technology to understanding what the people who are effective at finding seals that have been tampered with are looking at. Maybe we can train people better, or maybe we can do a screening exercise to find the people who are really good at it, for whatever reason.