Cognitive security is differentiated from more traditional security domains in three ways. First, cognitive security is concerned with protecting cognitive systems, not necessarily humans; second, it considers multiple dimensions of system interaction; and third, it considers multiple scales of operation. Adopting a “systems” perspective means considering the interconnectedness of system elements, the function of the system as a whole, and scalability, including systems-of-systems in which one system influences another. This is problematic from a security perspective because an effect induced in one system can cause an effect in another system without the affected system having any visibility into the original cause.

Three scales of engagement (the tactical level, a single engagement; the operational level, multiple engagements; and the strategic level, traditional security concerns together with political and economic levers), combined with an extended OSI Model that adds Layers 8, 9, and 10 to describe human factors, describe a full stack for cognitive security. To launch a cognitive attack successfully, a threat actor must achieve the objectives of each of the four phases of the Cognitive Security Attack Cycle: Collection, Preparation, Execution, and finally Exploitation. Each phase implies points of vulnerability at which the attack might be disrupted.
Objective: To introduce domain professionals to cognitive security concepts, social engineering, and the role of a Cognitive Security Officer (CogSO) in addressing vulnerabilities and threats.
Materials: Presentation slides, handouts
Outline:
I. Introduction (5 minutes)
A. Overview of the class
B. Importance of cognitive security and social engineering awareness
II. Definitions and Concepts (5 minutes)
A. Hacking, vulnerability, and exploit
B. Cognitive security differentiation
C. Cognitive systems definition
D. Systems approach to security
III. Human Vulnerabilities and Cognitive Biases (5 minutes)
A. Exploitable cognitive processes and social norms
B. Cognitive vulnerabilities in social engineering attacks
C. Dr. Robert Cialdini's seven core principles
IV. Human Interconnection Model (HIM) (5 minutes)
A. Extension of OSI Model
B. Layer 8: Individual humans
C. Layer 9: Organizational policy
D. Layer 10: Legal and regulatory
V. Cognitive Security at Multiple Scales of Operation (5 minutes)
A. Tactical, operational, and strategic levels
B. Resources and strategies for each level
VI. Social Engineering Example (5 minutes)
A. Complexity and scope of tactical, operational, and strategic level engagements
VII. Cognitive Security Officer & Systems-Based Approach (5 minutes)
A. Role dedicated to anticipating, preventing, and mitigating cognitive security threats
B. Multi-level, systems-based approach to security
VIII. Cognitive Security Attack Cycle (5 minutes)
A. Pre-attack phase
B. Collection phase
C. Preparation phase
D. Execution phase
E. Exploitation phase
F. Nested operations
IX. Cognitive Security Officer (CogSO) (5 minutes)
A. Integrated systems view of security
B. Threat modeling
C. Counter-influence strategies
D. Role in corporate counterintelligence
X. Discussion (15 minutes)
A. Encourage participants to share their experiences and thoughts on the topics covered.
B. Address questions and clarify any doubts.
Teaching Approach:
1. Use real-life examples and case studies to illustrate concepts.
2. Encourage active participation through group discussions and Q&A sessions at the end.
3. Provide digital ‘handouts’ summarizing key points and concepts for easy reference.